1. CLOUD COMPUTING
1.1 Laws and Regulations
Legal Framework
Over the past few years, governmental and regulatory authorities in India have increased their focus on the TMT sector in the hope of developing legal jurisprudence that could help the evolution of a robust regulatory framework for governance.
In 2018, the National Digital Communications Policy was launched, which outlined several strategies for the growth and development of cloud services in India. One of the key strategies was to evolve an enabling regulatory framework and incentive structure for promoting the establishment of international data centres, content delivery networks and independent interconnect exchanges in India. The policy also suggested developing a light-touch regulation for the proliferation of cloud-based systems.
In 2019, the Telecom Regulatory Authority of India (TRAI) issued another consultation paper dealing with the governance structure and industry body for dealing with cloud services in India. An open house discussion was also facilitated by TRAI in February 2020, prior to the outbreak of the COVID-19 pandemic in India. In September 2020, TRAI released its paper on recommendations for cloud services in India and stated that the Department of Telecommunications (DoT) of the Indian government may initiate the setting up of the first industry-led body and require all cloud service providers to become its members. TRAI also recommended that telecom service providers would not be allowed to provide infrastructure services to unregistered cloud service providers.
The Indian government has also launched an initiative called “MeghRaj”, which focuses on accelerating the delivery of e-services in the country while optimising the government’s information and communications technology spending. Under the policy, the government has empanelled several cloud service providers who are helping provide these services to various governmental departments across the country. The government has also prepared several reports that help assist and grow this sector, including reports on best practices for cloud security, the adoption of cloud services and the procurement of cloud services.
Despite these developments, there are currently no laws or regulations that specifically deal with cloud services in India. However, existing provisions under broader legislations could be interpreted to extend their application to cloud services and computing.
Developments in the Regulated Sector
Certain sectors in India, such as banking, capital markets and insurance, are regulated by specific authorities set up by the Indian government. The Reserve Bank of India (RBI) regulates the banking sector, while the Securities and Exchange Board of India (SEBI) regulates the capital markets sector and the Insurance Regulatory and Development Authority of India (IRDA) governs the insurance sector. Each of these regulatory bodies has explored the impact and power of cloud computing on their respective sectors.
The RBI constituted a working group on cloud computing options for small urban co-operative banks, which noted that several large urban co-operative banks in India as well as software companies have been offering cloud type services in the private cloud environment. The group also expressed that banks must adopt caution while implementing cloud computing solutions, since this was an emerging technology for which standards and technology management processes were still evolving. However, no regulations or specific mandates were issued under this report.
The RBI has also issued guidelines on managing risks and codes of conduct in banks’ outsourcing of financial services. It is important for banks and regulated authorities in the financial sector that utilise the cloud platforms of various third-party cloud service providers to ensure that they continue to comply with the requirements prescribed under these guidelines, particularly in relation to evaluating the ability of the service provider, confidentiality and security, business continuity and management of a disaster recovery plan, and the monitoring and control of outsourced activities.
The Ministry of Electronics and Information Technology of the Indian government (MEITY) has also informed SEBI that financial sector institutions are using or thinking of using cloud-based solutions to manage their governance, risk and compliance functions, so as to improve their cybersecurity. The ministry noted that cloud-based solutions provide ease of doing business but represent a significant risk to the health of the financial sector, since the data of the institutions moves beyond the legal and jurisdictional boundary of India due to the nature of shared cloud systems, thereby posing a risk to data safety and security.
The Indian Computer Emergency Response Team has also issued an advisory to financial sector organisations, noting that certain critical data including credit risk, liquidity risk and market risk had to be protected using a layered defence approach for seamless protection against external and internal threats. Financial sector organisations were advised to exercise direct control and supervision over their critical systems, and to ensure that the critical data was kept within the legal boundaries of India.
SEBI extended this advisory to various capital markets organisations, and has mandated that compliance with the advisory should be reported in the half-yearly report issued by stock brokers and depository participants, along with an undertaking to this effect.
