Conventus Law: In what ways have the last twelve months brought about significant developments in data privacy and data protection?
Cyril Amarchand Mangaldas: Some of the key developments that occurred in the last twelve months are as under:
- Data Protection Bill, 2021 (“DP Bill”) (December 2021): After almost two years, the Joint Parliamentary Committee (“JPC”) submitted its report on the Personal Data Protection Bill, 2019 (“PDP Bill”) and a revised draft, i.e., the DP Bill, to Parliament;
- Cyber Security Directive (“Directive”) (April 2022): The Indian Computer Emergency Response Team (“CERT-In”) has released the Directive requiring reporting of certain cyber incidents, including data breaches, within six hours of becoming aware of the same. Further, the Directive requires maintenance of registration information and logs of customers by data centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers;
- National Data Governance Framework Policy (“Draft NDGF Policy”) (June 2022): The Ministry of Electronics and Information Technology (“MEITY”) released the Draft NDGF Policy for consultation. The draft policy mandates government bodies and encourages private organisations to share non-personal data and create a searchable database. It proposes creation of an Indian Data Management Office which would be responsible for establishing guidelines, rules and standards to build and access anonymised non-personal data;
- Draft Master Direction on Outsourcing of Information Technology (“IT”) Services (“Draft Master Direction”) (June 2022): The Reserve Bank of India (“RBI”) has released the Draft Master Direction to regulate and consolidate the directions around outsourcing of IT services by RBI-regulated entities. The Draft Master Direction includes several obligations relating to data protection and cyber security, such as reporting of data breaches by the IT service provider to the regulated entity and by the regulated entity to the RBI, maintaining confidentiality of customer data, and providing access to data to the IT service provider on a need-to-know basis;
- Securities and Exchange Board of India’s (“SEBI”) Circulars on Cyber Security and Cyber Resilience (May-July 2022): Over the past few months, SEBI has released a slew of circulars prescribing and amending the cyber security and cyber resilience frameworks for stock exchanges, clearing corporations and depositories, qualified registrars to an issue, share transfer agents, KYC Registration Agencies, and mutual funds/ asset management companies. Some of the key features of these frameworks include periodic vulnerability assessment and penetration testing (VAPT), remediation of those vulnerabilities within the prescribed timelines, and carrying out periodic cyber audits;
- National Payment Corporation of India (“NPCI”) Circular on Collection of Location Data: Most recently, on July 05, 2022, NPCI issued a circular laying down the guidelines for collection of location data where domestic payments are initiated by an individual and clarified that collection of location data in such cases would be optional and based on the consent of the individual; and
- Other Developments: In November 2021, the National Health Authority (“NHA”) launched a consultation on health data retention policy. In June 2021, the Bureau of Indian Standards (“BIS”) introduced IS 17428 for data privacy assurance.
CL: What impact has the Joint Parliamentary Committee’s report on the proposed data protection law had on the Data Protection Bill of 2021?
CAM: The DP Bill proposed by the JPC is broader in scope than the previous draft as it also sought to include non-personal data (currently defined as all data which is not Personal Data) within its ambit. However, more recent reports suggest that this is still being deliberated by the government and non-personal data may be excluded in the final version of the DP Bill.
Additionally, the DP Bill proposes:
- that data principals be given certain options in relation to the treatment of their data upon their demise;
- restricting the grounds for refusing data portability by removing trade secrets and limiting the scope of technical infeasibility as grounds for refusal;
- the requirement for disclosing “fairness” of algorithms and methods used for processing to ensure transparency and prevent their misuse;
- certain threshold seniority for Data Protection Officers (“DPO”), i.e. that they be senior level officers in the state or key managerial personnel of private entities;
- that social media intermediaries be treated as significant data fiduciaries; and
- additional public policy and state policy tests against which contracts or intra-group schemes for cross border transfers will be tested.
“The government has recently proposed draft amendments to the IT Rules 2021 which propose to require intermediaries to ensure compliance with their user policies, reduce the time for acting on certain types of reported content to 72 (seventy-two) hours, require intermediaries to ensure free speech of users, and propose the creation of a government appointed Grievance Appellate Committee.”
Arun Prabhu Partner (Head – TMT), Cyril Amarchand Mangaldas
CL: How broad is the data protection bill under the latest draft, in the event that Indians are subjected to foreign-based companies’ data processing activities?
