India: Trends and Developments in 2020
India is among the five largest economies with a GDP of USD2.94 trillion and has a vision of becoming a USD5 trillion economy by 2024. India has the second largest internet user base, which is a huge strength for the country. This will not only enable the expansion of existing technologies and services but also lead to the development of newer technologies/platforms. India has already witnessed exponential growth in the fintech sector, especially relating to payment services/wallets, and the regulatory regime relating to newer, modern age service offerings is developing. The launch of 5G services is likely to fuel the growth of bandwidth dependent services. Differentiation between pure telecom, media and technology players will become even more difficult. Operators who are known for pure telecom offerings are also entering the digital media space and are ready to compete in the e-commerce market space.
Amid all of this, several traditional industries are still facing legal and regulatory challenges. The Indian outsourcing sector, which is primarily governed under the Other Service Provider (OSP) policy issued by the Department of Telecommunications (DoT), Government of India, has been demanding a re-visit to the policy/regulatory regime surrounding establishment and provisioning of services. The OSP sector is looking at an uninterrupted integration/interconnection of telecom resources between various locations as well as between International and Domestic OSP centres. The reforms in the OSP regulatory regime will result in ease of doing business and bring clarity on issues such as interconnection, work from home, utilisation of cloud based services/servers/data centres, etc. With increased usage of the internet as well as internet based applications, there is a requirement to allow domestic OSP traffic over the internet (as opposed to traditional PSTN lines/plain old telephone lines (POTS)).
Software as a Service (SaaS) has become increasingly popular as a service offering; however, the companies providing such services may have to look at their arrangements/agreements with both the subscribers and the telecom operators. It will be important for the SaaS companies to ensure that none of their services are categorised as "reselling" of telecom resources. The same may also apply to companies selling/providing integrated communication solutions to large corporates. The extant telecom regulations prohibit interconnection between public and private networks (ie, private leased circuits and PSTN networks) and reselling of licensed telecom services.
Online streaming services are becoming increasingly popular; however, a gap still exists in terms of regulation of such services/content, as opposed to traditional mediums of broadcast. It is unclear whether the same should be regulated by the Ministry of Information & Broadcasting (under its regulations/policies) or by the DoT. Several cases are pending before various High Courts in India on regulation of online content and service providers.
The Supreme Court of India’s recent judgment on payment of a licence fee on the basis of adjusted gross revenue (AGR), along with interest on delayed payment, is among the key issues currently being faced by licensed telecom operators. The Supreme Court’s judgment brings an end to a 14-year-old telecom litigation and the much debated interpretation of AGR.
The AGR Case: An End to the Prolonged Telecom Litigation
The telecom sector is today characterised by a burgeoning debt burden which can be traced all the way back to the infamous “2G spectrum scam” case. The Comptroller and Auditor General of India’s (CAG) report in 2010 estimated that the decision to offer 2G spectrum at throw-away prices caused the government exchequer a revenue loss of almost USD24.66 billion. Post this controversy, the telecom sector witnessed a period of "policy paralysis" wherein the Government fixed the price of spectrum in future auctions to 3G rates. This resulted in highly competitive bidding which then led to unreasonably high auction prices. In order to keep pace with this form of bidding, telecom companies started to take loans from banks, and this was the start of a vicious cycle of constant debt burden. The fortunes of companies also plummeted, which further changed the landscape of the Indian telecom sector. The share prices of several companies went, and stayed, down, while several others had to shut down their operations. In the aftermath of the 2G case, the telecom sector has been turbulent and plagued with issues of stifled growth, in what was once described as the “sunshine sector”.
The Supreme Court’s ruling in the Union of India (UOI) vs Association of Unified Telecom Service Providers of India and Ors (or AGR case) has once again raised the fear of one of the three telecom operators closing down the business. This case has wide ramifications for both the operators and the consumers. The primary issue at hand in this case was the definition of AGR. As per telecom operators, the DoT, via its demand notice dated 26.07.2001, had illegally included various elements of income in the definition of AGR which did not accrue from the operations as given in the license agreement, such as dividend income, interest income on short term investment, discounts on calls, revenues from other activities separately licensed, etc. The argument taken by the telecom operators was that the AGR should accrue from core telecom operations, and in this regard they relied heavily upon the recommendations issued by the TRAI on 31.08.2000.