Lastly, the IRDA has also issued guidelines on information and cybersecurity for insurers in India, which provide that one of the key objectives is to ensure that any information processed, transmitted and stored on cloud architecture is secure. The guidelines accordingly provided that policy, procedures and guidelines should be framed to provide direction for hosting the information and understanding its criticality and the level of security controls to be adopted, either on the cloud or on any external hosting infrastructure. The IRDA also noted that the electronic maintenance of core business records should be hosted within India.
The guidelines also deal with access to information on the cloud and note that appropriate access control mechanisms should be implemented with reliable authentication mechanisms to ensure that data is not shared accidentally with other customers on the cloud. The IRDA also prescribed encryption as an additional safeguard for data on the cloud.
2. BLOCKCHAIN
2.1 Legal Considerations
Legal Framework
There is currently no legal framework governing blockchain or the related crypto-assets or cryptocurrencies. The RBI has previously issued circulars cautioning individuals from dealing in any form of cryptocurrency.
In 2018, the RBI issued a circular that effectively banned all regulated entities, such as banks, financing institutions and non-banking financial institutions, from dealing with cryptocurrencies. In 2020, the Supreme Court of India set aside this RBI circular.
Over the last couple of years, there has been increased speculation about the regulation of blockchain and cryptocurrencies in India. To this end, the Indian government released draft legislation entitled The Banning of Cryptocurrency and Regulation of Official Digital Currency Act, 2019, which indicated that it was seeking to ban any person from “mining, generating, holding, selling, dealing in, issuing, transferring, disposing of or using cryptocurrency in the territory of India”.
Under the bill, a “cryptocurrency” was defined as any information, code, number or token generated through cryptographic means or otherwise that provides a digital representation of value that may be exchanged, with or without consideration, with the promise or representation of having an inherent value in a business activity that may involve the risk of loss or expectation of profits, or that functions as a store of value or unit of account.
The bill carved out an exception for the use of the underlying technology of cryptocurrencies, which can be interpreted to refer to blockchain, for experimental, research or educational purposes, provided that the cryptocurrency was not used to make or receive payment.
Pursuant to the Supreme Court of India setting aside the RBI circular, in 2020 the RBI also clarified that there was no prohibition on banks providing bank accounts to cryptocurrency exchanges or cryptocurrency traders.
The government also listed the Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 in the Indian parliament, but this bill is yet to be introduced and has not been tabled.
The RBI also clarified that banks and financial institutions must ensure that they carry out customer due diligence in line with the relevant regulations and standards for know-your-customer (KYC), anti-money laundering (AML) and combating of financing of terrorism (CFT) obligations under the Prevention of Money Laundering Act 2002, while allowing their accounts to be used for the purpose of trading, purchasing or using cryptocurrencies in India.
In 2021, the Ministry of Corporate Affairs of the Indian government issued a notification making it mandatory for companies to disclose any dealings in cryptocurrency in their annual balance sheets.
In February 2022, while announcing the annual budget and introducing the Finance Bill, 2022, the finance minister of India announced that India would tax all “virtual digital assets” at 30% from 1 April 2022. The finance minister also introduced a 1% tax deductible at source, which would be applicable to every single transaction involving cryptocurrencies. While this was initially interpreted by the market as a step towards legalising cryptocurrencies in India, the RBI and the finance minister have made it expressly clear that the taxation of cryptocurrency should not be interpreted as legitimising the position and use thereof in India.
Industry Associations
In the absence of a legal framework, several industry participants in India have come together to help develop a self-regulatory mechanism that could lead to the development of legal jurisprudence of the sector in India. These associations, including the Blockchain and Virtual Currency Association, the Blockchain Foundation of India, the Digital Asset and Blockchain Foundation of India and the Internet and Mobile Association of India, include industry participants and government representatives.
National Digital Currency
The Indian government has expressed its intention to harness the power of blockchain and launch a central bank digital currency, which will be issued and governed by the RBI.
Intellectual Property
Patents in India are obtained under the Patent Act, 1970, which provides that an invention must involve an inventive step and must be capable of industrial application. The legislation necessarily requires a patentable article to be a new product or process, and an inventive step necessarily requires the invention to involve technical advancement over existing knowledge or to have economic significance that is not obvious to an otherwise skilled person in the relevant field.
