India

Introduction: A recent parliamentary session witnessed the mention of “Tokenization Bill” by Mr. Raghav Chadha, a member of Rajya Sabha. The suggestion is particularly interesting because while tokenization of real estate assets is not a very new concept in countries like the United States of America which witnessed a rise in real estate tokenization in the year 2018, it is still a budding concept in India. Contrary to the foresaid, the concept of tokenization vis-à-vis real estate gained traction in India around late 2023-early 2024. To give an understanding of real estate tokenization in one sentence- it will allow retail investors to buy real estate in bite sized portions. The concept involves use of blockchain technology to make a real estate asset divided into small digital tokens which are then offered for investment to the willing investor. In other words, it means dividing up a single property into small tokens that exist on blockchain which is a digital database used to record information in a secure way. Each token would represent separate ownership/claim when bought by different investors. Current position: Currently, India does not have a codified law governing and regulating the tokenization of assets such as real estate and intellectual property. Even though there is no specific authority which governs tokenization in India, currently, the International Financial Services Centres Authority (IFSCA) has taken the most definite steps to regulate tokenization within the zone designated as GIFT city International Financial Services Centre. The IFSCA constituted an expert committee on asset tokenization in September 2023 and have even issued a consultation paper dated 26thFebruary 2025 titled as “Regulatory Approach Towards Tokenization of Real-World Assets” whereby, they sought suggestions from the stakeholders to establish a regulatory framework for the “real world assets”. A codified tokenization law without a doubt has the potential to revolutionize the real estate investment market in India by reducing property disputes as the digitalization would bring about transparency in record keeping. The market would be open to the buyers even at a middle-income level as they would be able to invest in real estate by fractional ownership i.e. without having to buy the entire property, hence, resulting in a democratized structure. Tokenization also has the potential to boost real estate market in non-metropolitan cities in India, and this leap has the potential to enable the inclusion of common people in wealth creation. It could also prove fundamental in boosting technology-based startups thereby generating employment. The investors would be able to purchase real estate with the involvement of fewer intermediaries. This suggestion to codify tokenization law comes at a time where by way of a recent judgement dated 7th November, 2025, the Hon’ble Supreme Court of India, in the matter of “Samiullah vs. the State of Bihar” advocated the adoption of emerging technologies such as blockchain to ensure transparency in maintaining land records among other things and urged the Law Commission to examine the feasibility of adopting such technology. The Hon’ble court observedthat adopting blockchain technology could lead to restructuring and reviewing existing laws such as Transfer of Property Act, 1882, Indian Stamp Act, 1899, and Registration Act, 1908, Information Technology Act, 2000, Data Protection Act, 2023. The Hon’ble court has also observed that implementation of such technology with proper laws and safeguards has the potential to transform land registration into more secure, transparent and tamper proof system.   Key questions that need to be addressed before implementation of a codified tokenization law with respect to Indian market: It’s safe to say that implementation of tokenization bill would not come without its challenges considering India has a history of long-standing property disputes. India functions on a “buyer beware” model when it comes to real estate purchases meaning that the property records maintained by government authorities in India (such as mutation records) are not conclusive evidence of title, they are presumed to be true unless challenged. A buyer is required and advised to conduct comprehensive title search before buying any property by traditional methods. Now, having said that, while implementing a codified law for tokenization, the policy makers would need to address certain critical issues, for instance, the existing registration act requires any instrument transferring right, title and interest in an immoveable property to be compulsorily registered, in light of this the tokenization law would be required to address two very important challenges: the need for execution of a title document every time a willing investor buys a digital token and whether such instrument would also require registration. Additionally, drawing from the judgment “Samiullah