TMT 2021

Last Updated February 19, 2021

India

Law and Practice

Authors



AnantLaw is a full-service law firm with a well-established TMT practice and a strong understanding of the legal and regulatory regime concerning the technology, media and telecoms sectors. The firm advises and represents clients (foreign and domestic) and works closely with all stakeholders on public policy issues. The members of the firm have worked and led TMT practices at top-tier firms in India and have been consistently rated as leading lawyers in the TMT space. AnantLaw also draws strength from the team members who have worked as in-house counsel in some of the largest media and broadcasting companies (including online streaming companies). Members of the TMT practice group also actively practise in competition law and this provides them with a deeper understanding of the regulatory regime, especially in the rapidly evolving regulatory-competition environment in the digital space.

Statutory Framework for Cloud Services in India

While there is no active regulatory or statutory framework for the regulation of cloud services in India, the Telecom Regulatory Authority of India (TRAI) in its recent Recommendations on Cloud Services has made a number of recommendations to the Department of Telecommunications (DOT) for a "light touch regulatory" approach towards cloud services in India.

On 16 August 2017, the TRAI issued recommendations in response to the DOT’s queries with regard to cloud services. TRAI recommended the creation of an industry body for regulation of cloud services with participation from all cloud service providers (CSPs). The induction to the industry body was to be by way of registration; which necessitated fulfilling eligibility criteria, payment of entry fees and specification of the duration of registration. After accepting all recommendations, the DOT sought further recommendations on the framework for CSPs, which resulted in the TRAI’s Recommendations on Cloud Services in September 2020. These recommendations mandated that no telecom service provider would be allowed to share infrastructure or platforms with a CSP which is not registered under the CSP industry body (under the DOT).

This move effectively mandates that every CSP has to be registered with the CSP industry body. In a letter dated 09 October 2020, CSPs representing the cloud service industry opposed this move of the TRAI on two primary grounds. Firstly, the CSPs argued that they are not telecom or internet service providers (TSPs/ISPs, respectively) and are in fact, customers that offer cloud services using their infrastructure. Secondly, the CSPs opposed the move on jurisdictional grounds. Citing the Government of India Allocation of Business Rules, 1961, the CSPs stated that it is the Ministry of Electronics and Information Technology (MeitY) that is responsible for developing policies for information technology and the internet and the same being taken over by the DOT/TRAI trespasses onto the jurisdiction of MeitY.

MeitY, in furtherance of its MeghRaj policy, which is aimed at providing cloud-based services for government departments and public sector undertakings (PSUs), invited applications for empanelment of CSPs with MeitY for the same.

Under the MeghRaj cloud initiative, MeitY has conducted two rounds of empanelment of CSPs, in 2016 and 2017, respectively. The empanelment process is akin to an accreditation process, wherein MeitY invites applications from prospective CSPs to get empanelled with MeitY for provision of cloud-based services to government and the public sector. The empanelment process requires CSPs to comply with guidelines issued by MeitY pertaining to cloud architecture, cloud security best practices, and additional guidelines as issued. The CSPs are then audited in respect of compliance and thereby certified and empanelled.

Apart from the consultations, which may provide a dedicated regulatory framework, the overarching statutes governing the IT sector must also be complied with. The primary statue in that regard is the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).

Regulated Sectors

Regulated sectors in India – such as the banking, securities and capital markets and insurance sectors – are regulated by representative agencies; these being the Reserve Bank of India (RBI) for the banking sector, the Securities and Exchange Board of India (SEBI) for the securities and capital market sector, and the Insurance Regulatory and Development Authority of India (IRDAI) for the insurance sector. Players in these sectors have begun to implement and use cloud technology for ease of doing business.

Banking

The RBI has undertaken the formation of a working group to explore cloud computing options in the banking sector and released a Working Group Report on Cloud Computing Option for Small Size Urban Cooperative Banks (Working Group Report) wherein the standards of practice, use, security measures, maintenance of data privacy, etc, pertaining to the use of cloud technology are provided. The RBI’s Guidelines on Information Security, Electronic Banking, Technology risk management and Cyber Frauds provides an extensive checklist related to information security, which is required to be complied with if banks use cloud computing. The checklist covers aspects of information security such as security policy, asset control, personnel and systems security. Certain higher security measures prescribed by RBI in its Working Group Report include the use of multiple CSPs to provide diversity and redundancy in networking and data processing or to use modern devices that recognise denial of service (DoS) signatures and prevent DoS traffic. In view of outsourcing of activities by banks, the RBI issued guidelines on IT outsourcing in 2011. These guidelines mandate that "Banks must be required to report to the regulator [RBI], where the scale and nature of functions outsourced are significant, or extensive data sharing is involved across geographic locations as part of technology/process outsourcing". The RBI Guidelines further provide a higher standard for encryption for online services related to the banking sector.

Securities and capital markets

SEBI has also adopted a private cloud computing model for big data solutions that use HDFS, a document management system, mail and messaging, the SEBI website, investor portals etc. Pursuant to this, SEBI invited bids for implementation of a private cloud system, wherein it recommended the use of a defined user management (administrative and access control) mechanism to ensure security and privacy in the intended cloud-based architecture. On 03 November 2020, SEBI released an advisory to financial sector organisations using software as a service (SaaS) to comply with the advisory on security measures to be undertaken by them as issued by Indian Computer Emergency Response Team (CERT-In).

Insurance

The IRDAI has mandated that:

  • all information and data pertaining to core business records shall be hosted in India,
  • encryption techniques shall be implemented for cloud data hosting, such as data-in-transit and data-at-rest for personally identifiable information (PII); and
  • data loss prevention (DLP) solutions be implemented for the monitoring and protection of sensitive data and management of risk.

Furthermore, as per the Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017, insurance companies are required to report all outsourcing arrangements where the annual pay-out is more than INR10 Million. IRDA further mandates under Section 3 (9) of the IRDAI (Maintenance of Insurance Records) Regulations, 2015 that “the records including those held in electronic mode, pertaining to all the policies issued and all claims made in India shall be held in data centres located and maintained in India only.”

Protection of Personal Data in the Context of Cloud Computing

Data protection and privacy

As mentioned above, there is no dedicated law for the regulation and governance of cloud services in India. The lack of appropriate legislation certainly poses a huge challenge for the effective implementation of cloud-based services which store and provide access to data and personal data (sometimes even including sensitive personal data) of millions of persons. Privacy concerns are therefore likely to arise in the event of any information leakage or data breach. Presently, the protection afforded to personal data comes through Section 72 of the IT Act, which lays down the penalty for breach of confidentiality and privacy. The said Section provides for imprisonment up to two years and fine up to INR100,000. Section 80 of the IT Act deals with search and seizure of computer data on connected systems if there is reasonable justification to do so. However, apart from these provisions, the SPDI Rules provide certain liability to persons handling personal information and data by prescribing standards of data security maintenance among other things. 

