
Caught on Tape: How SEBI’s Own Rules Create a Privacy Time Bomb

  • Aviral Joshi

[Aviral is a student at the National Law Institute University Bhopal.]


On 25 March 2026, SEBI cancelled the certificate of registration of Rajiv Kumar Singh, proprietor of Elite Investment Advisory Services, for a catalogue of violations spanning fraudulent inducement of clients, obstruction of inspection, and regulatory non-compliance. Singh had been operating with over 1,400 active clients while registered as an individual adviser, a category capped at 150. His employees were promising guaranteed returns and loss recovery to extract fees. When SEBI’s inspection team arrived at his registered office in January 2024, Singh directed all staff to leave the premises, deleted data from his laptop, and withheld records from the inspection team. There were 174 complaints from 42 unique clients with no evidence of resolution. The order, running to twenty-four pages, is in many respects unremarkable enforcement fare: an adviser promising assured returns, charging excess fees, maintaining no records, and directing employees to flee the premises when SEBI inspectors arrived. What deserves closer attention, however, is buried in paragraph 52: the finding that SEBI’s inspection team relied on call recordings of the noticee’s employees to establish that assured returns and guaranteed loss recovery were being promised to clients. That single evidentiary fact opens a question the order does not address and that Indian securities regulation has yet to seriously confront: if a regulated entity is legally obligated to record client communications, and that data is then accessed and deployed by SEBI as enforcement evidence, then where does regulatory compliance end and data protection law begin?


The Record-keeping Mandate and Its Practical Implications


Regulation 19 of the SEBI (Investment Advisers) Regulations 2013 (IA Regulations) requires investment advisers to maintain extensive client records, including investment advice provided “whether written or oral” and the rationale for such advice, duly signed and dated. Building on this, the SEBI Master Circular for Investment Advisers (15 June 2023) (Master Circular) further requires IAs to maintain records of client communications as part of their compliance infrastructure. However, neither the IA Regulations nor the Master Circular defines what qualifies as a “communication” or specifies the format in which oral advice must be captured, leaving IAs to determine, without regulatory guidance, how to satisfy a mandatory record-keeping obligation that has significant downstream privacy consequences. For a retail-facing IA of the kind operating in tier-2 and tier-3 markets, like Elite Investment Advisory Services with over 1,400 active clients, this record-keeping mandate effectively compels the systematic recording of client calls.


This need for systematic record-keeping is deliberate. SEBI’s inspection framework is premised on the availability of precisely these records. Regulation 25(1) of the IA Regulations obliges every IA to “produce to the inspecting authority such books, accounts and other documents in his custody or control” as the authority may require. The entire enforcement architecture, in other words, rests on the assumption that the IA continuously collects, stores, and produces client communication data.


Where the DPDP Act Enters


The Digital Personal Data Protection Act 2023 (DPDP Act) disrupts this assumption in ways that remain under-appreciated. The Act defines “personal data” broadly as any data about an identifiable individual, encompassing a client’s investment objectives, income details, risk appetite, and financial circumstances, all of which flow through advisory calls. More importantly, the DPDP Act requires a “data fiduciary” (which an IA would be, as an entity processing personal data) to obtain free, specific, informed, and unambiguous consent before collecting and processing such data, or to establish that processing falls within one of the legitimate uses enumerated under Section 7.


The SEBI order makes no mention of whether Singh obtained clients’ consent before recording calls. Given that the same order records his failure to execute client agreements, maintain KYC records, or conduct any onboarding process, the absence of a consent mechanism is a reasonable inference. Even if clients impliedly consented by engaging with the adviser, implied consent does not satisfy the DPDP Act’s requirement of free, specific, and informed consent. Thus, the absence of consent not only accompanies the regulatory violations already established: it independently compounds them.


The problem for IAs is structural. Recording client calls for regulatory compliance is not straightforwardly captured by any of Section 7’s legitimate use categories. The provision most relevant is Section 7(b), which covers processing for compliance with any law for the time being in force in India, and could arguably cover mandatory record-keeping. However, while the DPDP rules were notified on 14 November 2025, the operative bulk of the rules, including consent obligations, notice requirements, and data principal rights, are subject to a staggered commencement and do not come into force until May 2027. The legal question of whether mandatory sectoral record-keeping qualifies as a lawful basis under Section 7(b), therefore, remains untested and unresolved, leaving investment advisers to navigate this gap without any regulatory guidance for the foreseeable future. What this means in practice is that an investment adviser recording client calls without a consent notice, a privacy policy, or a data processing agreement may simultaneously be complying with SEBI’s record-keeping mandate and violating the DPDP Act. This is not a hypothetical tension. It is the daily operational condition of most retail IAs in India.


