Technology Law and Data Privacy Updates

Edition II - January 2025

SUMMARY

Welcome to the latest edition of Fountainhead Legal’s Data Privacy and Technology Law newsletter.

India’s latest budget signals a strong push towards digital innovation, AI, and cybersecurity, reflecting the government’s serious commitment to building a tech-driven and secure digital economy. A significant investment in cybersecurity and data protection highlights the urgency to enhance real-time threat monitoring, cyber defense, and compliance infrastructure. The focus on DPDP Act implementation suggests that businesses handling personal data must brace for stricter regulatory oversight and governance frameworks. Heavy funding in AI and IT R&D underscores India’s ambition to emerge as a global leader in AI-driven innovation, supporting new AI labs, deep-tech startups, and industry-led projects.

The expansion of Digital Locker Services and the push for paperless governance indicate a move towards a more efficient and digitally inclusive administration. Meanwhile, tighter cryptocurrency regulations point to the Government’s intent to control the digital asset market and ensure greater transparency in virtual financial transactions.

The global regulatory landscape is evolving rapidly, with data security and digital resilience emerging as top priorities. The EU’s implementation of DORA marks a major shift in how financial institutions and ICT service providers manage operational resilience and cybersecurity risks. For businesses providing IT services, cloud computing, and cybersecurity solutions in the EU, compliance with DORA’s stringent security mandates will be crucial to maintaining market access and regulatory approval.

In the US, new export controls on biotechnology and AI-driven tools indicate growing concerns over national security risks associated with emerging technologies. Regulatory enforcement is tightening, as seen in the FTC’s action against GoDaddy for misrepresenting its data security practices, reinforcing the need for companies to align their cybersecurity measures with their public commitments. The US court’s review of cryptocurrency regulations suggests an evolving legal landscape that could shape the future of digital asset compliance. The UK’s focus on responsible data sharing for fraud prevention and Bermuda’s adoption of a formal data privacy law reflect a wider global movement toward stricter data governance and consumer protection.

Fountainhead Legal is committed to supporting organizations on this journey. With our deep expertise in data privacy compliance and a strong understanding of regulatory nuances, we offer tailored solutions for each client’s unique needs.

From drafting privacy policies and developing data protection frameworks to advising on cross-border data transfers and facilitating employee training programs, our team is equipped to guide clients through every stage of their compliance strategy.

We hope you enjoy our latest updates!