Provision of data to authorised entities

The IT Act authorises law enforcement agencies to intercept, monitor and decrypt data travelling over domestic internet networks (Sections 69 and 69B of the IT Act). However, the decentralised nature of cloud computing poses a compliance challenge regarding such requests from authorised/law enforcement entities.

Bans on Cryptocurrencies

The RBI, in its Circular titled Prohibition on dealing in Virtual Currencies (VCs), dated 06 April 2018, prohibited all transactions with respect to virtual currencies in India. Pursuant to the disruption caused in the world of cryptocurrencies due to the ban, the Supreme Court of India was approached through a specialised industry body, the Internet and Mobile Association of India (IMAI) challenging the RBI Circular. As a result, the RBI Circular in question was set aside by the Supreme Court of India in March 2020 holding that the ban was not justified on grounds of proportionality.

The Department of Economic Affairs, Ministry of Finance drafted the Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019 (2019 Bill). The 2019 Bill prohibits all cryptocurrencies, their use and further penalises the same. Risks associated with the use of cryptocurrencies include their potential use for money-laundering, risks to consumers and the threat they pose to the country’s financial stability. While the draft 2019 Bill prohibits use of cryptocurrencies, it provides that digital rupees may be issued by the RBI as legal tender.

Blockchain Regulation

India does not have any specific laws regulating the blockchain technology, but there has been discussion on creation of a regulatory framework for same. In January 2020, NITI Ayog, a policy think-tank of the government of India released a paper titled Blockchain: the India strategy and sought comments from stakeholders. As per NITI Ayog, the main issues in the implementation of a blockchain framework in India include integration of the blockchain with existing legacy systems such as national IDs, payment systems and supply chain information; and the amendment of existing laws in light of same. Key industry players expect that the Budget 2021 will give greater clarity on the status of cryptocurrencies in India, given that investment in this sector has seen a surge in 2020.

Due to lack of legislation, the use of blockchain technology gives rise to certain challenges:

Industry-specific regulation

Banking and finance industry regulators, such as the RBI and SEBI, have evolved policies to regulate the use of blockchain technology and distributed ledger technology (DLT). As mentioned above, in a recent decision by the Supreme Court of India, the RBI Circular cautioning and discouraging (banning) the use of cryptocurrencies was struck down as not meeting the proportionality criteria. Pursuant to this, all banks and financial institutions regulated by the RBI are free to provide services in relation to virtual currencies.

Regulatory sandboxing

Agencies regulating insurance, securities, and banking sectors have introduced sandboxing regulations for their respective sectors. The aim of such sandboxing regulations is to provide the stakeholders a safe and controlled environment to experiment with technology in their respective sectors.

In 2019, IRDAI introduced the Insurance Regulatory and Development Authority of India (Regulatory Sandbox) Regulations, 2019, which were implemented on 26 July 2019. These regulations are to remain in effect for two years. The minimum entry criteria for taking advantage are that the insurance entity must have a net worth of INR1 million.

The RBI introduced final guidelines towards its Enabling Framework for Regulatory Sandboxing on 13 August 2019. Since then, the RBI has released two phases of sandboxing for payments. The first cohort on retail payments was released on 17 November 2020 and the second cohort with respect to cross-border payments was notified by the RBI on 16 December 2020. The entities seeking sandboxing are required to have a net worth of INR2.5 million and should be incorporated and registered in India.

SEBI also introduced the Framework for Regulatory Sandbox dated 5 June 2020. Each of the aforesaid sandbox regulations provide for eligibility criteria, application procedure, extent of relaxations, testing duration, etc.

Risks and liability

For any non-compliance, the Consumer Protection Act 2019 (CPA 2019), in the context of a permitted blockchain network, imposes liability on the regulating participant, being equivalent to an electronic service provider.

The lack of consolidated legislation has proved problematic from the perspective of legal enforcement of uniformity or standards with respect to the use of blockchain technology. It remains to be seen how industry regulators will attribute liability from the perspective of tax and contract enforcement to a technology that is inherently decentralised and geographically distributed.

Maintenance of data privacy and cybersecurity poses a major risk for blockchain technology users in India. While there are only industry-specific statutory mandates, the laws such as the IT Act and its underlying rules are to be complied with. In order to overcome the challenges posed by maintenance of data privacy and security, the industry is looking to implement and maintain "reasonable security practices and procedures" in relation to "sensitive personal data or information". Furthermore, industry-specific laws also stipulate encryption standards which are required to be adopted by users of e-transactions, etc.

Intellectual property

The primary challenge to the patentability of a blockchain framework is posed by the Indian Patent Act, 1970 (Patent Act). While the Patent Act clearly states that algorithms amounting to computer programs per se are not patentable, the Indian Patent Office has granted patents under the head of "software as business method" to companies such as Facebook, Google and Apple. This was done on the grounds that the software provided a "technical solution to a technical problem by providing a practical application of the underlying software.

The Delhi High Court, in Telefonaktiebolaget Lm Ericsson v Intex Technologies, 2014, stated that “any invention which has a technical contribution or has a technical effect and is not merely a computer program per se” is patentable. The interpretation of the words "per se" following the patentability of software under the Parent Act has currently not been examined in the light of blockchain technology and is shrouded in debate.

Furthermore, the Indian Copyright Act, 1957 provides that source code of software may be granted copyright protection.

Data privacy

There are no specific laws to ensure data privacy and security in blockchains. However, any use of blockchain technology will need to comply with the general laws on cybersecurity and data privacy as are prevalent in India, which include the SPDI Rules.

A potential challenge with respect to enforceability may arise on account of the inherently decentralised nature of blockchains as the SPDI Rules only apply to bodies corporate or any person situated within the jurisdiction of India. Accordingly, given the decentralised nature of blockchains (which could involve nodes from several jurisdictions) enforcing the SPDI Rules may pose a challenge.

Jurisdictional issues

Issues pertaining to the enforcement of "smart contracts" used in the blockchain protocols, which have the capability of self-execution and self-enforcement (without human intervention) have been under the radar. As blockchain is a decentralised technology framework and blockchain nodes may be placed in several jurisdictions at once, the technology poses complexities in the application and enforcement of such contracts. Furthermore, issues regarding jurisdiction over enforcement and protection of IP are likely to crop up.

