In this Eminent Conversation, Mr.Supratim Chakraborty , Partner at Khaitan & Co, speaks with Mr. Chirkankshit Bulani* about his remarkable journey from a science student to becoming one of India’s leading voices in data privacy and technology law. Reflecting on his formative years, professional milestones, and the evolving landscape of AI and digital regulation, he shares insights on mentorship, responsible innovation, and the future of India’s privacy framework under the Digital Personal Data Protection Act (DPDPA).

 

1. Personal Journey & Motivation

Q: You began your academic journey in science before transitioning to law. What inspired that shift, and how has your scientific background influenced your thinking as a legal professional?

In my +2, I opted for the science stream which gave me a background inclination towards technology. However, given the day and age, it is the bent of  one’s mind which is a driving factor. The second factor was that during my initial days, I worked at a boutique firm which was engaged in technology law where I responded to client queries on technology, data and related issues. Overall, it was a cumulative factor.

Q: When you joined Khaitan & Co, the Mumbai office was still developing. What were the early challenges and learnings from being part of that growth story?

When I joined Khaitan, it was a growing, upcoming firm. Starting small, it was a great journey due to the close-bonding between the team members, the learning which has been very cohesive to this date. One of the primary factors is the culture, which is the bedrock of the Firm, is quite different from other law firms. From January 2011 to until now, I relate to the closely bonded culture which makes Khaitan & Co different.

Q: Looking back, what personal values or habits helped you stay motivated through the more challenging phases of your career?

As I mentioned earlier, it is the culture, the human values which are here at the Firm. I don’t think many organizations deal with the ‘culture part’ in the same manner. We have to be top-notch in the areas we practice in, however at the same time, we must not forget that we are humans. I recall the Covid period, when we had one or the other team members falling sick, all of us became safety nets for each other. We never let the client realize this, ensuring seamless delivery. We were always standing with each other, helping out team members and their families. This was particularly an eye-opener for me, being the epitome of the caring culture at Khaitan & Co. 

2. Professional Growth, Leadership & Achievements

Q: From corporate M&A to becoming a recognized voice in data privacy and technology, how did you build niche expertise in this evolving area?

Well, the M&A work is still there as a part of the work we do, but as I mentioned my first workplace, there were a lot of technology related queries from clients. I myself was quite inclined on this from my college days. But that was a factor which nudged me to think towards data and technology laws. Reading on foreign legislations and certain sectoral legislations in India, I did spot a dire need, but at that time, country wasn’t ready to understand the need for data privacy. Thankfully, we have seen the ecosystem come into existence and mature to understand the relevance of data privacy.

Q: What have been some of the most defining or proudest milestones in your legal career so far?

Well, thinking about that, joining Khaitan & Co was a pivotal moment. Before that I was in a boutique firm, and that allowed me to channelize my thoughts about what I want to do. And Khaitan & Co was very supportive of this. That might be the reason that I have been able to establish a practice which is among the most respected and prominent in the country. Another defining milestone was my decision to join law school in Pune. At that time, unlike today, many of us were still exploring our career paths, and choosing to study law there set the foundation for everything that followed.

Q: You’ve often spoken about the importance of mentorship. How do you now mentor young professionals in your team, particularly in specialized areas like data privacy?

When it comes to data privacy, there is no alternative to reading legislations like GDPR. For conceptual clarity, it’s a great starting point, preparing you to deal with future scenarios. It is also important read the journey of data privacy in India, since we have to primarily deal with the Indian jurisdiction. These are the first stepping stones. But I also tell them that data privacy must not be a practice area on a standalone basis, and explore ancillary areas such as cybersecurity and AI, so you are not siloed, but are a well-rounded tech law professional.

 

3. Evolving Role of AI in India

Q: How do you think AI will grow in India in next 5-7 years?

