Data Privacy, AI, And Technology Newsletter | May 2026

Welcome to this edition of the Data Privacy, AI and Technology Newsletter, highlighting key legal, regulatory, and judicial developments across India’s digital ecosystem. This issue covers significant updates relating to artificial intelligence governance, cybersecurity, online gaming, telecommunications, and digital payments.

The newsletter also captures important regulatory initiatives issued by MeitY, CERT-In, TRAI, RBI, and IRDAI concerning intermediary obligations, cyber resilience, telecom consumer protection, and fintech regulation, alongside key judicial developments shaping India’s evolving digital regulatory framework.

Updates: Industry Updates: India

Technology Updates

Cert-In issues an advisory on defending against frontier AI driven cyber risks

April 26, 2026: The Indian Computer Emergency Response Team (Cert-In) has issued an advisory acknowledging that advancements in frontier AI systems indicate significant increase in cyber capabilities which helps in discovery of security vulnerabilities including zero-day vulnerabilities across widely used software. However, these developments also heighten the risks of automated, multi-stage, low-cost surveillance of target networks, vulnerability exploitation, and credential compromise. The advisory sets out recommendations for organizations, MSMEs and individuals which, inter alia, includes:

• Security operations teams to increase the frequency of monitoring, threat detection and review of system logs.
• Adoption of AI enabled defensive security tools for automated vulnerability detection, attack surface analysis and threat detection to strengthen proactive defense capabilities.
• Every newly disclosed critical vulnerability in widely deployed software should be treated as susceptible to exploitation within hours of disclosure and not weeks.
• Enforce multi factor authentication across internet facing assets, critical services, remote access gateways, third party integrations and cloud management consoles.
• Conduct regular cybersecurity training to educate employees on risks posed by AI- generated content and scams.
• Encrypt data during transmission and storage, in order to safeguard against unauthorized access.
• Verifying the authenticity of voice calls, video messages and urgent requests, particularly those involving financial transactions or sensitive information.

Link Here

MeitY issues an advisory directing virtual private network service providers and intermediaries to ensure their platforms do not facilitate access to illegal and blocked online betting and prediction market platforms

April 25, 2026: The Ministry of Electronics and Information Technology (MeitY) issued an advisory raising concerns regarding the misuse of virtual private network (VPN) service providers and intermediaries to facilitate access to illegal and blocked prediction market and online betting platforms. MeitY reiterated that intermediaries, including VPN service providers, are bound by due diligence obligations under the Information Technology Act, 2000 (IT Act) and the Information and Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), and must ensure that their platforms are not used to host, transmit, or share any information in violation of Indian law, including information that may be prejudicial to public order, sovereignty and integrity of India, or the security of the state, including its economic security. Key obligations under the advisory, inter alia, include:

• Undertake immediate and effective action to ensure that reasonable efforts are made not to host or store any information which is in violation of applicable law, including information relating to illegal or blocked online betting and prediction market platforms.
• Intermediaries including VPN service providers, are required to provide information under its control or possession, or assistance to authorised Government agencies for purposes of identity verification, and for the prevention, detection, investigation, or prosecution of offences under any law in force, within the prescribed timeframes under the IT Act.
• Any non-compliance with the statutory due diligence obligations may result in loss of safe harbor protection provided under section 79 of the IT Act and exposure to consequential legal action under applicable laws.

Link Here

MeitY notifies the Promotion and Regulation of Online Gaming Rules, 2026

April 22, 2026: MeitY has notified the most awaited Promotion and Regulation of Online Gaming Rules, 2026 (PROG Rules) in the official gazette, marking a decisive step in shaping India’s digital gaming landscape by establishing a structured system to govern online games. The PROG Rules came into force on May 1, 2026. We have prepared a detailed article on the PROG Rules, which can be accessed here.

