Data Privacy, AI, And Technology Newsletter | March 2026

Welcome to the March 2026 edition of the Data Privacy, AI and Technology Newsletter. This issue highlights key regulatory and policy developments shaping India’s digital and technology landscape, including cybersecurity guidelines for space systems, new standards for AI infrastructure and data centres, and amendments to intermediary rules addressing synthetically generated content and stricter compliance timelines. It also covers emerging trends from the India AI Impact Summit and NITI Aayog’s roadmap for scaling India’s technology services sector in the AI era.

The newsletter further examines important developments in the telecommunications and fintech sectors, including TRAI’s directions on AI-driven detection of unsolicited commercial communications and RBI’s proposed framework on responsible business conduct for NBFCs. In addition, this edition features significant judicial pronouncements addressing the use of AI-generated content in legal proceedings, protection of personality rights against deepfakes, and data breach-related interim relief measures, offering valuable insights into evolving legal standards at the intersection of technology, data, and law.

Technology Updates

Indian Computer Emergency Response Team issues Cyber Security Guidelines for Space Systems

February 26, 2026: The Indian Computer Emergency Response Team (CERT-In) issued the “Cyber Security Framework and Guidelines for Space including Satellite Communication” to strengthen cybersecurity practices for satellite communications assets and promote secure deployment of satellite technologies in order to support India’s digital communication ecosystem. The guidelines aim to address emerging cyber risks and emphasise on security controls, incident reporting obligations, and cybersecurity governance for entities engaged in satellite communication activities, including government agencies, satellite operators, service providers, equipment manufacturers, and private space enterprises. Highlights of the guidelines inter alia are as follows:

• Data protection and localisation requirements: Entities operating satellite communication systems are required to implement robust data protection mechanisms, including encryption, data minimization, and secure storage of operational and telemetry data. The guidelines also emphasise data localisation, impose restrictions on routing data through foreign gateways and recommend the conduct of periodic security reviews for international gateways and ground stations located abroad.
• Six-hour cyber incident reporting obligation: In line with the existing reporting requirements under CERT-In directions, satellite communication operators and service providers are required to report cybersecurity incidents to CERT-In within six hours of detection, while maintaining incident logs for a minimum rolling period of 180 days. This requirement seeks to facilitate a rapid and coordinated response to cyber threats affecting satellite communication networks.
• Periodic cybersecurity audits and vulnerability assessments: Entities are required to conduct regular cybersecurity audits, through CERT-In empanelled auditing organizations at least once in a year. These audits are intended to ensure ongoing compliance with cybersecurity standards and strengthen resilience against evolving cyber threats.
• Supply chain assurance: Entities are required to procure equipment and components from trusted sources, in accordance with the Government of India's Trusted Telecom Directive and the National Security Directive on Telecommunication Sector. Further, guidelines recommend the conduct of supply chain risk assessments and third-party audits prior to the integration or deployment of any such equipment.

Link Here

Bureau of Indian Standards notified new international technology standards for AI infrastructure and security systems

February 20, 2026: The Bureau of Indian Standards notified several international technology standards under the Bureau of Indian Standards Rules, 2018, many of which are directly relevant to AI infrastructure, cloud computing and data centre.

These standards now inter alia include:

• Cloud Computing IS/ISO/IEC 22123-2:2023
• Data Centre key Performance indicators IS/ISO/IEC 30134-7:2023
• Ethical Considerations of AI IS/IEC SRD 63416:2023

These standards will now govern the development of AI systems, the energy consumption of data centres, and the integration of ethical safeguards across the AI lifecycle. These standards are expected to improve quality benchmarks and bring greater uniformity to India’s rapidly expanding digital ecosystem.

Link Here

Key highlights from the India-AI Impact Summit 2026

February 16, 2026: The India-AI Impact Summit 2026, held in New Delhi at Bharat Mandapam, was the first global AI gathering to be hosted in the Global South. Bringing together policymakers, technology companies, innovators, academia, and industry leaders, the Summit seeks to translate global AI deliberations into actionable development outcomes under the IndiaAI Mission and the Digital India initiative.

