India

Universal Legal is pleased to announce that we acted as legal counsel to Stratechem (India) Private Limited, a leading manufacturer and exporter of chemicals, in acquiring 60% stake of S.L Organics a chemical manufacturing firm. The transaction marks a strategic milestone for Stratechem (India) Private Limited, strengthening its growth trajectory and providing them access to the factory located on MIDC  land in Amravati. The transaction was led by Apurva Agarwal, Partner, and Angshuman Chaliha, Associate Partner and Noopur Thakkar, Associate at Universal Legal.

We are pleased to announce that Argus Partners has acted as India counsel to Ampere Computing  (“Ampere”), a leading semiconductor design company specialising in high-performance, energy-efficient and sustainable AI compute built on the ARM platform, on its acquisition by Japan’s SoftBank Group Corporation (“SBG”). The acquisition was completed through SBG’s subsidiary, Silver Bands 6 (US) Corporation, for a total consideration of USD 6.5 billion. The team at Argus Partners advising Ampere consisted of Pallavi Kanakagiri and Anantha Krishnan Iyer (Partners). Read more at: Ampere Press Release, Softbank Press Release, NASDAQ, BusinessLine.

The Insolvency and Bankruptcy Code, 2016 (“Code”) was enacted in 2016 to unify India’s fragmented insolvency framework to ensure a time-bound Corporate Insolvency Resolution Process (“CIRP”). The jurisprudence of the Code since its enactment has been continuously evolving through frequent landmark judgments and regulatory amendment to address the procedural bottlenecks and lacunas in the practical application of the Code. The Lok Sabha on 12 August 2025 introduced the, Insolvency and Bankruptcy Code Amendment Bill, 2025 (“Bill”), which is the most comprehensive and substantial reform proposed since the enactment of the Code in 2016. KEY AMENDMENTS AND THEIR IMPLICATIONS Stricter Enforcement of Statutory Timelines and Removal for Judicial Discretion The Bill casts an obligation upon the Adjudicating Authority to dispose of applications under section 7,9 and 10 of the Code within 14 days failing which reasons for delay are to be recorded in writing. The amended sections mandate admission once (a) the default is established, (b) the application is complete, and (c) no disciplinary proceedings are pending against the proposed Resolution Professional. The judicial discretion of the Adjudicating Authority recognized in “Vidarbha Industries Power Ltd. v. Axis Bank Ltd”[1] has also been neutralised and dispensed with. Appointment of Interim Resolution Professional (Section 10 of the Code) In the case of voluntary application for insolvency under section 10 of the IBC, the Corporate Debtors right to proposes an Interim Resolution Professional (“IRP”) has been removed. The amendments enhances transparency and prevents the backdoor entry of erstwhile promoters or management. Upon admission of the Section 10, Application under the Code, the Adjudicating Authority will seek IBBI’s recommendation for an IRP. Restricted Withdrawal (Section 12A of the Code) Stricter compliances for withdrawal of CIRP applications have been proposed, which would permit withdrawal only after CoC has been constituted, there is a 90% vote of the COC in favour of the withdrawal, and the withdrawal is permitted only up till the first call for resolution plans. Further the Adjudicating Authority would also be required to dispose of such applications within 30 days. Enhanced Supervisory Role of CoC (Section 21) The CoC would be empowered to supervise the liquidation process conducted by the liquidator under Chapter III thereby strengthening creditor oversight. Transfer of assets of Guarantor of Corporate Debtor during process (Section 28A of the Code) Proposes amendment to section 28A of the Code permits Creditors of the Corporate Debtor who have taken possession of guarantors to transfer/sell such assets, and proceeds will form part of the CIRP or liquidation estate. Where the guarantor is also under CIRP/Liquidation or personal insolvency, the COC of the Guarantor must also grant approval (except during liquidation where approval is not needed if the creditor has not relinquished the asset under Section 52.) The sale proceeds shall form part of the corporate insolvency resolution process or the liquidation estate of the Corporate Guarantor Mandatory Minimum Amount for Dissenting Creditors (Section 30) Dissenting financial creditors shall receive an amount not less than the liquidation value or what they would receive under the plan if proceeds were distributed, whichever is lower, as determined under Section 53. This protects dissenting creditors while reinforcing