India’s Most Critical Trade & Regulatory Compliance Digest


Lex Witness in association with the Trade & Regulatory Compliance Practice Desk at Saikrishna & Associates brings to you a detailed analysis on select updates and notifications.  

OPERATIONALIZING CONSENT UNDER THE DPDP ACT: A LEGAL REVIEW OF THE BRD FRAMEWORK
  • The Digital Personal Data Protection (DPDP) Act, 2023 establishes con­sent-based processing as the cor­nerstone of lawful data governance. Under the Act, consent must be free, specific, informed, unambiguous, unconditional, and tied to a clear affirmative action by the data principal. In this context, imple­menting automated, transparent, and accountable consent management systems is no longer optional—it is a legal necessity and a strategic imper­ative.
  • Effective consent management enables Data Principals to exercise meaningful control over their personal data by determining what data they share, for what purpose, and with whom. This includes the ability to grant, modify, or withdraw consent at any point. For Data Fiduciaries, the process involves not only capturing valid consent but also ensuring its secure storage, real-time traceability, and lawful appli­cation throughout the data lifecycle.
  • As part of the “Code for Consent” Innovation Challenge, the Ministry of Electronics and Information Tech­nology (MeitY), through its Startup Hub platform, released the Business Requirements Document (BRD) for Consent Management. The BRD is designed to assist startups and developers in building Consent Management Systems (CMS) that align with the Digital Personal Data Protection (DPDP) Act, 2023, and the anticipated obligations under the forthcoming Draft Rules. While the BRD does not carry legal force and is not binding, it serves as a persua­sive technical and policy reference. Its structured guidance may influence how the Data Protection Board of India interprets compliance expec­tations, particularly with respect to operational best practices. Accordingly, organisations should view the BRD as a supplementary implementation framework, rather than a substitute for statutory compliance under the DPDP Act and its upcoming rules.
  • The Consent Management System (CMS) outlined in the BRD presents a detailed, lifecycle-based framework for managing user consent. A CMS is a technical and administrative framework designed to oversee the entire lifecycle of user consent—from collection and validation to updates, renewals, and withdrawals. Its core purpose is to help organisations man­age consent in a manner that is both legally compliant and user-centric.
  • A robust Consent Management Platform (CMP) typically includes:
    • Customisable consent interfaces, such as banners tailored to user needs, including geolocation-sensi­tive preferences.
    • Cookie auto-blocking functionality, ensuring that no tracking occurs be­fore consent is explicitly obtained.
    • Immutable audit trails, allowing businesses to retain verifiable re­cords of each consent interaction—critical for demonstrating compli­ance during regulatory audits.
  • Beyond procedural compliance, a CMS operationalises key data protection principles such as purpose limitation, data minimisation, and transparency. It functions as a digital gatekeeper, permitting data processing only when valid, purpose-specific consent is in place.
  • The Business Requirement Docu­ment (BRD) for Consent Management provides a granular breakdown of how these principles are translated into sys­tem features and workflows, defining the roles and responsibilities of each stakeholder—Data Principals, Data Fiduciaries, and Processors.
  • While it reflects a strong architectur­al foundation, a closer legal analysis reveals both areas of alignment and potential deviations from the re­quirements of the Digital Personal Data Protection (DPDP) Act, 2023. This blog adopts a narrative “Green Flag / Red Flag” approach to assess the BRD—highlighting elements that demonstrate compliance (green flags) and those that appear non-compliant, incomplete, or misaligned with the statutory mandate (red flags).
REGULATORY GREEN FLAGS: BRD’S CONFORMITY WITH THE DPDP FRAMEWORK
  • One of the strongest features of the BRD is its proposed Consent Collection mechanism, which mandates granular, purpose-specific, and multilingual consent to be obtained through explicit affirmative actions, such as checkboxes or “I Agree” prompts. This approach closely aligns with Sections 5(3), 6(1), and 6(3) of the DPDP Act, which require that consent be free, specific, informed, unconditional, and limited to the stated purpose, with clear support for local language notices and requests for consent to ensure accessibility and comprehension.
  • The BRD’s approach to deploying a CMS that generates secure Consent Artifacts enriched with metada­ta—including timestamps, purpose identifiers, and language preferences—reflects a well-considered and compli­ance-oriented design. These artifacts act as verifiable records of consent, forming a critical foundation for regu­latory auditability and demonstrable compliance under Section 6(10) of the DPDP Act.
  • Consent validation represents the second critical phase in the consent lifecycle, wherein the Data Fiduciary must confirm the existence of valid, active consent before initiating any personal data processing. This step is particularly vital for activities such as sending marketing communi­cations or providing personalised services.
  • In practice, the Data Fiduciary initiates a validation request via API to the Con­sent Management System (CMS). The CMS verifies the relevant Consent Artifact, checking for:

    • Purpose alignment,
    • Timestamp validity, and
    • Current consent status (e.g., ac­tive, expired, or withdrawn).

    Only if consent is deemed valid does the system permit the data processing to proceed; otherwise, the request is denied, and the user may be notified according­ly. Importantly, all validation requests and outcomes are immutably logged to ensure auditability and regulatory defensibility.

    The BRD’s emphasis on comprehen­sive audit logging of consent vali­dations significantly strengthens the compliance posture under the DPDP Act, marking this feature as a clear “green flag” for implementation.

  • The BRD merits a green flag for incorporating a robust mechanism that enables Data Principals to modify previously granted consent in a granular, purpose-specific manner. By allowing users to review and update their consents via a dedicated dashboard, supported by real-time synchronization and immutable audit logging, the framework aligns closely with Section 6(1) of the DPDP Act, which mandates that consent be informed, specific, and limited to stated purposes. Moreover, this feature complements the right to correction and updating of personal data under Section 12(1) of the Act, thereby reinforcing the broader principles of user autonomy, transparency, and ongoing control over personal data.
  • The BRD’s consent renewal fea­ture—which proactively notifies Data Principals 30 days prior to con­sent expiry and facilitates seamless revalidation—demonstrates strong alignment with the accountability framework under Section 6(10) of the DPDP Act. This provision places the onus on the Data Fiduciary to demonstrate the continued validity of consent. By ensuring that data processing is contingent upon renewed, valid consent, the feature also supports Section 8(7) of the Act, which mandates timely erasure of personal data once the purpose is fulfilled or consent is withdrawn, unless legal retention is required. This built-in renewal mechanism not only reinforces user autonomy but also strengthens compliance with data minimization and purpose limita­tion principles central to the DPDP framework.

  • The BRD outlines a streamlined and user-centric consent withdrawal mechanism that allows Data Principals to revoke consent—either fully or partially—at any time. This system facilitates real-time updates across all relevant stakeholders and ensures that data processing is promptly halted in response. It is firmly aligned with Section 6(4) of the DPDP Act, which guarantees the right to withdraw consent at any stage, and Section 6(6), which places an obligation on both Data Fiduciaries and their processors to cease processing upon such withdrawal. Further, Section 8(7) reinforces this by mandating the erasure of personal data once the specified purpose has been fulfilled or consent has been withdrawn, unless a legal requirement necessitates retention. Collectively, these features underscore the BRD’s alignment with the DPDP Act’s core principles of user autonomy, purpose limitation, and data minimization.
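The validation step described above (purpose alignment, timestamp validity and consent status, with every outcome logged) can be sketched as follows. This is an added example, not code from the BRD or from this digest; the artifact field names, status values, reason strings and the hash-chained log are assumptions chosen for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" used by the first log entry


@dataclass(frozen=True)
class ConsentArtifact:
    # Hypothetical fields; the BRD's actual artifact schema is not shown on this page.
    principal_id: str
    purpose_id: str
    granted_at: datetime
    expires_at: datetime
    status: str  # "active" or "withdrawn"


class AuditLog:
    """Append-only log in which each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "record": record}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if entry["hash"] != self._digest(body):
                return False
            prev = entry["hash"]
        return True


def validate_consent(store, log, principal_id, purpose_id, now):
    """Deny by default; return (allowed, reason) and log the outcome either way."""
    artifact = store.get((principal_id, purpose_id))
    if artifact is None:
        allowed, reason = False, "no_artifact_for_purpose"  # purpose alignment
    elif artifact.status == "withdrawn":
        allowed, reason = False, "withdrawn"                # current status
    elif artifact.status != "active":
        allowed, reason = False, "unknown_status"
    elif now < artifact.granted_at:
        allowed, reason = False, "not_yet_valid"            # timestamp validity
    elif now >= artifact.expires_at:
        allowed, reason = False, "expired"
    else:
        allowed, reason = True, "active"
    log.append({
        "principal_id": principal_id,
        "purpose_id": purpose_id,
        "checked_at": now.isoformat(),
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


def run_demo():
    """Constructed sample data: three artifacts, four validation requests."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    year, month = timedelta(days=365), timedelta(days=30)
    store = {
        ("dp-001", "marketing_email"):
            ConsentArtifact("dp-001", "marketing_email", t0, t0 + year, "active"),
        ("dp-001", "personalisation"):
            ConsentArtifact("dp-001", "personalisation", t0, t0 + year, "withdrawn"),
        ("dp-002", "marketing_email"):
            ConsentArtifact("dp-002", "marketing_email", t0, t0 + month, "active"),
    }
    log = AuditLog()
    now = t0 + timedelta(days=90)
    requests = [
        ("dp-001", "marketing_email"),
        ("dp-001", "personalisation"),
        ("dp-002", "marketing_email"),
        ("dp-001", "analytics"),  # consent was never given for this purpose
    ]
    results = [validate_consent(store, log, p, purpose, now) for p, purpose in requests]
    return results, log


if __name__ == "__main__":
    outcomes, audit = run_demo()
    for outcome in outcomes:
        print(outcome)
    print("audit chain intact:", audit.verify())
```

A hash chain makes alteration of past entries detectable rather than impossible, so the latest hash still has to be anchored somewhere the logging system cannot rewrite.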

REGULATORY RED FLAGS: MISALIGNMENTS WITH THE DPDP ACT
Exclusion of Consent Managers: A Missed Opportunity for Decentralization and Trust

Despite the BRD’s strengths, a significant compliance gap emerges in its complete omission of Consent Managers—a role expressly envisaged under Sections 6(7) to 6(9) of the DPDP Act. These interme­diaries are intended to empower Data Principals by facilitating consent man­agement in a neutral, platform-agnostic manner. The BRD neither integrates nor acknowledges this statutory function, un­dermining the Act’s core objectives of de­centralization, user autonomy, and trust enhancement. This omission may also raise regulatory and operational concerns around excessive control being concen­trated with Data Fiduciaries, counter to the DPDP framework’s structural checks and balances.

Absence of Redressal Mechanism in Notice: A Compliance Gap

The BRD’s consent collection framework overlooks a key statutory requirement under Section 5 of the DPDP Act—informing Data Principals of their right to file a complaint with the Data Protection Board. While the notice stage appropriately covers the categories of personal data being processed, the purpose of processing, and the modalities through which individuals can exercise their data rights, it fails to include any reference to grievance redressal mechanisms. This omission dilutes the transparency and accountability objectives of the DPDP Act and may render the notice non-compliant with statutory mandates.

Inadequate Enforcement Mechanisms for Child Consent: A Regulatory Vulnerability

While the BRD makes a cursory reference to verifying guardian identity—suggest­ing mechanisms such as DigiLocker—it falls short of establishing a structured, verifiable consent mechanism as required under Section 9(1) of the DPDP Act. Critically, the document does not propose any enforceable procedures to obtain affirmative parental consent prior to pro­cessing a child’s personal data. Moreover, it entirely omits safeguards against be­havioural profiling or targeted advertising aimed at minors, thereby contravening the protective mandates of Section 9(3). This deficiency presents a significant compliance risk, especially for digital platforms operating in sectors such as education, entertainment, and gaming—domains with high child user engagement and elevated regulatory scrutiny.

Over-Reliance on Consent to the Exclusion of ‘Certain Legitimate Uses’: A Missed Opportunity for Lawful Flexibility

The BRD disproportionately centers consent as the exclusive legal basis for processing personal data, overlooking the broader spectrum of lawful grounds explicitly recognized under Section 7 of the DPDP Act for non-consent-based processing. These include vital exceptions such as processing for compliance with legal obligations, emergency medical interventions, employment purposes or the performance of state functions. By failing to incorporate these alternate legal bases, the BRD risks fostering a compliance environment that is overly restrictive and operationally inefficient. Such a narrow approach could lead to gaps in implementation, missed opportunities for lawful processing, and unnecessary legal exposure for entities relying solely on user consent.

Gaps in Data Retention and Withdrawal Enforcement: Risks to Compliance and Minimization

Although the BRD mandates that consent withdrawals take effect immediately, it overlooks the nuanced obligation under Section 6(6) of the DPDP Act, which re­quires Data Fiduciaries to cease—within a reasonable time—all processing activities by themselves and their Data Processors, unless such processing is legally autho­rized. While the BRD does acknowledge retention and erasure, it frames these as optional, configurable settings rather than mandatory defaults. This approach stands in contrast to Section 8(7) of the DPDP Act, which explicitly requires era­sure of personal data once the purpose is fulfilled or consent is withdrawn—unless continued retention is legally justified. The absence of enforced default erasure policies heightens the risk of prolonged or unnecessary data retention, thereby undermining both compliance and the fundamental principle of data minimiza­tion.

FIRM’S TAKE
  • For Data Fiduciaries, business leaders, and compliance officers alike, the implementation of a Consent Manage­ment System (CMS) should be viewed not merely as a statutory require­ment under the DPDP Act but as a long-term strategic asset within the organization’s broader data gover­nance framework. The introduction of the CMS under the DPDP regime represents a significant step forward in operationalizing consent-based data governance. By standardizing consent flows and introducing lifecycle-based controls, the government has sought to reduce compliance ambiguities and empower data principals with clearer rights and enhanced transparency. The Business Requirement Document (BRD) offers a foundational blueprint in this regard. However, its practical effec­tiveness hinges on rigorous execution. Organizations must integrate consent workflows into internal systems to facilitate real-time validation, main­tain audit trails, and ensure continuity during system or API failures. Intu­itive, user-facing dashboards should enable individuals to view, manage, and retrieve their consent history with ease, reinforcing trust.
  • Yet, as businesses align with this model, implementation gaps must be acknowledged—particularly the BRD’s assumptions around universal digital access and seamless API integration, which may not hold true for SMEs or digitally marginalized populations. Further, the BRD overlooks critical compliance components, such as veri­fiable consent mechanisms for children and persons with disabilities and fails to account for the statutory role of Consent Managers envisioned under Sections 6(7)–6(9).
  • Accordingly, organizations should not treat the BRD as a static checklist but rather as a dynamic, evolving frame­work that must adapt to legislative developments, demographic realities, and user-centric best practices. Pro­active measures—such as embedding fallback mechanisms, conducting DPIAs (for Significant Data Fiducia­ries), appointing DPOs or authorised personnel, and instituting regular audits—will be essential to building resilient, compliant, and future-ready data ecosystems.
EU AUTHORITY BLOCKS DATA TRANS­FER TO INDIA AND THE FUTURE OF CROSS-BORDER TRANSFERS FROM THE EU UNDER THE DPDP ACT
  • On 23rd April 2025, the European Data Protection Supervisor (“EDPS”), an authority under the EU, released its annual report, in which, under the ‘International Transfers’ section, it denied the request of the European Investment Bank (“EIB”) to transfer data, specifically contact details, to a number of non-EU countries including Brazil, India and Fiji. The brief reason stated by the EDPS in the said report was that there was not enough evidence and proof that these countries could guarantee the protection of individuals’ personal data in the same way that the EU does, otherwise known as an “essentially equivalent level of data protection” under the European Union’s General Data Protection Regulation (“GDPR”).
  • On 19th May 2025, a clarificatory state­ment was provided by the EDPS to a financial news agency stating that the denial of transfer to India was merely procedural, and not a verdict on the Digital Personal Data Protection Act, 2023 (“DPDP Act”). The EDPS further stated that the data controller (i.e. the EIB) could not demonstrate the presence of appropriate safeguards in accordance with the GDPR and accordingly recommended relying on “derogations” under the GDPR that are exceptions allowed for occasional, low-risk data transfers.
  • The EDPS has therefore clarified that the denial of the request for data transfer from the EIB in Europe to India was based on the lack of the necessary justification of the required legal safeguards by the EIB, and also noted that it has not carried out an ‘adequacy’ assessment of India’s upcoming legal framework, the DPDP Act. Such an assessment is, in any event, the responsibility of the European Commission (Commission) and not the EDPS.
  • Chapter V of the EU GDPR regulates international transfer from the EU to third countries and/or international organisations. Chapter V has been built on the premise that protection accord­ed to personal data under the GDPR should travel with the data.
  • While this instance has been clarified, it does trigger an important discussion on whether the DPDP Act framework will be considered by the Commission to be satisfactory and pass the muster of ‘Adequacy decisions’ under the EU GDPR, therefore allowing easier data flow from the EU to India. If not, reliance will continue to be placed on the alternative modes of cross-border data transfer from the EU under the EU GDPR, i.e. Standard Contractual Clauses and Binding Corporate Rules.
MECHANISMS FOR INTERNATIONAL DATA TRANSFER UNDER THE GDPR
  • The general principle under the GDPR pertaining to the transfer of data is to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. Accordingly, any transfer of personal data which is undergoing any ‘pro­cessing’ or is intended for processing after transfer to a third country or an international organisation should only take place under one of the protec­tive mechanisms set out in Chapter V. Overall, Chapter V places the following conditions to ensure that the level of protection of natural persons guaran­teed by the GDPR is not undermined by such data transfers:
    • Adequacy decision under Article 45
    • Appropriate safeguards under Article 46, and
    • Derogations for specific situations under Article 49
  • Under Article 45, data can be transferred to a third country where the Commission has issued an adequacy decision confirming that the country offers an adequate level of protection.
  • The adoption of an adequacy decision involves:
    • A proposal from the Commission;
    • An opinion of the European Data Protection Board;
    • An approval from representatives of EU countries;
    • The adoption of the decision by the Commission.
  • The Commission makes this decision based on various factors listed in Arti­cle 45(2) and 45(3) of the GDPR. These factors inter alia include the rule of law, respect for human rights, data protection rules, and international commitments the third country or in­ternational organisation concerned has entered into. While making this assess­ment, the Commission, in particular, must take into account the ‘effective and enforceable data subject rights’ for data subjects whose personal data are transferred. To date, fifteen (15) countries have been recognised by the Commission as providing an adequate level of protection. The effect of such a decision is that personal data can flow from the EU to a third country without any further safeguards being necessary.
  • In the absence of an adequacy deci­sion, international data transfer may take place subject to the appropriate safeguards provided under Article 46 of the GDPR and “on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” The appro­priate safeguards include binding corporate rules (“BCRs”) under Articles 46 and 47, and standard data protec­tion clauses (“SCCs”) adopted by the Commission.
  • SCCs enable GDPR-compliant data transfers to third countries with a non-adequate level of data protection through model contract clauses that have been “pre-approved” by the Commission. On 4th June 2021, the Commission, in view of the Schrems II verdict, issued modernised standard contractual clauses under the GDPR for such data transfers. These SCCs are solely intended to provide contractual guarantees that apply uniformly in all third countries and, consequently, independently of the level of protection guaranteed in each third country.
  • BCRs are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of un­dertakings or enterprises. These BCRs must include all general data protec­tion principles and enforceable rights to ensure appropriate safeguards for data transfers. BCRs require approval from the competent data protection authority in the EU that in turn must ensure the consistency mechanism set out in Article 63 of the GDPR.
  • Therefore, BCRs can only serve as a transfer tool within the data transfer of a group of companies, and single enterprises exporting personal data to non-adequate third countries can only use tools like SCCs for compliance with GDPR.
  • Lastly, in the absence of an adequacy decision and appropriate safeguards, the transfer of data may take place based on ‘derogations for specific situations’ set out under Article 49 of the GDPR. Article 49 lists specific derogations in sub-clauses (a) to (g), which include cases where the data subject has explicitly consented to the proposed transfer, where the transfer is necessary for the performance of a contract, or where the transfer is necessary for important reasons of public interest. These derogations are meant for occasional transfers and not routine exchanges.
MECHANISM FOR TRANSFER UNDER INDIAN LAW:
  • In India, the current regime of data protection is prescribed under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”). The SPDI Rules are rudimentary and rely heavily on consent and notice for collection, transfer and disclosure of personal data. The SPDI Rules are set to be replaced by the DPDP Act, which was notified in August 2023, but has not come into force yet.
  • As per the SPDI Rules, a body corpo­rate can transfer (including cross-bor­der transfers) personal information and sensitive personal data or information (such as password, financial informa­tion, sexual orientation etc.), after obtaining consent of the provider of information, unless such transfer is necessary for the performance of the contract between the body corporate or any person on its behalf and the provider of information.
  • The DPDP Act applies generally to the ‘processing’ of digital personal data. The term ‘processing’ is wide and is defined to mean wholly or partly automated operation or set of oper­ations performed on digital personal data including inter alia ‘storage’, ‘use’, ‘sharing’, ‘disclosure by trans­mission’, ‘dissemination or otherwise making available’ the personal data. Accordingly, any transfer of person­al data would qualify as ‘processing’ under the DPDP Act and would either be processed based on consent or non-consent (i.e., certain legitimate uses under Section 7 of the DPDP Act).
  • For cross-border transfer under the DPDP Act, the delegated legislation or ‘rules’ (which have not been introduced yet) will prescribe the countries that will be notified for restricted transfer of data outside India. The extent of these restrictions is not clear at this stage and will likely be prescribed through the rules themselves. Further, sectoral laws pertaining to data localisation or restrictions on the transfer of data must also be followed. Accordingly, sectoral regulations on data transfer restrictions or data localisation requirements, such as the RBI Directive on Data Locali­sation, will continue to apply to the sectors they regulate.
  • The EDPS also stated that “given the limited volume and the occasional character of the envisaged transfers, the EDPS recommended considering the use of derogations to carry out such transfers, decision that is ultimately taken by the controller.” Further, the EDPS said that it is currently not engaged in adequacy talks with India. If, in the future, it is consulted by the European Commission on a draft adequacy decision in relation to India, the opinion will focus on the assessment of both the general GDPR aspects of the draft decision, as well as on the access by public authorities of India to personal data transferred from the European Economic Area (EEA) for law enforcement and national security. This will further include legal remedies available to individuals in the EEA.
FUTURE OF DATA TRANSFER FROM THE EU TO INDIA
  • While the EDPS decision in this par­ticular instance (i.e. the EIB’s request) appears to be limited to the lack of the necessary justifications and safeguards provided by the EIB, it does trigger the question of whether India can meet the necessary standard on “essential equivalence” under the GDPR.
  • The EDPS, in its follow-up statement, said that it is currently not engaged in adequacy talks with India. As noted above, if, in the future, it is consulted by the Commission on a draft adequa­cy decision in relation to India, the opinion will focus on the assessment of both the general GDPR aspects of the draft decision, on the access by public authorities of India to personal data transferred from the EEA for law enforcement and national security, and legal remedies available to individuals in the EEA.
  • This raises concerns about whether the DPDP Act can offer the framework the EU trusts. The key considerations under the DPDP Act that may pose issues for adequacy assessments by the Commission are summarised below:
    • Access of public authorities to personal data – The DPDP Act provides broad exemptions to the state and its instrumentalities under Section 17 and does not provide any measures for review or necessary safeguards.
    • The Data Protection Board of India and its independence – The appointment and management of the Board will be carried out by the central government, thereby sparking concerns about its inde­pendence.
    • Cross-border transfers – The DPDP Act has not provided details on the necessary safeguards for personal data from India to outside India. There are also no measures pro­vided for cross-border transfer to territories or countries that may be restricted by the government.
    • Enforcement of Data Principal Rights – The DPDP Act requires the Data Principal to first exhaust the grievance redressal mechanism pro­vided by a Data Fiduciary before it raises a complaint before the Board. Additionally, the Board can also im­pose penalties on the Data Principal for false and fraudulent complaints. This raises concerns about the effec­tiveness of the DPDP Act to enforce Data Principal rights.
    • Lack of precedents – The Commis­sion must also examine case laws pertaining to effective adminis­trative and judicial redress for the data subjects whose personal data are being transferred, which at the moment is not available.
  • Unless the above issues, amongst oth­ers, are addressed, India will continue to be outside the purview of jurisdic­tions that ‘ensures an adequate level of protection’. This in effect is a road­block to businesses in India that want to partner with European companies. Taking necessary efforts in due time to meet the necessary requirements of an adequacy decision will help facili­tate safe and free data flows thereby promoting business between India and the EU.
ACCESSIBILITY REQUIREMENTS AND BRIDGING THE DIGITAL DIVIDE
  • Digitisation and the internet have be­come integral and fundamental to our daily lives. Right from critical services such as banking to somewhat lighter services like entertainment, the online world dictates how people live and thrive in society. Unfortunately, many people with disabilities in India do not have easy and equal access to such technologies. It has therefore become important to make digital accessibility a priority, not just from an ethical standpoint but a legal one as well. While digital accessibility as a legal re­quirement is already embedded within several regulations, there appears to be a disregard for its application and enforcement.
  • In this digital era, ‘the right to life’ under the Constitution must be interpreted along the lines of technological realities. The judiciary, while dealing with issues of accessibility for persons with disabilities (“PwD”), has expressed its discontent with such social marginalization and is taking measures to ensure equal access to all. Relevant orders and judgments by the judiciary have prompted various ministries to reinforce and uphold accessibility-related legal requirements amongst relevant stakeholders. For instance, the Ministry of Information & Broadcasting (MIB), through its recent advisory dated April 22, 2025, has called upon Online Curated Content Publishers/OTT platforms and their self-regulatory bodies to ensure accessibility of digital content for PWDs.
BACKGROUND  
  • Accessibility in the context of the dig­ital world refers to the design of prod­ucts, services, systems, technologies, etc., which ensures that all individu­als, including those with disabilities, can access, use, and benefit from them fully and independently. This includes not only physical access, but also access to information, communication, and digital platforms.
  • The United Nations Convention on the Rights of Persons with Disabilities (Convention) calls for an environ­ment which removes any barriers that hinder the full and effective partici­pation of PWDs in society on an equal basis with others and sets out explicit obligations of the States Parties to ensure accessibility. India is one of the first signatories to this Convention.
  • The Incheon Strategy, adopted by India in 2012, offers the first set of regional­ly agreed-upon inclusive development goals in order to make the rights of the PwDs a reality in the Asia-Pacific region.
LEGAL PROVISIONS
  • While the Constitution upholds various individual rights and ‘directive prin­ciples’, such as the right to life, right to equality, right to information, and right to education, which generally embodies the rights of PWDs, there is a specific legislation that gives effect to India’s adoption of the Convention. The Rights of Persons with Disabili­ties Act, 2016 (“RPWD Act”) and the Rights of Persons with Disabilities Rules, 2017 (“RPWD Rules”) recognise accessibility vis-à-vis digital space.
  • Specifically, Section 40 of the RPWD Act requires the Central Government, in consultation with the Chief Commissioner, to formulate rules for PWDs, laying down the standards for accessibility for the physical environment, transportation, information and communications, including appropriate technologies and systems, and other facilities and services provided to the public in urban and rural areas. A plain reading of this provision appears to indicate that it applies only to the government to ensure accessibility vis-à-vis public facilities and services.
  • However, Section 46 of the RPWD Act extends the applicability of Section 40 to private establishments as well. Sec­tion 46 states that the service provid­ers, whether Government or private, shall provide services in accordance with the rules on accessibility formu­lated by the Central Government under Section 40 within a period of two years from the date of notification of such rules. As per a 2022 order of the Court of Chief Commissioner for Persons with Disabilities, India, (“CCPD”) in the case of Rahul Bajaj Vs. Practo Technol­ogies Pvt. Ltd, the Court of CCPD stressed that the private establish­ments are also bound by the provisions of the RPWD Act.
  • Various other requirements and accessibility standards have been prescribed under Indian laws that are worth examining:
    • Section 42, RPWD Act: The appropriate Government must take measures to ensure that all content available in audio, print, and e-media is in an accessible format. It must also ensure that PwDs have access to e-media, through the provision of audio description, sign language, and close captioning, and to e-goods and equipment which are meant for daily use.
    • Rule 15, RPWD Rules: Under this, every establishment is required to comply with the following accessibility standards for Information and Communication Technology (“ICT”). Specifically, under Rule 15(c), the standards for ICT are as follows:
      • Website standard as specified in the guidelines for Indian Government websites as adopted by the Department of Administrative Reforms and Public Grievances, Government of India.
      • Documents to be placed on websites shall be in Electronic Publication/Optical Character Reader based pdf format.
      • Websites, apps, ICT based public facilities & services, e-goods & equipment meant for everyday use, etc., have to mandatorily comply with the Indian Standard IS 17802 (Part 1), 2021, and IS 17802 (Part 2), 2022, published by the Bureau of Indian Standards.
    • Appendix read with Rules 8 and 9, IT Rules, 2021: Publishers of news and current affairs, or of online curated content, have to observe the Code of Ethics which has been prescribed under the Appendix to Part III of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”). The Code of Ethics requires every publisher, to the extent feasible, to make reasonable efforts to improve the accessibility of online curated content transmitted by it to PwDs through the implementation of appropriate access services.
ROLE OF THE JUDICIARY
  • Suo-moto cognisance by the CCPD in Case No. CCPD/15519/1101/2024 and Case No. CCPD/15530/1101/2024:
    • The Court of CCPD had taken suo moto cognizance regarding the inaccessibility of websites, mobile applications, and other digital platforms of Government establishments and private establishments providing various goods and services online. Subsequently, private establishments providing goods and services online were advised by the CCPD to make their websites/apps and other digital platforms fully accessible to PwDs by ensuring compliance with the Guidelines for Indian Government Websites and BIS Standards IS 17801 Parts 1 and 2 in relation to Accessibility of Information & Communication Technology Products and Services.
    • Additionally, the CCPD also directed private establishments providing goods and services online to get their websites/apps audited for digital accessibility by an expert certified by the International Association of Accessibility Professionals. The establishments, both private and public, were further directed to submit a compliance report within 7 days, failing which the applicable penalty would be imposed under Section 89 of the RPWD Act, 2016. Lastly, the CCPD directed the establishments to provide their accessibility audit report with timelines to resolve accessibility barriers by 15th September 2024.
    • On 23rd August 2024, the Court of CCPD advised the UIDAI to report whether any steps have been taken to ensure that every PwD gets an Aadhaar. UIDAI was also directed to make the e-Aadhaar captcha accessible within 7 days. It was also observed that captcha is still a roadblock for many websites, and that if the first page is preventing access, then the compliance of the rest of the pages becomes a moot point.
    • The Court of CCPD further observed that payment systems are not ‘visually impaired friendly’. In this regard, the Reserve Bank of India was advised to issue, within 10 days, guidelines pertaining to accessibility. Lastly, the observations and recommendations in the proceedings dated 30th July 2024 were reiterated.
    • On 28th January 2025, the Court of CCPD observed that none of the parties (except a few private establishments) were compliant with the directions. The respondents were directed to submit an access audit report before 5th February 2025, failing which the Court of CCPD shall be constrained to impose a penalty under Section 89 of the RPWD Act. It was also directed that the compliance status (which will be displayed on the CCPD’s website) will be continuously reviewed by the Court of CCPD starting from March 2025.

  • Akshat Baldwa & Anr v Maddock Films Private Limited & Ors
    • Aggrieved by the lack of disabled-friendly accessibility features in the movies released on the OTT platforms, a writ petition was filed. The main arguments of the Petitioners were that the appropriate government, under the RPWD Act, is obligated to ensure that all content available in electronic media is in an accessible format, and that the PwDs have access to electronic media, including audio description and close captioning.
    • Through an order dated December 19, 2024, the Indian film production company, i.e., Maddock Films Private Limited, was directed to ensure that all movies released on OTT platforms are compliant with the RPWD Act and the IT Rules, 2021.
    • In furtherance of this order, MIB issued an advisory on April 22, 2025 (MIB Advisory), requiring the OTT platforms and their self-regulatory bodies to adhere to accessibility related provisions under the RPWD Act and IT Rules, 2021, for movies released on OTT Platforms.
    • The ‘MIB Advisory’ has been issued by the MIB under Rule 13(1)(d) of the IT Rules, 2021, which is the third level of grievance redressal mechanism, wherein it can issue appropriate advisories to publishers.
    • Taking into account the provisions pertaining to accessibility under the IT Rules and the order dated December 19, 2024, passed by the Delhi High Court in this case, the MIB Advisory states that OTT platforms should comply with provisions of applicable laws, including the RPWD Act, and the Code of Ethics under the IT Rules, 2021. Further, the self-regulatory bodies should ensure that the published content complies with the applicable laws.
  • Akshat Baldwa v. Yash Raj Films
    • A writ petition was filed, which highlighted the challenges faced by PwDs in accessing audio-visual content in both theatres and OTT platforms. The Delhi High Court observed that even private parties have to ensure that reasonable accommodation measures are taken to enable greater accessibility for the hearing and visually impaired persons.
    • While the MIB released guidelines for “Accessibility Standards in the Public Exhibition of Feature Films in Cinema Theatres” in 2024, news reports suggest that it is still in the final stages of drafting comprehensive accessibility guidelines for OTT platforms in a bid to promote inclusivity in the digital content space.
  • Pragya Prasun & Ors. v Union of India & Ors.
    • On 30th April 2025, the Supreme Court in this case held that the right to digital access is an intrinsic component of the right to life and liberty, which necessitates the State to proactively design and implement ‘inclusive digital ecosystems’, serving not only the privileged, but also the marginalized and historically excluded.
    • The writs were filed by acid attack victims suffering from facial disfigurement, and those suffering from one hundred (100) percent blindness, seeking directions to formulate rules and guidelines for conducting the e-KYC process, through alternatives, to ensure accessibility.
    • While the Respondents (such as the Reserve Bank of India, Pension Fund Regulatory and Development Authority, Department of Telecommunications, etc.) have put in place various mechanisms for PwDs, at ground level, the same is not being adhered to. The Petitioners pointed out their issues, including the following:
      • Digital KYC providers do not follow accessibility standards while designing their apps/websites.
      • Presently, thumb impression is not accepted by any of the digital KYC providers.
      • Biometric devices do not follow the IS 17802 Standard on Accessibility.
    • The court observed that while digital KYC is the new norm, most platforms do not provide accessibility, and do not take into consideration mobile impairments, intellectual disabilities, etc.
    • In order to make the process of digital KYC accessible to PwDs, the Supreme Court gave twenty (20) directions to the respondents and regulated entities, such as following accessibility standards, incorporating alternatives to the ‘blinking eyes’ test for KYC protocols, providing options for sign language interpretation, closed captions, etc.
FIRM’S TAKE

The MIB Advisory and the recent case laws are welcome initiatives towards enabling digital accessibility, inclusivity and equality. Unequal access to digital services, facilities, infrastructure and content continues to be a cause for concern that widens the gap for PWDs.

The Supreme Court in the Pragya Prasun case fittingly observed that “Bridging the digital divide is no longer merely a matter of policy discretion but has become a constitutional imperative to secure a life of dignity, autonomy and equal participation in public life.” Given the active involvement of the judiciary, coupled with legislative changes, there is promise of a better future for all citizens in the digital world.

Business Requirement Document For Consent Management Under the DPDP Act, 2023: https://d38ibwa0xdgwxx.cloudfront.net/whatsnew-docs/8d5409f5-d26c-4697-b10e-5f6fb2d583ef.pdf

European Data Protection Supervisor Annual report 2024, https://www.edps.europa.eu/system/files/2025-04/edps_annual_report-2024_en.pdf

General Data Protection Regulation, https://gdpr-info.eu/

About Author

Suvarna Mandal

Suvarna Mandal is a Partner at Saikrishna & Associates. She has over a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.