Admissibility of blockchain as evidence

Section 65B of the Indian Evidence Act, 1872 allows the admissibility of electronic records as documentary evidence. The section mandates that all such electronic evidence must be submitted with a certificate of its authentication by the person submitting the same (Section 65B(4)). The Supreme Court of India, in the case of Arjun Panditrao Khotkar v Kailash Kushanrao Gorantyal, held that the requirement under Section 65B(4) is a pre-condition to the submission of any evidence by way of electronic record and it is not mere procedural.

Currently, projects involving big data (BD), machine learning (ML) and artificial intelligence (AI) in India are facing the following legal and regulatory issues.

Ownership and IP

Under the Copyright Act, 1957, "source codes" and "object codes" are protected as literary works. The source/object code so developed for any AI project, would be considered the valid and legal intellectual property of the developer or the employer of such a developer (in the event of employment). Issues over IP ownership of AI-created works may arise as it may be difficult to discern whether the parameters of copyrightability are met. These are:

  • whether the idea and expression are intrinsically connected (doctrine of merger);
  • whether the work was created with skill and labour by the author. (sweat of the brow doctrine) or whether the work possess skill and judgment; and
  • whether the work possesses a minimum degree of creativity (modicum of creativity doctrine).

It may be noted that a primary concern for the recognition and protection of IP under the Patents Act poses a more difficult problem as the Patent Act provides that computer programs are not patentable per se.

Concerns of the Market Regulators

Use of BD by market players has raised several concerns from a fair competition point of view. AI and BD are used to determine market trends, identify and target consumers, predict consumer choices, etc, through mass collection of data. This owning and usage of large consumer and market trend databases is likely to attract the intervention of market regulators such as the Competition Commission of India (CCI). Recently, the CCI has noted that e-commerce companies such as Amazon and Flipkart – by having access to, and using information and data collected from, the market – is leading to the creation of barriers to entry for new entrants and smaller enterprises which do not have access to such data.

The effects of using AI to determine prices, control discounting, or produce preferential listing of products by market aggregators are on the radar of the CCI as they have the potential to create an appreciable adverse effect on the e-commerce market in India.

Attribution of Liability

As there is no legal or regulatory framework for the use of AI, BD and ML in India so far, the concerns that may arise with respect to the attribution of liability are unlikely to receive straightforward and conclusive decisions from courts.

Specifically, concerns regarding attribution of liability in the event of data breaches, infringement of intellectual property and decisions made by companies and organisations based on AI algorithms pose difficult and complex legal and social challenges.

The fintech sector in India is seeing constructive and ever-increasing use of BD, ML and AI. The RBI has encouraged regulated entities to make use of artificial intelligence in conducting e-KYC and online onboarding of consumers in order to maintain accuracy and efficiency of their systems.

Data Protection

Protection of data and prevention of privacy breaches is one of the biggest concerns of the use of AI, BD and ML-driven projects. The Supreme Court of India has held, in a recent judgment, that the right to privacy is a fundamental one and recognised the same under Article 21 of the Constitution of India – right to life and liberty.

The Personal Data Protection Bill of 2019 is due to be placed before the Parliament of India for its approval. Due to the lack of detailed law on the protection of data, the primary statute providing guidance are the SPDI Rules. The SDPI Rules mandate companies to maintain privacy policies and obtain consent of individuals for the protection of data.

Infrastructure Challenges

Certain infrastructure challenges to the use and implementation of AI in India have been identified by NITI Ayog in its discussion paper on AI. These include:

  • absence of collaboration and data sharing between stakeholders;
  • unavailability of industry-specific data sets;
  • concerns of privacy and security of data; and
  • high sunk costs, heavy investment in skilled human resources.

To tackle these challenges, NITI Ayog has recommended certain actions to be taken by the Government of India in order to promote:

  • research in the AI (including ML and BD) sector (setting up of research centres, research fellowships, etc);
  • reskilling and training of the workforce (including AI in schools and higher education, promoting the formation of an AI service sector);
  • accelerating the adoption of AI (enabling and promoting data sharing, open resource government assets, etc); and
  • privacy and security (creating a legal and institutional framework for secure data transactions and privacy of data).

Use of AI, AL and BD in Governance

In January 2020, NITI Ayog released a vision document which proposed the formation of a National Data and Analytics Platform (NDAP), an initiative that is aimed at the progress of data-driven discourse and decision making in India. The NDAP aims to bring all government data assets under one platform in order to create better accessibility and enable analytics. The initiative seeks to use all publicly available data assets and convert them into machine readable formats, which will allow the decision-making bodies to do so with greater clarity and on the basis of scientifically segregated data. The NDAP also envisions the formation of a Technical Advisory Group, consisting of industry experts who will guide the formation of the platform and management of data among other things. The first version of the NDAP is set to release in 2021.

As there are several stakeholders involved in internet of things (IoT) projects, the service providers will need to establish secure systems to accumulate, process and secure the data. Certain policy challenges in the use of IoT devices have the potential to act as restraints on a project, these are detailed below.

Privacy and Security of Machine-to-Machine (M2M) Communications

M2M communications are subject to a host of privacy concerns – from collection of large amounts of data to its storage and transfer. Primarily M2M communication requires storage of data by way of cloud computing, which is at a nascent stage of development and is prone to data breaches, information leakage and theft by third parties. In order to successfully run an IoT project, such data leakages will need to be plugged. The lack of regulation and fragmented penal provisions may pose a challenge to such projects.

Cybersecurity and Warfare

Growing connectivity and control of AI over sensitive data poses serious cybersecurity concerns. The use of AI in sensitive sectors such as the defence forces and intelligence wings of the Indian government is susceptible to corruption and infiltration by more advanced malware. It has been recommended by the MeitY in its "report on cyber security, safety, legal and ethical issues" that establishment of nationwide best practices for security should be undertaken by the government. This should be facilitated by the existence of a safety certification from a central body. Furthermore, it has been recommended that human intervention (ie, physical interruption and shut down of operations) should be provided for by the AI systems in order to stop any malicious use of AI.

In order to promote initiatives on cybersecurity, MeitY has announced a Grand Challenge for Cyber Security for budding entrepreneurs in January 2020. This initiative seeks to nurture start-ups and test their innovation and final product building capacities by way of a challenge.

Lack of Infrastructure and Standards

In India, one of the biggest challenges to the effective implementation of the IoT and its usage is the lack of stable and high-speed internet in several rural areas of the country. The lack of infrastructure will leave out a major chunk of the country when implementing systems run on the IoT and may hamper the quality of the data collected. Recognising the growing use and connectivity of the IoT, MeitY released a draft policy on the IoT in 2015, wherein it recognised infrastructural concerns with respect to the use of the IoT and implementation of digital infrastructure. Under this policy, initiatives such as institutional incubation, creation of centres of excellence to support start-ups, provision of training and creation of systems for transfer of knowledge between stakeholders is envisioned.