Highlights of the summit inter alia are as follows:

• Sovereign AI: Three major indigenous AI models were unveiled in the summit, signalling India's decisive shift away from dependence on global AI tools toward building its own AI infrastructure powered by local data, Indian languages, and domestic computing capability.
• Sarvam AI: Introduced three large language and speech models (i) Bulbul (Text-to-Speech) (ii) Saaras (Speech-to-Text) (iii) Vision (Document Understanding) trained specifically for Indian languages.
• Gnani.ai-Vachana: A text-to-speech model capable of cloning human voices across 12 Indian languages, designed for reliable performance under low-bandwidth conditions.
• BharatGen-Param2: Unveiled a multilingual foundational model supporting multiple Indian languages, with applications spanning governance, healthcare, agriculture, and education.
• M.A.N.A.V. Vision: Prime Minister Narendra Modi launched a human-centric AI framework structured around five guiding principles (i) M-Moral and Ethical Systems; (ii) A- Accountable Governance; (iii) N-National Sovereignty; (iv) A- Accessible and Inclusive; (v) V-Valid and Legitimate.
• The New Delhi Declaration: The Summit concluded with the adoption of the New Delhi Declaration, a landmark document endorsed by over 92 countries and international organisations. Rooted in the principle of "Sarvajan Hitaya, Sarvajan Sukhaya" (Welfare for all, Happiness for all), the Declaration affirms that AI's benefits must be shared equitably across humanity, while respecting national sovereignty. To operationalise these commitments, three key collaborative platforms were launched: the Global AI Impact Commons, Trusted AI Commons, and AI for Social Empowerment Platform enabling shared learning and the scaling of successful use cases across regions.

Link Here

Link Here

Link Here

Link Here

NITI Aayog’s Frontier Tech Hub has released a ten-year roadmap on ‘Technology Services - Reimagination Ahead’ 

February 12, 2026: NITI Aayog's Frontier Tech Hub has released a ten-year roadmap titled ‘Technology Services - Reimagination Ahead’, outlining how India's approximately USD 265 billion technology services sector can scale to USD 750-850 billion by 2035, while strengthening global competitiveness in the AI era and supporting the Viksit Bharat 2047 vision.

Following are the key recommendations for industry which, inter alia, include:

• Tech service players must reimagine their service offerings to deliver 70% or more efficiency embedding Agentic AI and automation across every stage of work, through code generation, autonomous testing, document synthesis, and workflow orchestration.
• Tech services players should allocate 1-2% of revenues to research and development, focusing on vertical-specific tools, reusable accelerators, and AI-native software IP that deepen client stickiness and create scalable margin levers.
• Players should scale targeted reskilling for roles such as AI engineers, prompt designers, etc. while reorienting mid-level managers toward governance, orchestration, and client engagement.

Link Here

MeitY has released the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026

February 10, 2026: The Ministry of Electronics and Information Technology has released the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (IT Rules, 2026), amending the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. IT Rules, 2026 came into force on February 20, 2026, and introduce provisions addressing synthetically generated content and strengthen intermediary obligations relating to unlawful online content. Following are the key obligations which, inter alia, include:

• Introducing the concept of synthetically generated information including audio, visual, or audio-visual information which is artificially or algorithmically created, generated, modified or altered using a computer resource. Here it is necessary to note that pure text / written outputs do not fall under the synthetically generated information and is limited to audio/visual/audio-visual information.
• Intermediaries that offer computer resource enabling the creation/modification of synthetically generated information are subject to additional due diligence obligations. Such platforms must inform users (warning) of potential legal consequences for misuse, take expeditious action against unlawful synthetic generated information, and ensure that permitted synthetic content is clearly and prominently labelled and traceable through permanent metadata or provenance mechanisms.
• Significant Social Media Intermediaries (SSMIs) are required to obtain users declaration whether the uploaded content is synthetically generated information, undertake technical measures to verify the correctness of such declarations, and ensure that such content is appropriately labelled or identified as synthetic on the platform.
• The amendments introduce stricter timelines for intermediary action on complaints and government directions. Key changes include:
  • Grievance resolution timeline reduced from 15 days to 7 days;
  • Resolution of grievances relating to requests for removal of or disabling access to information reduced from 72 hours to 36 hours;
  • Removal or disabling access to certain categories of content, including content relating to nudity/sexual content/morphed content/impersonation etc. upon complaint reduced from 24 hours to 2 hours; and
  • Compliance with a court order or a reasoned intimation from an authorised officer in the Appropriate Government, remove or disable access, upon actual knowledge reduced from 36 hours to 3 hours.