SEBI’s Access: The Regulatory Exemption


SEBI’s own use of the call recordings during inspection stands on stronger legal ground. Sections 17(1)(b) and 17(1)(c) of the DPDP Act provide the relevant exemptions: the former covers processing by a body entrusted with regulatory or quasi-judicial functions, and the latter covers prevention, detection, and investigation of offences, both of which a SEBI enforcement inspection satisfies. Additionally, Regulation 25’s inspection powers provide the statutory basis for compelled production. Therefore, the argument that SEBI’s access to call recordings during enforcement constitutes a privacy violation is unlikely to succeed, and the order in the present case does not raise it, unsurprisingly, given that the noticee chose non-participation over legal challenge.


However, the regulatory exemption that shields SEBI’s use of the data does not address the fundamental question of whether the IA’s collection of that data was lawful. There is an uncomfortable irony here. The very records that expose the fraudulent conduct, employees promising assured returns in violation of SEBI (Prohibition of Fraudulent and Unfair Trade Practices relating to Securities Market) Regulations 2003, may themselves have been generated through a data collection process that lacked the consent architecture the DPDP Act requires. In effect, the fraud is proved through evidence that is itself potentially tainted. Courts and regulators in other jurisdictions have grappled with the admissibility consequences of such “double illegality” in regulatory proceedings; Indian law has not yet been tested on this point.


The Digital Evidence Problem


A second, distinct concern arises from the order’s silence on evidentiary authentication. The Bharatiya Sakshya Adhiniyam 2023 (BSA) tightens the requirements for the admissibility of electronic records compared to its predecessor. Under the old Section 65B of the Indian Evidence Act 1872, a single certificate from the person responsible for the device sufficed. In contrast, Section 63 of the BSA now mandates a two-part certificate: Part A from the party producing the record, covering device details and hash values, and Part B from an independent expert attesting to the record’s integrity. Thus, call recordings, being electronic records, should ordinarily satisfy this threshold before being relied upon in a quasi-judicial proceeding.


The order proceeds on the basis of the Designated Authority’s findings drawn from call recordings without any recorded discussion of their authentication. Since the noticee never contested the proceedings, the recordings were admitted without scrutiny, but this gap may not survive challenge in a contested case. As SEBI increasingly relies on digital forensics in enforcement proceedings (call recordings, WhatsApp messages, social media posts, trading algorithm logs), the absence of a clear framework for admissibility and authentication in quasi-judicial proceedings is a gap that will eventually need to be addressed, either by SEBI through its internal procedures or by SAT through appellate adjudication.


The Obstruction Dimension and What It Signals


The facts of the Elite case also illustrate the digital evidence problem from the other side. The inspection team recorded that the noticee deleted data from his laptop during the inspection. This act of on-site data destruction in the face of a regulatory inspection is treated in the order as a violation of Regulation 25: non-cooperation and deliberate obstruction. It is that, but it is also more. In a context where SEBI’s enforcement increasingly depends on electronically stored information, the vulnerability of that information to real-time destruction during inspection is a structural weakness. Other regulatory frameworks (the Competition Act 2002’s dawn raid provisions, for instance) have developed more robust procedures for forensic imaging and data preservation during inspections. SEBI’s IA Regulations do not appear to contain equivalent protections, and the present case demonstrates why this matters.


Conclusion


The cancellation of Elite Investment Advisory Services’ registration is a proportionate and well-reasoned enforcement outcome. The violations were serious, systematic, and ultimately uncontested. However, the order inadvertently surfaces a regulatory design problem that deserves attention in its own right. SEBI’s IA framework mandates data collection. The DPDP Act conditions data collection on consent frameworks that most retail IAs have not built. SEBI’s inspection powers assume the data exists and is producible. The BSA imposes authentication standards for electronic evidence that quasi-judicial proceedings have yet to consistently apply. These four legal regimes do not currently speak to each other in any coherent way, and the compliance burden falls on the IA operating at the intersection of all of them.


Three interventions would go a long way. SEBI and MeitY should issue joint guidance before May 2027 clarifying that Regulation 19 record-keeping constitutes a lawful processing basis under Section 7(b), so that IAs are not left to navigate two conflicting statutory regimes without direction. SEBI should also develop forensic imaging protocols for inspections, drawing on the Competition Act 2002 framework, to prevent real-time destruction of electronic evidence. And SEBI should develop internal authentication standards for digital evidence in quasi-judicial proceedings consistent with Section 63 of the BSA, rather than waiting for SAT to resolve the question in a contested appeal.


As SEBI’s enforcement machinery grows more sophisticated in its use of digital evidence, the legal infrastructure governing how that evidence is collected, stored, accessed, and authenticated will need to grow with it. The Elite case, modest as it is in terms of legal novelty, offers a useful prompt for that conversation.



©2025 by The Indian Review of Corporate and Commercial Laws.
