The Corporate & Commercial Law Society Blog, HNLU

Tag: technology

  • The Digital Dilemma: Reimagining Independent Directors’ Liability under Companies Act, 2013

    The Digital Dilemma: Reimagining Independent Directors’ Liability under Companies Act, 2013

    BY SVASTIKA KHANDELWAL, THIRD- YEAR STUDENT AT NLSIU, BANGALORE

    INTRODUCTION

    The 2025 breach compromising the personal data of 8.4 million users of Zoomcar underscores the growing prevalence of digital risks within corporate governance. Such incidents raise pressing concerns regarding the oversight obligations of boards, particularly independent directors (‘IDs‘), and call for a critical examination of S.149(12), Companies Act, 2013 (‘the Act’), which limits ID liability to instances where acts of omission or commission by a company occurs with their knowledge, attributable through board processes and with their consent or connivance, or where they have not acted diligently.

    This piece argues that S.149(12) has not kept pace with the digital transformation of corporate operations and requires legislative reform to account for the dual challenges of digitalisation: the increasing integration of digital communication in corporate operations, and its growing impact on digital corporate governance failures like data breaches and cybersecurity lapses.

    Firstly, the piece traces the evolution of the IDs’ liability regime. Further, it examines the knowledge and consent test under the first part of S.149(12), arguing it fails to address accountability challenges in the digital-era. Subsequently, it analyses the diligence test as a more appropriate standard for ensuring meaningful oversight.  Finally, the article explores how S.149(12) can be expanded to effectively tackle the liability of IDs for digital governance failures.

    UNDERSTANDING S.149(12) OF THE ACT: SCOPE AND DEVELOPMENT

    In India, the emergence of ID has evolved in response to its ‘insider model’ of corporate shareholding, where promoter-driven concentrated ownership resulted in tensions between the majority and minority shareholders. This necessitated safeguards for minority shareholders and independent oversight of management. Before the 2013 Act, the duties of directors were shaped by general fiduciary principles rooted in common law. This lacked the specificity to address the majority-minority shareholder conflict effectively. A regulatory milestone came when SEBI introduced Clause 49, Listing Agreement 2000, requiring listed companies to appoint IDs. However, it offered limited guidance on the functions and stakeholder interests these directors were expected to protect. A more detailed approach was followed in the 2013 Act, which explicitly defined the role of IDs in S.149(6), S.149(12), and Schedule IV. This marked a transition from treating IDs as general fiduciaries to assigning them a more distinct role. IDs facilitate information symmetry and unbiased decision-making. Furthermore, they are essential for raising concerns about unethical behaviour or breaches of the company’s code of conduct. Significantly, they must safeguard the interests of all stakeholders, especially minority shareholders. By staying independent and objective, they help the board make informed decisions.

    This article focuses on S.149(12) of the Act, which contains two grounds for holding IDs liable. First, if the company’s actions occurred with the ID’s knowledge and consent or connivance, provided such knowledge must be linked to board processes. Secondly, liability arises due to the lack of diligence. Since the provision uses “or,” both grounds function independently; failing either can attract liability. While knowledge must relate to board proceedings, the duty of diligence extends beyond this. It is an autonomous and proactive duty, not confined to board discussions.

    REASSESSING THE KNOWLEDGE AND CONSENT TEST

    The piece argues that S.149(12)’s knowledge and consent standard is inadequate in the context of digital governance, where risks emerge rapidly and information is frequently acquired through digital channels.

    Firstly, courts have tended to apply S.149(12) narrowly, often solely focusing on the knowledge and consent test. They fail to go a step further to assess the duty of diligence. This incomplete approach weakens accountability and overlooks a key aspect of the provision. This narrow interpretation was evident in  Global Infratech, where the IDs were cleared of liability due to insufficient evidence indicating their participation in board proceedings. Interestingly, while SEBI held executive directors to a standard of diligence and caution, it imposed no such obligation on IDs. The decision emphasised that an ID can escape liability solely on the ground of not having knowledge acquired through board processes, without demonstrating that he exercised diligence by actively seeking relevant information. A similar restricted interpretation was evident in the Karvy decision, where SEBI absolved IDs of liability as they had not been informed of ongoing violations in board meetings, without addressing their duty to proactively seek such information through due diligence.

    Further concern arises from the judiciary’s conflation of the knowledge test with involvement in day-to-day functioning. In MPS Infotecnics and Swam Software, IDs were not held liable because they were not involved in the day-to-day affairs of the company. This finding was grounded in the belief that the ID lacked knowledge of the wrongdoing. Such a reasoning exposes a critical flaw in the knowledge test, which lies in treating an ID’s absence from daily affairs as proof that they were unaware of any misconduct, thereby diluting the ID’s duty to exercise informed oversight over core strategic decisions and high‑risk domains, including cybersecurity.

    This interpretation is especially problematic in view of digital governance failures. Various grave catastrophic corporate risks like data breaches and ransomware attacks arise from routine technological processes. Storing user data, updating software, and managing cybersecurity are daily activities that are central to a company’s operations and survival. The “day-to-day functioning” standard creates a perilous loophole. It allows an ID to escape liability by remaining willfully ignorant of the company’s most critical area of risk. An ID can simply claim they lacked “knowledge” of a cybersecurity flaw because it was part of “day-to-day” IT work. Thus, this piece argues that the judiciary’s narrow reading of S.149(12), which applies only the knowledge test, is inadequate in the digital domain. IDs need not be technology experts. Still, they must ask the right questions, identify red flags and ensure appropriate governance mechanisms are in place, including cybersecurity, thus reinforcing the need to apply the diligence test more robustly.

    Another shortcoming of this test is its over-reliance on attributing ID’s knowledge only to matters in formal board processes. In the digital era, this approach overlooks the reality that board decision-making and oversight increasingly occur outside the confines of scheduled meetings. The integration of real-time digital communication channels such as Gmail and WhatsApp highlights crucial gaps. It creates an evidentiary vacuum, since highly probative indications of negligence, like the dismissal of a whistleblower’s alert or a decision to ignore a cybersecurity risk, may be discussed within informal digital communications. Limiting knowledge to board meetings enables plausible deniability. IDs may engage in and even influence critical decisions through private digital channels, omit these discussions from the official record, and later easily escape liability under the knowledge standard, despite having complete awareness of the wrongdoing. Cyber crises unfold without warning, long before the next board meeting is convened. Their rapidity and opacity require IDs to act through digital channels. The exclusion of these communications from the liability framework offers an easy shield from responsibility.

    Compounding this issue, the requirement of “consent or connivance” fails to capture digital corporate environment nuances. Consent is no longer limited to clear, documented paper trails, but is often expressed by various digital cues in businesses. A “thumbs up” emoji in a WhatsApp group could signal agreement, acknowledgement, or simply receipt, therefore giving IDs room to deny intent and escape liability. This problem is exacerbated by end-to-end encryption and disappearing messages features on some instant-messaging applications. It allows erasing potential evidence. Moreover, connivance or covert cooperation can now take subtler digital forms, like an ID editing a cloud-sharing Google Document, replacing “imminent risk” with “need routine system check” in an audit report, intentionally downplaying a serious breach warning. The current wording of the provision is silent on whether this would make an ID accountable.

    Therefore, it is evident that the knowledge and consent test is insufficient in the face of pervasive digitalisation and warrants a wider interpretation in light of the foregoing developments in corporate operations.

    THE DILIGENCE TEST: A STRONGER STANDARD

    While ID liability has often been confined to the narrow ‘knowledge test,’ SEBI’s order in Manpasand Beverages Ltd. reasserts the importance of diligence. On 30 April 2024, SEBI held the company’s IDs responsible, noting that although they claimed a lack of access to vital documents, they made no effort to obtain them. This ruling signals a renewed commitment to holding directors accountable beyond mere knowledge.

    This is beneficial in the context of digital governance failures, as the diligence test provides a stronger framework for ensuring accountability; it imposes an obligation on IDs, as highlighted in Edserv Soft systems, where it was observed that due diligence requires questioning irregular transactions and following up persistently with uncooperative management. The Bombay Dyeing case held that IDs in audit committees are expected to question the presented information and actively uncover irregularities, even if deliberately hidden. It emphasised that IDs must question accuracy and demand clarity without relying solely on surface-level disclosures. The same heightened duty must apply to digital governance, where concealed cyber risks like breaches or ransomware pose equally serious threats and require equally proactive investigation.

    Therefore, the diligence test is more effective for tackling digital corporate governance failures as it replaces passive awareness with active oversight. Since these digital threats often remain hidden until too late, waiting for information is insufficient. It is not a tool for operational meddling but for high-level strategic scrutiny, like questioning a cybersecurity budget marked below industry benchmarks for a data-intensive organisation.

    CONCLUSION: CHARTING THE WAY FORWARD

    As shown, S.149(12) of the Act, in its current form, appears ill-equipped to tackle the realities of digital corporate governance failures. This concern may be addressed through an evolved interpretation of the existing framework, potentially supplemented by a clarificatory Explanation to S.149(12), specifically tailored to digital threats.

     A logical starting point for this evolution is a broader reading of “knowledge.” It can be expanded to include not only information attributable to formal board meetings but also any material information communicated to, or reasonably accessible by, the ID through any mode, including digital means. Additionally, a rebuttable presumption of “consent or connivance” can be inserted where IDs, after gaining such knowledge, fail to record objection or dissent within a reasonable time, especially when the matter involves a material risk to the company or a breach of law. This approach does not set a high threshold; it merely shifts the onus and strengthens timely oversight, encouraging IDs to speak up. Given the potential severity of cyberattacks, such an approach aligns with the need for heightened vigilance in digital governance.

    Further, the timeless duty of due diligence may be interpreted to include a baseline level of digital literacy. While they need not be technology professionals, they must understand enough to ask relevant questions and assess whether management has adequately addressed digital risks. Without this foundational competence, IDs cannot meaningfully engage with cybersecurity, data governance, etc, leaving oversight dangerously superficial.  Embedding this requirement under S.149(12) makes it a statutory duty, ensuring that failure to acquire or apply such skills can directly trigger liability. In the modern corporate landscape, technology is not optional; rather, essential and enduring. Therefore, IDs must be equipped to fulfil their duties in this environment.  