Lack of Legal Framework

While the right to privacy has been hailed as a fundamental right by the Supreme Court of India, presently, there is not an adequate legal framework to support the same. The SPDI Rules mandate certain measures to be undertaken for the protection of data and sensitive personal data; however, these are rendered inadequate by the rapidly changing environment. With the use of the IoT for processing and using large amounts of data, each value chain of the system will need to be protected via legal, contractual and standardised measures. The absence of such protections gives rise to risk accumulation within one entity, which may prove to be detrimental for IoT projects. The IoT policy released by MeitY provides for the formation of an advisory committee (AC) for the formation of IoT-specific regulations and laws.

Jurisdiction/Applicable Law

As most of the technology-related agreements are based on decentralised models, which are spread over a number of jurisdictions, it poses a complex jurisdictional issue pertaining to applicable law and its jurisdiction. Data localisation requirements by Indian regulators such as RBI give rise to jurisdictional and privacy issues.

Data Localisation

The RBI had, in its Circular on Storage of Payment System Data, mandated that all payments related data to be stored on servers within the territory of India owing to data security concerns. Pursuant to RBI’s guidelines, the National Payments Corporation of India (NPCI) issued a circular on 12 May 2020 stating that a system audit would be undertaken on all payment systems within India. The NPCI directive is linked to the RBI’s new guidelines on data localisation. Such regulation and cross-border data transfer mandates are required to be taken into account.

Confidentiality of Data

It is key to identify the data which is to be considered "confidential" and therefore protected under confidentiality obligations in IT agreements. In the light of the SPDI Rules and the IT Act, maintaining strict confidentiality obligations on the use and transfer of personal data and sensitive personal data and information is essential.

Liability

In cross-border technology transactions it is essential to ensure that the liability of parties is clearly defined while ensuring compliance with local IT/cyber laws. As there are no specific laws which address specific IT-related concerns, it is essential to strictly comply with competition law and related laws of India, in order to steer clear of claims of, inter alia, undue price restrictions or arrangements which may be identified as anti-competitive.

Security

Under the template issued by MeitY for master service agreements for cloud services, it is mandated that all CSPs obtain certification for the levels of digital security as provided in the template (ISO standards). In addition to the security standards, MeitY has also provided extensive provisions for maintenance of privacy, confidentiality and location of data (which clearly states that all data must be stored within the geographic limits of India).

In order to ensure that the master service and service level agreements being entered into by government departments with technology service providers cover the essential technology-related aspects, MeitY has released a template/guiding document for such agreements. Although this template is specific to the agreements pertaining to cloud services.

The overlap between data protection and competition law is being actively debated around the world – and is likely to gain traction in India too. In the case of India, the overlap between data privacy and concerns arising under the IT Act and due to competition law may give rise to jurisdictional issues. The CCI, in the case Vinod Kumar Gupta v WhatsApp Inc. (in 2016), held that the concerns pertaining to data protection and privacy were in the domain of the IT Act and not the CCI. Noting the heavy rise in digitisation and the shift of most services online, the CCI is set to examine and conduct a study on the rise of "digital anti-competitive practices". It has been reported that currently, the CCI is studying mergers and acquisitions in the digital sphere and is also likely to shortly release a study on anti-competitive practices in the telecom sector.

Core Rules Regarding Data Protection

Presently, India does not have any consolidated law on the protection of data and privacy. However, the SDPI Rules formulated under the IT Act may be considered as the core rules regarding the protection of data. The SDPI Rules make it compulsory to adopt certain reasonable security practices and procedures to safeguard any data collected or processed.

MeitY constituted a committee of experts to deliberate on a data protection framework for India in an office memorandum dated 31 July 2017. Subsequently, the data protection committee released a report in July 2018. The report analyses key issues in the creation of a framework for the protection of data in India. Certain key aspects include jurisdiction and applicability, data processing, obligations of data fiduciaries and enforcement. On the basis of this report, the PDP Bill 2019 took form.

The Personal Data Protection Bill, 2019 (PDP Bill), formulated to ensure statutory protection of data, is likely to be presented during Budget 2021 before the Parliament of India. The PDP Bill seeks to ensure that all persons, legal and natural, provide and maintain systems that are secure and prevent any leakage or misuse of personal data of the data principals (those to whom the data pertains). The PDP Bill proposes that all critical and sensitive data shall be physically housed and stored within the jurisdiction of India and the storage of the same outside India would be prohibited. Transfer of any critical/sensitive data will require explicit consent of the data principals. The same is likely to have a major business impact in terms of the infrastructure costs (storage and protection of data in India).

It has been reported that the non-personal data protection committee, which was formed by MeitY has proposed the formation of a new regulator exclusively for the regulation of non-personal data or data which has been anonymised. Following the recent changes in the privacy policy of WhatsApp, the joint parliamentary committee, which is presently reviewing the PDP Bill has indicated that it may also include sensitive non-personal data within the ambit of the PDP Bill. It has been a focus of the advocates for the PDP Bill to invite intervention and legal remedies for any arbitrary change in the terms of use and privacy policies of intermediaries and online service providers.

Distinction between Companies/Individuals

Presently, the data protection framework in India only envisages the protection of data of natural persons. The proposed PDP Bill 2019 defines a "data principal" as “the natural person to whom the personal data relates”.

A "body corporate" means “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”. While the proposed PDP Bill defines “data processor” as “any person, including the state, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary”, it must be noted that the offences and penalties for non-compliance or contravention of the PDP Bill are primarily stipulated for body corporates or companies. Section 82 of the PDP Bill provides that if any person reidentifies or processes data which has been "de-identified", without the consent of the data processor, then that person will be punishable through imprisonment or a fine as per the provision of Section 82 of the PDP Bill.

General Processing of Data and Processing of Personal Data

The SPDI Rules do not define personal data; however, "personal information" is defined as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”.

The PDP Bill uses a wider definition and defines "personal data" as “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling”.

In 2019, MeitY constituted a Committee of Experts to deliberate on a Data Governance Framework. The goals of this committee include the study and analysis of various issues pertaining to non-personal data (NPD) and to make specific recommendations to the central government on the regulation of NPD. While there is no current legislation regulating NPD, the committee, in its Report by the Committee of Experts on Non-Personal Data Governance Framework, recommended the formation of an NPD Authority, which is tasked with the formulation and implementation of NPD regulations/legislation. The committee report finished its public consultation stage on 27 January 2021.