The DoT on the other hand claimed that AGR should also include dividends, handset sales and rent, and revenues from other activities separately licensed. On this issue, the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) had earlier, by its order dated 30.08.2007, held that the definition of AGR would include only the revenue from licence activities, ie, favouring the case of telecom operators. The 30.08.2007 order of TDSAT was challenged before the Supreme Court in the AGR Case. The current case, as before the Supreme Court, is the culmination of a second round of litigation on this issue regarding the definition of AGR.
In its judgment, the Supreme Court upheld the wide interpretation of the definition of AGR, which has been adopted by the DoT. This would, apart from license fee, also include dividends, handset sales and rent, and revenues from other activities separately licensed. This determination of the various revenue heads has clarified and expanded the scope of what all can be levied as part of AGR by the DoT. The implications of this on the telecom operators are immense as they now have to pay the DoT for other "non-core" services also as part of their licence fee.
Pursuant to the decision given by the Supreme Court in the AGR case, the DoT issued demand notices to all telecom operators or licensees, Internet Service Providers (ISPs), Virtual Network Operators, etc, and their associations to pay licence fees, spectrum usage charges (SUC) and other dues. The big defaulters as per DoT calculations are as follows. First, Vodafone has to pay USD7.42 billion in licence fees, SUCs, interest and penalties; second, Airtel's AGR dues are over USD4.98 billion in licence fees, SUCs, interest and penalties; third, Tata Teleservices has to pay USD1.94 billion in licence fees, SUCs, interest and penalties. DoT has also issued notices to telecom operators to submit the requisite documents to ensure compliance with the timeframe of three months. The Supreme Court has also rejected the request made by parties for deferred payment and directed companies to make payment immediately or face contempt proceedings.
The AGR case has a cascading effect on other sectors as well, and not only on the telecom sector. It can have an impact on any entity that has taken a telecom service licence. DoT is likely to raise demand for payment of licence fee on the basis of AGR on other companies which hold telecom licenses but do not operate telecom laws.
Over the Top services: TRAI’s Attempt to Regulate the Free Rider
Over the Top service providers (OTTs) pose significant challenges for conventional telecom operators in terms of their revenues and a required increase in telecom infrastructure investment. This is particularly because of the increase in internet traffic due to the expansion of OTT services. Increased mobile internet penetration, affordable data and the availability of low-cost smartphones and video capable devices have led to a rapid increase in OTT messaging, voice calls and video calls. The consequent increase in data traffic logically seems to benefit telecom operators through an increase in business. However, the average price per GB has sharply declined from Rs.75.57 (approximately) per GB in 2016 to Rs.12.06 per GB in 2018. To meet the increase in demand, telecom operators are required to invest in expanding capacity after conducting a cost-benefit analysis, or such a decision may be forced upon a business in light of the QoS (Quality of Service) regulations. Theoretically, therefore, telecom operators are mandated to invest in their own expansion even when such expansion benefits OTT services that directly compete with telecom networks. Telecom operators are not, however, completely devoid of revenue opportunities since an increase in demand for data necessarily implies a growth in internet connectivity revenues.
The Telecom Regulatory Authority of India (TRAI) actively recognises that a level playing field for all market players is an important part of requirements for any regulatory framework. It is argued that OTT players do not have licensing and regulatory obligations at par with the telecom operators and that OTT service providers have an opportunity to earn revenue from alternative sources using data of their subscribers and can offer services which may be prohibited for TSPs. The TRAI has noted that an impact on revenue streams to telecom operators from the growth of traffic due to OTT services on account of regulatory imbalances, if any, may require a fix, while other reasons of impact may be left to the market to deal with. While the growth of OTT services has led to tremendous social and economic benefits, telecom operators have served as the backbone for enabling access to OTT services.
TRAI in its Consultation Paper on OTT has also broadly highlighted the regulatory imbalance between OTTs and telecom operators. On the one hand, telecom operators are mandated to pay the origination charge, carriage charge and termination charge specified under The Telecommunication Interconnection Usage Charges (IUC) Regulations from time to time. They are also required to follow the QoS Code of Practice for Metering and Billing Accuracy Regulation 2006. QoS benchmarks are notified by the Authority and, in case of non-compliance, telecom operators are also liable to pay financial disincentives. Further, in terms of fees and applicable taxes, telecom operators are required to pay a one-time non-refundable entry fee prior to signing of the licensing agreement. They also have to pay an annual licence fee which is a percentage of the AGR, currently set at 8%. In case the telecom operators obtain spectrum, they are also expected to pay spectrum related charges, including payment for allotment and use of spectrum.