NATIONAL 

1. Key Announcements from Budget 2025-26 on Digital Innovation, AI, Cybersecurity, and Data Privacy[1]

  • Cybersecurity Investment – The Government has allocated INR 782 crore for cybersecurity initiatives to enhance real-time cyber threat assessment, fund four new R&D projects, and develop advanced cyber defense technologies. This investment will strengthen India’s digital infrastructure and improve cyber resilience, requiring businesses to align with new security compliance frameworks.
  • DPDP Act Implementation – A portion of the cybersecurity budget will be directed toward the DPDP Act, facilitating the notification of 25 new rules, the establishment of the Data Protection Board, and the creation of a Digital Office for governance and compliance. Organizations handling personal data will need to prepare for new compliance requirements, including stricter data protection and governance measures.
  • R&D in IT & Electronics – INR 1,249.75 crore has been allocated for R&D in Information Technology & Electronics to support 20 new R&D projects, facilitate 50 new patents, and train 500 skilled science and technology professionals. This investment promotes indigenous technological advancements, though businesses may need to navigate new patent regulations and R&D funding frameworks.
  • Expansion of Digital Locker Services – INR 617 crore has been allocated to expand Digital Locker Services, with a target of adding 6.5 crore new users to promote paperless governance. Increased adoption of digital document storage may drive efficiency in administrative processes but could necessitate additional security measures to protect sensitive data.
  • IndiaAI Mission Investment – The Government has allocated INR 2,000 crore to the IndiaAI Mission, which will establish 20 AI Curation Units, set up 80 IndiaAI Labs, fund 25 deep-tech startups, and execute three large-scale industry-led AI projects. This move positions India as a key player in AI innovation, but businesses leveraging AI may need to adapt to evolving regulatory and ethical frameworks.
  • Technology Development for Indian Languages – INR 315 crore has been allocated for linguistic computing, funding 20 new tech projects and supporting 50 startups specializing in language technology solutions. This initiative promotes digital inclusivity, but companies working in multilingual AI and software solutions may need to align with emerging government standards.
  • Technology Incubation (TIDE 2.0) Funding – INR 350 crore has been granted to support 51 tech incubators and fund 220 startups focused on digital innovation. The initiative will drive entrepreneurship, though startups may face challenges in securing funding and meeting government-backed innovation benchmarks.
  • Social Security for Gig Workers[2] – The Government will introduce official identification and health coverage for gig workers, requiring online platforms to participate in workforce formalization. This initiative ensures greater worker protection but may increase compliance costs for platform-based companies like ride-hailing and food delivery services.
  • Centre of Excellence in AI for Education – INR 500 crore has been allocated to establish a Centre of Excellence in AI under the Ministry of Education, aimed at improving education accessibility and learning outcomes through AI-driven solutions. AI-driven education initiatives will enhance teaching methodologies but may require careful data privacy considerations in student information handling.
  • IT Changes for Regulation of Virtual Digital Assets[3] – A new Section 285BAA in the Income Tax Act, 1961, mandates that virtual digital asset exchange platforms register with tax authorities and furnish transaction data. Crypto platforms will face stricter compliance requirements, with non-compliance potentially leading to penalties or legal consequences. The definition of ‘virtual digital asset’ has been broadened to include any crypto asset using secure technology, such as blockchain, to verify transactions. This regulatory expansion increases compliance obligations for businesses operating in the digital asset sector.

INTERNATIONAL 

2. EU enforces Legislation Safeguarding Financial Sector from Digital Threats[4]

On January 17, 2025, the EU enforced the Digital Operational Resilience Act, 2022 (“DORA”) aimed at strengthening the cyber resilience and Information and Communication Technology (“ICT”) risk management of financial entities. It applies to banks, insurance firms, fintech companies, and investment firms operating in the EU, requiring them to implement robust ICT security frameworks, incident reporting mechanisms, and resilience testing protocols. One of the key aspects of DORA is the focus on continuous risk monitoring, penetration testing, and real-time reporting of cyber incidents to ensure financial stability.

Impact on Businesses Servicing EU

DORA introduces supervisory oversight for critical third-party ICT providers that service the EU financial sector including cloud computing, software-as-a-service (“SaaS”), and cybersecurity firms. These providers will now be subject to contractual obligations, audit rights, and direct regulatory scrutiny from European authorities if they are classified as Critical Third-Party Providers. Financial institutions must ensure that their ICT service contracts include operational resilience guarantees, incident response obligations, and business continuity measures.

For businesses, particularly financial institutions and ICT service providers catering to EU clients, DORA compliance is essential to continue operations in the EU market. Businesses must assess their exposure, update their contracts with EU financial institutions to meet resilience obligations, and enhance cybersecurity frameworks through real-time risk monitoring, penetration testing, and incident reporting. Large ICT firms providing critical services to multiple EU financial entities should prepare for potential direct supervision by EU regulators.

Taking proactive steps to align with DORA will ensure that businesses remain competitive and compliant in the evolving regulatory landscape.

3. US introduces Tighter Regulations on Export of Biotechnology and AI-Driven Tools[5]

The Interim Final Rules (“Rules”) have been introduced to tighten export controls on certain biotechnology equipment due to national security concerns. Effective from January 16, 2025, the Rules place stricter licensing requirements on exporting advanced laboratory tools, such as high-parameter flow cytometers and specialized mass spectrometers, which could be misused for military or harmful purposes including human performance enhancement.