Link Here

Link Here

Telecommunication Updates

TRAI issued directions for institutionalization of Artificial Intelligence /Machine Learning based Unsolicited Commercial Communication (UCC) detection intelligence for inter-operator sharing and regulatory action against UCC senders.

February 27, 2026: The Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCPR) regulate Unsolicited Commercial Communication (UCC). TCCPR requires Access Service Providers (ASPs) to establish an Artificial Intelligence (AI) / Machine Learning (ML) detection framework for UCC detection, prevention, and monitoring originating from unregistered telemarketers.

To strengthen the regulatory framework and enhance detection and enforcement mechanisms, the Telecom Regulatory Authority of India (TRAI) issued a direction to ASPs to institutionalize AI/ML-based UCC detection systems for inter-operator sharing and regulatory action against UCC senders. ASPs are required to comply with these directions within 30 days of its issuance. Key highlights of the direction are inter alia as follows:

• Terminating ASPs are required to identify and flag the Calling Line Identification (CLI) of the sender as “Suspected UCC CLI” and, within 2 hours of detection, terminating ASPs must share the flagged CLI with the relevant originating ASPs through the Distributed Ledger Technology (DLT) platform;
• Upon receiving the flagged CLI from the terminating ASP, the originating ASP must promptly notify the sender via SMS, email, or both that their CLI is flagged as “Suspected UCC CLI”;
• Originating ASP, within 1 business day of receiving the flagged CLI, must verify the KYC identifiers of the sender using its subscriber records and, within the next 1 business day, the originating ASP must share such KYC identifiers with all other ASPs, who, within 1 business day must identify all telecom resources allotted to such sender;
• After identification of the telecom resources allotted to such sender, all ASPs within the next 1 business day must evaluate whether any other CLI allotted to the same Sender has been flagged as "Suspected UCC CLI" during the preceding 10 days and share such details on the DLT platform on the same day; and
• If the concerned originating ASPs find five or more CLIs of the sender have been flagged as "Suspected UCC CLI" within the last ten days, all the concerned originating ASPs must take actions against the sender as prescribed, for the number of such instances.

Link Here

TRAI published the Telecommunication (Broadcasting and Cable) Services Interconnection (Addressable Systems) (Seventh Amendment) Regulations, 2026.

February 5, 2026: TRAI published the Telecommunication (Broadcasting and Cable) Services Interconnection (Addressable Systems) (Seventh Amendment) Regulations, 2026, to amend certain audit-related provisions. Key amendments inter alia include:

• Audit Timeline: A distributor of television channels has to conduct an audit of the addressable system of its distribution platform now on a Financial Year basis instead of the previous calendar year basis and has to submit an audit report to broadcasters by September 30th every year. Broadcasters can also depute their representative to attend the audit to ensure transparency and credibility of the audit process.
• Explicit Timeline for clarifications: If a broadcaster finds inadequacies or discrepancies in the audit report, it can notify the distributor in writing within 45 days. The distributor must refer the observations to the auditor within 7 days, following which the auditor must review and issue an updated audit report within 30 days, which the distributor must forward to the broadcaster within 7 days of receipt. If the broadcaster finds that its observations have not been fully addressed, it may make a representation to TRAI within 30 days of receiving the updated audit report, along with its observations and supporting documents.
• Non-receipt of timely audit report: If any broadcaster does not receive the audit report of the preceding financial year by September 30 from the distributor, the broadcaster can conduct the audit of the distributor’s addressable system through a TRAI empanelled auditor or M/s Broadcast Engineering Consultants India Limited, at its own cost.