On the other hand, OTT players may, without a licence, provide the same services as telecom operators. They do not require permissions from any regulatory body or from telecom operators. There is no requirement of interconnection or for any commercial agreements between OTT providers and telecom operators. They are also not bound by any regulatory obligations to address consumer concerns such as quality of service, interconnection and unsolicited communication. These concerns are addressed through a self-regulatory or a market-driven approach.
The Consultation Paper suggests possible regulatory and market approaches to regulate the OTT players. The first approach provided by the Consultation Paper is to subject OTT players providing services that can be regarded as being the same/similar to the services provided by telecom operators to the same licensing/registration obligations which are required to be adhered to by the telecom operators, or to extend the regulatory framework of the relevant existing laws such as data protection and privacy laws, consumer protection laws, etc, to include OTT players in their ambit. Other approaches include separate regulatory practices for communication services and non-communication services (as followed in Germany and France); or use of price discrimination on traffic to ensure development of broadband infrastructure (as followed in the United Kingdom and Korea); or use of a FRAND approach in dealing with regulatory issues concerning OTT players (as followed in Korea, ETNO). Two more approaches were proposed by TRAI in its Consultation Paper: to relax the regime governing telecom operators and make it sector-neutral instead of proposing equal regulation for OTTs; or to leave the issue to be resolved through market forces, without the need for any specific regulatory intervention.
The TRAI wants to take a "practical approach" to the OTT issue and since OTT usage is increasingly benefiting TSPs given the spike in data consumption and traffic, arguments about such services riding free on existing networks do not find sufficient basis in theory or practice. Economic aspects therefore, are not the primary focus for the new regulatory framework being debated and proposed. Questions about security concerns have gained ground because the government wants to change IT rules to seek greater accountability from OTT service providers. Self-regulation of OTT market players is believed to be the best policy for advancing free and open internet access for all while also fostering a space for innovation. Until the TRAI concludes its deliberations on the issue, OTT service providers will not be subjected to the same legal requirements as telecom operators and the judicial route seeking regulations for the former remains tightly sealed.
Further, in one of the cases pending before the High Court of Delhi, the Ministry of Information and Broadcasting (MIB) has stated that online media streaming services and applications are outside the ambit of regulations and policies issued by MIB and that the same can at best be regulated in terms of the Information Technology Act, 2000 (as amended from time to time).
Draft National E-Commerce Policy
In order to keep pace with the recent developments in the e-commerce industry and to streamline laws inter alia on data protection and privacy, a need was felt to formulate a comprehensive framework for regulating the digital economy. In February 2019, the Department for Promotion of Industry and Internal Trade formulated the Draft National E-Commerce Policy (“Draft Policy”). The objective of this Draft Policy as stated was to enable India to benefit from digitisation by creating a governance framework for various stakeholders and strategies for data localisation, consumer protection and promoting micro, small and medium enterprises (MSMEs) and start-ups. The Draft Policy considers six broad issues relating to the e-commerce ecosystem, encompassing data; infrastructure development; e-commerce marketplaces; regulatory issues; stimulating the domestic digital economy; and export promotion through e-commerce.
In relation to each of these six issues, the Draft Policy sets out general principles to be considered as well as specific strategies to be adopted to achieve stated goals. This article sets out general observations on the Draft Policy along with specific comments in relation to some of the major proposed strategies and recommendations.
The Draft Policy inter alia has widened the concept of "E-Commerce". The Draft Policy rightly observes that “e-commerce” has been defined differently across the globe. It further clarifies that “e-commerce”, “electronic commerce” and “digital economy” are interchangeably used. With these caveats, the Draft Policy, while taking into consideration the main constituents of the definition of e-commerce world-wide, has defined "e-commerce" in the following manner:
“e-commerce includes buying, selling, marketing or distribution of (i) goods, including digital products and (ii) services; through electronic network. Delivery of goods, including digital products, and services may be online or through traditional mode of physical delivery. Similarly, payments against such goods and services may be made online or through traditional banking channels, ie, cheques, demand drafts or through cash”.
Thus, the Draft Policy has tried to be sufficiently specific and attempted to provide an all-inclusive definition of e-commerce. Further, the Draft Policy provides that Indian data is to be regarded as a sovereign resource. The Government is to be given access to source code and algorithms of artificial intelligence (AI) systems. The Draft Policy also highlights that the current practice of not imposing custom duties on electronic transmissions must be reviewed in the light of the changing digital economy and the increased role that additive manufacturing is expected to take. A UNCTAD report from 2017 suggests that it would be mostly developing countries which would suffer loss in revenue if the temporary moratorium on custom duties on electronic transmissions is made permanent. The permanent moratorium on electronic transmissions further implies that everything will be traded at zero duty, assuming that everything is traded electronically except non-agricultural products. As such, the protection that is available to India for the nascent industries in the digital arena will disappear at once.
