Conventus Law: When it comes to adhering to multiple regulatory guidelines from CERT-IN, MEITY, as well as RBI, IRDAI, and SEBI, what are the major challenges that tech companies facilitating regulated entities face? In relation to digital transactions and e-commerce, what are the latest tax developments in Singapore?
Kritika Krishnamurthy: There is an array of services that tech companies provide to regulated entities in India, to facilitate in turn the provision of services by the regulated entity to their end users. Regulation by authorities, such as RBI, IRDAI, SEBI, CERT-IN, or MeitY, will generally depend on the activity undertaken by the entity, irrespective of whether the entity is providing facilitation services or services to the end user. That said, it is simpler to identify the regulations applicable to a regulated entity than for tech companies providing facilitation services to regulated entities. A major reason for this is attributable to the fact that different tech companies have varied business models, which can create regulatory overlap or even lacuna in applicability.
Since the legislative and regulatory framework of certain aspects indispensable to tech facilitation (such as data protection and privacy, patents, digitisation, competition, and advanced technology such as blockchain, artificial intelligence, etc.) are still under development or revision, the lack of clarity in this regard does pose a hurdle to tech companies. An example of this is when the Reserve Bank of India (RBI) released the Guidelines on Digital Lending on September 2nd, 2022 (“Guidelines”) – which, inter alia, restricted data storage and order of fund flow – and soon after, there were reports of fintech companies who had begun restructuring their business models to adhere to the Guidelines and make accommodation for the increased operational costs, etc. Then there are the new Master Directions on outsourcing IT services to become operational from October 1, 2023. It mandates the storage of data in India and for fintech to segregate and keep data for regulated entities at all times.
A few compliance issues were also reported after the Indian Computer Emergency Response Team (CERT-In) through the Ministry of Electronics and Information Technology (MeitY) released directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents for safe and trusted internet on April 28th, 2022 (“Directions”). The Directions had several requirements, including those regarding reporting cyber security incidents within six hours to CERT-In, and maintenance of logs for one hundred and eighty days within India. The Directions have been challenged before the Hon’ble Delhi High Court and the matter is pending adjudication, as of the time of publication. On this point, a lack of liaison between the industry and authority can lead to an impasse that ultimately ends in litigation, the exit of important players, etc.
Moreover, maintenance of records is also important, as the same can be called for by authorities and departments, or can be used by tech companies to show compliance or goodwill whenever necessary. For example, when MeitY recently resorted to banning almost one hundred loan applications (explained in detail in the next answer), it was reported that several fintech companies fearing the inclusion of their applications in the ban, rushed to submit certificates on their shareholding and management patterns, as well as regulatory licenses, to MeitY, as part of negotiation efforts to arrive at an amicable solution to the issue.
“The government’s active step in regulating the lending landscape in India has had a two-prong impact. On one hand, it is making lending applications more compliant and transparent in their mode of work. On the other hand, it is creating a safe environment for the borrowers who seek loans from such applications.”
Kritika Krishnamurthy, Founding Partner- AK & Partners
What impact has the recent ban on several apps by MEITY and issuance of show cause notices to Indian companies had on the tech industry’s ability to adhere to regulatory guidelines?
Recently, the Ministry of Electronics and Information Technology (MeitY), on instructions from the Ministry of Home Affairs, issued an order of ban on certain applications which provided unauthorised loans, betting and gambling platforms. Although there is not much information available to understand the rationale behind the order for blocking the applications as it was issued under Section 69A of the Information Technology Act, 2000, we can see a few probable reasons behind this move. MeitY found that certain lending platforms were communicating to servers located in certain hostile countries, functioning in a non-transparent manner, charging exorbitant interest rates, collections malpractice, data security concerns, multiple user complaints, not mentioned in RBI's whitelist, shell firms practice, lacking authorization from RBI and using or renting licences from inactive NBFCs to conduct lending operations also known as “licence mulling”. Eventually, the ban on a few companies was lifted after providing 48 hours to submit the documents proving their compliance.
The government’s active step in regulating the lending landscape in India has had a two-prong impact. On one hand, it is making lending applications more compliant and transparent in their mode of work. On the other hand, it is creating a safe environment for the borrowers who seek loans from such applications. This also conveys the fact that the Indian finance market is now seeking fair and long-term players who are actually interested in the country’s economic growth in a healthy manner.