the collective decision-making authority of the CoC, thereby reducing instances of strategic dissent and litigation over payout disputes. Opportunity to Rectify Defects: Two-Stage Approval of Resolution Plan (Section 31 of the Code) The Bill, introduces a proviso to Section 31(1)(a), to establish a dual approval process for the resolution plan. The Adjudicating Authority will (a)first approve the resolution plan for implementation and management of the corporate debtor, enabling it to resume operations as a going concern and (b) lastly within 30 days, a second order will be passed approving the distribution of proceeds to creditors. By separating implementation from distribution, the amendment facilitates quicker revival of the corporate debtor, preserves business value and employment, and minimizes delays and disputes over creditor payouts thereby ensuring a more efficient and timely resolution process. Further, the bill proposes that Adjudicating Authority may before rejecting a Plan, give notice to the CoC to rectify such defects. Avoidance of Preferential and Fraudulent Transactions (Sections 43–49) The look-back period for identifying preferential, undervalued, and extortionate transactions, has been revised to two years or one year from the date of filing, instead of from the date of admission, and to include the period during which a CIRP application is pending. The Bill further empowers creditors to initiate action where the Resolution Professional or Liquidator has failed to take action and the proceedings may continue even after the completion of CIRP, liquidation, or dissolution. Stricter Timelines The Bill mandates stricter timelines with the requirement that the Adjudicating Authority record its reasons for delay in concluding the following: Withdrawal of CIRP: within 30 days Liquidation/Dissolution orders: within 30 days Challenge to CIRP initiation: within 30 days Withdrawal of liquidation: within 14 days Other Key Changes Expanded definition of service provider to include all IBBI-regulated entities. • Extended moratorium under Section 14 to the liquidation stage. • Stricter penalties for frivolous litigation. • Government dues clarified as unsecured under Section 53. • Liquidation to be completed within 180 days, extendable by 90; voluntary liquidation capped at one year. • Interim Moratorium under Sections 96 & 124 not applicable for personal guarantors during resolution and bankruptcy. New Concepts Introduced Creditor-Initiated Insolvency Resolution Process (CIIRP) (Sections 58A–58K) The Bill introduces CIIRP for specified corporate debtors and financial creditors. The process may be initiated jointly by notified financial creditors having a 51% voting consent, after notice to the corporate debtor for 30 days. If uncontested, CIIRP starts with a public announcement. The Board of Directors remains in control under the supervision of the IRP/RP. Moratorium may be sought if approved by 51% creditors. CIIRP shall be completed within 150 days, extendable by 45 days. Failure or non-cooperation may lead to conversion into regular CIRP. Group Insolvency Framework (Section 59A) The Bill introduces the concept of coordinated resolution of multiple interconnected group companies belonging to the same corporate 'group' by allowing joint creditor committees, a common insolvency professional, and joint hearings before a single bench. This prevents duplication and maximizes recovery. Cross-Border Insolvency Framework The Bill introduces a globally aligned cross-border framework that will provide for recognition of foreign insolvency proceedings, cooperation between Indian and foreign courts, and coordinated resolution of multinational group insolvencies, thereby enhancing investor confidence. III. Concerns and Challenges Litigation Risks under CIIRP CIIRP, despite its aim of avoiding delay, may result in litigation regarding default verification, creditor documentation, and oversight. In the absence of detailed rules, this can become highly contentious. Rigidity in Withdrawal Rules Limiting withdrawal to post-CoC stage may discourage early settlements, undermining the Code’s objective of negotiated resolution where disputes can be resolved without formal proceedings. Uncertainty in Two-Stage Approval of Resolution Plant The second stage of approval of Resolution Plant for distribution may lead to fresh rounds of litigation, regulatory delays, and prolonged recovery especially for operational creditors. Mandatory Admission of Sections 7 & 9 Applications May Incentivise Malicious Filings Compulsory admission upon proof of default eliminates judicial discretion and, therefore, may motivate creditors to utilize insolvency for