The Draft Policy further suggests the establishment of a Data Authority to regulate the sharing of community data that serves the larger public interest. However, it would be beneficial to consider widening the scope of this Data Authority beyond just dissemination of collected data to also cover the collection, processing and standardisation of the data in order to ensure security and remove the possibility of mismanagement. Most crucially, collation and insightful assessment of data would allow the Government of India to make informed decisions on policy and strategy.
Further, the Draft Policy provides that e-commerce apps/websites downloadable in India must mandatorily have a registered business entity located within India, as the importer on record/as the entity through which all sales in India are transacted. This is important for ensuring compliance with extant laws and regulations for preventing deceptive and fraudulent practices, protection of privacy, safety and security. Any non-compliant e-commerce app/website will be denied access to operate within India.
The Draft Policy suggests that steps will be taken to develop capacity for data storage in India. It further provides that an assessment needs to be done regarding how data-storage-ready the available infrastructure in the country is. While stating that a timeframe would be put in place for the transition to data storage within the country, it provides that a period of three years would be given to allow the industry to adjust to data storage requirements, ie, data localisation. However, demanding data localisation fails to address the high costs and technical feasibility of implementing the same. This is likely to disproportionately affect smaller organisations (including technology start-ups) in India, who cannot afford the additional cost especially in terms of data storage. This would ultimately affect the ability of these smaller organisations in India to participate in creating high value digital products in India, defeating the objective of the Draft Policy.
In order to secure support from various agencies, data storage facilities will get the "infrastructure-status". Development of data-storage facilities/infrastructure is an important vision of the Draft Policy wherein data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antennae will be granted "infrastructure status" to facilitate last mile connectivity across urban and rural India. This also enables regulation of the listed infrastructure in a more streamlined manner, benefits of which regulation have led to India having one of the largest roadways and railway networks in the world.
Further, considering the transition towards a system for electronic redressal of grievances, including making available compensation to the aggrieved consumer electronically, the Draft Policy suggests mechanisms for the establishment of e-consumer courts to provide for the online redressal of grievances, which will further boost consumer confidence.
The Draft Policy largely seeks to tackle issues which a data driven economy poses, such as: free flow of data across borders; monetisation of data (collected and processed within India) by foreign entities; MSMEs being at a competitive disadvantage due to free access to huge amounts of data; and the advent of artificial intelligence and smart bots. The Draft Policy also attempts to suggest viable ways to tackle "inadequate infrastructure to cater the needs of the digital economy". In addition to the aforesaid, the Draft Policy seeks to create a level playing field for all participants operating through e-commerce marketplaces.
Need for Privacy and Data Protection Laws in India
The landmark judgment on the issue of privacy and data protection is the Supreme Court’s verdict in Justice K.S. Puttaswamy (retd) & Anr vs Union of India and Ors (“Puttaswamy Judgment”). The Court stated that privacy is a constitutional right stemming out of Article 21 of the Constitution of India. For the longest time, data protection and privacy issues in India were regulated by the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPD Rules”). Post the Puttaswamy Judgment, a committee of experts chaired by Mr B N Srikrishna brought about a draft Personal Data Protection Bill, 2018 (“2018 Bill”). This was followed by the Privacy Data Protection (Amendment) Bill, 2019 (“PDP Bill 2019”), which has brought about some key changes in the regime.
The 2018 Bill, along with the PDP Bill 2019 (“Data Protection Bill”), when enacted, is likely to replace the existing IT Act and the SPD Rules and will become the only and primary statute governing privacy and data protection in India.
The primary shortcoming of the IT Act is that it only covers the handling of data by a body corporate which is defined as any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Thus, it does not qualify as a comprehensive data protection framework and leaves out certain means of processing of personal data from its ambit and also misses out on processing activities carried out by the Government as well as the private entities.
It is pertinent to note that the IT Act was not specifically drafted for data protection. The approach of our law makers to amend an outdated, existing legislation to cover the crucial issue of data protection led to problems of definition of scope and sanctions. The technical advancements in the Indian regime have outgrown the existing privacy and data protection legislations. The IT Act and SPD Rules do not differentiate between personal data and sensitive personal data or, for that matter, critical personal data. Given the different nature of the data so collected, it is extremely necessary to have separate regulations for each of them, and the same has been introduced by the 2018 Bill and expanded by the PDP Bill, 2019 to include critical personal data.