While the legal jurisprudence around the patentability of blockchain technology is still at a nascent stage, a key challenge could be that computer programs are excluded from obtaining a patent under the legislation. Furthermore, the guidelines issued by the Office of the Controller General of Patents, Designs and Trademarks in India also clarify that a database is excluded from patentability under the legislation.
Since blockchain technology is primarily a set of computer programs or codes and is primarily a database, it would be difficult to obtain a patent under Indian law. It is important to note, however, that the Indian patent office has granted patents in the past to certain companies for their software programs or codes on the grounds that these codes or software provided a “technical solution to a technical problem by providing a practical application of the underlying software”.
Recent grants by the Indian patent office also indicate that an improved technical effect of the underlying software could also be patented and, therefore, if the blockchain technology offers a significant improvement on the underlying technology, there could be a claim to obtain a patent on the technology.
Until the Indian patent office specifically addresses this issue and considers an application for the patenting of blockchain in India, the ambiguity and debate around this will continue.
Court Jurisdiction
In the absence of any specific courts being vested with powers to deal with cryptocurrencies or blockchain technology in India, lower courts and tribunals can exercise their jurisdiction, in addition to an appeal before the state high courts and the Supreme Court.
3. LEGAL CONSIDERATIONS FOR BIG DATA, MACHINE LEARNING & ARTIFICIAL INTELLIGENCE
3.1 Challenges and Solutions
Legal Framework
Over the past few years, the Indian government has increased its focus on artificial intelligence and machine learning. In 2017, the Ministry of Commerce and Industry of the Indian government set up a taskforce on artificial intelligence, which recommended that an inter-ministerial national artificial intelligence mission should be funded under the national budget of India, and that such mission should act as the nodal agency for co-ordinating all artificial intelligence-related activities in India. The ministry also recommended the development of operational standards and protocols for artificial intelligence.
In February 2021, the NITI Aayog released a report titled “Responsible AI”, which discussed the need for artificial intelligence, the legal and regulatory approaches to managing artificial intelligence systems and the principles for the reasonable and responsible use of artificial intelligence. The report noted that there was a need to balance soft governance measures with regulation in India, towards artificial intelligence. Since India does not have an overarching guidance framework for the use of artificial intelligence systems, the report noted that establishing such a system would be crucial to provide guidance and support to the stakeholders and market participants.
In the absence of an overarching framework, independent regulatory authorities have attempted to assess and develop policies to govern and use artificial intelligence and machine learning in India. In 2019, SEBI issued a circular to various financial sector participants, including stock brokers, depository participants, stock exchanges, mutual funds and asset management companies, requiring them to report details of the artificial intelligence and machine learning applications and systems being offered and used by them. SEBI’s approach here was to create an artificial intelligence database that could be analysed to help guide future policies.
Similarly, the National Digital Health Mission of the Indian government identified the need for the creation of standards to ensure the reliability of artificial intelligence systems in healthcare in India. The data empowerment and protection architecture of the NITI Aayog also presents a technical framework for people to retain control over their personal data, and the means to leverage it to take advantage of benefits and services.
The Personal Data Protection Bill proposed to be introduced by the Indian government also provides for various protections that would be applicable to Indian citizens while using artificial intelligence-based solutions. The bill is yet to be enacted into law.
Key Challenges
In the absence of an established legal or regulatory framework, the development and use of artificial intelligence, machine learning and big data have largely been left to market practice. This has created several challenges, most notably pertaining to ownership or protection rights. At this nascent stage of the development of big data, artificial intelligence and machine learning, it is difficult to answer the question of whether these applications are to be covered under copyright law or whether they qualify as inventions under patent law. Since computer programs are largely not patentable under Indian patent law (see 2.1 Legal Considerations), this creates a big challenge for the incentivisation of the development of these sectors.
