Technology Law and Data Privacy Updates

Latest News

Technology Law and Data Privacy Updates

Edition I - February 2025

INDEX 

A. SUMMARY

B. NATIONAL

C. INTERNATIONAL UPDATES

D. ABBREVIATIONS

SUMMARY 

Welcome to the latest edition of Fountainhead Legal’s Data Privacy and Technology Law newsletter.

In recent days, DeepSeek, a Chinese AI startup, has rapidly gained global attention. While its AI model is lauded for its cost-effectiveness and efficiency on less advanced hardware, concerns have emerged over its data practices. DeepSeek’s privacy policy explicitly states that user data, including text inputs and chat histories, is stored on servers in China. This raises significant concerns under India’s Digital Personal Data Protection Act (DPDP Act), particularly regarding data minimization, cross-border data transfers, and potential biases in AI algorithms.

Data protection remains a key focus, with MeitY extending the deadline for public consultation on the Draft Rules until March 5, 2025. Additionally, CCI has released the Draft CCI (Determining the Cost of Production) Regulations, 2025, aiming to refine competition law enforcement.

Regulatory scrutiny over digital content is also intensifying, as demonstrated by a recent FIR filed under Section 67 of the IT Act against popular influencers for obscene content on digital platforms. Meanwhile, privacy rights continue to be reinforced in Indian courts—the Calcutta High Court upheld an individual’s right to privacy in a CCTV surveillance dispute, while the Delhi High Court emphasized personal privacy protections under the RTI Act.

Further, enforcement in the Virtual Digital Assets sector has tightened, with FIU-IND imposing penalties on a major crypto exchange for non-compliance with PMLA and blocking its operations.

On the international front, regulatory action in the United States and the European Union underscores the increasing focus on AML, cybersecurity, and data protection. KuCoin, a major cryptocurrency exchange, faced enforcement actions over AML and compliance violations, leading to a substantial settlement and a temporary halt of its US operations. Meanwhile, the EDPB secured a legal victory, strengthening its authority to oversee cross-border data privacy investigations. Additionally, new GDPR guidelines on pseudonymization emphasize the importance of robust data security measures while clarifying compliance obligations.

As regulatory bodies worldwide adopt stricter enforcement measures, businesses must proactively ensure compliance with evolving legal standards. This newsletter provides key insights into these developments and their potential impact on organizations and the broader legal landscape.

Fountainhead Legal is committed to supporting organizations on this journey. With our deep expertise in data privacy compliance and a strong understanding of regulatory nuances, we offer tailored solutions for each client’s unique needs. From drafting privacy policies and developing data protection frameworks to advising on cross-border data transfers and facilitating employee training programs, our team is equipped to guide clients through every stage of their compliance strategy.

We hope you enjoy our latest updates!

NATIONAL 

1. Deadline for Stakeholders’ Submission on Draft Data Privacy Rules extended[1]

MeitY has extended the deadline for public consultation on the Draft Rules till March 05, 2025 from the earlier deadline of February 18, 2025.

The extension is due to the response to the representations received from several stakeholders.

The extension is a welcome move that gives more time for stakeholders to make a more detailed submission. So far, the important issues that have received attention during the stakeholders’ submissions are related to ‘consent manager’, ‘cross border transfers’ among other things.

2. ‘Draft CCI (Determining the Cost of Production) Regulations’ released for Public Consultation[2]

CCI has released Draft CCI (Determining the Cost of Production) Regulations, 2025 (“Regulations”) seeking stakeholder feedback. These Regulations play a crucial role in defining cost benchmarks used to assess predatory pricing, where dominant firms price goods or services below cost to drive out   competitors. Under the Competition Act, 2002, such practices are considered anti-competitive. The existing Cost Regulations of 2009 have been in place for over a decade, but with significant developments in competition law, both domestically and globally, a revision has been proposed to align with current economic and legal standards.

The updated regulations aim to improve clarity in evaluating pricing practices and strengthen competition enforcement. By ensuring fair market conditions, the revisions seek to promote healthy competition while safeguarding consumer interests.

CCI has invited stakeholders, including businesses, legal experts, and the public, to submit their comments and suggestions within 30 (thirty) days from February 17, 2025 to March 19, 2025.

3. FIR registered for alleged Obscene Content against Popular Influencers under Sec. 67 of IT Act

A recent FIR registered by the Maharashtra Police against a group of influencers, has brought Section 67 of the IT Act into the spotlight. The case stems from a content featured in a digital show, which allegedly violates this provision. The provision criminalizes the publication or transmission of obscene material in electronic form, such as through websites, social media or other digital platforms, imposing penalties that may include imprisonment of up to 3 years and a fine for first-time offenders, with stricter punishments for repeat violations. Currently, the case is at the stage of investigation.