  • Contesting The ‘Big Tech’ Tag: India’s Digital Competition Bill At A Turning Point

    Contesting The ‘Big Tech’ Tag: India’s Digital Competition Bill At A Turning Point

    BY UJJWAL GUPTA AND BHAVISHYA GOSWAMI, SECOND- YEAR STUDENTS AT RMLNLU, LUCKNOW

    INTRODUCTION

    With India’s digital economy being nearly five times more productive than the rest of the economy, technological​‍​‌‍​‍‌​‍​‌‍​‍‌ companies have become central economic actors of a rapidly digitalising India, which prompted the need for a digital competition law to prevent the build-up of market power before it materialises. The Digital Competition Bill, 2024 (‘DCB’), aims at introducing ex-ante oversight to ensure competition in digital markets, thus complementing the already existing ex-post regime under the Competition Act, 2002. The DCB envisages a regime to identify Systemically Significant Digital Enterprises (‘SSDE’) and to impose conduct obligations on them.

    However, the draft has sparked discussion about whether its design manages to achieve the proper balance between restraining potential gatekeepers and protecting the growth of India’s tech ecosystem. While industry players and policy-makers generally agree on the necessity to control highly concentrated digital power, they are still worried that this tag may negatively affect rapidly growing Indian companies. The emerging proposal to allow companies to contest their SSDE designation reflects this balance-seeking approach. It indicates that the balance between protecting competition and giving the regulated entities fair treatment is not lost, i.e. the control does not hamper the innovation, investment, and the rise of domestic digital ​‍​‌‍​‍‌​‍​‌‍​companies.

    The SSDE DESIGNATION DEBATE

    One​‍​‌‍​‍‌​‍​‌‍​‍‌ of the key ideas of the DCB is SSDEs, which are entities that, due to their scale, reach, or market interlinkages, require ex-ante regulatory oversight. Under section 3 of the draft Bill, a company may be designated as an SSDE if it meets certain financial and user-based criteria. For example, a turnover in India of ₹4000 crore, global market capitalisation of USD 75 billion, or at least one crore end users. Besides, the Competition Commission of India (‘CCI’) can also identify an enterprise as an SSDE, even if it does not meet these quantitative criteria, by using qualitative factors like network effects, market dependence, or data-driven advantages. This allows the CCI to take preventive measures by identifying “gatekeepers” before their dominance becomes monopoly power.

    However, the Parliamentary Standing Committee and industry associations have pointed out that India’s comparatively low user threshold (one crore end users) might inadvertently prematurely rope in rapidly growing domestic firms, like Zomato or Paytm, that are still in the process of consolidating their market positions. By equating India’s digital scale with that of smaller Western markets, the Bill could act as a silent killer of innovation, deterring investment and freezing the entrepreneurial spirit. The concern is that the Bill’s broad definition of “systemic significance” could lead to a growth penalty and disincentivize the very growth India seeks to encourage under its “Digital India” and “Startup India” programs.

    Globally, the DCB draws clear inspiration from the European Union’s Digital Markets Act, 2022 (‘DMA’) and the UK’s Digital Markets, Competition and Consumers Act, 2024 (‘DMCC’). Each of their aims is to control the gatekeeping power of big tech companies. However, the implementation of the measures varies. The DMA is limited to ten defined “core platform services”, and it has already identified seven gatekeepers: Alphabet, Amazon, Apple, Booking, Byte Dance, Meta, and Microsoft. Moreover, it permits rebuttals under exceptional circumstances, a measure that is not in the current draft DCB. The DMCC creates the concept of “strategic market status” for dominant firms and thus puts more focus on tailor-made conduct rules. As per Schedule I, the draft DCB identifies nine “Core Digital Services”, similar to the DMA, excluding “virtual assistants”, and introduces “Associate Digital Enterprises”, defined under section 2(2), an Indian innovation to ensure group-level accountability.

    III. The Case for a Rebuttal Mechanism

    As established earlier, a ‍​‌‍​‍‌major concern of technology firms about the DCB is the lack of a mechanism to challenge a designation as an SSDE. These firms see such a designation as bringing problems of high compliance costs and of reputational risk to them, thus potentially labelling them as monopolistic even before any wrongdoing is established.

    The Twenty-Fifth Report of the Standing Committee on Finance recognised this problem. It stated that the current proposal has no provision for rebutting the presumption of designation based on quantitative thresholds, i.e., the Committee suggested referring to Article 3(5) of the DMA by implementing a “rebuttal mechanism in exceptional cases”. This would allow companies that meet or exceed quantitative criteria to demonstrate that they do not possess the qualitative features of gatekeepers, such as entrenched dominance or cross-market leveraging.

    Article 3(5) of the DMA is a good example in this case. Under it, companies can show “sufficiently substantiated arguments” which “manifestly call into question” their presumed gatekeeper status. In ByteDance v. Commission, the General Court of the European Union set a high standard for the issue and demanded that the companies bring overwhelming evidence and not mere technical objections. Firms like Apple, Meta, and Byte Dance have used this provision as a ground to challenge their identification; however, the evidentiary burden is still significant, and market investigations go on despite the fact that compliance with obligations is expected within six months after designation. Yet, the EU’s model illustrates that a rebuttal does not weaken enforcement; rather, it enhances it by allowing for flexibility in rapidly changing markets without compromising the regulator’s intention.

    The implementation of a similar mechanism in India would be beneficial in several ways. It would enhance the predictability of regulation and discouraging the over-designation of large but competitive firms, and also send a signal of institutional maturity consistent with international standards. In this context, the Centre is reportedly considering the introduction of an appeal mechanism that would allow firms to contest their designation after a market study on the digital sector is completed. However, the government still needs to deal with the possible disadvantages, such as the delay of enforcement against dominant players, the procedural burden on the CCI and the risk of strategic litigation by well-funded ​‍​‌‍​‍‌​‍​‌‍​‍‌corporations.

    IV. Dynamic vs. Fixed Metrics: Rethinking ‘Big Tech’

    The biggest challenge in DCB lies in the criteria for identifying SSDE as choosing between fixed quantitative metrics and dynamic qualitative assessments will shape administrative efficiency and long-term success. DCB follows primarily fixed metrics based on the DMA , having fixed quantitative criteria such as valuation or turnover for SSDE designation.

    The biggest advantage of fixed metrics is its speed and legal certainty. It becomes very simple vis-à-vis the administrative screening process when one has clear numerical boundaries, which then allows CCI to quickly identify the potential firms that pose competitive risks. However, this approach has attracted a lot of criticism. Industry stakeholders opine that the thresholds in DCB are “too low” and oversimplistic in the wage of a unique economic context and population scale of India.

    Another limitation is the risk of arbitrariness; if the benchmark were solely based on numerical terms, it could disconnect from the regulatory framework in finding a genuine entrenched competitive harm. For instance, in a market as large as India, having a high user database may only reflect the successful scaling and effective service delivery rather than having the real ability to act as an unchallengeable bottleneck. This challenge, where restriction is just imposed because a firm is successful irrespective of conserving if that firm has demonstrated any specific harmful market power, has led to a widespread demand that SSDEs forms should be allowed to contest this designation, and this tag should be revoked if they prove not to be harmful in the competitive or entrenched market power.

    On the other hand, the dynamic criteria are recognised in the DMCC, where the firm must possess ‘substantial and entrenched market power’. Through this, the UK regime can put conduct requirements based on qualitative and contextual market analysis, rather than quantitative analysis. However, its effective application requires resources vis-à-vis institutional capacity and legal justification while imposing terms on powerful firms.

    The dynamic criteria have been recognised by the CCI itself and provided a roadmap, which highlights the challenges arising out of the structural control that the big players have across the entire AI value chain and AI ecosystems, especially the control over data, computing resources, and models. The definition of the “significant presence” shall expand beyond turnover and should incorporate the firm’s control over the proprietary and high-quality resources, such as high-end infrastructure.

    V. The Road Ahead: Regulation without Stifling Growth

    The DCB will have a significant responsibility to manage the compliance needs of such a large country in its evolving shape. For that, the government is considering the establishment of a dedicated Digital Markets Unit within the CCI. It will be responsible for communicating with industry, academia, regulators, government, and other stakeholders, and facilitating cross-divisional discussions. It will avoid any structural damage caused by delays in the above-mentioned things.

    Yet another challenge is the very limited capacity of Indian regulators compared to other jurisdictions, which leads to the execution of prescriptive and technically complex regulations being extremely challenging. This deficiency in terms of specialised economists, data scientists, and technology lawyers would be the deciding factor in this fast-changing world, and India needs to cope with this as soon as possible.

    India’s number one priority is job creation through rapid growth, so that we can achieve sufficient wealth for all age groups. In the present scenario, policy experts have criticized the DCB, saying that it is “anti-bigness and anti-successful firms” that discourage Indian firms from expanding globally. Therefore, the DCB should maintain a balance that gives a fillip to competitiveness in the market while upholding the digital scale and innovation of one’s country.

    The DCB overlaps with the recently implemented amendments to the Competition Act, 2002. The Competition (Amendment) Act, 2023, has introduced the Deal Value Threshold, which makes it compulsory for any merger and acquisition that exceeds INR 20 billion to be notified prior. The problem would be the friction between the conduct control that the DCB would govern through its conduct rules and prohibitions, and structural control, because the mergers and acquisitions are subject to DVT clearance under the Competition (Amendment) Act.

    This dual scrutiny increases the legal complexity and transactional costs. Thus, if the proposed Digital Markets Unit under DCB lacks clear guidelines as to harmonise the existing inconsistencies between the conduct requirements and merger clearance conditions. This would lead to nothing but slowing down essential acquisitions imperative for scaling of the firm, and would contradict the overall aim of promoting efficient market dynamics.

  • SEBI’s AI Liability Regulation: Accountability and Auditability Concerns

    SEBI’s AI Liability Regulation: Accountability and Auditability Concerns

    AYUSH RAJ AND TANMAY YADAV, FOURTH AND THIRD-YEAR STUDENTS AT GUJARAT NATIONAL LAW UNIVERSITY, GANDHINAGAR

    INTRODUCTION

    Securities and Exchange Board of India’s (‘SEBI’) February 2025 amendments (Intermediaries (Amendment) Regulations, 2025) inserted Regulation 16C, making any SEBI-regulated entity solely liable for AI/ML tools it uses, whether developed in-house or procured externally. This “sole responsibility” covers data privacy/security, the integrity of artificial intelligence (‘AI’) outputs, and compliance with laws. While this shift rightfully places clear duties on intermediaries, it leaves unaddressed how AI vendors themselves are held to account and how opaque AI systems are audited. In other words, SEBI’s framework robustly binds intermediaries, but contains potential gaps in vendor accountability and system auditability. This critique explores those gaps in light of international standards and practice.

    SCOPE OF REGULATION 16C AND ITS LEGAL FRAMEWORK

    Regulation 16C was notified on Feb 10, 2025 with immediate effect. In substance, it mirrors SEBI’s November 2024 consultation paper: “every person regulated by SEBI that uses AI…shall be solely responsible” for (a) investor data privacy/security, (b) any output from the AI it relies on, and (c) compliance with applicable laws. The rule applies “irrespective of the scale” of AI adoption, meaning even small or third‑party use triggers full liability. SEBI may enforce sanctions under its general powers for any violation.