vs. the State of Bihar”, the tokenization law would need to address whether the traditional record keeping be completely replaced with digital record keeping of the property offered for real estate token (RET) investments or would both methods exist in harmony? Currently, Real Estate Regulation and Development Act, 2016 (RERA) operates to ensure transparency in the real estate sector by regulating construction, development, sale, purchase of plots, buildings etc. With the implementation of a tokenization law, RERA’s role would need to be clearly defined specifically in cases where construction is undertaken over the piece and parcel of land which is offered as RET to a willing investor. The tokenization law must very clearly define the role of Securities and Exchange Board of India (SEBI) considering the RETs could be sold in real time similarly to the listed securities. Further, property laws are very state specific in India, and a centralized tokenization law needs to be implemented in a way which would operate harmoniously with the state laws.   Conclusion: With proper regulation and safeguards, tokenization can transform real estate ownership in India. Adoption of blockchain technology whether for tokenization or for maintenance of records to do away with colonial system of record keeping could prove revolutionary to the real estate market which India is in dire need of. It would be a very bold step towards financial inclusion in India. An ambitious approach towards tokenization may lead to complete digitalization of records ensuring transparency and potentially resolving India’s long standing title dispute challenges. However, the success of introducing tokenization into the Indian economy would depend on clear and harmonized framework, addressing interstate legal inconsistencies and clearly defining the role of each regulatory body in the tokenization framework by avoiding any regulatory overlaps. It remains to be seen whether blockchain can finally replace colonial ledgers in the long run.   Author: Shruti Choudhary (Senior Associate at Ahlawat & Associates)

By Prashanth Kumar Muddana Telangana State has witnessed a remarkable digital transformation in urban governance. The state’s building permission process — once plagued by manual delays and bureaucratic hurdles — has now evolved into an intelligent, AI-powered approval ecosystem known as BuildNow Telangana. This transformation marks a major leap toward efficiency, transparency, and smart urban planning. The Manual Era — Before 2015 Before digitization, building and layout permissions were handled manually by local authorities such as GHMC, HMDA, DTCP, and various Municipalities and Gram Panchayats. Applicants had to submit physical files and visit multiple departments for No Objection Certificates (NOCs). This process was time-consuming, lacked transparency, and was prone to inconsistencies and corruption. The Early Digitization Phase — 2015 to 2019 Recognizing the need to modernize, Telangana introduced early online systems such as OBPMS (Online Building Permission Management System) by GHMC and ODPMS (Online Development Permission Management System) by HMDA. These allowed online submission and tracking of building applications but had limited integration and required manual scrutiny. TG-bPASS Scheme — Telangana’s First Unified Digital System (2020–2024) In 2020, the Telangana Government launched TG-bPASS (Telangana State Building Permission Approval and Self-Certification System), a single-window platform for online approvals. It brought transparency, reduced human intervention, and provided instant approvals for small residential plots. Key highlights in TG-bPass, Scheme include: - Self-certification-based instant permissions - Online submission and tracking - Departmental integration for NOCs - Citizen convenience and transparency BuildNow Telangana — The AI-Driven Smart Era (2024–Present) With rapid urbanization and the exponential growth of building activity in Telangana, the Government recognized the need to enhance capacity, efficiency, and scalability in urban service delivery. In 2024, the State Government of Telangana introduced BuildNow Telangana, an advanced AI-powered building and layout approval platform replacing TG-bPASS. It integrates all departments under one system and uses artificial intelligence for faster, more accurate approvals. This next-generation integrated platform serves as a single digital window for processing all types of building and layout permissions, offering contactless and self-certification-based approvals. It is designed to deliver services within stipulated timelines, ensuring transparency and accountability at every stage. Building a Smarter Telangana BuildNow Telangana symbolizes the state’s evolution from manual file-based approvals to AI-enabled smart governance. Through this initiative, Telangana reinforces its commitment to efficiency, accountability, and innovation, ensuring