debt recovery purposes. Ambitious Timelines and Capacity Issues The proposed timelines of 14 days for admission and 180 days for liquidation may not be feasible due to the prevalent backlog with the Adjudicating Authority and shortage of qualified insolvency professionals. The Insolvency and Bankruptcy Code (Amendment) Bill, 2025 is a significant step toward a faster and more transparent, and globally aligned insolvency regime. By introducing CIIRP, group insolvency, and cross-border frameworks, it modernizes the Code and reinforces creditor empowerment. However, effective implementation will require detailed rules, institutional strengthening, and calibrated judicial oversight to prevent misuse and ensure that the reforms achieve their intended impact. [1] 2022 SCC OnLine SC 841

The Government of India has operationalized the Digital Personal Data Protection Act, 2023 (“Act”), through the notification of the Digital Personal Data Protection Rules, 2025 (“Rules”) on November 13, 2025. Together, the Act and the Rules have created India’s first privacy legislative text that confers new rights to citizens, such as the right to revoke consent for processing personal data, the right to correct and erase personal data and right to redressal against grievances relating to misuse of personal data. In this Article, we aim to provide a comprehensive breakdown of the newly notified Rules and explain its implementation. The Rules outlay a pragmatic, phased implementation schedule that gives institutions time to build governance capacity before the full-scale compliance begins. Nonetheless this period does not lessen the gravity of the forthcoming obligations and timely commencement of compliance preparations shall be determinative in preventing future lapses. THREE PHASED IMPLEMENTATION The Rules and the provisions of the Act are to be implemented in three phases, with the initial phase being effective immediately, the second phase to commence in twelve (12) months and the final phase commencing eighteen (18) months post notification. It is important to note that the first phase, which is now in effect is focused entirely on the establishment of the Data Protection Board (“Board”), the State’s adjudicatory machinery under the Act. This initial phase establishes the Board's structure, its composition, authority, and the appointment processes for its chairperson, members, officers, and staff. The next phase of enactment begins in November 2026, when the provisions relating to the registration of Consent Managers comes into force. Finally, the 18-month timeline, ending in May 2027, is the final and most crucial phase, activating all remaining provisions of the Act including the obligations relating to reasonable security safeguards, privacy notices, breach reporting, data erasure, and verifiable parental consent. CLICKWRAP TO CONSCIOUS CONSENT: One of the key requirements under Rule 3 mandates that data privacy notices be “presented and be understandable independently of any other information”, signalling the end of ‘clickwrap’ prompts where crucial terms are buried within lengthy privacy policies, which are accepted comprehensively by Data Principals through a single “I Accept” checkbox. Notices must instead now use clear and plain language with itemized descriptions of the personal data to be processed, the specific purpose linked to specific goods or services and explicitly address mechanisms for Data Principals to withdraw consent, exercise rights or file complaints with the Board. This itemized requirement forces businesses to abandon vague justifications like “improving our services”. This operates in the benefit of Data Principals and triggers substantial implementation work for Fiduciaries, spanning legal redrafting, UI/UX redesign and the development or modernisation of consent management mechanisms. MANDATORY SAFEGUARDS AND THE 72-HOUR BREACH REPORTING CLOCK: By mandating “reasonable security safeguards”, Rule 6 transforms the internal IT security measures from a voluntary best practice into a binding legal requirement. In particular, all Data Fiduciaries must implement, at a minimum, appropriate data security measures such as encryption, obfuscation, masking or the use of virtual tokens, while taking measures to effectively control access to the physical computer resources. Data Fiduciaries are required to retain access logs for a period of one year, which will necessitate corresponding investments in storage infrastructure and audit capabilities. Rule 7 operationalizes the most high-pressure obligation with a detailed, two-part breach reporting mechanism: (a) one with respect to notifying Data Principals and (b) with respect to