Globally, the use of big data has also led to various questions from an antitrust perspective. Entities and market participants using artificial intelligence and big data have a substantial advantage over entities that do not have access to these tools or are unable to afford these tools, and numerous jurisdictions have analysed whether this situation could lead to an appreciable adverse effect on competition in the market. The Competition Commission of India is yet to pass any order directly dealing with the use of big data or artificial intelligence having an adverse effect on competition in Indian markets, but recent orders made while analysing the role of large e-commerce giants in India have appreciated the impact of large-scale data collection and information gathering on smaller competitors in the market.
It is safe to say that Indian antitrust laws will need to evolve to ensure that artificial intelligence and big data are not used as a loophole for large-scale organisations to impact the market. Beyond antitrust laws, an overarching legislative framework must also be developed to directly encompass big data, machine learning and artificial intelligence. The framework must be developed in consultation with the market participants and first movers who have already helped to develop these systems in India.
4. LEGAL CONSIDERATIONS FOR INTERNET OF THINGS PROJECTS
4.1 Restrictions on a Project’s Scope
Since the release of the Indian government’s Internet of Things Policy of 2015, there have been numerous developments in this space. The National Telecom Cell of the Indian government released a National Telecom Machine to Machine (M2M) Roadmap in 2015. It has since introduced KYC norms for SIM-embedded M2M devices, a numbering scheme for M2M and the registration of M2M service providers. TRAI also released a consultation paper in 2016 on this issue.
One of the key challenges in the development of the M2M space in India is the lack of a stringent privacy and security protocol to deal with the transmission and transfer of information and data between machines and devices. The protection of sensitive personal data or information is only covered under the Indian Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Entities failing to implement reasonable security practices and procedures in respect of sensitive personal data or information are liable under this legislation. However, the infrastructure for M2M communications is currently at a nascent stage and prone to data breaches, leakages and loss. Unless stringent penal provisions are introduced, dealing directly with data loss and leakages on account of M2M communications, and unless the M2M service providers are held liable under an overarching provision of law, it would be difficult to expect the market and participants to address these issues.
Another key challenge in this space pertains to the ownership of data and rights related thereto. Due to the transmission and transfer of data and information between machines, in the M2M space questions arise as to the ownership of this data/information. It is critical to review and understand the privacy policies of the M2M service providers, to ensure that no ownership rights are unwillingly transferred or renounced.
Lastly, while not a legal or regulatory issue, the lack of high-speed, stable internet connectivity in certain parts of India also restricts and impedes the development of this space. The Indian government is focused on addressing these infrastructural issues and concerns, and has also released a policy to help develop and upgrade the digital infrastructure and boost the adoption of M2M technology and operations.
5. CHALLENGES WITH IT SERVICE AGREEMENTS
5.1 Legal Framework Features
Applicable Law
Given that the scope of work under IT service agreements is often cross-border or multi-jurisdiction in nature, questions arise as to the jurisdiction and applicable law.
Data Localisation
In 2018, the RBI introduced a directive on payment system data storage in India, pursuant to which banks and other payment system operators were required to store payment data within India and to begin complying with relevant regulations within a period of six months. The RBI’s approach here was to ensure the ready availability of payment data in India for regulatory oversight. In 2020, the National Payments Corporation of India updated its guidelines, and provided that third-party application providers in this space would also be required to store all payment data in India. These factors will need to be considered when preparing IT service agreements.
While the proposed Personal Data Protection Bill prescribes less stringent data localisation obligations than were recommended by the Justice Srikrishna Committee that was formed to develop the bill, the data localisation provisions of the bill give rise to their own unique set of issues.
The bill proposes to limit data localisation to sensitive personal data and critical personal data alone, and stipulates that sensitive personal data may be transferred if it continues to be stored in India; it also states that critical personal data shall only be processed in India.
In addition to the requirement for express consent from the data principal, sensitive personal data may be transferred outside India only if such transfer is pursuant to a contract or intragroup scheme approved by the Data Protection Authority proposed to be created under the bill.
Confidentiality
The SPDI Rules prohibit the disclosure of sensitive personal information without the consent of the provider of such information (unless the disclosure is required under law).