As per Section 67, material can be considered obscene if it appeals to salacious interest, meaning it primarily focuses on sexual arousal or base desires. It can also be deemed obscene if it is lascivious in nature, referring to content that is lewd or vulgar in a sexual manner. Additionally, if the content is likely to deprave or corrupt the audience, particularly those who may come across it, such material may be considered obscene. Additionally, the Indian Courts apply the ‘Community Standard Test’ to decide whether any content falls within the definition of being ‘obscene’. However, the term ‘obscene’ or ‘obscenity’ is not specifically defined under any law in India.

This case underscores the complex relationship between freedom of expression and content regulation. While the Constitution of India guarantees the right to free speech under Article 19(1)(a), this right is subject to reasonable restrictions, including those related to public morality and decency. However, the application of Section 67 in the absence of clear statutory guidelines often leads to subjective decisions, particularly given the diverse nature of online content.

The case also raises questions about the balance between protecting public morality and ensuring that creators and platforms are not unduly restricted in their expression. With content being produced and consumed in real-time on a global scale, the existing laws may need to evolve to better address the complexities of digital media.

4. FIU-IND blocks Website and fines Crypto Exchange for non-compliance with PMLA[3]

FIU-IND has imposed a hefty penalty of INR 9.27 crore on Bybit Fintech Limited (“Company”) and blocked the Company’s website for non-compliance with the PMLA failing to register with FIU-IND, which is a mandatory requirement for all crypto exchanges operating in India. Despite, FIU-IND issuing detailed guidelines for ‘reporting entities’ under the PMLA, the Company continued its operations without complying.

This highlights the growing regulatory scrutiny on businesses, particularly in VDA sector. Beyond monetary penalties, authorities are also leveraging other legal frameworks, such as the IT Act, to enforce compliance. The blocking of website under assistance from MeitY further reinforces that regulatory bodies are adopting a multi-faceted approach to ensure adherence to legal obligations in this digital age, emphasizing the importance of compliance across various legislations.

5. Right to Privacy upheld in Dispute over CCTV Surveillance

The High Court of Calcutta, in Shuvendra Mullick v. Indranil Mullick and Others [F.M.A.T. No. 172 of 2024], has upheld the ‘right to privacy’ of an individual in the context of residential surveillance. In 2022, the respondents installed 9 CCTV cameras around their property, including 5 cameras within the appellant’s designated portion of the dwelling house, without his consent. The appellant raised concerns that these cameras violated his right to privacy and interfered with his use of the property. Despite lodging complaints with the local police and filing a petition under Section 144(2) of the CrPC, the dispute remained unresolved. Subsequently, the appellant filed a suit seeking the removal of the cameras and access to the recorded footage, along with a temporary injunction to stop their operation.

Accordingly, the Court ruled that the installation and operation of CCTV cameras inside the appellant’s residential portion without his consent was a violation of his right to privacy. The Court prohibited the respondents from using or operating the 5 cameras installed within the appellant’s portion of the property. The court did allow the parties to take alternative security measures for protecting valuable property and ordered joint control over the CCTV cameras and their management, including access to the recorded footage.

This ruling reinforces the growing importance of safeguarding privacy rights even within family or co-owned properties, ensuring that security measures do not infringe on individual freedoms and enjoyment of one’s property.

6. RTI Petition seeking Passport Details of Third Party dismissed

In Rakesh Kumar v. Central Public Information Officer and Other [W.P.(C) 5836/2018], the Delhi High Court denied the request filed by the petitioner, under the RTI Act, seeking passport details of certain individuals. The petitioner had sought information from the Regional Passport Office, Mumbai regarding the issuance of passports between 1984 and 1990.  The Court ruled that the passport details—being personal in nature—are exempt from disclosure under Section 8(1)(j) of the RTI Act, which protects personal information and guards against unwarranted invasion of privacy.

The judgment reaffirmed prior rulings that emphasize the need to protect individual privacy and noted that the petitioner’s reliance on similar cases was misplaced due to the specific factual context of the Mumbai office. Ultimately, the court dismissed the petition, maintaining the legality of the existing orders and reinforcing the principle that personal data, especially related to sensitive identification documents, remains shielded from public disclosure.

INTERNATIONAL 

UNITED STATES OF AMERICA

7. Crypto Enforcement Tightens as KuCoin settles AML and Compliance Violations[7]

KuCoin, a well-known cryptocurrency exchange, came under regulatory scrutiny for multiple compliance failures, prompting enforcement action by US authorities. The exchange was accused of operating without proper registration, failing to establish robust KYC procedures, and lacking adequate AML controls. The regulators asserted that these deficiencies created vulnerabilities for illicit financial activities, including money laundering.

In order to settle, it has been agreed that the exchange will suspend its US operations for a minimum of 2 years and implement stricter compliance measures. This includes reinforcing AML protocols, enhancing transaction monitoring systems, and ensuring full regulatory adherence. Additionally, the exchange will pay more than USD 297 million to the authorities as a part of the settlement.