The EU General Data Protection Regulation (GDPR), enacted in May 2018, established a global norm in personal data protection. The 2018 Bill as well as the PDP Bill 2019 is largely based on the principles of GDPR, with a unique Indian touch to it. A few common principles in GDPR and PDP Bill are: data minimisation, limited grounds of processing, data quality and security and privacy by design.
The 2018 Bill was formulated to cover major concepts of the data protection regime. It elaborates upon the following crucial terms: "personal data" as any information which renders an individual identifiable, data "processing" as any operation, including collection, manipulation, sharing or storage of data, "data principal" as the individual whose personal data is being processed, "data fiduciary" as the entity or individual who decides the means and purposes of processing data, and "data processor" as the entity or individual who processes data on behalf of the fiduciary. In terms of applicability, the Data Protection Bill covers processing by government and private entities incorporated in India and also entities incorporated overseas, if they systematically deal with data principals within the territory of India. Additionally, the 2018 Bill allows for data processing by fiduciaries only if consent is provided by the individual. The 2018 Bill inter alia provides for data protection obligations, grounds for processing of personal data, grounds for processing of sensitive personal data, transfer of personal data outside India and constitution of the data protection authority of India.
Key Changes to 2018 Bill: Brought in by PDP Bill 2019
The PDP Bill 2019, however, amends a few provisions of the 2018 Bill. Firstly, it expands the definition of personal data to “mean data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include inference drawn from such data for the purpose of profiling”. Secondly, the PDP Bill 2019 extends the obligations of significant data fiduciaries to another class of entities called the Social Media Intermediaries (SMIs), ie, intermediaries who solely enable online interaction between two or more users and allow them to create, upload, share, disseminate, modify or access information using their services, excluding entities like e-commerce platforms, telecom operators/ISPs, search engines, cloud service providers, online encyclopaedias, and email services. Such SMIs are required to provide users with an option for voluntary verification of their accounts.
As per Section 29, data auditors are required to evaluate SMIs for timely implementation of their obligations under account verification norms. The PDP Bill 2019 has also widened the scope of Governmental access and gives the Central Government power to exempt any government agency from the purview of the Bill at large. The principles of necessity and proportionality, as were required in the 2018 Bill, have been removed. It is pertinent to note that, while the law tightens rules for companies that handle personal data, it has given the Government the right to exempt any government agency from legal obligations. This has raised alarm bells among companies, activists and the citizenry, who are rightly worried about unaccountable government surveillance. This is likely to be the most debated provision of the law once it’s tabled in Parliament for voting.
The mandatory requirement for storing a mirror copy of all personal data in India as per Section 40 of the 2018 Bill has been done away with in the PDP Bill 2019. These localisation requirements are only on sensitive and critical personal data. A definition of critical personal data has not been provided and the Act mentions that it means “personal data as may be notified by the Central Government to be critical personal data”. Section 34 of PDP Bill, 2019 lists the conditions, stating that sensitive personal data may only be transferred outside India for the purpose of processing when explicit consent is given by the data principal for such transfer and where: the transfer is made pursuant to a contract or intra-group scheme approved by the Authority; the Central Government, after consultation with the Authority, has allowed the transfer to a country or such entity or class of entity in a country or an international organisation; or the Authority has allowed transfer of any sensitive personal data or class of sensitive personal data for any purpose. Another beneficial aspect for a Data Principal in the Indian Regime is that the "Right to Erasure" has been added alongside the right to correction of personal data.
Thus, most of the major shortcomings in the 2018 Bill have been rectified by the 2019 amendments to the 2018 Bill. The 2018 Bill as amended in 2019 is likely to become a law in the financial year of 2020, once it is reviewed by the joint parliamentary committee. Reports suggest that the Joint Parliamentary Committee has issued an advertisement inviting the general public and the stakeholders to send in their suggestions. The stakeholders have been given four weeks to respond. Meanwhile, with the draft e-commerce policy being simultaneously worked on, it will be interesting to see how the final laws in relation to e-commerce and data privacy and protection strike a balance between consumer interest and the data driven economy at large.
The above being as it is, the companies operating in the TMT space may also be subjected to greater scrutiny by the Indian competition regulator, the Competition Commission of India. However, companies in possession of a telecom licence may be saved from direct scrutiny because, as per the Supreme Court’s recent judgment, any investigation against a telecom licensee can only be initiated after consultation with and approval of TRAI.