CAM: The DP Bill has always applied to processing that takes place in India, as also to processing of personal data by entities based outside India where such processing is with respect to: (a) any business carried on in India; or (b) any systematic activity that involves offering of goods or services to individuals residing in India; or (c) any activity that involves profiling of residents in India.
CL: Could you tell us more about the IS 17428 standard issued by Bureau of Indian Standards (BIS) regarding data privacy?
CAM: In June 2021, BIS introduced IS 17428 for data privacy assurance. The standard is divided into two parts:
- Part 1 which deals with the management and engineering parameters that are mandatory for an organisation to comply with for establishing an effective Data Privacy Management System; and
- Part 2 which deals with the engineering and management (non-mandatory or prescriptive) guidelines which enable the implementation of Part 1.
At present, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) require implementation of reasonable security practices and procedures to safeguard sensitive personal data or information. The SPDI Rules specify that implementation of International Standard IS/ISO/IEC 27001, as certified annually (or as otherwise required under the SPDI Rules) by a CERT-In empanelled auditor, will be deemed compliance with the requirement of having in place reasonable security standards and practices.
IS 17428 does not expressly enjoy such deemed compliance and compliance with it will not result in application of the deeming provisions under the SPDI Rules.
CL: The Ministry of Electronics and Information Technology codified Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 to balance privacy rights with national security and public order. What do these rules provide?
CAM: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules 2021”) replaced the erstwhile Information Technology (Intermediaries Guidelines) Rules, 2011 (“IT Rules 2011”) and created:
- certain enhanced due diligence requirements on intermediaries (including significant social media intermediaries (“SSMIs”)), for availing safe harbour protection under Section 79 of the Information Technology Act, 2000 (“IT Act”); and
- a novel framework for regulation of online publishers of news and current affairs and curated audio-visual content.
In addition to the requirements for intermediaries under the IT Rules 2011, the IT Rules 2021 have:
- modified the categories of content that users are not allowed to upload or share; and
- prescribed stricter timelines for taking down content on receiving a court or government order, assisting law enforcement agencies, and for grievance redressal.
The IT Rules 2021 define social media intermediaries as intermediaries which primarily or solely enable online interaction between two or more users and allow them “to create, upload, share, disseminate, modify or access information.” The FAQs released by MEITY clarified that only those intermediaries whose primary purpose is such would be classified as social media intermediaries, and that intermediaries whose primary purpose is enabling commercial or business-oriented transactions, or providing internet access, search-engine services, e-mail services or online storage services, will not qualify as social media intermediaries.
Social media intermediaries with more than five million registered Indian users are classified as SSMIs, and are required to:
- Appoint a chief compliance officer, a nodal officer, and a grievance redressal officer, all of whom should reside in India;
- Deploy technological measures to identify certain objectionable content; and
- Enable identification of first originator of information within India.
The IT Rules 2021 institute a three-tiered structure for regulating publishers: (i) self-regulation by publishers, (ii) self-regulation by associations of publishers, and (iii) oversight by the central government. The validity of the IT Rules 2021 as regards their application to publishers is under challenge before various High Courts for being ultra vires the parent Act, and the Union Government’s transfer petition is pending before the Supreme Court.
The government has recently proposed draft amendments to the IT Rules 2021 which propose to require intermediaries to ensure compliance with their user policies, reduce the time for acting on certain types of reported content to 72 (seventy-two) hours, require intermediaries to ensure free speech of users, and propose the creation of a government appointed Grievance Appellate Committee.
CL: More than three years have passed since the EU General Data Protection Regulation went into effect. Are India’s data protection regulations going to be streamlined like those in the EU?
CAM: The DP Bill is based on the EU General Data Protection Regulation (“GDPR”) but has certain key differences.
The DP Bill is more consent centric, provides for a soft localization regime for sensitive personal data, and creates the concept of a fiduciary relationship between the data subject and the entities determining the nature of data processing. Further, the DP Bill does not provide contractual necessity and legitimate purpose as grounds for processing data.
Other key differences include a higher age for categorising persons as adults, and broader restrictions on how the data of children is processed.
CL: Do you expect them to be sector-specific regulations or/and a general law on data protection?