that urban development keeps pace with the aspirations of its people and the momentum of its growth. Digital Governance and Citizen Empowerment The vision behind BuildNow Telangana is to provide citizen-friendly, technology-driven services that are both transparent and efficient. The platform leverages advanced IT infrastructure, AI-powered automation, and real-time digital tracking to create a contactless approval process that minimizes human intervention and maximizes reliability. By digitizing traditional workflows and enabling data-driven monitoring, BuildNow is helping to: Reduce delays and eliminate discretionary decision-making, Empower citizens through self-service digital applications, and Strengthen governance through integrated inter-departmental coordination. Collaboration and Future Vision The MA&UD Department continues to collaborate with national and international institutions to introduce global best practices in urban management. By focusing on innovation and data-driven decision-making, Telangana aims to: Develop transparent, citizen-centric, and cost-effective services, Simplify complex approval processes through one-stop digital access, and Enhance ease of doing business to accelerate state-wide growth and infrastructure development. Key Features of AI-Driven Automation in BuildNow: AI-Powered Drawing Scrutiny — Automatically checks uploaded plans for compliance with building codes and zoning laws. Automated GIS Integration — Validates land use, boundaries, and site details using real-time maps. Predictive Approval Analytics — Forecasts approval timelines and identifies workflow bottlenecks. Smart Workflow Automation — Seamlessly routes files to relevant departments digitally. Transparency and Tracking — Citizens receive updates and digital copies of permissions instantly. Data-Driven Planning — Enables better urban planning using aggregated data insights. Timeline of Evolution Before 2015 – Manual Local Systems: Physical files, multiple NOCs, and high delays 2015–2019 – OBPMS / ODPMS: Partial digitization, limited integration 2020 – TG-bPASS: Unified online approval and self-certification 2021–2023 – TG-bPASS: Enhancements including GIS integration, online payments, faster processing 2024–Present – BuildNow Telangana: AI-based scrutiny, unified digital platform Conclusion From manual file submissions to AI-driven automation, Telangana’s building permission journey showcases the power of innovation in governance. BuildNow Telangana represents a model of efficiency, transparency, and smart governance - transforming how citizens and developers interact with the government.

By Vanga Sai Keerthan Reddy INTRODUCTION The Indian insolvency framework continues to evolve to address the restructuring and resolution of companies unable to perform their operations due to overwhelming financial debt obligations and financial distress. A pivotal step in this process involves inviting resolution plans from prospective applicants and distributing proceeds as per the approved Resolution Plan. The recent Supreme Court judgment in Kalyani Transco Ltd v. JSW Steel Ltd[1] left open the issue of the distribution of EBITDA (Earnings Before Interest, Tax, Depreciation, and Amortization) accrued during the Corporate Insolvency Resolution Process (CIRP) of the Corporate Debtor. THE FRAMEWORK AND FINDINGS IN THE BHUSHAN POWER AND STEEL CASE In the ‘Kalyani Transco Ltd v. JSW Steel Ltd’ case, arising from the ‘Bhushan Power and Steel Ltd’ resolution process, the Supreme Court remained silent on the issue of EBITDA distribution, noting the absence of any statutory provision or precedent governing it. The creditors contended that they were entitled to the EBITDA, as they provided financial assistance for operations during the CIRP, while the Resolution Applicant argued that ownership and control of the assets and liabilities were transferred to them upon approval of the Resolution Plan by the Adjudicating Authority. The Court observed that the resolution plan had already been implemented after a significant delay. Entertaining new claims at this stage—described by the Court as “Hydra Heads Popping Up”—would undermine the sanctity and finality of the resolution plan, reiterating principles established in *Essar Steel Ltd v. Satish Kumar Gupta*. In ‘Essar Steel Ltd’, the Court held that profits or proceeds should be distributed as per the Request for Resolution Plan (RfRP). If the RfRP does not specify the treatment or distribution of such profits, they shall be retained by the Corporate Debtor. However, ‘Essar Steel’ dealt with the distribution of resolution proceeds, not profits generated during the CIRP. In contrast, ‘Bhushan Power and Steel Ltd’ is concerned with operating profits (EBITDA) generated before plan approval. This distinction reveals a legal lacuna that remains unresolved and open to future litigation. REFLECTIONS ON LAW Under Section 30 of the Insolvency and Bankruptcy Code, a