Link Here

Link Here

MeitY constitutes AI Governance and Economic Group to lead India’s AI governance policy

April 16, 2026: MeitY has constituted the AI Governance and Economic Group (AIGEG), a high-level inter-ministerial body that will serve as India's central institutional mechanism for AI governance policy development and coordination. AIGEG will be chaired by Shri Ashwini Vaishnaw, Minister of Electronics and Information Technology, Railways and Information & Broadcasting, with Shri Jitin Prasada, Minister of State, Electronics & IT and Commerce & Industry, serving as Vice Chairperson. Constitution of AIGEG gives formal effect to the institutional recommendations made in India's AI Governance Guidelines and the Economic Survey, both of which had recommended the establishment of an inter-ministerial body to steer a whole-of-government approach to AI governance. Furthermore, the terms of reference of AIGEG inter alia include:

• Coordination of policies across ministries, departments and sectoral regulators, and oversee cross sectoral governance issues.
• Promotion of responsible Al innovation and beneficial deployment of AI in key sectors.
• Review existing mechanisms and issue guidelines to ensure that firms are held accountable for compliance with local laws.

Link Here

IRDAI issues revised Information and Cyber Security Guidelines, 2026

April 6, 2026: Insurance Regulatory and Development Authority of India (IRDAI) issues the revised Information and Cyber Security Guidelines, 2026 (Guidelines) replacing the earlier 2023 guidelines in response to evolving cyber threats, industry feedback, and recommendations from IRDAI committees. The Guidelines are applicable to all insurers including Foreign Re-Insurance Branches and all insurance intermediaries regulated by IRDAI. However, insurance agents, micro-insurance agents, point of sales-persons and individual surveyors are expressly excluded from the scope of the Guidelines. Key amendments, inter alia, include:

• Compliance obligations for insurance intermediaries: The insurance intermediaries are now required to submit the cybersecurity audit report along with compliance thereto and the comments of the audit committee/ risk management committee/ board of directors/ principal officer (as applicable) to the insurers on an annual basis. The Guidelines introduce an additional requirement that such audit report be submitted within 30 days of completion of audit conducted by a CERT-In empaneled auditor or audit firm.
• Alignment with Digital Personal Data Protection Act, 2023: Regulated entities are required to implement appropriate technical and organizational measures to ensure compliance with the provisions of the Digital Personal Data Protection Act, 2023, and the rules made thereunder.
• Reconstitution of governance committees: The requirement to constitute Control Management Committee (CMC), a board level committee, is dispensed with. Organizations are, however, required to ensure that all functions previously envisaged to be performed by the CMC are incorporated within the terms of reference of the Risk Management Committee (RMC).
• Establishment of IT Steering Committee: Organizations are required to establish an IT Steering Committee (ITSC) with representation at the senior management level from both IT and business functions. The ITSC shall be responsible, inter alia, for:
  • Assisting the board of the organization in developing the IT strategy in alignment with business needs.
  • Ensuring effective implementation and governance of business continuity and disaster recovery frameworks.
  • Monitoring the effectiveness of controls established to protect data within IT systems.
  • periodically updating the RMC and CEO on the activities of the ITSC.

Link Here

Gujarat High Court releases AI policy prohibiting judges from using AI in any form of decision making, adjudication and for preparation of judgments

April 4, 2026: The High Court of Gujarat has issued a policy governing the use of AI in judicial and court administration, applicable to all judicial officers, court staff, legal assistants, interns, and para-legal volunteers engaged within the judicial and administrative framework of the Registry of the High Court of Gujarat and District Judiciary. Recognizing that AI tools present significant opportunities to enhance efficiency and accessibility and quality of justice delivery while carrying substantial risks including hallucinations, bias, confidentiality breaches, and erosion of judicial independence. The policy permits AI solely as a decision-support and administrative efficiency tool and not as a replacement for judicial reasoning. Key provisions, inter alia, include:

• Permitted uses: Legal research, retrieval or analysis of judgments and precedents (subject to mandatory verification against the full text of the original judgment or statute from an authoritative sources), improving the language, structure and clarity of draft orders, judgements and opinions (provided the substantive legal analysis and reasoning remains entirely that of the judge), AI-assisted scheduling based on objective and anonymized metadata, and machine-assisted translation (subject to verification by a qualified translator) and transcription (provided the transcript is reviewed and certified by the judicial officer before use).
• Prohibited uses: AI is absolutely prohibited from any aspect of judicial decision-making, reasoning, order drafting, judgment preparation, bail/sentencing considerations, or any substantive adjudicatory process. Entry of confidential case information, personal data of parties or witnesses, advocates or sensitive personal data into any public AI tool is also expressly prohibited.
• Human supervision and accountability: Every judicial officer remains fully and personally responsible for every order, judgment and observation issued under their name. The use of AI does not constitute a defense to a finding of error, misconduct, or professional negligence.