    This framework operates within SEBI’s established enforcement ecosystem. Violations can trigger the regulator’s full spectrum of penalties under the Securities and Exchange Board of India Act, 1992, ranging from monetary sanctions and cease-and-desist orders to suspension of operations. The regulation thus creates a direct enforcement pathway: any AI-related breach of investor protection, data security, or regulatory compliance automatically becomes a SEBI violation with corresponding penalties.

    The legal significance lies in how this shifts risk allocation in the securities ecosystem. Previously, AI-related harms might fall into regulatory grey areas or involve complex questions of vendor versus user responsibility. Regulation 16C eliminates such ambiguity by making intermediaries the single point of accountability, and liability, for all AI deployments in their operations.

    VENDOR-ACCOUNTABILITY GAP

    In practice intermediaries often rely on third-party models or data, but the regulation places all onus on the intermediary, with no parallel duties imposed on the AI vendor. If a supplier’s model has a hidden flaw or violates data norms, SEBI has no direct rulemaking or enforcement channel against that vendor. Instead, the intermediary must shoulder penalties and investor fallout. This one-sided design could dilute accountability: vendors might disclaim liability in contracts, knowing enforcement power lies with SEBI, not with the provider. As a result, there is a regulatory blind spot whenever AI harms stem from vendor error.

    Moreover, industry and global reports warn that relying on a few AI suppliers can create systemic risks. The Bank for International Settlements (BIS) Financial Stability Institute notes that “increased use of third-party services (data providers, AI model providers) could lead to dependency, disruption of critical services and lack of control,” exacerbated by vendor lock-in and market concentration. In other words, heavy dependence on external AI technologies can amplify risk: if one vendor fails, many intermediaries suffer concurrently. The US Treasury likewise highlighted the so‑called “vendor lock-in” problem in financial AI, urging regulators to require vendors to enable easy transitions between competing systems. SEBI’s framework currently lacks any mechanism to counteract lock‑in, such as mandated data or model portability requirements that would allow intermediaries to switch between AI providers without losing critical functionality.

    The recognition of these risks inherently places a responsibility on intermediaries to secure strong contractual controls with AI suppliers. This requires regulated entities to perform thorough due diligence and establish back-to-back arrangements with AI vendors to mitigate risk. Such agreements must include provisions like audit rights, data access, and vendor warranties. However, because explicit legal requirements are absent, the onus falls entirely on intermediaries to negotiate these terms. A failure to do so means SEBI’s liability framework itself provides no enforcement of vendor-side transparency.

    In practice, this gap means an intermediary could satisfy SEBI’s rule on paper (having liability assigned), yet still face failures or disputes with no legal recourse beyond its own contract. The regulator’s approach is asymmetrical: intermediaries have all the incentives to comply, while vendors have none. SEBI’s choice to rely on intermediaries may have been pragmatic, but it is a potential weakness if vendors operate without accountability.

    Consider an AI-driven trading recommendation system supplied by Vendor X. If X’s model generates a flawed recommendation that causes losses, Regulation 16C makes the brokerage (user) fully liable. Yet Vendor X could escape sanction if it sold the software “as is.” Under OECD principles, both the user and the supplier are expected to manage risk cooperatively, but SEBI’s text does not reflect that partnership.

    The foregoing points suggest that SEBI may need to clarify how vendor risks are handled. Potential solutions could include: explicitly requiring intermediaries to contractually compel vendor compliance and audit access, or even extending regulatory standards to cover AI vendors serving Indian markets.

    AUDABILITY AND TRANSPARENCY OF AI SYSTEMS

    A related issue is auditability. Even if intermediaries are liable, regulators must be able to verify how AI systems operate. However, modern AI, especially complex Machine Learning (ML) and generative models, can be “black boxes.” If SEBI cannot inspect the model’s logic or data flows, apportioning entire liability to an intermediary could be problematic.

    Regulators worldwide emphasize that AI systems must be transparent and traceable. The OECD’s AI Principles state that actors should ensure “traceability … of datasets, processes and decisions made during the AI system lifecycle, to enable analysis of the AI system’s outputs and responses to inquiry”. Similarly, a UK financial‑services review emphasizes that auditability “refers to the ability of an AI system to be evaluated and assessed, an AI system should not be a ‘black box’”. In practical terms, auditability means maintaining logs of data inputs, model versions, decision rationales, and changes to algorithms, so that an independent reviewer can reconstruct how a given outcome was reached.

    SEBI’s 16C does not itself mandate audit trails or explain ability measures. It only requires the intermediary to take responsibility for the output. There is no explicit requirement for intermediaries (or their vendors) to preserve model logs or allow regulator inspection. Without such provisions, enforcement of output accuracy or compliance with laws is hampered. For example, if an AI-generated trade signal caused a regulatory breach, SEBI (or a forensic auditor) needs access to the system’s internals to determine why.

    Industry guidance suggests that firms should make auditability a contractual requirement when procuring AI. This could involve specifications on data retention, explainability reports, and independent testing. In the SEBI context, best practice would be for intermediaries to demand from AI providers any data necessary for SEBI audits.

    In essence, two main concerns arise that are closely interconnected. BIS notes that “limits to the explainability of certain complex AI models can result in risk management challenges, as well as lesser … supervisory insight into the build-up of systemic risks“. If AI outcomes cannot be easily audited, SEBI risks being unable to verify compliance, and lacking explicit audit provisions, regulators and investors may lack confidence in the system’s integrity. Additionally, without mandated audit provisions, firms may neglect this in vendor agreements, though the operational reality for firms should be to include audit clauses and perform due diligence. SEBI should consider guidance or rules requiring regulated entities to ensure audit rights over AI models, just as banks must under banking third-party rules.

    CONCLUSION

    SEBI’s insertion of Regulation 16C is a welcome and necessary move: it recognises that AI is now mission-critical in securities markets and rightly puts regulated entities on notice that AI outputs and data practices are not outside regulatory reach. Yet the regulation, as drafted, addresses only one side of a multi-party governance problem. Making intermediaries the default legal backstop without parallel obligations on vendors or explicit auditability requirements risks creating enforcement illusions, liability on paper that is difficult to verify or remediate in practice.

    To make the policy effective, SEBI should close the symmetry gap between users and suppliers and make AI systems practically observable. At a minimum this means clarifying the standard of liability, requiring intermediaries to retain model and data audit trails, and mandating contractual safeguards (audit rights, model-version logs, notification of material model changes, and portability requirements). If SEBI couples its clear allocation of responsibility with enforceable transparency and vendor-accountability mechanisms, it will have moved beyond a paper rule to a practical framework that preserves market integrity while enabling safe AI adoption.

  • Contractual ‘Non-Use’ Covenants: Plugging the Shadow-Trading Gap

    Contractual ‘Non-Use’ Covenants: Plugging the Shadow-Trading Gap

    Aditya Singh, THIRD- Year Student, Rajiv Gandhi National University of Law, Punjab

    INTRODUCTION

    The successful prosecution in Securities and Exchange Commission (SEC) v. Panuwat has introduced “shadow trading” as a novel enforcement concept for securities regulators. While India is yet to confront a concrete instance of shadow trading and its cognizance by Securities and Exchange Board of India (‘SEBI’), the U.S. experience highlights a potential lacuna in domestic regulations. Under SEBI’s current framework, insiders face civil liability only when trading in the stock of the very issuer, whose Unpublished Price-Sensitive Information (‘UPSI’) -they possess, and SEBI must prove both that the information “likely to materially affect” a particular security and that the insider used it with profit motive. The application of the shadow-trading principle domestically would therefore demand a framework which captures UPSI-driven trades beyond the issuer’s own stock, without becoming entangled in intricate economic-linkage or intent inquiries.

    This piece shows how India can strengthen its insider-trading regime by requiring all “designated persons” to pre-commit—via an expanded Code of Conduct—to refrain from using any UPSI for profit, and then empowering SEBI to invoke misappropriation principles against any breach. It begins by defining “shadow trading,” contrasts the classical and misappropriation theories, and then sets out the covenant-plus-notice proposal and its statutory foundation. The piece goes on to address proportionality and practical objections before concluding with implementation steps.


    THE SHADOW-TRADING PUZZLE

    Scholars have defined shadow trading as – when private information held by insiders can also be relevant for economically-linked firms and exploited to facilitate profitable trading in those firms. In SEC v. Panuwat, the U.S. District Court for Northern California confronted a novel fact pattern: Matthew Panuwat, a Senior Director at Medivation, received a confidential email revealing Pfizer’s imminent acquisition of Medivation. Rather than trading Medivation stock, he bought shares of Incyte—a competitor whose share price would rise on news of the Medivation deal.

    On the anvils of misappropriation theory, it was held that Panuwat’s breach of Medivation’s insider trading policy which expansively prohibited trading (while in possession of Medivation’s inside information) in not only Medivation’s securities, but arguably in any publicly traded securities in which Medivation’s inside information would give its insiders an investing edge. This fiduciary duty to Medivation—gave rise to insider-trading liability, even though he never traded Medivation securities. In rejecting Panuwat’s argument that liability requires trading in the issuer whose information is misused, the court emphasized that “misappropriation of confidential information for trading any economically linked security” falls within the scope of securities fraud under Rule 10b-5.

    The above discussion necessitates understanding 2 main principles behind insider trading. Under the classical model, insider-trading liability arises when an insider breaches a fiduciary duty by trading in the issuer’s own securities. By contrast, misappropriation theory treats any breach of duty to the source of confidential information as actionable; and India has consistently adhered to the classical approach.

    POSSIBLE IMPLEMENTATION IN INDIA THROUGH EXPANSIVE INTERPRETATION

    While the market-protection, investor-equity, and price-discovery rationales behind the prohibition of insider trading have been extensively examined by scholars, those same principles equally justify a similar regulatory approach to shadow trading, which is effectively an extension of insider trading itself.

    An interpretative reading of the SEBI (Prohibition of Insider Trading) Regulations, 2015 (‘PIT Regulations’), can be used for the domestic application of shadow trading . Regulation 2(1)(n) defines UPSI as any information “directly or indirectly” relating to a company’s securities that is “likely to materially affect” their price. The qualifier “indirectly” can thus for instance bring within UPSI material non-public information about Company A that predictably moves Company B’s shares due to their economic linkage. Indian tribunals have already endorsed expansive readings (see FCRPL v SEBI).  Likewise, the definition of “Insider” under Regulation 2(1)(g) encapsulates anyone who “has access to” UPSI. Once that information is used to trade Company B’s securities, the trader effectively becomes an “insider” of Company B.