Link Here

Link Here

Fintech Updates

Reserve Bank of India issued draft amendment directions with respect to responsible business conduct for Non-Banking Financial Companies

February 11, 2026: Reserve Bank of India (RBI) issued the Draft Reserve Bank of India (Non-Banking Financial Companies - Responsible Business Conduct) Amendment Directions, 2026, which will come into effect from July 1, 2026. These directions propose to amend the earlier issued directions on the same. Key highlights of the amendment directions inter alia include:

• Inclusion of new definitions, such as:
  • Compulsory bundling: the practice of making availment of one product/service by a customer conditional upon availment of another product/service.
  • Dark pattern: shall mean any practices or deceptive design patterns using user interface or user experience interactions on any platform designed to mislead users.
  • Direct Selling Agent (“DSA”) / Direct Marketing Agent (“DMA”): refers to an agent/agency engaged to sell/market its own or third-party product/service.
  • Explicit consent: refers to a specific, informed, and unambiguous indication of an individual’s choice, given through a statement or clear affirmative action, indicating agreement to a specific action or arrangement with the entity.
• Addition of new provisions relating to advertising, marketing, and sales of financial products/services, which inter alia are as follows:
  • Entities are now required to adopt a policy for advertising, marketing, and sale of their own as well as third-party financial products/services, covering product suitability and appropriateness, customer feedback mechanisms, and compensation in cases of mis-selling.
  • Entities availing the services of DSAs/DMAs must maintain an updated list of empanelled/engaged DSAs/DMAs, including their details and period of engagement, which should be displayed on their website. Entities must also ensure that employees and DSAs/DMAs selling their own or third-party products/services possess the requisite qualifications/certifications, if prescribed.
  • Products or services, whether own or third-party, must be offered to customers only with their explicit consent, and separate consent must be obtained for each product, service, or purpose (i.e., consents cannot be clubbed together). Additionally, user interfaces for obtaining consent must ensure that consent cannot be granted without going through the applicable terms and conditions.

Link Here

Judgement

Supreme Court takes cognizance of Trial Court’s reliance on non-existing, fake, or synthetic AI-generated precedents

February 27, 2026: In Gummadi Usha Rani and Another vs. Sure Mallikarjuna Rao & Anr (SLP (C) No. 7575/2026), the Supreme Court (SC) of India expressed serious concern over the use of non-existent, fake, or synthetic judgments generated by AI in judicial decision-making. The SC declared that relying on such fabricated authorities is not merely an error in decision-making but may amount to misconduct entailing legal consequences.

Facts and background of the case: The matter originated from a civil suit for an injunction where the Trial Court appointed an Advocate Commissioner to note the physical features of a property. After the Commissioner submitted the report, the petitioners raised objections, which the Trial Court dismissed by its order dated August 19, 2025. In doing so, the Trial Court relied upon several judgments. The petitioners challenged this before the Andhra Pradesh High Court, contending that the judgments referred to and relied on are non-existent and fake orders. While the Andhra Pradesh High Court acknowledged that the cited judgments appeared to be AI-generated fake precedents and recorded a word of caution, it proceeded to decide the revision on merits and affirmed the Trial Court's order. The petitioners then approached the SC.

Judgment: The SC noted that the deployment of AI generated non-existing, fake or synthetic alleged judgments has a direct bearing on the integrity of the adjudicatory process and requires a deeper examination of consequences and accountability. SC issued notices to the Attorney General for India, the Solicitor General of India, and the Bar Council of India to examine the systemic implications of such reliance. Additionally, the SC directed that, pending disposal of the Special Leave Petition, the Trial Court shall not proceed on the basis of the Advocate Commissioner's report.