Link Here

Minister of Electronics and Information Technology issues a response to questions raised in Lok Sabha regarding offshore digital platforms including gaming platforms and their impact on users

April 1, 2026: Minister of Electronics and Information Technology, Mr. Jitin Prasada, issued a response to the questions raised in Lok Sabha regarding the measures introduced by the Government with regards to (a) protection of Indian users from the negative impacts of offshore digital platforms including gaming platforms (b) promotion of digital well-being, user safeguards and responsible digital participation (c) raising awareness amongst the youth regarding offshore gaming addiction and its impact.

Mr. Jitin Prasada responded that:

• A total of 8,376 website URLs related to online betting/gambling/gaming including offshore gaming platforms have been blocked till March 28, 2026 of which more than 4,800 URLs were blocked subsequent to the enactment of the Online Gaming Act, 2025.
• Ministry of Information and Broadcasting issued an advisory dated December 4, 2020 to all private satellite television channels directing compliance with the guidelines of the Advertising Standards Council of India, which mandate that every gaming advertisement should carry a disclaimer in print, static, and audiovisual formats noting that the game involves financial risk and may be addictive.
• University Grants Commission issued the “Handbook on Basics of Cyber Hygiene for Higher Educational Institutions” in December 2024 which provides comprehensive guidance on safe digital practices, responsible online behaviour, management of screen time and other risks associated with excessive digital exposure, including online gaming and addictive digital platforms.
• Regular awareness and knowledge dissemination lectures have also been conducted under the “UGC Chetna Series” including: (i) Cyber Hygiene in higher education institutions by Indian Cybercrime Coordination Centre (I4C), Ministry of Home Affairs - April 2024 (ii) Launch of Cyber Hygiene Handbook and lecture on “Busting Digital Arrest” – June 2024 (iii) Cyber Security, Cyber Law and AI Trends by Advocate, Supreme Court - November 2024.
• The Ministry of Home Affairs has operationalised the National Cyber Crime Reporting Portal to enable the public to report all categories of cyber-crimes, including cyber financial frauds. A toll-free helpline number, “1930”, has been made operational to assist citizens in lodging online complaints.

Link Here

Telecommunication Updates

TRAI issued the Draft Telecom Consumer Protection (Thirteen Amendment) Regulations, 2026

April 7, 2026: The Telecom Regulatory Authority of India (TRAI) released the Telecom Consumers Protection (Thirteenth Amendment) Regulations, 2026, proposing further amendments to the Telecom Consumers Protection Regulations, 2012 (TCPR 2012).

Earlier, through the Twelfth Amendment to TCPR 2012 dated December 23, 2024, TRAI required Telecom Service Providers (TSPs) to offer at least one Special Tariff Voucher (STV) exclusively for Voice and SMS with a validity period not exceeding 365 days.

In response, although STVs were introduced by TSPs, these STVs were limited to only two validity options, approximately with quarterly and yearly validity, which was challenging for low-income consumers who require shorter validity packs. Consumers who do not use data faced limited options and were consequently disadvantaged.

Furthermore, it was also observed that initially, prices were not reduced in proportion to the removal of data benefits from bundled plans but were subsequently adjusted following consumer backlash.

TRAI noted that TSPs offered multiple validity periods for STVs with Voice, SMS, and Data, but similar flexibility was not extended to STVs with Voice and SMS. Subsequently, TRAI was of the view that the outcome of the Twelfth Amendment to TCPR 2012 was inadequate and has now released the draft Thirteenth Amendment to the TCPR 2012 with the intention to enhance flexibility and benefiting consumers who do not require data-inclusive packs

The draft amendment proposes inserting a new proviso requiring TSPs to offer STVs with Voice and SMS that match the validity periods of their bundled STVs with Voice, SMS, and Data. Additionally, these Voice and SMS-only STVs must be priced with a proportionate reduction compared to bundled STVs.