    However, relying solely on this interpretative route raises a host of practical and doctrinal difficulties. The next section examines the key obstacles that would complicate SEBI’s attempt to enforce shadow‐trading liability under the existing PIT framework.

    CHALLENGES TO IMPLEMENTATION

    Key implementation challenges are as follows:

    No clear test for “indirect” links: Using “indirectly” as a qualifier posits the problem that no benchmark exists to determine how tenuous an economic link between two entities may be. Is a 5 % revenue dependence enough? Does a 1% index weight qualify? Without clear criteria, every “indirect” claim becomes a bespoke debate over company correlations in the market.

    Heavy proof of price impact: To show UPSI would “likely materially affect” a non-source instrument, SEBI and insiders can each hire economists/experts to argue over whether UPSI about Company A truly “likely materially affects” Company B’s price. Disputes over timeframes, statistical tests, and which market indicators to use would turn every shadow-trading case into an endless technical showdown.

    Uncertain Profit-Motive Standards: Courts already grapple with an implicit profit-motive requirement that the PIT Regulations do not explicitly mandate—a problem Girjesh Shukla and Aditi Dehal discuss at length in their paper—adding an ambiguous intent element and uncertain evidentiary burden. In shadow‐trading cases, where insiders can spread trades across stocks, bonds or derivatives, this uncertainty multiplies and is compounded by the undefined “indirect” linkage test and the need for complex price impact proofs as outlined above.

    THE CONTRACTUAL “NON-USE” COVENANT AND IMPORT OF MISAPPROPRIATION THEORY

    The author argues here that, despite there being many ways through legislative action to solve the problem, the quickest and most effective solution to this problem would be through an import of Misappropriation theory.

    This can be done by leveraging SEBI’s existing requirement for written insider-trading codes. Regulation 9(1) of the PIT Regulations mandates that every listed company adopt a Code of Conduct for its “designated persons,” incorporating the minimum standards of Schedule B, with a designated Compliance Officer to administer it under Regulation 9(3).

    Building on this foundation, SEBI could introduce a requirement to each Code to include a “Non-Use of UPSI for Profit” covenant, under which every insider expressly agrees to (a) abstain from trading in any security or financial instrument while in possession of UPSI, except where a safe-harbour expressly applies, (b) accept that a formal “UPSI Notice” serves as conclusive proof of materiality, obviating the need for SEBI—or any adjudicator—to conduct fresh event studies or call expert testimony on price impact and (c) Safe-harbour provision: extent to which trades can be made, to be determined/formulated by SEBI from time to time. Section 30 of the SEBI Act, 1992 authorises the Board to make regulations to carry out the purposes of this Act, thereby making the addition procedurally valid as well. It is important to note here that this covenant works alongside SEBI’s trading-window rules under PIT Regulations: insiders must honour the temporary ban on trading whenever they hold UPSI.

    Time-bound blackouts are already standard: EU MAR Article 19 enforces a 30-day pre-results trading freeze, and India’s PIT Regulations enforces trade freeze during trading window closures. This covenant simply extends that familiar blackout to cover any UPSI capable of moving related securities to adapt to evolving loopholes in information asymmetry enforcement.

    Under this covenant structure, SEBI’s enforcement simplifies to three unambiguous steps:

    1. UPSI Certification: The company’s board or its designated UPSI Committee issues a written “UPSI Notice,” categorising the information under pre-defined, per se material events (financial results, M&A approvals, rating actions, major contracts, etc.).
    2. Duty Evidence: The insider’s signed covenant confirms a clear contractual duty not to trade on UPSI and to treat the Board’s certification as definitive.
    3. Trade Verification: Any trade in a covered instrument executed after the UPSI Notice automatically constitutes a breach of duty under misappropriation theory—SEBI needs only to show the notice, the covenant and the subsequent transaction.

    To avoid unduly rigid freezes, the covenant would operate as a rebuttable presumption: any trade executed after a UPSI Notice is prima facie violative unless the insider demonstrates (i) a bona-fide, UPSI-independent rationale or; (ii) eligibility under a defined safe-harbour.

    The import of the misappropriation theory will help execute this solution, that is to say, as soon as this covenant is breached it would be a breach of duty to the information’s source, triggering the insider trading regulation through the misappropriation principle.

    The misappropriation theory can be embedded in the PIT regulations through an amendment to the Regulation 4 by SEBI to read, in effect:

    4(1A). “No Insider shall misappropriate UPSI in breach of a contractual or fiduciary duty of confidentiality (including under any Company Code of Conduct) and trade on that information in any security or financial instrument.”

    The blanket restraint on trading engages Article 19(1)(g) of the Constitution but survives the four-part proportionality test articulated in Modern Dental College & Research Centre v State of MP and applied to financial regulation in Internet & Mobile Association of India v RBI.

    WHY NOT A FACTOR-BASED TEST?

    An alternative approach,  advocates for a similar factor based test to determine “abuse of dominant position” by antitrust regulators to be adopted to the PIT regulations to determine cognizable economic linkage. Under this model, SEBI would assess a mix of metrics to decide when Company A’s UPSI is “economically linked” enough to Company B’s securities to trigger liability.

    However, the author argues that the covenant-based approach would be more effective. Unlike a factor-based linkage regime, which demands constant recalibration of revenue shares, index weights and supply-chain ties; fuels expert-driven litigation over chosen metrics and look-back windows; produces unpredictable, case-by-case outcomes; imposes heavy database and pre-clearance burdens; and leaves insiders free to game the latest matrices—the covenant-plus-misappropriation model skips the entire exercise as relies on one clear rule: no trading on UPSI. SEBI’s job becomes simply to confirm three things: the insider signed the promise, the information was certified as UPSI, and a trade took place afterward. This single-step check delivers legal certainty, slashes compliance burdens, and sharply boosts deterrence without ever reopening the question of how “indirectly” two companies are linked.

    CONCLUSION

    The covenant-plus-misappropriation framework streamlines enforcement, preserves SEBI’s materiality standard, and leverages existing Code-of-Conduct machinery—allowing rapid roll-out without new legislation. However, its success depends on corporate buy-in and consistent compliance-monitoring: companies must integrate covenant execution into their governance processes, and SEBI will still need robust surveillance to detect breaches. Therefore, SEBI should publish a consultation paper and pilot the covenant with select large-cap companies
    to identify practical challenges before a market-wide rollout.

  • Digital Competition Bill: Complementing or Competing with the Competition Act?

    Digital Competition Bill: Complementing or Competing with the Competition Act?

    BY Winnie Bhat, SECOND- YEAR STUDENT AT NALSAR, HYDERABAD
    Introduction

    Data is the oil that fuels the engine of the digital world. The economic value and competitive significance of data accumulation for companies in the digital age cannot be overstated. It is in recognition of this synergy between competition and data privacy laws, that the Competition Commission of India (‘CCI’) has imposed a fine of Rs 213 crore on Meta, the parent company of WhatsApp, for abusing its dominant market position under Section 4 of the Competition Act, 2002 (‘CA’).

    As digital markets evolve, so too must the legal frameworks that regulate them. This article considers whether the proposed Digital Competition Bill, 2024 (‘DCB’) enhances the current competition regime or risks undermining it through regulatory overlap. In doing so, it assesses how traditional competition tools have been stretched to meet new challenges and whether a shift toward an ex-ante model is necessary and prudent.

    Reliance on Competition Act, 2002

    In the absence of a dedicated digital competition framework, Indian regulators have increasingly relied on the CA to address issues of market concentration, data-driven dominance, and unfair terms imposed by Big Tech firms. One of the clearest examples of this reliance is the CCI’s scrutiny of WhatsApp’s 2021 privacy policy. In the present case, CCI found that WhatsApp’s 2021 privacy policy which mandated sharing of users’ data with WhatsApp and thereafter its subsequent sharing with Facebook vitiated the ‘free’, ‘optional’ and ‘well-informed’ consent of users as WhatsApp’s dominant position in the market coupled with network and tipping effects effectively left users with no real or practical choice but to accept its unfair terms.

    This contrasts with the CCI’s previous stances in Vinod Kumar Gupta v WhatsApp and Harshita Chawla v WhatsApp & Facebook, where it declined to intervene because data privacy violation did not impact competition. However, in a slew of progressive developments, a market study by CCI has now recognized privacy as a non-price competition factor and the Supreme Court’s nod in 2022 for CCI to continue investigation in the Meta-WhatsApp mater has effectively granted CCI the jurisdiction to deal with issues relating to privacy that have an adverse effect on competition.

    The facts of this case very closely resemble that of Bundeskartellamt v Facebook Inc.,2019 wherein the German competition regulator had flagged Facebook for imposing one sided terms about tracking users’ activity in the social networking market where consent was reduced to a mere formality. Both cases illustrate how dominant digital platforms exploit their market power to impose unfair terms on users, effectively bypassing meaningful consent. This pattern reflects a deeper structural issue—where existing competition law, focused on ex-post remedies, is used to address the unique challenges of digital markets. It is precisely this regulatory gap that the proposed DCB seeks to fill through its ex-ante approach.

    Abuse of dominant positions by Big Tech companies in the digital era occurs in more subtle ways as the price of these services is paid for with users’ personal data. A unilateral modification in the data privacy policy leaves users vulnerable as they have little bargaining power against established corporate behemoths. These companies collect huge chunks of “Big data” by taking advantage of their dominance in one relevant market (in the present case, the instant messaging market) and use them in other relevant markets (social networking, personalized advertising, etc.) which gives them a significant edge against their competitors. This creates entry barriers and a disproportionate share of the market goes to a few large corporations resulting in monopoly-like conditions.

    To deal with such issues, competition law first identifies a corporation’s dominant position in the market. Once this is established, it investigates the factors that lead to the abuse of this position. Here, the factor is collection of data which invades the privacy of users without their free and informed consent. The CCI, in its ruling against Meta, held WhatsApp to be in violation of Sections 4(2)(a)(i), 4(2)(c) and 4(2)(e) of the CA, dealing with imposition of unfair conditions in purchase of service, engagement in practices resulting in denial of market access and use of dominant position in one market to secure its market position in another relevant market respectively.

    The Digital Competition Bill, 2024

    The proposed Digital Competition Bill, 2024  when enacted, would signify a landmark shift in how India approaches competition regulation in digital markets. Unlike the CA, which operates on an ex-post basis; acting upon violations after analysing their effects, the DCB introduces a proactive approach that seeks to regulate the conduct of Systemically Significant Digital Enterprises (‘SSDEs’) through an ex-ante framework. SSDEs are large digital enterprises that enjoy a position of entrenched market power and serve as critical intermediaries between businesses and users. The DCB aims to curb their ability to engage in self-preferencing, data misuse, and other exclusionary practices before harm occurs, rather than waiting for evidence of anti-competitive outcomes. While this progressive approach aims to address the unique challenges posed by the dominance of digital giants, it also raises critical concerns about legislative overlap, disproportionate penalties on corporations and potential legal uncertainty.