Sensitive personal information has been defined to mean personal information of a person, relating to the following:
- their passwords;
- financial information such as bank account, credit/debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above as provided to a body corporate for providing services; and
- any such other related information received by a body corporate for processing that is stored or processed under lawful contract or otherwise.
In framing IT services agreements, it is crucial to ensure that obligations relating to the treatment of sensitive personal information are carefully drafted.
Security
The security of the data is dependent on the technical measures and cybersecurity protocols put in place to safeguard such data, and not on its location. While the Indian government is seeking to ensure access to the data of its citizens, which is increasingly considered as one of the natural resources of a country, imposing data localisation measures alone will probably result in more damage than good. A middle ground that ensures the protection of data while enabling data access for the government in justified cases should be explored.
The MEITY also released a template for certain types of services agreements that contain stringent provisions relating to confidentiality, security and data transfer and use.
6. KEY DATA PROTECTION PRINCIPLES
6.1 Core Rules for Individual/Company Data
Core Rules regarding Data Protection and Processing of Data
The Supreme Court of India has held that privacy is a constitutionally protected fundamental right. While discussing the scope of the right to privacy, the Supreme Court recognised the constitutional right to informational privacy. It held that privacy is not an absolute right and that an invasion of privacy may be justified on the basis of a law which stipulates a procedure that is fair, just and reasonable, and any restrictions on such right must be subject to constitutional safeguards.
The SPDI Rules in India recognise two types of personal data:
- personal information; and
- sensitive personal data or information.
While personal information includes information about or relating to a person, which either directly or in combination with other information likely to be available to a company is capable of identifying such person, sensitive personal data or information has been defined to cover the following:
- passwords;
- financial information such as bank account, credit/debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above as provided to a body corporate for providing services; and
- any such other related information received by a body corporate for processing that is stored or processed under lawful contract or otherwise.
Under the SPDI Rules, sensitive personal data or information can only be collected in the following circumstances:
- if the prior written consent of the data provider of such sensitive personal data is obtained and the data provider has knowledge of:
  - the fact that information is being collected;
  - the purpose for which such information is collected;
  - the intended recipients of the information; and
  - the names and addresses of the agencies collecting and retaining the information;
- if the data is collected for a lawful purpose and its collection is necessary for such purpose;
- if the data is not retained for longer than required to fulfil the purpose for which it was collected (or for a period otherwise required by law); and
- if the data provider is given the option to:
  - review and correct any sensitive personal data collected;
  - not provide the sensitive personal data intended to be collected; and
  - withdraw the consent provided earlier.
Under the SPDI Rules, sensitive personal data can only be disclosed or transferred to a third party with the prior express permission of the data provider or if such disclosure has been agreed to under a lawful contract between the data provider and the collector.
The SPDI Rules also require a privacy policy to be in place, containing details of reasonable security practices and procedures implemented by the company, which are compliant with international standards prescribed under the SPDI Rules.
In view of the need for the development of a more comprehensive data protection regime in India, the Personal Data Protection Bill, 2019 was introduced by the Indian government, and is currently under consideration by the Indian Parliament (see 3.1 Challenges and Solutions). The bill proposes to bring about major changes to the existing data privacy regime in India, including expanding the scope of what constitutes sensitive personal data, the provision of additional rights to the data provider or principal (including data portability and the right to be forgotten), the maintenance of a “privacy by design” policy by the body corporate that is collecting sensitive personal data, differential consent requirements and obligations to notify security breaches. The bill also prescribes stringent obligations relating to data localisation and cross-border transfer of what the government of India may notify as being in the nature of “critical personal data”.
Distinction between Companies and Individuals
The data protection framework in India currently only envisages the protection of the personal data and sensitive personal data of natural persons.
7. MONITORING AND LIMITING OF EMPLOYEE USE OF COMPUTER RESOURCES
7.1 Key Restrictions
An employer may monitor their employee’s use of company-provided resources, subject to the employer’s privacy policy and subject to receiving the consent of the employee in advance for such monitoring. As indicated in 6.1 Core Rules for Individual/Company Data, the Supreme Court of India has established that the right to privacy is a fundamental right of every person and, therefore, any practice adopted by the employer must be reasonable and in accordance with the SPDI Rules and the Indian Information Technology Act, 2000.