Link Here

Fintech Updates

RBI issued the Draft Reserve Bank of India (Prepaid Payment Instruments) Directions, 2026

April 22, 2026: The Reserve Bank of India (RBI), as part of its ongoing efforts to strengthen the long term growth of the Prepaid Payment Instruments (PPIs) framework and enhance transaction security, released the Draft Reserve Bank of India (Prepaid Payment Instruments) Directions, 2026 (Draft 2026 Directions), which proposes to replace the Reserve Bank of India Master Directions on Prepaid Payment Instruments, 2021 dated August 27, 2021 (2021 Directions).

Some of the key provisions under the Draft PPI MD 2026, inter alia, include the following:

• Reclassification of categories of Pre-Paid Instruments: The Draft 2026 Directions propose to recategorize PPIs as follows:
  • General Purpose PPI: which includes:
    • Full-KYC PPI: which is issued after the customer due diligence (CDD) process; and
    • Small PPI: which is issued after obtaining the minimum details of the customer.
  • Special Purpose PPI: consists of:
    • Gift PPI: Non-reloadable PPI for gifting purposes, enabling purchase of goods or services at merchants;
    • Transit PPI: PPI used only for payments across various modes of public transport;
    • PPI for Foreign Nationals or Non-Residential Indians (NRIs): INR-denominated PPI issued to foreign nationals / NRIs visiting India; and
    • Any other specific purpose PPI issued with the prior approval of RBI.
  • Authorisation requirements:
    • Authorisation for Banks: Under the Draft 2026 Directions, banks are no longer required to obtain prior approval from the RBI as compared to the prior approval requirement prescribed under the 2021 Directions. Banks permitted to issue debit cards can issue PPIs with prior intimation to the Department of Payment and Settlement Systems (DPSS), RBI.
    • Authorisation for non-banks: All non-bank entities are required to obtain prior approval from the RBI. Under the Draft 2026 Directions, an entity regulated by any financial sector regulator is required to apply along with a No Objection Certificate (NOC) from such regulator, within 45 days of obtaining the NOC, as compared to the 30-day timeline prescribed under the 2021 Directions. The Draft 2026 Directions propose to increase this timeline by a 15-day period.

• Capital Requirements: A non-bank applicant entity is required to maintain a minimum net worth of INR 5 crore. The Draft 2026 Directions propose that such entities must submit a Net-Worth Certificate issued by their statutory auditor, instead of a certificate from a Chartered Accountant, as required under the 2021 Directions.

• Governance: The Draft 2026 Directions propose to introduce an explicit ‘fit and proper’ criteria for promoters and directors of the applicant entity, inter alia, including fairness, integrity, financial integrity, reputation, honesty, and disqualifications such as conviction for moral turpitude, financial unsoundness etc.
• Removal of use of PPI for cross border transactions: The Draft 2026 Directions propose to completely remove the use of INR denominated PPIs for cross-border transactions. This is a complete change from the 2021 directions which permitted certain PPIs for cross-border transactions. Comments and feedback on the Draft 2026 Directions can be submitted by the regulated entities and other stakeholders on or before May 22, 2026.

Link Here

RBI issued the Digital Payments - E-Mandate Framework, 2026

April 21, 2026: RBI published the “Digital Payments - E-mandate Framework, 2026.” This framework is effective immediately and applies to all Payment System Providers and Payment System Participants with respect to the processing of recurring transactions, domestic or cross-border, using cards / PPI / UPI. Highlights of this framework, inter alia, are:

• Registration and revocation of E-Mandate: Customers opting for an e-mandate facility will be required to complete a registration process, including Additional Factor Authentication (AFA) validation.

Any modifications or withdrawal of an existing e-mandate will also require AFA validation;

• AFA validation of first transaction: Every first transaction under an e-mandate will require AFA validation. If the first transaction is processed at the time of e-mandate registration, then AFA validation for both can be combined;
• Pre-transaction Notification: Issuers are required to send a pre-transaction notification, including the merchant’s name, transaction amount, date/time of debit, reference number, etc., to the customer at least 24 hours prior to the charge.

Pre-transaction notification is not required for e-mandates registered to auto-replenish balances of FASTag and National Common Mobility Card (NCMC);

• Post-transaction Notification: Issuers are also required to send customers a post-transaction notification, including similar details as the pre-transaction notification and details on grievance redressal; and
• Transaction limits: AFA validation is not required for recurring transactions up to INR 15,000, and for payments up to INR 1,00,000 for insurance premiums, mutual funds subscriptions, and credit card bills.