    A key issue with the coexistence of the DCB and the CA is the overlap in their regulatory scopes. The CA, particularly through Section 4, targets abuse of dominance through a detailed effects-based inquiry. As evidenced in the CCI’s ruling against WhatsApp, a compromise or breach of data privacy of the users will not be tolerated and has the potential to be considered as a means of abuse of an enterprise’s dominant position. By contrast, the DCB imposes predetermined obligations on SSDEs, which are deemed to have significant market power. Section 12 of the DCB prescribes certain limitations on the use of personal data of the users of SSDEs, whereas Section 16 grants the CCI the power to inquire into non-compliance if a prima facie case is made out, regardless of the effects such non-compliance may have on competition.

    Concerns about dual enforcement

    This duality creates an ambiguity. For instance, should a prima facie case involving data misuse by an SSDE, which unfairly elevates its market position, be assessed under the CA’s abuse of dominance provisions, or should it fall exclusively within the purview of the DCB? The risk of dual penalties further compounds these challenges. Section 28 (1) of the DCB empowers the CCI to impose significant fines (not exceeding 10% of its global turnover) on SSDEs for non-compliance with its obligations. However, under Section 48 of the CA, these entities are also subject to penalties for engaging in anti-competitive behaviour that may stem from the same act of data misuse.

    Although, the protection against double jeopardy only applies to criminal cases, the spirit of double jeopardy is clearly visible in this case, wherein businesses could face disproportionate punishments for overlapping offenses, raising concerns about fairness and proportionality. This mirrors similar concerns in the European Union, where the Digital Markets Act (‘DMA’) (India’s DCB is modelled on EU’s DMA) and Articles 101 and 102 of the Treaty on the Functioning of the European Union (traditional EU competition law provisions) operate in tandem. However, EU’s DMA grants the European Commission overriding powers over the nations’ competition regulating authorities, which brings unique challenges and is not applicable in India since the regulating authority (CCI) oversees implementation of both the CA and DCB. This vests the CCI with considerable discretion in deciding which act takes precedence and their spheres of regulation. The MCA report leaves potential overlaps in proceedings to be resolved by the CCI on an ad hoc basis. Therefore, statutory clarity on the application of the DCB and the CA are essential to avoid inconsistency in outcomes.

    The Way Forward

    To address these challenges, India must focus on creating a harmonious regulatory framework. Moreover, a Digital Markets Coordination Council could be established to harmonize enforcement actions, share data, and resolve jurisdictional disputes. Such a body could include representatives from the CCI, the Ministry of Electronics and Information Technology (MeitY), and independent technical experts to ensure holistic oversight.

    Proportional penalties are another area for reform. Lawmakers should ensure that corporations do not have to bear the burden of being punished in two different ways for the same offence. Introducing a standardised penalty framework across the DCB and CA would prevent over-penalisation and ensure fairness.

    Since the DCB has not been enacted yet, India can pre-empt these concerns of overlap and ensure that the CA and DCB complement rather than compete with each other. The exact scope of a solution to these concerns is beyond the scope of this article, but by learning from the EU’s experiences and adopting a coordinated, balanced approach, India can create a regulatory framework that promotes innovation, safeguards competition, and protects consumers’ rights and interests in the digital age.

  • From Approval To Autonomy: SEBI’s New Framework For Stock Brokers In GIFT-IFSC

    From Approval To Autonomy: SEBI’s New Framework For Stock Brokers In GIFT-IFSC

    BY Vishvajeet Rastogi, SECOND-YEAR STUDENT AT CNLU, PATNA
    INTRODUCTION

    The Gujarat International Finance Tec-City – International Financial Services Centre (‘GIFT-IFSC’) is India’s ambitious bid to develop a globally competitive financial centre catering to international markets and investors. A major regulator of securities markets in India, the Securities and Exchange Board of India (‘SEBI’) has inducted significant regulatory reform to ease the operational environment for stock brokers who seek to operate in GIFT-IFSC.

    On May 2, 2025, SEBI released a circular titled Measure for Ease of Doing Business – Facilitation to SEBI registered Stock Brokers to undertake securities market related activities in Gujarat International Finance Tech-city – International Financial Services Centre (GIFT-IFSC) under a Separate Business Unit” (‘SEBI Circular’) abolishing pre-approval for stock brokers for conducting securities market activities in GIFT-IFSC and enabling them to conduct such activities through a Separate Business Unit (‘SBU’) of their existing structure. This transition from a strict approval regime approach to an autonomous regime is likely to promote ease of doing business and support the internationalization of India’s financial services.

    This article assesses the salient provisions of the SEBI Circular, discusses its regulatory and legal implications, and reviews the opportunities and issues it throws for stock brokers’ foray into the GIFT-IFSC.

    KEY CHANGES

    The SEBI Circular brings in major reforms in order to ease the functioning of stock brokers in the GIFT-IFSC. It does away with the mandatory condition under which stock brokers have to take SEBI’s advance approval for starting securities market activities in GIFT-IFSC. The reform eases the entrance process and enables brokers to get started sooner with less procedural complexity.

    `In place of the previous approval mechanism, stockbrokers can now conduct activities through an SBU within their existing organizational structure. An SBU can be created in the form of an exclusive branch or division, providing more flexibility in organizing the business of brokers. Although the SEBI Circular encourages the utilization of SBUs, it also leaves the choice for stockbrokers to carry on through subsidiaries or through joint ventures if desired. Similarly, brokers who have already established subsidiaries or joint ventures in the GIFT-IFSC can choose to wind them down and bring their activities under an SBU if it aligns with their business strategy.

    The SEBI Circular also defines regulatory contours by bringing the operations of the SBU under the ambit of the International Financial Services Centres Authority (‘IFSCA’). That is to say that policy issues, risk management, grievance redressal, and enforcement in relation to the SBU will be regulated by IFSCA rules, not SEBI. SEBI’s jurisdiction will continue to extend only to Indian securities market activities. For the purposes of clear demarcation between the two activities, the SEBI Circular requires activities of the SBU to be segregated from the stockbrokers’ domestic activities at arm’s length. This requires maintaining separate accounts and operational autonomy to prevent regulatory overlap.

    Financial segregation has also come with the condition that the net worth of the SBU must be held separate from the stock broking entity dealing in the Indian market. The net worth of the stockbroker for Indian operations will be computed excluding the finances of the SBU, and the SBU itself will have to fulfil capital adequacy norms as per IFSCA’s regulatory guidelines.

    Finally, the SEBI Circular makes it clear that the investors dealing with the SBU will not be subject to SEBI’s grievance redressal platforms like the SEBI’s Complaints Redress System (‘SCORES’) or the Investor Protection Fund operated by the stock exchanges. Their protections and redressal of grievances will instead come under the framework of the regulation of IFSCA, strengthening the operational autonomy of the unit in the GIFT-IFSC.

    Together, these amendments constitute a policy shift towards regulatory clarity and increased operational autonomy with well-codified governance norms to allow stock brokers to successfully increase their presence in international financial services.

    Regulatory Rationale and Objective

      This SEBI Circular outlines the new strategy to promote operational efficiency and regulatory clarity for the stock brokers in the GIFT-IFSC. Removal of the requirement of prior approval from SEBI enhances the regulatory ease of doing business by reducing barriers to entry for brokers to conduct cross-border securities activities. This reform aligns with the larger vision of transforming the GIFT-IFSC into an internationally competitive financial centre at the global stage with international capital and global-level market players.

      The setting up of SBUs in existing stock-broking establishments brings about an objective definitional and regulatory distinction between transactions in domestic business and activities under the jurisdiction of GIFT-IFSC. Segregation does away with regulatory overlap, demarcates the areas of oversight between SEBI and the IFSCA, and protects against conflict of interest.

      Segregation requirements for finances as well as separate net worth requirements and accounting methods further specify that risk and obligation are properly segmented. These requirements increase transparency and the integrity of domestic and foreign market segments.

      In addition to this, the SEBI Circular specifically defines the extent of investor protection and vests grievance redressal and resolution of disputes in the jurisdiction of IFSCA and thereby strengthens jurisdictional certainty.

      Legal and Compliance Implication

      This SEBI Circular represents an important jurisdiction shift for stock brokers who are present in the GIFT-IFSC from SEBI to the IFSCA for business transacted through SBUs. This requires strict adherence to the dual regime of regulation where domestic business continues to be under SEBI’s jurisdiction while SBUs in the GIFT-IFSC operate in terms of IFSCA’s separate regulatory regime.

      The keystone of such a structure is the rigorous ring-fencing requirement with financial, operational, and legal separation between domestic and GIFT-IFSC activities of the stock broker. Financial ring-fencing implies separate accounts maintained by the SBU and separate net worth standards as governed by IFSCA to have clear delineation of assets and liabilities. Operationally, the SEBI Circular stipulates separation of SBUs through arm’s-length management to avoid inappropriately influencing control and mixing of resources. Legally too, separation enforces jurisdiction-related divisions, reduces regulatory arbitrage, and limits system risk.

      This regulatory framework replicates international best practices in influential global financial hubs like the Dubai International Financial Centre (‘DIFC’) and Singapore Monetary Authority-regulated centres. These jurisdictions all prioritize unambiguous jurisdictional demarcation, independence in operations of international financial institutions as well as strong investor protection systems, which support integrity in the marketplace and investor confidence.

      Emulating such principles, SEBI’s SEBI Circular establishes GIFT-IFSC as a compliant and competitive global hub, weighing deregulation against essential safeguards to preserve financial stability and regulatory oversight.

      Opportunities and Challenges for Stock Brokers

      These new guidelines offer stock brokers some strategic options. Most significant among them is greater operational independence, enabling brokers to carry out international securities activities in the GIFT-IFSC with the help of SBUs without obtaining SEBI approval in advance. This independence allows for quicker entry into the market, where brokers can leverage new opportunities in the international markets more easily. Also, carrying out business in the GIFT-IFSC exposes brokers to more international customers and varied financial products, largely opening them up to an extended marketplace and new revenue streams.

      But these advantages carry built-in difficulties. Dual regulatory compliances present a nuanced challenge in that stock brokers have to manage the regulatory conditions of SEBI for their Indian operations as well as IFSCA for their activities in the GIFT-IFSC. This duplicity requires evolved compliance structures and internal controls for maintaining conformity with separate law regimes. In addition, the investor dealing with SBUs will not be able to enjoy SEBI’s prescribed grievance redressals like SCORES, which can potentially create investor protection and redress concerns.