resolution plan must be approved by (i) the Committee of Creditors (CoC) with at least 66% voting share and (ii) the Adjudicating Authority (NCLT). Once approved, under Section 31, the plan becomes binding and extinguishes prior financial obligations of the Corporate Debtor. A Successful Resolution Applicant (SRA) does not hold any ownership or control over the assets and liabilities of the Corporate Debtor until the plan is duly approved. Hence, the SRA cannot claim any interest in the Corporate Debtor’s earnings prior to that approval. Conversely, creditors cannot independently claim EBITDA unless it is recognized as part of the Corporate Debtor’s estate or distributed as per the approved plan. EBITDA represents the operational earnings generated by the Corporate Debtor during CIRP and forms part of the estate managed by the Resolution Professional. In the absence of explicit statutory guidance, the treatment of such earnings should ideally be addressed within the Resolution Plan approved by the COC. EXPERTS’ AND INSOLVENCY PRACTITIONERS’ VIEWS Upon commencement of the CIRP, the Resolution Professional assumes control over the management of the Corporate Debtor’s assets and liabilities. Creditors, who have extended loans in good faith, often face significant haircuts on their claims. Under Section 53 of the IBC—which governs liquidation distribution but is often referred to by analogy for fairness in CIRP—the interests of secured creditors and financial institutions must be carefully protected. These creditors, entrusted with public funds, play a crucial role in maintaining economic stability, and any losses sustained by them can have broader implications on the financial system. Hence, it is essential that the interests of financial and secured creditors be safeguarded in the distribution of any proceeds, EBITDA, interim profits, or net gains generated during the CIRP, prior to the approval of the Resolution Plan by the CoC. CONCLUSION The objectives and interests of financial creditors, operational creditors, and secured creditors must be protected to the greatest possible extent to ensure that repayments are recycled into the economy, strengthening financial health and safeguarding depositors’ rights. Legislative or regulatory amendments may be required to clarify the treatment and distribution of EBITDA and interim profits generated during CIRP. Such clarity would promote equitable treatment among stakeholders while upholding the principles of transparency and fairness envisaged under the Insolvency and Bankruptcy Code [1] 2025 INSC 1165

Lessons From The Apple Data Breach And Remedial Steps That Can Be Taken By India In Light Of The New Data Privacy Act By K. Sidharth Reddy   INTRODUCTION In an era where personal data is a currency as valuable as gold the Government has taken commendable steps towards protecting this aforesaid new age currency by enacting The Digital Personal Data Protection Act, 2023 and associated rules (“DPDPA”) with the aim to protect personal data, deter data aggregators from collecting more data than what is required and to ensure such breaches do not take place in India. The step taken by the Government to enact DPDPA is particularly relevant in light of the recent Apple Inc. (“Apple”) privacy breach that arose due to Apple’s voice assistant namely “Siri”[1] serves as yet another wake-up call. Apple, a company that has long prided itself on its commitment to security and user privacy, now finds itself at the center of controversy. The breach not only exposes vulnerabilities in even the most fortified digital ecosystems but also raises critical questions about how much control users truly have over their data especially with respect to voice assistants like Siri, as it continuously monitors conversations, potentially collecting sensitive personal data without explicit user consent. This undermines users' right to control their own information, exposing them to unauthorized data access and surveillance risks. This incident underscores the evolving nature of cybersecurity threats, the limits of corporate safeguards, and the urgent need for stronger regulatory frameworks. As we dissect the implications, one thing remains clear—data privacy is no longer a given; it’s a battle that must be fought continuously. IMPLICATIONS The recent breach of personal data by Apple’s Siri has raised concerns among users about the actual level of protection offered by technology companies, despite their claims of prioritizing data privacy. This incident is particularly alarming given Apple’s reputation as a leading advocate for user privacy in the smartphone industry. Furthermore, the settlement arrived at by Apple in the class action lawsuit[2] which prima facie amounts to a $95 million settlement but upon perusal of the finer details it can be discerned that individuals are entitled to receive a paltry compensation of $20 only upon satisfaction of the following conditions (“Relevant Conditions”): If the individual claiming the compensation has owned a Siri-enabled Apple device (such as an iPhone, iPad, Apple Watch, Mac, HomePod, or AirPods) in the United States between September 17, 2014, and December 31, 2024; and If the individual has experienced any unintentional Siri recordings during private or confidential conversations. An analysis of the Relevant Conditions highlights the limited nature of the compensation being awarded to the affected users highlights the value given to data privacy of the users and citizens as the paltry compensation can be further disputed by analysing whether a conversation can be deemed as “private” or “confidential”. However, data privacy should be of paramount importance to any company processing personal data as provided for under the California Consumer Privacy Act, 2018 (“CCPA”) and the California Privacy Rights Act, 2020 (“CPRA”)[3] which is the applicable law for Apple as the company is incorporated in California. The CCPA and CPRA (collectively referred to as “California Privacy Laws”) are akin to the European Union’s General Data Protection Regulation (“GDPR”)[4]. However, unlike the interpretation of GDPR by the European Courts which levies stringent deterrent penalties on any entity that breaches privacy of any individual in Europe, the American Courts did not interpret the penal provisions of the California Privacy Laws in a similar manner despite the similarities of provisions with GDPR and established precedents for levying exemplary damages. In this instant class action lawsuit against Apple, the American district courts elected to pass an award for damages which is more of a slap on the wrist despite a grave breach of privacy and utilizing personal data in an unauthorized manner. Despite the heightened awareness of data privacy in developed countries, citizens' personal data continues to be exposed to severe breaches, often with inadequate compensation. Thus, it is even more crucial for Indian legislators to deter such actions, given the insufficient awareness of data protection within Indian society. Hence, the onus falls on the Government to safeguard the valuable data of the world’s largest digital population which the DPDPA has been enacted for by the Government of India. In light of the above, we will be analysing the relevant provisions of DPDPA that companies need to adhere by to ensure that they are not affected by penalties and we will also analyse how the Indian legislators can modify the DPDPA to further protect data privacy in our country. ANALYSIS Relevant provisions of DPDA: Section 2(i): Definition of Data Fiduciary: A data fiduciary means any person who, either alone or in conjunction with other persons, determines the purpose and means of processing personal data. Section 2(j): Definition of Data Principal A data principal means the individual to whom the personal data relates. Section 3: Applicability and Scope The Act applies to the processing of digital personal data within India. It also applies to processing outside India where any entity offers goods or services to individuals in India. Section 4: Grounds for Processing of Data Personal data must be processed only for lawful purposes, in a fair and transparent manner, and only after obtaining free, fair, and unambiguous consent from the data principal. Section 5: Notice Collection of personal data must be limited to what is necessary for the stated purpose, as specified in the notice provided to the individual while seeking consent.  Section 6: Consent Consent for collecting personal data must be free, specific, informed, unconditional, and unambiguous, expressed through a clear affirmative action. It must indicate agreement to process personal data for a specified purpose and be limited to data necessary for that purpose. Such consent must be easily withdrawable, and upon withdrawal, data processing must cease within a reasonable period. Section 8: General Obligations of Data Fiduciary Data fiduciaries are required to implement reasonable security safeguards to prevent personal data breaches. They are solely liable for damages if any provision of the DPDPA is breached during the collection or processing of personal data. Section 10: Additional Obligations of Significant Data Fiduciaries The Government may notify a data fiduciary as a “Significant Data Fiduciary” based on factors such as the volume and sensitivity of personal data processed, risks to data principals or democracy, and concerns relating to state security or integrity. Once classified, such fiduciaries are subject to additional compliance requirements, including appointing a Data Protection Officer, conducting audits, and meeting other obligations prescribed under the DPDPA. Section 11: Right to Access Information about Personal Data Data principals have the right to access their personal data and obtain information regarding how such data is being processed. Section 12: Right