The settlement represents a pivotal moment in the ongoing effort to regulate the cryptocurrency industry. It underscores the increasing scrutiny by regulatory authorities and the need for digital asset platforms to implement robust compliance measures. The case also serves as a warning to other crypto businesses about the consequences of non-compliance, reinforcing the importance of aligning operations with evolving legal and regulatory frameworks.

EUROPEAN UNION

8. EU Court upholds EDPB’s Authority in Investigations into Cross-Border Data Protection Issues[8]

The EU General Court affirmed the authority of EDPB to issue binding decisions in cross-border data protection disputes. The Irish DPC challenged the EDPB over its handling of investigations into Facebook, Instagram, and WhatsApp’s data processing practices. The DPC raised concerns about the scope and approach of the EDPB’s instructions, questioning their adequacy in addressing sensitive data processing issues.

The EU General Court clarified that EDPB’s binding decisions are legally enforceable on data protection authorities, ensuring that individual authorities cannot undermine the harmonized enforcement of GDPR. The decision underscores EDPB’s ability to address these challenges and ensure a unified regulatory framework for data protection within the EU.

This ruling emphasizes that both companies and DPAs must adhere to proper mechanisms for ensuring GDPR compliance. While companies are responsible for implementing strong data protection practices, DPAs are equally obligated to conduct thorough and effective investigations, particularly in cross-border cases.

9. Guidelines on Pseudonymization of Personal Data Released[9]

EDPB released Guidelines 01/2025 Pseudonymization (“Draft Guidelines”) to clarify the role of pseudonymization under GDPR. Pseudonymization involves modifying personal data so that it cannot be linked to an individual without additional information, which must be kept separate and secure. The Draft Guidelines stress that while pseudonymization serves as a risk-reducing security measure, it does not exempt the data from GDPR requirements, as pseudonymized data is still considered personal data under the regulation.

The Draft Guidelines outlines specific steps for implementing effective pseudonymization, including ensuring that any re-identification information is stored separately with proper technical and organizational safeguards. Techniques like encryption, hashing, and tokenization are recommended, with practical examples provided to help data controllers align with GDPR standards. Additionally, the Guidelines emphasize the need for ongoing monitoring and evaluation to maintain the integrity of pseudonymization measures in response to evolving risks.

The Draft Guidelines are open to public consultation till February 28, 2025.

For businesses, this means implementing robust pseudonymization techniques such as encryption, hashing, and tokenization while ensuring that re-identification data is securely stored and access is strictly controlled. Moreover, companies must regularly assess their pseudonymization measures to address emerging security threats and regulatory expectations. Failure to do so could result in non-compliance risks, potential data breaches, and regulatory scrutiny.

ABBREVIATIONS
  • AML- Anti Money Laundering
  • CCI- Competition Commission of India
  • CFT- Combating Financing of Terrorism
  • CIC- Chief Information Commissioner
  • CrPC- Criminal Procedural Code, 1973
  • DPA- Data Protection Authority
  • Draft Rules – Draft Digital Personal Data Protection Rules, 2025
  • EDPB- European Data Protection Board
  • FIU-IND- Financial Intelligence Unit – India
  • IT Act – Information Technology Act, 2000
  • PMLA- Prevention of Money Laundering Act, 2002
  • RTI Act- Right to Information Act, 2005
  • VDA- Virtual Digital Asset

Authors:

  • Rashmi Deshpande
  • Aarushi Ghai
  • Shriya Haridas

[1]https://www.meity.gov.in/writereaddata/files/Notice%20for%20Extension%20of%20Public%20Consultation%20on%20Draft%20DPDP%20Rules%202025.pdf
[2] https://www.cci.gov.in/images/whatsnew/en/background-note-51739789963.pdf
[3] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2098153
[4] https://www.justice.gov/usao-sdny/pr/kucoin-pleads-guilty-unlicensed-money-transmission-charge-and-agrees-pay-penalties
[5] ECLI:EU:T:2025:116 CURIA – Documents
[6] Guidelines 01/2025 on Pseudonymisation | European Data Protection Board

Disclaimer

Current rules of the Bar Council of India impose restrictions on maintaining a web page and do not permit lawyers to provide information concerning their areas of practice. Fountainhead Legal is, therefore, constrained from providing any further information on this web page except as stated below.

The rules of the Bar Council of India prohibit law firms from soliciting work or advertising in any manner. By clicking on ‘I AGREE’, the user acknowledges that:

The user wishes to gain more information about Fountainhead Legal, its practice areas and the firm’s lawyers, for his/her own information and use;

The information is made available/provided to the user only on his/her specific request and any information obtained or material downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site is not intended to, and will not, create any lawyer-client relationship; and

None of the information contained on the website is in the nature of a legal opinion or otherwise amounts to any legal advice.

Fountainhead Legal, is not liable for any consequence of any action taken by the user relying on material/information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.

I Agree I Disagree