Link Here

Delhi High Court grants ex-parte injunction to protect Jubin Nautiyal’s personality rights

February 19, 2026: In Jubin Nautiyal vs. Jammable Limited & Ors. (CS(COMM) 166/2026), the Delhi High Court granted an ex-parte ad-interim injunction protecting the personality and publicity rights of renowned playback singer Jubin Nautiyal. The Delhi High Court restrained various AI platforms and e-commerce entities from using his name, voice, image, likeness and other attributes for unauthorized commercial exploitation/ personal gain, specifically targeting deepfakes and AI-cloned voices.

Facts and background of the case: The plaintiff, a successful singer with numerous awards, filed the suit to safeguard facets of his personality including his voice, vocal style, mannerisms, and signature. The plaintiff alleged that certain AI platforms used machine learning algorithms to mimic his voice and create unauthorized audio/visual content for financial gain. Additionally, e-commerce platforms like Amazon and Flipkart were found to be selling merchandise bearing his images, signature and other elements of his persona on products, with the aim to unlawfully show a nexus/affiliation/sponsorship and/or association with the plaintiff. The suit highlighted the emergence of generative AI and deepfakes used to morph his face onto videos and overlay profane audio clips to certain video clips of the plaintiff, causing real and present damage to his reputation.

Judgment: The Delhi High Court held that the plaintiff established a strong prima facie case and that the balance of convenience tilted in his favour. The Delhi High Court observed that without an injunction, the plaintiff would suffer irreparable injury that could not be compensated in monetary terms. Accordingly, the Delhi High Court restrained the defendants from exploiting the plaintiff's personality rights through any medium or formats, including the Metaverse, social media. The Delhi High Court further directed e-commerce defendants to take down or block access to the infringing URLs identified in the order.

Link Here

Bombay High Court grants interim audit and data preservation measures following major credit card data theft

February 3, 2026: In CPP Assistance Services Private Limited vs. Teleperformance Business Services India Private Limited (Commercial Arbitration Petition (L) No. 475 of 2026), the Bombay High Court (BHC) granted interim measures under Section 9 of the Arbitration and Conciliation Act, 1996, directing Teleperformance Business Services India Private Limited (Respondent) to allow a forensic audit of its premises and systems and ordered the preservation of sensitive personal data following a massive breach that compromised credit card information of SBI Cards and Payment Services Ltd.’s (SBI Cards) customers.

Facts and background of the case: The petitioner, providing card protection and assistance solutions to insurance and financial partners, had outsourced customer servicing and retention calling services to the Respondent under a service agreement. In August 2025, a large-scale fraud was discovered involving the theft of sensitive personal and financial data of credit card holders of SBI Cards, leading to unauthorized transactions totalling approximately INR 2.60 crore. Investigations revealed that the data breach was facilitated by employees of the Respondent, resulting in arrests of employees. While the Respondent initially expressed willingness to cooperate, it ultimately refused to permit a forensic audit by the petitioner, which was contractually agreed between the parties. The Respondent claimed that audit rights were inoperative during the suspension of the contract and that the petitioner’s proposed audit plan exceeded the contractual scope and risked exposing data of other clients. The petitioner approached the BHC seeking urgent relief, citing threats of business termination from SBI Cards and demands for data from cybercrime authorities.

Judgment: The BHC held that the petitioner established a strong prima facie case for interim measures, noting that the Respondent was contractually bound to permit audits of its documents, records and premises. The BHC emphasized that these audit rights specifically survived the termination of the agreement. It rejected the Respondent’s contention that a mandatory injunction could not be granted at an interlocutory stage, holding that such relief is permissible to preserve the subject matter of arbitration and prevent irreparable injury. The BHC observed that the Respondent’s attempts to avoid the audit appeared to be aimed at hiding records and that the balance of convenience tilted in favour of the petitioner. Accordingly, the BHC directed the Respondent to allow a team of internal and external auditors to conduct an inspection of its premises and systems, ordered the maintenance of a complete status quo regarding all confidential information, records, backups and electronic logs and mandated the sharing of internal committee findings with the petitioner.

Link Here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.