to Correction and Erasure Data principals may request correction, updating, completion, or erasure of their personal data. Section 13: Right to Grievance Redressal Data principals have the right to file complaints with data fiduciaries in case of violation of their rights. The grievance redressal mechanism must be simple and accessible. Section 18: Data Protection Board The Data Protection Board is the regulatory authority constituted under the DPDPA to handle complaints, ensure compliance, and impose penalties. Section 33: Penalties The DPDPA provides for monetary penalties for breaches of its provisions, which may extend up to INR 250 crore. Such penalties are credited to the Consolidated Fund of India. Upon a brief analysis of the relevant provisions set out above it can be noticed that the DPDPA has incorporated the basic tenants of GDPR and California Privacy Laws including exemplary damages for breach and misuse of personal data, thus it is important for companies who intend to collect data to take comprehensive steps to be in compliance with DPDPA including but not limited to taking the following steps: Preparation of a consent notice and privacy policies in line with provisions of DPDPA; Ensuring technological measures are implemented to track the consent being provided along with scope of the consent being provided thus ensuring the data being collected does not exceed the scope of consent being provided; and Should be aware of the sensitivity of personal data being collected and implement technological measures to safeguard personal data for avoiding any breach of the same which in turn could lead to the companies attracting exemplary penalties. While the above actions can be taken by companies who fall under the definition of data fiduciaries, the Central Government could take further steps towards improving the protection afforded to the citizens of India by amending provisions of DPDPA as outlined in the recommendations below. RECOMMENDATIONS Pursuant to the above analysis, the following actions are recommendable to be taken by the Central Government for further protecting the citizens of India: Data collection tax: To ensure companies adhere to a fundamental tenet of the DPDPA—limiting the collection of personal data—it is essential to enforce appropriate consequences. A viable approach is to introduce a data collection tax, wherein data fiduciaries are taxed based on the volume of data they collect. This would incentivize them to restrict data collection strictly to what is necessary for their business purposes. Prescribing relevant technological measures to protect personal data from any breach: While the DPDPA mandates the implementation of technological measures to protect personal data, it lacks quantifiable guidelines for micro, small, and medium-sized enterprises (MSMEs) to understand the necessary measures for compliance. To address this, the Central Government could establish a committee of technological experts to develop clear guidelines, ensuring that all data fiduciaries can effectively adhere to the DPDPA's provisions. Utilization of the penalties being levied in a transparent manner: Section 34 of the DPDPA mandates that penalties imposed under Section 33 be credited to the Consolidated Fund of India. It is crucial to ensure that these funds are used for the welfare of data principals, including compensation for privacy breaches and their consequences. Therefore, the Government should establish guidelines ensuring transparency in the utilization of these funds, specifically towards enhancing the protection of privacy and personal data. CONCLUSION The Apple Siri privacy breach is a stark reminder that even the most privacy-conscious tech companies are not impervious to data vulnerabilities. While regulatory frameworks like the CCPA, CPRA, and GDPR establish strong data protection standards, inconsistent enforcement raises concerns about corporate accountability. India’s Digital Personal Data Protection Act, 2023 marks a significant step in India toward strengthening data privacy, ensuring that companies are held accountable and user data is safeguarded. However, for the DPDPA to be truly effective, it must go beyond mere compliance mandates. Stronger enforcement mechanisms, transparent utilization of penalties, and well-defined technological safeguards are essential to prevent data misuse and protect user privacy. As the digital landscape continues to evolve, both regulators and corporations must remain proactive in upholding data protection as a fundamental right as recognized by the Indian judiciary—because in today’s world, personal data is not just information, it is power. [1] https://www.forbes.com/sites/moinroberts-islam/2025/01/03/siri-privacy-breach-apple-to-pay-95m-settlement-amid-spying-claims/ [2] Lopez et Al. v. Apple, 19-cv-04577-JSW (N.D. Cal.) [3] Cal. Civ. Code §§ 1798.100–1798.199.100 [4] General Data Protection Regulations, (EU) 2016/679.