      Internally, stock brokers also need to have strict ring-fencing of resources and finances to have clean separation of both domestic and international operations. Proper management of the segregation is important in order not to have operational overlaps, to protect financial integrity, and to guard against commingling of assets and liabilities. While the SEBI Circular paves the way for internationalization and growth, it also necessitates enhancing the risk management capacities and the regulatory infrastructure of the stock brokers.

      Conclusion and Way Forward

      The SEBI Circular is a forward-looking step towards increasing the regulatory independence of stock brokers in GIFT-IFSC by doing away with previous approval systems and permitting activities in terms of SBUs. The reform not just makes it easier to enter the market but also strengthens India’s vision of promoting GIFT-IFSC as an international financial centre powered by well-defined regulatory lines between SEBI and IFSCA.

      While it introduces new opportunities, it also poses issues like managing the dual regulatory compliances and lack of SEBI’s grievance redressals for investors transacting with SBUs. The author suggests that the stock brokers need to pre-emptively enhance their systems of compliance and risk management in order to be able to manage such complexity. In addition, having closer collaboration between SEBI and IFSCA on regulatory harmonization, particularly investor protection, would increase the confidence of the markets. Proper communication to the investor about the grievance mechanism applicable under IFSCA is also needed to inculcate trust and transparency in the new ecosystem. Using these steps, stock brokers can reap the maximum advantage of this regulatory change and promote sustained development and international integration of India’s financial markets.

    1. The European Commission’s Fine On Meta For Tying Allegations And Why India Needs To Do More

      The European Commission’s Fine On Meta For Tying Allegations And Why India Needs To Do More

      BY ANUSHKA GUHA, THIRD-YEAR STUDENT AT NLU, ODISHA

      INTRODUCTION

      The European Commission (‘EC’) fined Meta for tying Facebook Marketplace (‘FM’) to its social media platform, Facebook, in November 2024. FM is Meta’s online classified advertisement service which was introduced in 2016 and can be used to sell and buy products. Tying is a practice in which the availability of a product or a service is made conditional upon the availability of another. The EC found that Facebook had used its dominant position in the market for social networks and in the market for displaying classified ads to tie both services. What this essentially does is, expose all users of Facebook to FM, regardless of whether they want to see those ads or not. Such practices pose a competitive disadvantage for other online classified ads services, as they do not have access to the enormous database of social media users like Facebook does. Meta has also been accused of imposing unfair trade conditions through its terms of service that authorizes it to use ad-related data of competing classified ads service providers, who advertise on Facebook and Instagram, for the benefit of FM.

      GLOBAL SCRUTINY ON META

      This comes at a time when Meta is also under the scrutiny of the United States Federal Trade Commission for its acquisition of WhatsApp and Instagram resulting in the elimination of competition among social media platforms. The EC has previously fined Meta for providing misleading information during the WhatsApp-Facebook merger in 2014. In India, the Competition Commission of India (‘CCI’) has penalised Meta for abuse of its dominant position over WhatsApp’s contentious privacy policy introduced in 2021, which authorized the messaging platform to share user data with its parent company Meta and its subsidiaries. 

      This is not the first time Meta has been accused of tying its services. The launch of Threads in 2023 raised concerns about tying, as it requires one to have an account on Instagram. Meta, formerly known as Facebook, acquired Instagram, a photo-sharing app, in 2012. Although marketed as a competitor of microblogging platform X, the prerequisite of an Instagram account to operate the application makes it vulnerable to antitrust scrutiny, because the functioning of Threads and Instagram is fundamentally different. The Turkish Competition Authority, Rekabet Kurumu (‘RK’), has been investigating Meta’s anti-competitive practices since last year. In December 2023, the RK launched an investigation into the alleged tying of Threads and Instagram. 

      Subsequently, in January 2024, Meta was fined $160,000 per day for failure to adequately address competition concerns arising from its dominance in social networking, consumer communication, and online advertising. Most recently, the RK fined Meta $37.20 million over data-sharing practices between Facebook, WhatsApp, Instagram, and Threads.

      TYING : THE INDIAN PERSPECTIVE

      Tying is prohibited under section 4(2)(e)  of the Competition Act, 2002, in the context of abuse of dominance. The CCI’s interpretation of tying has been a bit more restrictive than its European counterpart. This is especially demonstrated by the element of ‘coercion’ which is very narrowly considered by the CCI. We will try to understand this through two cases: Harshita Chawla v. WhatsApp and Facebook (‘Harshita Chawla’) and the Baglekar Akash Kumar v. Google LLC (‘Google Meet case’). 

      In Harshita Chawla, WhatsApp was accused of tying its Unified Payments Interface, WhatsApp Pay (‘WPay’) services with its messaging platform. The CCI dismissed the allegations on two grounds: first, that the element of ‘coercion’ in using the two products was absent; and second, that it did not cause foreclosure of competition in the market for payments services. It is prima facie amply clear that WhatsApp’s messaging platform and WPay operate in different relevant markets, which is a consideration that was taken into account by the CCI as well. However, its rationale for reaching the conclusion stands on shaky ground. The CCI has failed to consider here that WPay is not independent of the messaging platform, and users need to have a WhatsApp account in order to use it. While the implementation of WPay did not foreclose competition in the market of payment services by itself because it is a heterogeneous market, WhatsApp’s conduct is in clear violation of Section 4(2)(e) for two reasons: first, that users need to use the messaging platform in order to use WPay; and second, that WhatsApp leveraged its dominance in the smartphone-based OTT messaging service market to enter into the payments services market.

      A similar reasoning was used in the Google Meet case. In 2020, Google was accused of anti-competitive tying following the integration of its video-conferencing service Google Meet (‘Meet’) with its client mail service, Gmail. This meant that Meet came pre-installed with Gmail and the latter could not be used without the former. CCI dismissed the allegations on Google on two grounds. Firstly, users were free to use Meet without having a Gmail account. They just needed a Google account, not Gmail. Additionally, they were not under an obligation to necessarily use the video-conferencing service while using Gmail. Secondly, it did not restrict users from using other video conferencing apps with their Google account, thus reaching the conclusion that users are not being ‘coerced’ to use Meet and Gmail together. This approach again overlooks the fact that a dominant enterprise (here, Google) leveraged its position in one relevant market (here, client mail service) to enter into another relevant market (here, video-conferencing service). 

      A PROBLEMATIC APPROACH

      The CCI’s narrow interpretation and mandatory requirement of ‘coercion’ in order to constitute tying is arguably not a favorable one. As demonstrated by both the cases above, it clearly neglects the presence of leveraging. Even if we consider that WPay did not cause foreclosure of market competition in Harshita Chawla, it does not weaken the fact that if a user wishes to use WPay, they would necessarily have to pass through WhatsApp, thereby increasing the market power of the messaging platform and giving it a competitive edge over its counterparts in that relevant market. Additionally, the CCI completely ignores the aspect of consumer inertia or status quo bias with its disproportionate focus on coercion. The concept of status quo bias assumes that consumers refrain from making active choices to change the status quo regardless of economic irrationality. In comparison, it has been due importance by the EC on more than one instance, a notable one being the Google Search (Shopping) decision, where it was observed that of the total consumers, only 1% looked at the second page of Google search results. Similarly, a user with a Gmail account is more likely to tilt towards using Meet over other video-conferencing apps, simply out of convenience, or one may say, irrationality

      If we apply the Indian approach to the present case of Meta tying FM with Facebook, chances are that Meta will probably escape CCI’s scrutiny, specifically with respect to tying, because it does not ‘coerce’ Facebook users to necessarily use FM. Users can use the social media platform without using the classified ads services and are also free to use other classified ads services while using Facebook. This approach ignores the aspect that FM is a service that cannot be used in isolation without having a pre-existing Facebook account. Consumer inertia is a significant factor in this case, considering the enormous user base of Facebook. Additionally, as compared to any other online classified ads services, Meta obviously has access to a variety of personal data of millions of users across the world (‘Big Data’), which gives it a significant competitive advantage. Something that has been consistently also ignored is the annoyance caused to the users who do not want to use the additional services but are unable to disable them. These are factors that must be taken into account by CCI while adjudicating upon tying allegations in the digital market. 

      CONCLUSION AND THE WAY FORWARD

      In evolving digital markets, Big Data raises competitive concerns, when dominant undertakings use it to the detriment of other competitors, by indulging in tying and leveraging. Being a non-price parameter for competition, possession of Big Data by technological giants (‘Big Tech’) puts non-dominant enterprises at a disadvantage. This is where competition regulators are expected to step in. As Big Tech is under stringent scrutiny around the world, remarkably in jurisdictions other than the European Union, it calls for stronger compliance strategies. For more market-friendly effects of antitrust regimes, it is essential to go beyond the imposition of fines. A monetary penalty, no matter how hefty it is, does not act as an effective deterrent for Big Tech as compared to the money that they make every minute of the day. Antitrust watchdogs should go further than that, and ensure the termination of the services or modification of anti-competitive features of such services, in order to protect and promote competition in the market. Considering liberal jurisdictions like the United States are becoming more active in scrutinising the distortion of competition by Big Tech, it is essential for developing economies like India to catch up as well, and not shy away from imposing stringent measures in the interest of consumer welfare. As we anticipate India’s ex-ante framework, one can hope that CCI will take its lessons and adopt a more dynamic approach in the future. 

    2. Algorithmic Enforcement and Anti-Competitive Effects: CCI vs. Swiggy and Zomato

      Algorithmic Enforcement and Anti-Competitive Effects: CCI vs. Swiggy and Zomato

      BY VASHMATH POTLURI, THIRD-YEAR STUDENT AT NALSAR, HYDERABAD

      INTRODUCTION

      The food delivery market in India has been one of the most dynamic and volatile markets, witnessing the quick exit of players like Uber Eats and Food Panda, among others, while being dominated by Zomato and Swiggy with a whopping market share of 58% and 42%, respectively. While there are many factors for such dominance, the recent allegations of Price Parity Clauses (“PPCs”) and exclusive agreements by the National Restaurants Association of India (“NRAI”) against both these platforms shed some light on the reasons for such market share. The findings of the Director General (“DG”), as reported by Reuters, indicate that the Competition Commission of India (“CCI”) is proceeding against these platforms under section 3(4)(c) of the Competition Act, 2002 (“Act”) based on the presumption that Swiggy and Zomato operate in a vertical framework as intermediaries distinct from their restaurant partners. However, this article challenges this presumption and argues that Swiggy and Zomato’s ownership of cloud kitchens transforms their relationship with restaurants into one of direct competition. As a result, this paper pushes for a reclassification of this case under Section 3(3)(a) and (b), enabling a shift from a ‘rule of reason’ approach to a per se standard. 