The National Association of Software and Service Companies (NASSCOM), in its response to MeitY’s report, has:

  • drawn attention to issues in NPD regulation, including the overlap of provisions of the PDP Bill and the committee report on NPD and their avoidance; and
  • recommended the creation of a “negative list” for the exclusion of certain NPD from the ambit of regulation.

With regard to personal data and personal information, the SPDI Rules specify that any body corporate or person processing personal information should provide a privacy policy.

SPDI Rules provides sub-rules for the collection of information. Rule 5 of the SDPI Rules applies to all types of information, and compliances for collection of information, which “includes data, message, text, images, sound, voice, codes, computer programs, software and data bases or micro film or computer-generated micro fiche” in addition to sensitive personal data and information are also provided under Rule 5.

The PDP Bill proposes that processing of personal data should comply with the following principles for processing, namely:

  • processing of personal data should be done in a "fair and reasonable" manner while ensuring the privacy of data principal;
  • it should be for a specific and lawful purpose;
  • only personal data necessary for the purpose should be collected;
  • adequate notice of the processing should be provided to the individual;
  • quality of the data should be maintained, (ie, personal data processed should be complete, accurate and not misleading); and
  • personal data can be retained by the data processor only as long as reasonably necessary to satisfy the purpose for which it is processed.

Furthermore, the PDP Bill provides for transparency and accountability measures to be taken by the data processors for processing of personal data.

The SPDI Rules allow employers to monitor their employees' use of company-provided computer resources. It must be noted that that the data can only be monitored and subsequently limited in line with the employer's privacy policy and for the purposes (as mentioned in the policy) for which the data owner has given their consent. As per the SPDI Rules, the employer must obtain express written consent of the employees.

The Supreme Court of India has, in its landmark decision in the case of Justice KS Puttaswamy (Retd.) & Anr. v Union of India & Ors, held that the right to privacy is a fundamental right of persons.

In light of this, the practices adopted by employers for monitoring of their employees’ computer systems and their usage should be "reasonable" and in accordance with the SPDI Rules. Monitoring and surveillance should not contravene data privacy principles such as consent, notice and purpose of data so collected. The employer can monitor official emails of employees or web traffic and can create back-ups of employee data (prevention of data loss software); however, it must be borne in mind that it may be considered a breach of the employees’ right to privacy if their private emails or their personal data (or sensitive personal data) is stored and used without their consent.

Under the Policy on Use of IT Resources of Government of India, MeitY provides for the monitoring of employees’ use of IT resources provided by the government of India, wherein it reserves the right to monitor, restrict, access, review and delete the data of employees.

In the event of any failure to secure data, the data principal (to whom the data pertains) has the right to seek compensation under Section 43 of the IT Act.

The telecommunication sector in India is regulated by the TRAI and the DOT as a licensor; both provide regulation and governance of a variety of sectors.

Television and Radio Platform Services

Please refer to 9.1 Audio-Visual Service Requirements and Applicability.

Internet and Broadband Services

The provision of internet and broadband services requires appropriate licensing from the DOT under the unified licence regime. (For approval requirements, please refer to the Approval subsection under Cellular and Mobile Services below.)

Voice-over IP (VoIP)

ISP licensees in India are currently only permitted to provide VoIP between voice signals offered through public internet by the use of personal computers (PCs) or IP-based customer premises equipment (CPE). The licensee is not permitted to have public service telephone network (PSTN)/public land mobile network (PLMN) connectivity. Voice communication over IP to and from a telephone connected to PSTN/PLMN is prohibited in India.

Cellular and Mobile Services

The cellular and mobile services were historically governed by:

cellular mobile telephone service (CMTS) licences; and

basic telecom service (basic) licences.

However, the DOT, in the National Telecom Policy of 2012, introduced a unified licence (UL) consolidating the licensing mechanism for a number of telecommunication related services. Presently, anyone who wishes to provide cellular and mobile services in India must obtain a licence from the DOT for the same.

Approval

Under the UL, a one-time non-refundable entry fee for each authorised service has to be paid by the applicant. The total amount of entry fee shall be a maximum of INR150 million. In addition to the entry fee, an annual licence fee as a percentage of adjusted gross revenue (AGR) has to be paid by the licensee service-area wise, for each authorised service from the effective date of the respective authorisation. The licence fee is to be 8% of the AGR.

Value Added Services (VAS)

While VAS are not independently regulated by the TRAI or the DOT, the TRAI has issued a number of directions on the use and operation of VAS. In its consultation paper on Mobile Value Added Services, the TRAI recognised that the VAS sector is now an essential part of the telecom value chain and separate inclusion of the same in licensing or the creation of new licence may be considered.

Approval

Presently, VAS providers are not required to be separately registered or licensed. However, all existing licences including the UL, unified access service licence and the ISP licence provide references to VAS, though the same may not be explicit. As per the DOT, all cellular mobile telephone service providers (including those migrated to UASL) should inform the licensor (ie, the DOT) about provision of any new service/facility along with details of provision made for lawful interception/monitoring of these facilities at least 15 days in advance of the introduction of these services/facilities.

As the telecoms sector has no specific registration or licensing for VAS, another category of service providers was introduced by the DOT under the national telecom Policy 1999. The other service provider (OSP) policy was further amended by the DOT on 5 November 2020 (Amended OSP Policy).

In terms of the Amended OSP Policy, an OSP has been defined as an Indian company, registered under the Indian Companies Act, 2012 or an LLP registered under the LLP Act, 2008 or a partnership firm or an organisation registered under the Shops & Establishments Act or a legal person providing voice-based business process outsourcing (BPO) services.

In the earlier regime, the DOT required all OSPs to be registered. However, under the Amended OSP Policy, the registration requirement has been scrapped in its entirety. In the light of this, OSPs are not required to hold any certificate of registration from the DOT.

Instant messaging

Instant messaging, including voice and audio-visual modes of communication, are presently nor under any regulator regime in India. The aforementioned services are categorised as over-the-top (OTT) services. The TRAI, in its 2015 consultation paper on the regulatory framework for OTT services, defined OTT provider as a service provider which offers information and communication technology (ICT) services, but neither operates a network nor leases network capacity from a network operator. Three types of services were included within the OTT ambit, including:

  • messaging and voice services (communication services);
  • application ecosystems (mainly non-real time), linked to social networks, e-commerce; and
  • video/audio content.

Radio Services

Please refer to 9.1 Audio-Visual Service Requirements and Applicability.