8. SCOPE OF TELECOMMUNICATIONS REGIME
8.1 Scope of Telecommunications Rules and Approval Requirements
Overview
Broadly, the following legislation governs telecommunications and internet-related technologies in India:
- the Indian Telegraph Act, 1885 and the rules framed thereunder;
- the Wireless Telegraphy Act, 1933 and the rules framed thereunder;
- the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) and regulations, orders and directions issued by TRAI; and
- circulars and directions issued by the DoT.
This legislation largely covers internet and broadband services, Voice over Internet Protocol (VoIP), cellular services and radio services.
Approvals and Foreign Investment Caps
100% foreign direct investment is currently permitted in the telecom sector, with a prior regulatory approval required for investments exceeding 49%. Foreign investment of up to 100% in specified “other service providers” (OSPs) in the telecom space is also allowed, without prior government approval.
The establishment of telecom infrastructure in India requires an entity to be registered with the DoT as an “Infrastructure Provider Category – I”. Establishments proposing to provide services relating to information technology, such as call centres, network operation centre services and audio-conferencing services, are also required to register with the DoT and to obtain the requisite licences.
General Authorisation
India issues a unified licence (UL) to Indian-registered service providers, authorising them to offer a range of telecom services for a 20-year licence term. These authorisations are typically for:
- access services;
- internet services (within certain categories);
- national long-distance services;
- international long-distance services;
- global mobile personal communication by satellite services;
- public mobile radio trunking services;
- very small aperture terminal closed user group service;
- INSAT MSS-Reporting services; and
- resale of international private leased circuit services.
TRAI also clarified that telecom service providers in India that have obtained the following licences are allowed to interconnect VoIP and public switched telephone networks/public land mobile network:
- basic service licence;
- unified access service licence;
- cellular mobile telecom service licence; and
- UL.
Access and Installation
Prior permission under the Indian Telegraph Right of Way Rules, 2016 is necessary for the installation of telecommunications infrastructure on public land.
The establishment of any infrastructure on private land requires governmental clearance and permission from the owner of the private land and from the entity establishing the telecommunications infrastructure.
Radio Spectrum
The Wireless Planning and Co-ordination Wing of the DoT (WPC) is the national radio regulatory authority responsible for frequency spectrum management and licensing. The Standing Advisory Committee on Radio Frequency Allocation of the WPC provides recommendations on major frequency allocation issues and the formulation of the frequency allocation plans, advises on various issues related to the International Telecom Union and attempts to address problems referred to it by various wireless users.
In India, radio spectrum is allocated pursuant to the National Frequency Allocation Plan, which provides for a mechanism for the allocation of radio frequency spectrum to different radio communication services in India.
There are currently approximately 40 radio communication services in India. The plan ensures that the frequency spectrum is divided into frequency bands, and each band is allocated to one (or more) radio communication service.
9. AUDIO-VISUAL SERVICES AND VIDEO CHANNELS
9.1 Audio-Visual Service Requirements and Applicability
Overview
The audio-visual distribution and broadcasting sector in India is governed by the following legislation:
- the Cable Television Networks (Regulation) Act, 1995 (Cable TV Act);
- the Cinematograph Act, 1952; and
- circulars, directions and guidelines issued by the Ministry of Information and Broadcasting (MIB) and TRAI.
Distribution and Regulation
The Cable TV Act governs the distribution of content through satellite television, while guidelines and directions issued by the MIB govern issues related to the uplinking and downlinking of television channels. The ministry has also issued guidelines relating to internet-protocol television.
Content is largely regulated by the Ministry and the Central Board of Film Certification, while advertisements are governed by the Advertising Standards Council of India (ASCI).