      The article advances this argument in a two-fold manner. First, it will analyze the anti-competitive effects of PPCs and exclusivity agreements, particularly in conjunction with Swiggy and Zomato’s cloud kitchens. Second, it will examine the role of dynamic algorithms in furthering these practices, proposing the introduction of the Algorithmic Facilitation Standard (“AFS”) in the Act, to ensure regulatory scrutiny and transparency in the market in line with the approach of the EU. 

      HORIZONTAL PRICE FIXING AND MARKET ALLOCATION

      The allegations by the NRAI that Swiggy and Zomato operate their cloud kitchens and enter into arrangements such as PPCs and exclusivity agreements throw light on the dominance of these platforms through anti-competitive practices. These practices demonstrate that these platforms are not merely intermediaries with restaurants as downstream partners, but competitors operating simultaneously in both the food preparation and delivery markets. This dual role works to the detriment of independent restaurants. 

      In the MakeMyTrip (“MMT-GO”) case, the CCI assessed the anti-competitive effects of wide Price Parity Clauses (“PPCs”) and exclusivity partnerships in a vertical framework between MakeMyTrip, Goibibo, and OYO with their hotel partners. The CCI found that these agreements restricted hotels from offering lower prices or better terms on competing platforms, creating entry barriers and limiting consumer choice. As a result, the CCI held that these agreements resulted in an Appreciable Adverse Effect on Competition (“AAEC”) — a standard under Section 19(3) of the Act, which examines factors such as foreclosure of competition, barriers to entry, and harm to consumer choice. Relying on these findings, this article argues that the anti-competitive practices of Swiggy and Zomato produce identical effects, such as inflated prices and foreclosure of competition, but in a horizontal framework rather than a vertical one. 

      Applying the findings of the MMT-GO on wide PPCs, the PPCs entered into by Swiggy and Zomato are wide because they suppress competition in the market by mandating that restaurants maintain uniform prices across all channels, including their direct platforms and competing delivery services. This eliminates price differentiation and forces restaurants to inflate prices, depriving consumers of competitive pricing or discounts. These clauses also ensure that Swiggy and Zomato’s cloud kitchens are insulated from price competition, as restaurants cannot undercut them even when operating more cost-effectively. On the other hand, exclusivity agreements further suppress competition by restricting restaurants from listing on competing platforms or offering direct delivery services, creating a “lock-in” effect. This limits consumer access to popular restaurants and forecloses rival platforms from competing effectively. 

      These arrangements unfairly establish the dominance of Swiggy and Zomato’s cloud kitchens by allowing them to leverage vast data generated through their platforms. This data provides critical insights into consumer preferences, including popular cuisines, peak ordering times, delivery locations, and pricing trends. Using this information, Swiggy and Zomato can strategically design their cloud kitchen offerings to align with market demand precisely, bypassing the trial-and-error process faced by independent restaurants. They can quickly identify underserved cuisines or delivery zones and establish cloud kitchens to fill these gaps with minimal risk and cost. This data-driven approach grants their cloud kitchens a significant competitive edge over independent restaurants, which lack access to such comprehensive data and must rely on slower, costlier market research methods.

      The combined effects of PPC, exclusivity agreement, and cloud kitchens on a horizontal level, results in the creation of barriers to entry and foreclosure of competition, causing an AAEC under Section 19(3)(a) to (c). Hence, this article argues that the CCI must re-examine this case under Section 3(3)(a) and (b) through a ‘per se’ approach. Taking inspiration from the EU’s Vertical Block Exemption Regulation (“VBER”), which removed wide PPCs from the regulatory exemption, the CCI could impose cease-and-desist orders and monetary penalties, ensuring a competitive marketplace.

      ALGORITHMIC FACILIATATION STANDARD

      Swiggy and Zomato’s algorithms play a crucial role in enforcing PPCs and exclusivity agreements, amplifying their anti-competitive effects. These platforms use algorithms to monitor pricing across various channels, including restaurants’ direct platforms and competing delivery services, ensuring strict compliance with PPCs. By scanning for pricing discrepancies, the algorithms flag instances where restaurants offer lower prices on alternative channels. Non-compliant restaurants face automated penalties, such as reduced visibility in search results or exclusion from promotional campaigns, discouraging price competition. Similarly, these algorithms enforce exclusivity agreements by tracking restaurants’ activities on competing platforms. Exclusive partners receive preferential treatment, such as enhanced visibility, while restaurants breaching exclusivity face reduced exposure, limiting their ability to attract orders.

      Operating as a “black box,” these algorithms lack transparency, leaving restaurants unaware of the reasons for penalties or visibility changes. This creates a unilateral power dynamic that disproportionately favours Swiggy and Zomato, making it difficult for restaurants to challenge or adapt to platform policies.  In this context, the article proposes that the AFS identify the role of such algorithms and bring them under regulatory scrutiny. Under this, the CCI would be required to follow a two-step inquiry-

      MANDATORY ALGORITHMIC DISCLOSURES: 

      The first step in the proposed AFS is to mandate disclosures by Swiggy and Zomato regarding their algorithmic decision-making. These platforms must provide information about the design, operation, and structure of their algorithms, specifically in relation to penalizing or incentivizing restaurants. Such disclosures should be made to the DG under Section 36(4)(b) of the Act during the investigation stage. This requirement mirrors the EU Platform to business regulations 2019/1150, which mandates transparency in ranking criteria, ensuring that platforms do not manipulate search results based on monetary compensation or preferential treatment.

      EFFECTS BASED OUTCOME ANALYSIS:

      The second step shifts the scrutiny from intent to effects, applying an effects-based outcome analysis to assess whether these algorithms control prices, foreclose competition, or limit consumer choice by restricting visibility or promotions. If these practices result in an AAEC, the burden of disproving their anti-competitive impact should shift onto Swiggy and Zomato, allowing the CCI to order a rollback of such algorithms, if necessary. This aligns with the EU Court of Justice’s ruling in the Google Shopping case which found algorithmic self-preferencing anti-competitive, and rejected short-term efficiency arguments as justifications for long-term market harm. Likewise, under Section 19(3)(d) to (f) of the Act, any efficiency claims by Swiggy and Zomato should be dismissed if they come at the expense of competition.

      WAY FORWARD

      This article proposes that the AFS could be incorporated into the Act in two ways. First, under the ‘Hub-and-Spoke’ model, introduced through the Competition Amendment Act, 2023, wherein, a central entity (hub) can facilitate anti-competitive coordination among independent entities (spokes), even if they do not explicitly collude with each other. In this context, Swiggy and Zomato function as hubs, using algorithms to impose price parity and exclusivity conditions on restaurants (spokes), effectively orchestrating market behavior without direct collusion between restaurants. Second, the liability of Swiggy and Zomato could be invoked under Section 2(b), as part of tacit collusion through algorithmic enforcement. Since intent is irrelevant under ‘per se’ approach, the AFS would impute intent constructively, aligning with the Competition Law Review Committee 2019s recommendation of a “guilty until proven otherwise” standard in cases involving algorithmic anti-competitive practices.

      CONCLUSION

      While the case is still pending before the CCI, this article has established that Swiggy and Zomato’s anti-competitive practices produce effects similar to horizontal price fixing and market allocation under Section 3(3)(a) & (b). A reclassification accordingly would enable for a shift to ‘per se’ from ‘rule of reason’, under which the entire burden to prove the anti-competitive effects rests on the complainant, and in such situations where these practices are furthered by opaque algorithms, it becomes difficult to hold Swiggy and Zomato responsible for their actions. Thus, under the AFS, the mere presence of algorithms and assessment of their prima-facie effects after due disclosure to the CCI, the burden to disprove AAEC would be heavy on Swiggy and Zomato. This reclassification would represent a significant jurisprudential shift, setting a precedent for addressing algorithm-driven anti-competitive practices and establishing a framework for future actions against quick commerce platforms.

    3. Examining the Flaws in SEBI’s Proposed AI & ML Regulations

      Examining the Flaws in SEBI’s Proposed AI & ML Regulations

      BY SACHIN DUBEY AND AJITESH SRIVASTAVA, THIRD-YEAR STUDENTS AT NLU, ODISHA AND LLOYD LAW COLLEGE

      INTRODUCTION

      Artificial Intelligence (‘AI’) has become an integral part of our daily lives, influencing everything from smart home technology to cutting-edge medical diagnostics. However, it’s most profound influence is perhaps in transforming the landscape of securities market. AI has advanced the efficiency of investor services and compliance operations. This integration empowers stakeholders to make well-informed decisions, playing a pivotal role in market analysis, stock selection, investment planning, and portfolio management for their chosen securities.

      However, despite the advantages, AI poses risks such as algorithmic bias from biased data, lack of transparency in models, cybersecurity threats, and ethical concerns like job displacement and misuse, highlighting the need for strong regulatory oversight. Therefore, Securities and Exchange Board of India (‘SEBI’) vide consultation paper dated 13thNovember, 2024 proposed amendments holding regulated entities (‘REs’) accountable for the use of AI and machine learning (‘ML’) tools.  

      These amendments enable SEBI to take action in the event of any shortcomings in the use of AI/ML systems. SEBI emphasises that these entities are required to safeguard data privacy, be accountable for actions derived from AI outputs, and fulfil their fiduciary responsibility towards investor data, while ensuring compliance with applicable laws.

      In this article, the author emphasises the necessity of the proposed amendments while simultaneously highlighting their potential drawbacks. 

      NEED OF THE PROPOSED AMENDMENTS

      The need for proposing amendments holding REs accountable for AI/ML usage has arisen due to various risks associated with its usage. 

      AI relies heavily on customer inputs and datasets fed into them for arriving at its output. The problem is that humans have found it very difficult to understand or explain how AI arrives at its output. This is widely referred to as “black box problem”. In designing machine learning algorithms, programmers set the goals the algorithm needs to achieve but do not prescribe the exact steps it should follow to solve the problem. Instead, the algorithm creates its own model by learning dynamically from the given data, analysing inputs, and integrating new information to address the problem. This opacity surrounding explainibility of AI outputs raises concerns about accountability for AI-generated outcomes within the legal field.

      Further, if just one element in a dataset changes, it can cause the AI to learn and process information differently, potentially leading to outcomes that deviate from the intended use case. Data may contain inherent biases that reinforce flawed decision-making or include inaccuracies that lead the algorithm to underestimate the probability of rare yet significant events. This may lead to jeopardising the interests of customers and promoting discriminatory user biases. 