Radio frequency identification (RFID)

Presently, the use of RFID does not require any approval or licence. The relevant section is reproduced hereinbelow:

“3. Use of wireless equipment in the 865-867 MHz. - Notwithstanding anything contained in any law for the time being in force, no licence shall be required by any person to establish, maintain, work, possess or deal in Radio Frequency Identification Devices (RFID) or any other low power wireless devices or equipments, on non-interference, non-protection and non-exclusive basis, in the frequency band 865-867 MHz with maximum 1 Watt transmitter power, 4 Watts Effective Radiated Power and 200 KHz carrier bandwidth.”

OTT Services

At present, there is no regulatory framework for OTT platforms Recently, however, several individuals and social organisations have been seeking the regulation of OTT players such as Netflix and Hotstar owing to the content being shown on such entertainment platforms. Presently, there is no certification requirement for the content on OTT platforms, such platforms do not fall within the ambit of the television domain and therefore also do not need to comply with the laws pertaining to the censorship compliances of the television and theatrical media. The Supreme Court has issued notice to key OTT entities and the Ministry of Information and Broadcasting (MIB) and IAMAI in a public interest litigation (PIL) seeking regulation of OTT platforms. At present, there are no specific regulations for OTT communication services. However, through the newly notified Government of India (Allocation of Business) Three Hundred and Fifty Seventh Amendment Rules, 2020, the OTT platforms providing audio-visual content-related services have been brought under the purview of the Ministry of Information and Broadcasting.

Establishing the Broadcasting Framework

Telecom Regulatory Authority of India Act, 1997

The TRAI regulates tariffs, including the pricing of channels, the terms of interconnection between broadcasters and distributors, the manner of provision of channels in terms of bundling, a la carte provision, etc, and the standards for quality of service at the consumer end.

The Quality Of Service Regulations provide a uniform framework for quality control across different television platforms such as Cable TV, DTH etc.

The TRAI regulates the pricing of television channels and all such pricing has to comply with the tariff orders released by the TRAI.

Registration and licensing procedure for different television service providers

Direct to home (DTH)

The licence for providing a DTH service in India is obtained from the MIB through an application made in the format prescribed by the MIB (Form A of the "Guidelines for obtaining license for providing DTH Broadcasting Services in India" and subsequent amendments to the same).

Registration fee

The applicant would be required to pay an initial non-refundable entry-fee of INR100 million to the MIB upon completion and clearance of the application form for DTH services. Furthermore, the licensee will have to submit a bank guarantee from any scheduled bank to the MIB for an amount of INR50 million for the first two quarters, and, thereafter, for an amount equivalent to the estimated sum payable, equivalent to a licence fee for two quarters and other dues not otherwise securitised.

Cable television

The application for registering as a cable operator has to be made in accordance with The Cable Television Networks Rules, 1994 (CTN Rules). As per the CTN Rules, the applicant must duly fill Form I and submit the same to the Head Post Master of the jurisdiction where the applicant wishes to operate. The application form must be accompanied by an application fee of INR500.

Terrestrial television

Presently, all terrestrial television services in India are solely and exclusively operated by the government of India, whose terrestrial service is titled Doordarshan and is owned by the MIB.

Internet protocol television (IPTV)

IPTV services can be provided by any service provider after having duly obtained the licence to do so from the DOT. The licence to be procured is termed the Internet Service Provider licence (ISP).

Radio services

The allocation of radio frequencies is undertaken by the Wireless & Planning coordination (WPC) wing of the DOT. The Standing Advisory Committee on Frequency Application (SACFA) is a wing of the DOT that provides approval and clearance for radio frequency (spectrum) used by telecom service providers. In addition to the DOT and WPC, a prior clearance from SACFA is also required for commencing services.

Policy guidelines by the MIB for up-linking and down-linking of television channels, 2011

All uplinking and downlinking of television channels in India requires the prior consent of the MIB.

All television channel operators must obtain prior permission from the MIB through the submission and approval of the completed application form for uplinking and downlinking as provided on the website of the MIB.

Registration of television channel names

The MIB has launched a portal for all broadcasting entities (radio and television). All registrations of channel names, subsequent changes to language, logo, uplinking permissions etc, are to be obtained from the same.

Content Regulation

The Cable Television Networks (Regulation) Act, 1995 and CTN Rules contain the programme code, which provides guidelines for the content of programmes aired on television. Furthermore, the advertisements are governed by the advertisement code.

In addition to the above, television programmes and advertisements are also governed by self-regulatory codes and mechanisms such as those established by the Advertising Standards Council of India (ASCI) and the Broadcasting Content Complaints Council (BCCC).

In addition to the provisions regulating the programme and advertisement content, the Cinematograph Act, 1953 regulates all cinematograph films. It provides that all cinematograph films need to be certified before their airing or theatrical release. This is essential from the point of airing on television as no such cinematograph film can be aired on any television channel without the appropriate certification from the Central Board of Film Certification (CBFC), which is established as the certifying authority under the Cinematograph Act.

Online Curated Content Providers (OCCPs)

One of the most heavily contested issues in India with regard to online content providers, OTT platforms and media streaming platforms has been the regulation of content. The courts in India have witnessed an increased filing of petitions with respect to so called objectionable and adult content over such online/digital platforms. The regulation of content, in traditional media platforms, is the responsibility of the Ministry of Information and Broadcasting (MIAB). However, in the case of online/digital content, the MIAB, itself (before the High Court of Delhi) stated that the said content is regulated under the provisions of the Information Technology Act, 2000 and the MIAB has no jurisdiction over such online content providers/OTTs.

However, the President of India, on 9 November 2020, issued a notification under Article 77(3) of the Constitution of India amending the Government of India (Allocation of Business) Rules, 1961. These additions allow the MIAB to regulate online content providers, including news and current affairs aggregators, formulate policies and guidelines, and issue directions and notifications with respect to online/OTT content.

Legal Requirements Governing the Use of Encryption Technology in India

Section 84A of the IT Act allows the government of India to prescribe encryption standards and methods to secure electronic communications and to promote e-governance & e-commerce. However, the overarching IT Act does not specify any other provision for encryption.

While India does not have dedicated legal statutes for encryption, the requirement for encryption, in sectors such as banking, finance, and technology, are provided under sector-specific statutes, rules and regulations. These statutes specify situations wherein certain encryption-related standards/precautions are to be met and complied with.

In the banking sector, for example, the RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2011 and Master Direction - Information Technology Framework for the NBFC Sector (RBI Guidelines) provide that “critical web applications should enforce at least SSL v3 or Extended Validation –SSL / TLS 1.0 128 bit encryption level for all online activity.” Furthermore, the RBI Guidelines also provide standards, procedures, and secure methods for effective key management. Similarly, for online transactions, SEBI has notified Guidelines on Internet Based Trading and Services, which prescribe a 64/128 bit encryption standard.