Link Here

RBI published a Discussion Paper - Exploring safeguards in digital payments to curb frauds

April 09, 2026: RBI released a Discussion Paper titled “Exploring safeguards in digital payments to curb frauds.” The discussion paper notes the rapid rise in digital payment fraud, especially Authorized Push Payment (APP) fraud, in which users themselves authenticate transactions through manipulation, social engineering, impersonation, or coercion.

RBI notes that over the years it has taken several measures to strengthen the safety and resilience of digital payments, and it has proposed four additional measures as follows:

• Lagged credit for APPs other than low value: RBI has proposed a mandatory time lag of 1 hour for certain APP transactions above a threshold of INR 10,000, at the Payer Bank’s end;
• Additional authentication by a trusted person for high-value digital transactions by vulnerable sections of society: RBI has proposed an additional authentication layer through a “trusted person” for high-value APP transactions above INR 50,000 initiated by vulnerable customers like senior citizens aged 70 years and above and persons with disabilities;
• Only accounts with satisfactory additional review to receive large credits: RBI has proposed a framework under which certain bank accounts would be classified as low credit turnover accounts, which will require additional proof for receiving credits over the prescribed limit of annual aggregate credit of INR 25 lakh into the bank account.

If the credit exceeds this limit, the bank only grants shadow credit, which can be used once they verify the transaction's authenticity through additional information or documents. If the beneficiary fails to satisfy the bank within 30 days, the shadow credit is reversed and returned to the source; and

• Customer-induced controls: RBI has proposed an approach under which banks may provide customers with a facility to enable or disable digital payment channels through various interfaces, including a “kill switch” to disable all digital payment transactions from an account at once.

Link Here

Judgements

Delhi High Court directs DoT, MeitY to take action against Domain Name Registrar for failing to take down infringing URLs in Premier League case

April 10, 2026: In the Football Association Premier League Limited vs. Sportshub.Stream & Ors. (CS(COMM) 470/2025 & I.A. 12176/2025), the Delhi High Court (DHC) directed the Department of Telecommunications (DoT) and MeitY to take action within two weeks against defendant Tucows Domains Inc., a Canada-based Domain Name Registrar (DNR), for persistent non-compliance with court orders directing it to block URLs carrying infringing content.

Facts and background of the case: The Football Association Premier League Limited instituted the suit seeking, inter alia, injunctive relief against several defendants, including internet service providers and DNRs, for hosting and facilitating access to infringing content. Vide order dated May 14, 2025, the DHC had directed internet service providers and DNRs, including Tucows Domains Inc., to block certain URLs carrying infringing material. Despite the passage of several months, Tucows Domains Inc. failed to comply with these directions. On March 30, 2026, counsel for Tucows Domains Inc. undertook before the DHC that compliance would be affected within one week, which too remained unheeded. The DHC further noted that Tucows Domains Inc. had communicated to the plaintiff's counsel, vide e-mail dated September 30, 2025, that it would not take any action without a valid court order domesticated in Canada, Germany, Denmark, or the United States, a position the DHC described as unpalatable and constituting clear defiance of its orders.

Judgement: The DHC held that DNRs offering goods and services within the territory of India are bound by the IT Rules, 2021 and are obligated to comply with orders passed by competent courts. It observed that an entity cannot appropriate financial gains from the Indian market whilst remaining defiant of Indian court orders. The DHC further noted that DNRs are required to appoint Grievance Officers to ensure compliance with court orders and found Tucows Domains Inc. to be in violation of such mandatory obligations. Accordingly, the DHC issued the following directions:

• DoT and MeitY were directed to immediately take action within two weeks against Tucows Domains Inc. for non-compliance with the orders of the DHC.
• DoT and MeitY were further directed to examine whether Tucows Domains Inc. ought to be permitted to continue offering its goods and services in India in light of its continued non-compliance with orders passed by Indian courts.
• The Central Government standing counsel was directed to file a status report within two weeks on the action taken by DoT and MeitY in this regard.

Link Here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.