I think the wave has already begun, and it would be quite dramatic in the next few years for both law and law practice. Almost every area of law has an influx of tools. However, I believe we need to have better training modules for juniors joining the profession. It is making life easier, but they must learn to use AI responsibly and not miss out on ground level training. It is our responsibility to ensure that they are taught to adopt AI through a gradual and responsible shift. 

Q: What is your take on the divide in the legal fraternity about the adoption of AI, where one particular group welcomes it while the other group expresses apprehension?

I think AI’s role is steadily gaining acceptance, but the concerns raised about it are not unfounded. One must be very thorough with their checks while using AI, because the zone of knowing to the zone of not knowing but still relying on what you are getting as an output is a very tricky area. It might even cause one to hallucinate. Considering the journey we are in, it is advisable to cross-check the output you get, and the reviewer must be thorough with the subject, since they cannot rely on something they are unaware of.

Q: With AI now being deeply integrated in Data protection, e.g. Modern LLMs training on data, after which the data is consumed and consent revocation for data is not possible, how do you see these contradictions being settled?

This issue is not unique to India but a global one. Because most data protection laws were enacted before the rapid rise of large language models (LLMs), their application to such technologies is still taking shape. Consent revocation after model training, for example, presents a particularly complex challenge. Encouragingly, a variety of privacy-enhancing technologies and technical approaches are being developed to address these concerns. For instance, when data is aggregated and anonymised, it generally falls outside the scope of data protection laws. Under the DPDP Act, there is also an exemption for research activities, which in some circumstances may be relevant to AI-related processing. Beyond consent revocation, areas such as data minimisation and lawful grounds of processing also highlight the friction between deploying AI technologies and meeting data protection principles. Nevertheless, both globally and in India, the trend is toward practical, balanced solutions that support innovation while maintaining robust personal data protection—rather than treating these objectives as mutually exclusive.

 

4. India’s Data Privacy Landscape 

Q: Moving on to India’s privacy landscape, given that the DPDP rules haven’t been notified yet. Once the DPDP Act comes into effect, what will be its impact on cross-border transfers and address the jurisdictional challenges?

The first thing, is that when the DPDP Act was redrafted, its ethos was very clear. It is important to protect an individual’s personal data, but that shouldn’t hinder genuine innovation, entrepreneurship, and ease of doing business (to the extent possible). Looking at the DPDP Act itself, the Act allows for cross-border data transfer, with the caveat that the government can restrict transfer of personal data to certain jurisdictions. Secondly, if there is a stricter law in this regard (such as in finance or healthcare), that will prevail over the DPDP Act. I believe these are fair guardrails, but the intent is not to create hindrances around transfer of data.

Q: Given how modern day MNCs operate in multiple jurisdictions and that we do not have a uniform international legislation on data protection, how do you think it will play out?

I believe that this issue exists even today, and the solutions MNCs would have to devise is according to the jurisdiction they operate in. Two ways are there that I can think of, one is abiding by the strictest of the law to ensure compliance with the less-stricter jurisdictions, and second is following a siloed approach, by ensuring compliance with whatever region the MNCs are operating in, differing it with each jurisdiction.

Q: Do you think the DPDP Act strikes the right balance between imposing meaningful obligations on organisations to protect personal data while still allowing for practical and manageable compliance?

If one looks at the drafting, it takes a middle of the road approach, having principle-based and rule-based approaches. Some places there is granularity when read along with the rules, and in some places, there is leeway given about exact compliance, but if principles are followed, that would be fine. 

5. India’s Regulatory Landscape & the Road Ahead

Q: In your opinion, which are the 2 biggest shortcomings of India’s digital privacy landscapes which need resolution to achieve the purpose of the DPDPA?