Companies engaged in provision of internet services must comply with the provisions of their licence agreement for provision of internet services entered into with the DOT. The same provides that individuals/groups organisations are permitted to use encryption up to 40 bit key length without obtaining permission from the DOT. However, if encryption equipment higher than this limit are to be deployed then prior written permission of the DOT would have to be obtained.

The Ministry of Health and Family Welfare, in its circular dated 30 December 2016, provided that all healthcare data stored in an electronic format must be protected by the best available encryption key standards.

Use of Encryption Does Not Provide Exemption from Other Applicable Laws

As there is no specific encryption-related statue in India, all individuals and organisations that are not governed by sector-specific statutes (which prescribe encryption standards) are exempted from it. However, it must be noted that overarching central statutes and rules – such as the IT Act (including all applicable guidelines and rules under it), Information Technology (Intermediaries Guidelines) Rules, 2011 (Intermediary Guidelines Rules), the Indian Copyright Act, 1957, (Copyright Act) and the Copyright Rules, 2013 (Copyright Rules) – which provide for intermediary liability and the responsibility of intermediaries with regard to content, are applicable to all, with no exemptions for use of encryption.

Essential Telecommunications Services

The Ministry of Home Affairs (MHA), in an order (ref: no 40-3/2020-D) dated 24 March 2020, has issued certain guidelines wherein telecommunication services are described as essential services. The order states that:

"Telecommunications, internet services, broadcasting and cable services, IT and IT-enabled services (ITeS) only (for essential services)" are the essential services and are exempt from the lockdown.”

However, the same was only provided for the uninterrupted functioning of technology support functions and organisations so that all internet-operated businesses could seamlessly operate in a work-from-home situation.

Pandemic-Related Regulatory Relaxations

Owing to the pandemic, the DOT provided relaxations to OSPs, as detailed below.

  • The requirement to provide a security deposit and agreement for a work from home (WFH) facility for OSPs was exempted.
  • The requirement for authorised service providers providing secure VPN was exempted, the OSPs were allowed to use secured VPN configured using static IP/dynamic IP for the purposes of interconnection between home and the OSP centre.
  • OSPs were exempted from seeking prior permission from the DOT for a WFH facility.

On November 05, 2020, the DOT released new guidelines for OSPs, wherein the changes mentioned hereinabove, among others, were made permanent.

Further, while there are no specific financial relaxations for the TMT sector, the RBI issued relaxations on repayment of loans by allowing banks to provide a moratorium of three months on payment of all instalments in respect of loans. The telecom companies have benefited from this relaxation, owing to their state of their existing debt.

Technological Solutions to COVID-19 and Its Effects

In order to tackle the spread of COVID-19, the government of India developed a technological solution, an app called the Aarogya Setu, which is aimed at mapping the health statistics and data of all persons who chose to download and use the app (Response Data). MeitY issued the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, wherein a framework for the use and sharing of sensitive personal data of all data principals is specified. The protocol provides extensive rules for the sharing of Response Data, privacy and confidentiality obligations of the data collectors, and the processing of the same.

MeitY further issued an advisory to all intermediaries (dated 20 March 2020) to ensure that no false information/fake news is circulated in respect of COVID-19. Certain state governments have adopted online tools for providing job assistance to returning migrant labour. This is being undertaken by the creation of online job portals for skill mapping to make job opportunities available to skilled personnel and migrant labourers.

AnantLaw

A-2/2, Vasant Vihar
New Delhi 110057
India



ANANTLAW

+91 98 99 027 144 ; +98 11 26 44 74

rahul.goel@anantlaw.com; anu.monga@anantlaw.com www.anantlaw.com

Trends and Developments


Authors



AnantLaw is a full-service law firm with a well-established TMT practice and a strong understanding of the legal and regulatory regime concerning the technology, media and telecoms sectors. The firm advises and represents clients (foreign and domestic) and works closely with all stakeholders on public policy issues. The members of the firm have worked and led TMT practices at top-tier firms in India and have been consistently rated as leading lawyers in the TMT space. AnantLaw also draws strength from the team members who have worked as in-house counsel in some of the largest media and broadcasting companies (including online streaming companies). Members of the TMT practice group also actively practise in competition law and this provides them with a deeper understanding of the regulatory regime, especially in the rapidly evolving regulatory-competition environment in the digital space.

The Internet Shutdown Case

The year 2020 was unprecedented in many ways. Although the issues involved and the judgment thereon in the case of Anuradha Bhasin v Union of India, in relation to the internet shutdown in Kashmir (Internet Shutdown Case), have continued to remain a landmark in Indian TMT case law since January 2020, the global pandemic (COVID-19) has allowed the magnitude of the socio-economic legal rights tied to the issue tested in the Internet Shutdown Case to be appreciated more almost a year from the judgment. The Supreme Court of India on 10 January 2020, in its judgment on the issue of the imposition of internet (and telecom) shut-down orders under, inter-alia, the Telecom Suspension Rules, 2017 in the Internet Shutdown Case held that broad suspension/blocking/prohibition in perpetuity, being drastic in nature, must be considered by the state only if "necessary" and "unavoidable", and mandated adherence to the "principle of proportionality" when any curtailment of fundamental rights is resorted to by the state.

COVID-19 and Its Effect on the TMT Sector

The COVID 19 pandemic has coerced people (naturally social creatures) to live, socialise and entertain in "isolation" and that became the catalyst for most trends and developments in the telecommunications, media and technology sector in 2020–21; around the globe and definitely in India. Digital growth, integration, investment and development all grew and there was a surge in television and content viewership by almost 43% in the first week of (nationwide) lockdown in India (ie, immediately after 21 March 2020). The day-to-day use of technology also changed. Whether it was the judicial-legal system in India; pharma and healthcare; education (schools and universities); or the banking, financial and payment systems – there were online applications introduced and improvised (almost on an hourly basis) to support as many everyday functions as possible. Over-the-top (OTT) television subscriptions grew by 47% and OTT advertising revenue by 24%. As per leading Indian newspapers, by July 2020 – between the period of the first lockdown and the fifth lockdown in India – every major e-sports portal reported a surge of 80-100%. The digital entertainment sector is expected to continue growing in double digits through 2021 (with impressive growth of 26% in 2020) and the spend on digital media advertising in the year 2021 shall be more than on traditional television. 

India is world’s second-largest telecommunications market with tele-density at 86.23%, as of 31 August 2020, and as per the Telecom Regulatory Authority of India (TRAI) average wireless usage per wireless data subscriber being 11 GB in financial year 2020–21. The telecommunications sector, especially Jio Platforms Ltd., remained particularly agile during 2020, with several back-to-back stake-sales and continuous fundraising across several global investors and multinational companies, including Facebook and Google.