notifying the Board. In the event of a personal data breach, Fiduciaries must notify the affected Data Principals without delay in clear language, outlining consequences and mitigation steps. Simultaneously, a report must be filed with the Board, which is further divided into two steps. An initial breach intimation must be sent without delay, followed by a detailed report within 72 hours starting from the point of becoming aware of the breach. This detailed report requires a comprehensive breakdown of the events, root causes and any findings regarding the perpetrators of the breach. This creates a unique dual clock scenario where legal and technical teams must meet this reporting standard while simultaneously complying with the existing 6-hour CERT-In mandate requiring the same incident to be reported through two separate disclosures. VERIFIABLE CONSENT FOR VULNERABLE PRINCIPALS: Rule 10 clarifies the mechanism for obtaining “verifiable parental consent”. It requires that before collecting or processing personal data of a child, the Data Fiduciary must ensure that the parent approves such collection and processing on the basis of reliable verification of the child’s identity and age. Reliable identity details may be retrieved from data already held by the Data Fiduciary or can be voluntarily provided through virtual tokens like Aadhaar Virtual ID and authenticated via digital locker services like DigiLocker. This establishes a de facto technical standard for parental verification tied directly into the India Stack ecosystem. While innovative, this presents significant integration challenges, particularly for non-Indian entities who must build entirely new workflows to accommodate these authentication requirements. These conditions are however subject to certain legitimate exemptions under Rule 12 and the Fourth Schedule to the Rules. Similar obligations are placed with respect to the data of persons with disability under Rule 11, wherein the Data Fiduciary must verify the guardianship status requiring the ingestion and verification of legal guardianship documents. SIGNIFICANT DATA FIDUCIARIES, ALGORITHMS, AND THE SUNSET CLAUSE: Rule 13 sets a higher burden for Significant Data Fiduciaries (“SDFs”). Going beyond Data Protection Impact Assessments (“DPIAs”), cross-border transfer restrictions and independent audits, the Rules also add the requirement to verify that any "algorithmic software" employed by SDFs do not pose risks to user rights. This effective inclusion of a continual algorithmic audit forces SDFs to scrutinize artificial intelligence and automated decision-making systems for possible bias or harm to Data Principals. These systems introduce an additional layer of complexity which grants Data Principals the right to access, correct, erase and nominate. SDFs must now ensure that the algorithmic systems they employ can also operationally support such user rights. Rule 14 also operationalizes the grievance redressal right by mandating Fiduciaries to establish an accessible 90-day grievance redressal system, which must be statutorily followed before a complaint may be escalated to the Board. This encourages companies to resolve most issues internally, thereby preventing the Board from being burdened with simple or frivolous complaints at the first instance. Further, Rule 8 provides for the data retention limits, mandating that data must be erased once its deemed purpose is served. CONCLUSION With a hard deadline of May 2027 set, the notification of the Rules signals a reset for India’s digital economy and the prevailing business logic that taught to capture as much data as possible, even if for undefined future use. The DPDP regime fundamentally inverts that model, replacing infinite data hoarding with a system based on purpose limitations and mandatory erasures. While the 18-month implementation window may appear generous, it practically offers little cushion for businesses that have not already begun reorienting their data handling practices. The operational overhaul from re-engineering user interfaces to integrating India Stack mechanisms, demands both institutional unlearning and substantial new infrastructure. Businesses may now have to dismantle legacy systems built on implicit consent and rebuild them around the strict architecture of privacy-by-design, a transition that requires more than just IT upgrades. With the Rules relying on qualitative thresholds like 'reasonable security safeguards' and 'demonstrable consent,' compliance under this new regime ultimately demands both robust engineering and strategic legal guidance that can navigate ambiguities and ensure technical implementations withstand regulatory scrutiny.