CAM: While the DP Bill is a sector-agnostic, horizontal regime, several sector-specific regulations also govern privacy and data protection. For instance,
- The RBI has issued numerous guidelines related to cyber security for compliance by entities regulated by it. The RBI has issued guidelines for “Cyber Security Framework in Banks”, “Sharing of Information Technology Resources by Banks”, and “Information Technology Framework for the NBFC Sector.” The RBI has also notified “Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks” which also cover data security aspects;
- Similarly, the Insurance Regulatory and Development Authority of India (“IRDAI”) has issued “Guidelines on Information and Cyber Security for Insurers” in 2017 and the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017;
- SEBI issued a Cyber Security & Cyber Resilience Framework for Stock Brokers and Depository Participants in 2018, and Guidelines on Outsourcing of Activities by Intermediaries in 2011; and
- Unique Identification Authority of India (“UIDAI”) regulates collection and use of Aadhaar information and has issued Aadhaar (Authentication and Offline Verification) Regulations, 2021 which include requirements relating to collection, usage, storage, and sharing of Aadhaar data.
CL: Could you tell us more about the Reserve Bank of India’s restrictions on payment aggregators mentioned in the RBI’s Guidelines on Regulation of Payment Aggregators and Payment Gateways (“PA Guidelines”)?
CAM: The PA Guidelines govern (a) payment aggregators (“PAs”), which are entities that facilitate e-commerce sites and merchants in accepting various payments; and (b) payment gateways (“PGs”), which are entities that provide technology infrastructure to route and facilitate processing of an online payment transaction without any involvement in handling of funds.
The PA Guidelines require PAs to mandatorily obtain authorisation from the RBI under the Payment and Settlement Systems Act, 2007 (“PSSA”) for operation. The PA Guidelines also require PAs to create an escrow account, adhere to the prescribed schedule for settlement of payments, check compliance with PCI-DSS and PA-DSS standards by merchants, follow KYC/AML/CFT provisions, establish a customer grievance redressal and dispute management framework, and put a security, fraud prevention and risk management framework in place. The PA Guidelines prohibit PAs and merchants from saving card credentials.
Industry stakeholders have been finding it technically and commercially infeasible to comply with the restrictions on storage of card details. Due to this, the RBI has extended the deadline for compliance with this requirement multiple times, the latest being in June 2022. The current deadline for compliance is September 30, 2022.
CL: What important developments are taking place in the regulation of digital payments and fintech?
CAM: At the start of the year, the RBI set up a separate internal department for fintech that would be responsible for promoting innovation and identifying opportunities and challenges in the sector. The fintech sector is facing many regulatory changes as more new-age start-ups enter the space. Recently, the RBI prohibited non-banks issuing prepaid payment instruments (“PPIs”) like wallets and prepaid cards from offering customers a credit line. This move has disrupted the growing “buy now pay later” segment and other businesses issuing short-term loans to customers to refill their prepaid cards or wallets. Additionally, this measure is contrary to the principle of uniformity across PPI issuers, which was emphasised by the RBI Governor while extending the cash withdrawal facilities, which were initially allowed only for full-KYC PPIs issued by banks, to full-KYC PPIs issued by non-banks.
The RBI’s recent directions on co-branded cards have also limited the role of co-branding entities to marketing and distribution of cards and providing access to the cardholder for the goods and services that are offered, and denied them access to information relating to transactions undertaken through the card. Further, non-bank payment system operators (“PSOs”) are also required to take the RBI’s approval before authorising any sale or acquisition, irrespective of whether it would result in a change in management or not. As many non-banks issuing PPIs and PSOs are start-ups, these requirements would significantly impact them. Going forward, we may expect more regulatory changes by the RBI in this space as described in the RBI’s vision document on payments, called “Payments Vision 2025”. The core theme of the vision document is “E-payments for Everyone, Everywhere, Every time (4Es)” and it aims to provide users with safe, secure, accessible and affordable e-payment options.
Further, as per the Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps, the RBI may also soon regulate and tighten the rules around fintech firms, and cover aspects such as KYC norms, credit operations, data sharing and so on.
CL: What other legal changes in the regulation of online space, specifically digital commerce, can be expected in India in the coming year?
CAM: There is a lot to look forward to in terms of regulatory changes for the online space and digital commerce. The most significant is the government’s project to overhaul the IT Act. According to media reports, the government is working on a “Digital India Act” to replace the IT Act. The new law is expected to be more comprehensive and cover aspects such as deliberate misinformation, publishing private information online (doxing), artificial intelligence, algorithmic accountability, net neutrality, and blockchain. The new law may also address the challenge to the legislative competence of the government in enacting the IT Rules 2021.
Other key developments expected to take place in the coming future include policies and regulations around non-personal data, online gaming and e-sports, e-commerce, cryptocurrency and blockchain, and health data.