      Additionally, relying on large datasets for AI functionality poses considerable risks to privacy and confidentiality. AI models may sometimes be trained on datasets containing customers’ private information or insider data. In such situations, it becomes crucial to establish accountability for breaches of privacy and confidentiality. 

      SHORTCOMINGS

      SEBI’s proposal to amend regulations and assign responsibility for the use of AI and machine learning by REs is well-intentioned. However, it could create challenges for both regulated entities and industry players, potentially slowing down the adoption of AI and stifling innovation.

      a. Firstly, SEBI’s proposal to assign responsibility for AI usage adopts a uniform, one-size-fits-all regulatory approach, which may ultimately hinder technological innovation. Effective AI regulation requires greater flexibility, favouring a risk-based framework. This approach classifies AI systems based on their risk levels and applies tailored regulatory measures according to the associated risks. A notable example is the European Union’s AI Act which adopts a proportionate, risk-based approach to AI regulation. This framework introduces a graduated system of requirements and obligations based on the level of risk an AI system poses to health, safety, and fundamental rights. The Act classifies risks into four distinct categories- unacceptable risks, high risks, limited risks and minimal risks. As per the classification, certain AI practices which come under the category of unacceptable risks are completely prohibited while others have been allowed to continue with obligations imposed upon them to ensure transparency.  

      b. Secondly, while SEBI’s regulatory oversight of AI usage by REs is crucial for protecting investor interests, it is equally important to establish an internal management body to oversee the adoption and implementation of AI within these entities. SEBI could draw insights from the International Organization of Securities Commission’s (‘IOSCO’) final report on AI and machine learning in market intermediaries and asset management. The report recommends that regulated entities designate senior management to oversee AI/ML development, deployment, monitoring, and controls. It also advocates for a documented governance framework with clear accountability and assigning a qualified senior individual or team to approve initial deployments and major updates, potentially aligning this role with existing technology or data oversight.

      c. Thirdly, SEBI has entirely placed the responsibility for AI and machine learning usage on REs, neglecting to define the accountability of external stakeholders or third-party providers. REs significantly rely on third parties for AI/ML technologies to ensure smooth operations. Hence, it is vital to clearly outline the responsibilities of these third parties within the AI value chain. 

      d. Fourthly, the Asia Securities Industry & Financial Markets Association (‘ASIFMA’) raised a concern that financial institutions should not be held responsible for client decisions based on AI-generated outputs. It contends that it would be unjustified to hold institutions liable when an AI tool provides precise information, but the client subsequently makes an independent decision. This viewpoint goes against SEBI’s proposed amendments which seemingly endorses broader institutional liability.  

      e. Lastly, SEBI’s proposed amendments and existing regulations remain silent on the standards or requirements for the data sets (input data) utilized by AI/ML systems to carry out their functions. While the amendments imply that REs must ensure AI models are trained using data sets that either do not require consent (e.g., publicly available data) or have obtained appropriate consent, particularly under the Digital Personal Data Protection Act, 2023 (DPDPA), SEBI could have more explicitly define the standards for high-quality data sets suitable for AI/ML functionality particularly crucial when the data protection rules have not seen the light of the day.

      CONCLUSION

      While it is commendable that SEBI, recognizing the growing use of AI/ML tools in the financial sector, proposed amendments to hold REs accountable for their usage, it should have given due consideration to the factors mentioned above. Because it is vital to ensure that any policy introduced is crafted carefully in a way that does not, in any way, discourage innovation and growth in the emerging fields of AI and ML technology. 

    4. Aligning RBI Directives with DPDP Act in the Banking Sector

      Aligning RBI Directives with DPDP Act in the Banking Sector

      BY VISHWAROOP CHATTERJEE AND NACHIKETA NARAIN, SECOND-YEAR STUDENTS AT RGNUL, PATIALA.

      Introduction 

      The intersection of banking and data protection is perhaps the next big leap for both the sectors. The banking sector is one of the most prone and vulnerable spaces for massive data breaches that can have severe financial and legal consequences. The lack of an effective cybersecurity infrastructure will lead to an onslaught of cyber-crimes such as fraudulent financial activities, phishing, data selling, ransomware, etc. The Government has introduced the  Digital Personal Data Protection Act (‘DPDP Act’) and the proposed Digital India Act which sheds positive light on the government’s intention for data protection. However, the mere introduction of legal provisions is not the solution, corporations have been notorious for acting as data brokers which results in data leaks. As a result, the financial data has always been prone to data breaches. 

      In this article, the authors shall deal with the analysis of the current laws that govern data protection with an understanding of the DPDP Act and its emphasis on the role of RBI as the watchdog of data privacy in the banking sector. 

      Failure To Comply with Data Protection Protocols: The Kotak Mahindra Bank Incident

      Digital banking is the new norm and yet, banks have been failing to be well equipped with a robust digital infrastructure for the protection of their consumer’s data. The recent actions against Kotak Mahindra Bank by the apex financial institution (‘RBI’) under Section 35A of the Banking Regulation Act, 1949 is an example of failure of banks to equip themselves with robust digital infrastructure for the protection of consumer data. RBI has barred the mentioned bank from onboarding customers through its online service platforms and issuing new credit cards. According to the RBI, Kotak Mahindra Bank failed to comply with various data protection protocols, and deficiencies were identified in IT inventory management, risk vendor management, data security and data leak prevention strategy, etc. RBI had notified the mentioned bank in 2022 and 2023 about the security lapses and provided them with a corrective action plan which Kotak Mahindra failed to comply with. A well-established Indian Bank failing to meet RBI’s data protection protocols is a worrisome event as other banks might follow if these lapses are left unchecked. 

      Data Privacy in Banking Sector

      In the case of  HDFC Bank Limited v. Jesna Jose,   it was held that with the advent of the digital age, the bank must be held liable for any unauthorised transaction or fraudulent activity from an act arising out of the bank’s negligence. This was done to keep a watch on the banks’ data privacy systems and to ensure that they minimise any unauthorised or fraudulent activity. The judgement relied upon the precedent set by the Chairman, Punjab National Bank v. Leader Valves Ltd which held that if the bank manages the account, it is incumbent upon the bank to ensure the safety and security of the account. The section 43(a) of the Information Technology Act, 2000 deals with the liability of a corporate body to compensate in instances of failure to protect sensitive data. Most importantly, the master direction issued by RBI on IT outsourcing services serves as a cornerstone to keep third-party data processors in the financial ecosystem in check.  

      One question that may arise here is, does RBI have the legal jurisdiction to enforce banks with data privacy compliances? In the case of Internet & Mobile Assn. of India v. RBI, (2020) one of the issues was the jurisdiction of RBI in matters not directly linked with traditional monetary policies. The judgement held that when RBI is not any other statutory body but a creature on its own that can exercise its power in its capacity for policymaking, operational risks or  regulation for enforcement and such directions would become supplementary to the Reserve Bank Of India Act, 1934 itself. Hence, it becomes a duty for the banks to comply with the data privacy directives of RBI.

      Analysis and Suggestions to the DPDP Act

      In the digital economy, consumers utilise the financial services offered to them by giving their personal data. This trade of confidential data for financial services is a highly sensitive aspect that must be backed by sturdy mechanisms protecting the confidentiality of sensitive data from misuse. 

      The most prominent issue that arises with the DPDP Act is that it has failed to differentiate between personal data and sensitive personal data. Under Section 2(h) of the Act, it defines data as the representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. This classification may perhaps be too vague in the realm of the banking sector since it deals with highly sensitive consumer data that needs greater protection than other personal data since it contains sensitive financial information besides personal information. 

      The first suggestion is to classify the various types of data that need regulation. The vague definition is restrictive for the efficient regulation of different data sets. Therefore, there should be categorisation of data sets. The EU GDPR, UK GDPR, and US state laws like the California Consumer Privacy Act categorise certain types of data as ‘sensitive’ and deserving of extra protection. The DPDP Act can take a similar approach. This will provide clarification to data fiduciaries in the banking sector to regulate sensitive financial data with a well-defined approach.

      Moreover, the DPDP Act has misaligned accountability with respect to data fiduciaries and data processors. It defines data fiduciaries essentially as corporations who possess customer data and determine how the data will be processed. Whereas, a data processor is an entity that processes the data on behalf of the fiduciary.  The DPDP Act focuses on the guidelines for the data fiduciary and leaves the data processors with minimal regulation. The only significant element for data processors is subsection (9) of section 9 which states that a data fiduciary must have a contract with the data processor. 

      The DPDP Act falls short of providing the necessary clarity for processors on how to handle such data. Firstly, it fails to specify the security controls that processors are expected to implement. Secondly, the Act is deficient in outlining clear protocols for processors to follow in the event of security lapses. Lastly, the Act neglects to establish clear guidelines for handling requests for data from government authorities, resulting in ambiguity and potential liability issues. 

      This essentially makes it clear that there are hardly any guidelines or standards that ensure that these data processors undertake their responsibilities in a safe and secure manner so as to protect the sensitive data they handle; these data processors can ultimately emerge as the ‘unruly horse’ in the digital realm. This necessitates the framing of certain standards which the data processors comply with. Chapter 5 of the Master Direction by the RBI can be referred that clearly outlines the rules of the agreement pertaining to the data processors. 

      Hence, the second suggestion is to properly define the roles of the data processors in the DPDP Act like the RBI has done for its regulated entities by clearly laying out a roadmap that gives directions to data processors on data breaches, storage of data, risk management and etc. The relationship between data fiduciaries and data processors cannot be sufficed by a mere contractual agreement. 

      Some of the directions for data processors can be referred from the RBI Master Directions. As per this, the service providers (similar to data processors) are required to define the services they will deliver and the standards they will adhere to in order to meet in terms of quality and quantity. Moreover, the service provider is responsible for maintaining confidentiality and security of the data with ‘Regulated Entity’ (similar to data fiduciaries) pertaining to the customers or its own data. The agreement should define as to which data can the service provider share with other entities.

      Conclusion 

      The world of technology is adapting and the Banking and Finance world cannot be left behind. The RBI must act as the custodian of Data Privacy in the realm of Banking and Finance. The current DPDP Act needs revision and needs to be harmonised with the RBI directives to provide better clarity for the data protection of the finance world. 

      Moreover, it would be essential for the DPDP Act to categorise the various Data types as they may be susceptible to varying levels of risk. The Act must also adapt or incorporate RBI’s master directions on IT outsourcing to clearly establish the roles of Data Fiduciary and Data Processors. The legal ambiguity with the data processors is a regulatory gap that must be dealt with to create an efficient digital banking sector. India’s digital economy generating about $200 billion of economic value besides also being the second-fastest digitizing economy. Therefore, it is necessary for India to advance these data protocols. A secure digital infrastructure provides consumer trust and safety which paves the way for a resilient and sustainable banking sector.