I would not call them as shortcomings, but point of concerns which need to be ironed out along the way. The first is in the context of data breach reporting. Looking at it, this is a bad day for an organization which has just suffered from a data breach or a cyber-incident. We are expecting them to report to the CERT-in (Computer Emergency Response Team of India), which has to be reported within 6 hours, with an additional obligation to report to sectoral regulator if it is applicable. On top of it, they have to report twice to the Data Protection Board as per the DPDPA, along with the individuals. I would wish to make lives easier for these organizations given they have already had a bad day. If they can make one reporting for regulators, which can reduce the compliance burden. The second concern is some of these aspects which are hanging like a sword on top of organizations. For example, who would be Significant Data Fiduciaries? Or which countries would be in the negative list of no-cross border data transfer ? The sooner these are clarified, the better, given there would be more time for compliance and being ready for business.

Q: Given that the DPDPA doesn’t create distinction between kinds of data, in your opinion, which way would the Indian landscape opt for? A sectoral one like the US, which has legislations like HIPAA or creation of distinctions within the DPDPA itself?

I don’t believe we have scope for distinction within the DPDPA itself, as it was always supposed to be a mother umbrella legislation. Under it, sectoral legislations are supposed to play their own role. If one were to consider DPDPA, it has a flat structure, considering all kinds of personal data to be handled in the same matter. One should interpret the law with a practical lens, keeping in mind its intent and recognising that its application will depend on several factors. For example, if one were to consider the penalties, its not like if there is a data breach, one is supposed to pay INR 250 Cr as penalty straightaway. Before that there are certain factors which determine the rigor of the law. Factors like repetitiveness of the breach, impact of the penalty on the organization, nature of the data involved, etc. would be of consideration. It pushes one to think that if the nature is sensitive like Aadhar or PAN, we must protect it more dearly. On the practical aspect, we must have extended protection for sensitive data.

 

6. Reflections & Guidance for Young Professionals

Q: What qualities do you look for when hiring or mentoring juniors in your team?

When I hire or mentor juniors, the first thing I look for is a clear and authentic story, a sense of purpose and consistency in their choices. It is perfectly fine for interests to evolve over time, but it helps when a candidate can explain how their experiences, internships and projects have led them to the role they’re seeking. A CV that reflects exposure to corporate law through internships or coursework shows intentional preparation and direction. Equally important is the ability to substantiate what’s on the CV. If you’ve listed a skill or area of experience, be prepared to discuss it in depth, it signals genuine engagement and builds trust. Overall, I value curiosity, clarity of purpose, and the willingness to learn, because these qualities not only make a candidate stand out but also set them up for success in the profession.

Q: What do you expect from an intern working under your guidance?

Honestly, as an intern or even a junior lawyer, it is the intent to work. Nobody expects top-notch or 100% refined work, but if you have the hunger to do the work, to jump into it, to work hard, to find out what is possible  that is what matters. If you ask me that one super-important aspect, is the hunger and the intent to do the work.

Q: If you could revisit the early years of your career, what’s one advice you would give to your younger-self?

If I could give my younger self one piece of advice, it would be to prioritise work–life balance. When I started out as a corporate M&A lawyer, my schedule often meant getting home at 4 a.m. and returning to the office after only a quick shower. Over time, I realised how much this affected my family life, social life and overall well-being. Today, I consciously reserve my weekends, take long walks by the lake as “me-time” to reset for the week, and spend quality time with my family. I’ve come to believe that, rather than seeing work and life as opposing forces, we should aim for a peaceful coexistence of both. Some downtime and deliberate “rebooting” are essential for every professional to sustain energy and perspective over the long term.

Q: How is your vision towards the future as a work professional in India’s digital privacy landscape, and what is your one advice to professionals who join this landscape?

When I look at the future, I see that it will not be one kind of work, but rather technology as a bigger umbrella, having data privacy, cyber laws, AI, Intermediary liability and more. This is the trend we are observing, and the advice is that, be proficient in most of these areas, looking at it as a larger ecosystem, aware of all the elements inside it.

*Interview conducted by Mr Chirkankshit Bulani, Intern at CLAonline and a 4th year student at Rajiv Gandhi National University of Law, Punjab