It was fairly observed that while several companies thanked the government for lifting the ban, they also appreciated the recent ban as it eliminated several proxy applications from the lending landscape and kept the space for the original applications.
The tech industry per se now needs to keep one eye on the Government’s as well as the regulator’s action and the other eye on its own mode of action in order to keep away from such inadvertent bans. However, with the government easing up the compliances and regulations and introducing concepts such as compounding, it would certainly not be the end of the world for the tech companies in India. India has been witnessing easy digital penetration, holds a favourable demographic profile and an ever-growing middle class that would certainly require more such lending applications in the coming times.
It would however be imperative that a mandate for such companies/ applications to make regular disclosures to the regulator or the government where they prove their compliance and show their history be released in the coming times. This shall have a dual benefit as it would ensure ease in operations for both the Government as well as the applications.
How does the new data bill complicate the regulatory environment for tech companies in India, and what steps can they take to ensure compliance?
The recent draft Digital Personal Data Protection Bill, 2022 (“Bill”) proposes major changes in the processing of data and securing the personal information of the users such as bank account details and biometric information. Even though the Bill provides a more forgiving compliance framework than the previous draft, many stakeholders still believe it might complicate the regulatory environment for Indian tech companies. However, nothing can be said for sure at the moment as the bill has not been brought to the table yet. The government has also made it clear that several provisions shall be implemented at different intervals. Till then the basic interpretation by industry experts has found the following points as the point of deliberation.
No clear distinction between data and sensitive personal data
In the current legal scenario, financial information such as a bank account detail or credit/debit card information or any other payment instrument details of a person is treated as sensitive personal data or information under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. However, there is no mention of “sensitive data” in the proposed legislation. The current approach may result in a higher compliance burden as it appears that the government intends to treat all customer data as ‘sensitive’ data. This implies that graded data protection and penalties applicable to sensitive data may apply to all types of data. Currently, tech companies have policies in place to deal with sensitive personal data, which provides sensitive data with extra security and protection when compared to other types of information. The proposed amendment could extend the aforementioned graded security to all other information, creating a much more stringent and exorbitant regulatory environment for tech companies. This, in turn, would require the tech companies to conduct a conscious check on their mode of action at all times, especially actions concerning the storage or usage of customers’ data.
Ambiguity on cross-border data transfer
In the current legal scenario, IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’) allows the transfer of data to an entity outside India which has the same level of data protection as envisaged under the SPDI Rules. However, under the proposed law personal data can be transferred outside of India but only to countries that the government will notify in the future. This now creates a state of confusion for many tech companies such as fintech, health techs, agri tech and other platforms that are in any way involved with a foreign entity for data interpretation or any other related aspect. The tech companies might feel that the government releasing a list of specific countries time and again to which the data can be transferred, may severely hamper their business in future. However, it is worth noting that the previous draft of the bill completely prohibited sharing of information outside of India. We also need to keep in our mind that the Indian government is pushing for creating a positive and profitable ecosystem for businesses in India and thus all actions by the government or the regulator would be business-friendly in the coming times. Although, it would be helpful to the tech companies in India if the government or the regulator clears the air on countries to which data can be shared or sent over. This is because the lack of clarity on the before mentioned will have a particular impact on fintech companies that are part of a foreign corporate group or use the services of foreign tech companies to assess their customers’ behavioural patterns.
Excessive Delegation to the Central Government
The Bill delegates many crucial issues to the central government by using the language “as may be prescribed”. This may provide the central government with much more discretionary power on various subjects under the proposed bill. As a result, the government may issue various circulars that will be defining the procedural aspects of the Bill as well. The issue that the tech companies might be facing would be the unpredictable manner in which the regulatory ecosystem may operate in the coming times. Tech companies will need to be much more proactive in this regard thus updating their IT framework on a regular basis.
Furthermore, with the introduction of concepts such as significant data fiduciaries, major changes in the way consent is obtained to process data, the enforcement mechanism, and the amount of discretionary power given to the central government in the bill, it is expected that the data protection regime will undergo major restructuring in the coming years and accordingly companies have to align their business structure with the dynamic legal ecosystem.
1 SNTHostings v. Union of India, W.P. (C) No. 13997/2022