Licences and Approvals
As indicated above, the approval of the MIB is required for uplinking and downlinking television channels in India. The applicant is required to meet the following criteria in order to undertake these activities in India:
- it must be an Indian entity;
- it must maintain the prescribed net worth; and
- it must comply with the caps on FDI in the relevant sector.
The television channel is also required to be registered with the MIB. Additional compliance requirements are stipulated for the uplinking or downlinking of channels.
OTT Platforms
The Indian government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 to regulate intermediaries, over-the-top (OTT) content players and digital news media organisations.
The rules were issued by the MEITY under the Information Technology Act, 2000 (IT Act) and supersede the Information Technology (Intermediaries Guidelines) Rules, 2011, which previously regulated intermediaries in India.
While “intermediaries” are defined under the IT Act, the rules now recognise the following:
- “social media intermediaries”, which primarily or solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services; and
- “significant social media intermediaries”, which is a subset of social media intermediaries based on a threshold of the number of registered users in India, which will be prescribed by the central government.
While the earlier rules prescribed due diligence requirements to be followed by intermediaries in order to be eligible to avail safe harbour provisions, the current rules impose additional obligations on intermediaries, including requirements to:
- implement a grievance redressal mechanism in order to acknowledge complaints and resolve disputes in a time-bound manner;
- periodically inform users of any changes to its privacy policy and terms of use, along with the consequences of non-compliance;
- retain records of users for a period of 180 days; and
- promptly provide information to government agencies within 72 hours in cases where the assistance of the intermediary is sought.
Failure to comply with these rules results in a loss of safe harbours available to an intermediary under the IT Act.
The rules also regulate “digital media”, which includes digitised content transmitted over the internet such as content received, stored, transmitted, edited or processed by an intermediary or a publisher of news and current affairs content or a publisher of online curated content.
The rules prescribe a code of ethics along with classification standards, based on the nature and type of content, to be followed by the publishers of news and current affairs and online curated content. The rules prescribe the following three-tier structure:
- self-regulation by the intermediary/publisher;
- regulation by a self-regulating body of the publishers, headed by a retired judge of the Supreme Court or High Court, or an independent eminent person from the relevant field; and
- regulation by an inter-departmental committee constituted by the MIB to exercise oversight and hear and examine grievances.
10. ENCRYPTION REQUIREMENTS
10.1 Legal Requirements and Exemptions
Overview
While the IT Act prescribes encryption standards and methods to secure electronic communication, India does not have specific legislation for encryption and decryption standards and protocols, and the encryption policy in India continues to be confined to sector-specific guidelines.
For example, the RBI issued the Master Direction on Digital Payment Security Controls in 2021, mandating multi-factor authentication, encryption, digital certificates and other controls. The directions do not formulate a new standard or protocol to be followed, and instead only prescribe that the encryption must be robust and internationally accepted, and must not be demonstrated to be insecure/vulnerable.
Proposed Exemption
The Personal Data Protection Bill, 2019 (yet to be enacted into law) proposes that data fiduciaries implement necessary security safeguards such as encryption and methods to prevent deidentification and maintain the integrity of personal data. The bill also proposes to grant the central government the power to exempt government agencies from establishing adequate safeguards on the collection, use and protection of personal data.
11. COVID-19
11.1 Pandemic Responses Relevant to the TMT Sector
The Indian government initiated a number of proactive regulatory measures that are relevant to the TMT sector, including the following:
- In early 2020, the Ministry of Home Affairs of the Government of India (MHA) issued an order declaring telecommunication services to be “essential services”, exempting the provision of such services from government-mandated lockdowns, facilitating the continued availability of telecommunications networks and ensuring that telecom operators were able to deploy field staff for the maintenance of telecom infrastructure.
- A number of compliance requirements regulating “work from home” facilities available to OSPs under guidelines governing OSPs have been relaxed. This includes dispensation of the following requirements:
(a) to obtain prior permission from the DoT for providing a work from home facility to OSP personnel;
(b) to obtain virtual private network access only from authorised telecom service providers; and
(c) to pay a security deposit and execute an agreement with the DoT.
These relaxations were initially provided for a limited time period, but are now permanent.