As per the Rules, exporters must also submit Electronic Export Information (EEI) through the Automated Export System (AES) for specific shipments. While these technologies have important medical and research applications, the Government aims to prevent them from being used to develop biological weapons or enhance foreign military capabilities. Medical devices approved by the Food and Drug Administration are exempt, ensuring that routine healthcare and research remain unaffected. Although the Rules are effective immediately, the Government has invited public comments on them until March 17, 2025.

4. In US GoDaddy booked for Misrepresentation of Data Security Practices[6]

An investigation against GoDaddy Inc. (“Company”) was undertaken for alleged unfair or deceptive business practices by misrepresenting its security practices. It was observed by the Federal Trade Commission (“FTC”), the investigating agency, that in its public statements, the Company suggested it had robust systems in place to safeguard sensitive information. However, these assurances were contradicted by the Company’s actual failures to implement proper security measures, such as asset management, software updates, and monitoring for threats. This discrepancy between what was promised and what was delivered led to various data breaches between 2019 and December 2022 and violated consumer trust.

Accordingly, the Company was ordered to implement a comprehensive information security program to safeguard customer data. The order prohibits the Company from making misleading claims about its security measures and requires it to document its security efforts, assess risks, and maintain safeguards. The Company was also directed to provide periodic reports to senior management and to ensure that it updates its security practices in response to any data breaches.

The FTC’s directive to implement a comprehensive security program and provide regular updates highlights the necessity for companies to not only make accurate claims about their data protection efforts but also to actively uphold them. This sends a strong message that businesses must take their data security obligations seriously and align their practices with public statements to ensure consumer protection in an increasingly digital world.

5. US Court reviews Petition on Cryptocurrency Laws[7]

The Third Circuit Court (“Court”), in the matter of Coinbase Inc. (“Company”) v. Securities and Exchange Commission (“SEC”) [No. 23-3202], reviewed the Company’s petition against the SEC’s refusal to provide clarity on the application of federal laws to digital assets, and subsequently ordered the SEC to provide further explanation of its denial.

In its petition, the Company argued that the current securities law framework does not address the unique characteristics of digital assets such as cryptocurrencies, making compliance both economically and technically challenging. The Company also claimed that the SEC has failed to provide a clear and consistent definition of when a digital asset qualifies as a security and is therefore subject to federal securities laws.

While the Court did not order the SEC to establish new regulations immediately, it emphasized the need for clearer guidance on cryptocurrency regulation, highlighting the complexity and evolving nature of digital asset laws.

6. UK released Guidelines on Data Sharing for Fraud Prevention and Detection[8]

Guidelines on ‘Sharing Personal Information for Fraud Prevention, Detection, and Investigation’ (“Guidelines”) have been released to help organizations navigate the complexities of data sharing within the boundaries of UK GDPR. The Guidelines provide clarity on when sharing personal data is lawful and necessary. They emphasize the importance of ensuring that data sharing is proportionate to the purpose, while still safeguarding privacy rights.

The Guidelines cover various critical areas, including the lawful bases for sharing personal data, the need for Data Protection Impact Assessments (DPIAs), and the special handling of sensitive or criminal data. The Guidelines are particularly valuable for organizations working in sectors like finance or telecoms, where cross-sector collaboration is essential to combat fraud effectively.

7. Bermuda enforces Data Privacy Legislation[9]

Bermuda has officially enforced the Personal Information Protection Act, 2016 (“PIPA”) on January 1, 2025.

PIPA sets out clear guidelines on how businesses, Government bodies, and other entities must collect, use, and share personal information in a fair and transparent manner. Key features include requirements for organizations to implement appropriate security safeguards, obtain consent for data usage, and ensure individuals have rights over their personal information, such as access, correction, and deletion. It also introduces strict rules on handling sensitive data and international data transfers to protect Bermuda residents from data misuse.

PIPA applies to all organizations that handle personal information in Bermuda, including both public and private entities. By enforcing accountability and privacy principles, it aligns Bermuda with global data protection standards, strengthening consumer trust and encouraging responsible data management practices.

Authors:

  • Rashmi Deshpande
  • Aarushi Ghai