Technology and telecom companies played a significant role in the delivery of services ranging from healthcare and education sector services to digital payments for online shopping etc. This also opened doors and avenues for several start-ups, especially those focused on e-learning, education, basic utilities, COVID 19-related medical utilities etc. However, this also brought to the forefront the digital divide in India; and an opportunity for the government to introduce laws/policies to bridge the same.

The government of India is now pushing for “Atma-nirbhar Bharat” (ie, a self-reliant and self-sufficient India). It may not be wrong to say that many policy decisions of the government of India will be based on Atma-nirbhar Bharat. The government, in its Union Budget for the financial year 2021–2022 has strongly pushed for the growth of domestic innovation and production capabilities. The auction of the spectrum for 5G services, which is likely to commence on 1 March 2021, has been planned with the ambition to give opportunities to companies having their manufacturing and R&D facilities in India. It is also anticipated that roll-out of 5G services in 2021 will bring about a revolution in the delivery of services and products.

The government of India has also not been oblivious to the difficulties and demands of companies operating in the TMT sector in India. Some of the key policy changes and events that will shape future trends are highlighted in the paragraphs below.

Amendment to the Other Service Providers Policy

The Department of Telecommunications (DoT), under the National Telecom Policy 1999, introduced the Other Service Provider (OSP) Policy. The OSP Policy was aimed at regulating misuse of the international bandwidth by illegal telephone exchanges, resulting in huge revenue losses to the government. The OSP Policy required all entities operating call centres or business process outsourcing centres to register themselves with the DoT. The OSP Policy has strict conditions for sharing of infrastructure, working from home, remote access, cloud based branch exchanges, etc.

However, during the lockdown, the DoT issued guidelines relaxing compliance with several restrictions. It was also realised that delivery of services in the outsourcing industry has significantly changed from the year 2000 and, in order to support the industry, it is important that the OSP Policy is brought in line with the present requirements. On 5 November 2020, the DoT brought in one of the most important changes affecting all companies in the outsourcing as well as the IT-enables Services (ITeS) industry. The OSP Policy was amended and all non-voice-based operations were exempted from compliance with the OSP Policy. It was further mentioned that only voice-based business process outsourcing (BPO) operations will be covered under the OSP Policy and they will not be required to register with the DoT. The voice based BPO companies, under the amended OSP Policy, are required to implement a self-regulatory model. The amendment to the OSP Policy has also ended the stifling bureaucracy which was significantly affecting the growth of the ITeS/outsourcing sector. The said change is also in line with the government of India’s mission of “Less Government – More Governance”.

Foreign Direct Investment in Uploading/Streaming of News and Current Affairs through Digital Media

The government of India, in September 2019, permitted up to 26% foreign direct investment (FDI) under the approval route for entities engaged in uploading and/or streaming news and current affairs through digital media. In October 2020, the government clarified that the said FDI policy will apply to entities registered or located in India and engaged in streaming or uploading of news and current affairs on websites, apps or other platforms; or by news agencies, which gather, write or distribute news (including news aggregators).

Furthermore, in November 2020, the government issued detailed guidelines, with respect to compliance with the said FDI policy. The clarification/compliance guidelines are targeted essentially at entities, which are already operating in India and which have foreign direct investment.

The existing companies/entities involved in uploading or streaming of news and current affairs through digital platforms were directed to comply with the FDI policy by 16 December 2020. The companies, with FDI up to 26%, were directed to furnish details of their shareholding pattern, significant beneficial owners, balance sheet, accounts etc, to the Ministry of Information and Broadcasting (MIB). Those entities having FDI beyond 26% were directed to provide similar details and were also instructed to bring down the level of FDI to 26% on or before 15 October 2021.

In addition, it was clarified that all fresh FDI in businesses involved in uploading or streaming news and current affairs through digital media shall be with prior approval of the central government.

The above-stated clarification, as issued by the government, has settled many concerns with respect to existing FDI. Furthermore, this allows the government to regulate ownership over such digital platforms. 

Regulation of OTT Platforms by the Ministry of Information and Broadcasting 

One of the most heavily contested issues in India with regard to online content providers, OTT platforms and media streaming platforms has been the regulation of content. The courts in India have witnessed an increased filing of petitions with respect to so called objectionable and adult content over such online/digital platforms. The regulation of content, in traditional media platforms, is the responsibility of the Ministry of Information and Broadcasting (MIAB). However, in the case of online/digital content, the MIAB, itself (before the High Court of Delhi) stated that the said content is regulated under the provisions of the Information Technology Act, 2000 and the MIAB has no jurisdiction over such online content providers/OTTs.

The COVID-19 pandemic and subsequent nationwide lockdown, resulted in increased demand for/subscription to OTT platforms and digital/ online media platforms. This allowed several content providers/creators to avoid the regulatory mechanisms put in place by the MIAB.

In response to this regulatory gap, the President of India, on 9 November 2020, issued a notification under Article 77(3) of the Constitution of India amending the Government of India (Allocation of Business) Rules, 1961. With respect to the powers of the MIAB two sub-entries were introduced.   

These additions allow the MIAB to regulate online content providers, including news and current affairs aggregators, formulate policies and guidelines, and issue directions and notifications with respect to online/OTT content. The said additions will also ensure that no constitutional challenge will be sustainable, if any of the notifications, guidelines, policies, etc (issued by the MIAB) are challenged in any court of law (for being ultra vires or unconstitutional or beyond the jurisdiction of the MIAB).

This will also provide a level playing field to all content, whether provided through online/digital platform or traditional mediums. This will also immediately affect several well-established online/digital/OTT platforms or online curated content providers, such as Amazon Prime, HotStar, Voot, Netflix, Zee5 and ALTBalaji.

"E-governance" – Modes and Models

While the central government has not remained behind in implementing and using advanced technological solutions for e-governance (involving the use of artificial intelligence (AI) and big data) in the healthcare, national security and surveillance sectors, the corresponding legal framework for the collection and use of data (including sensitive personal data) has yet to be implemented. 

The outbreak of COVID-19 accelerated e-governance and technology-based solutions, leading to substantial changes in the functioning of healthcare and several other sectors. In April 2020, the government launched its COVID-19 tracking app called Aarogya Setu. The app is aimed at collecting and processing the users’ geographical and health-related data in order to provide information on the likelihood of the user catching the virus. The Aarogya Setu app gave rise to privacy concerns and those opposing it on grounds of "violation of privacy" protested that the privacy policy around the said app was unclear. In particular, with regard to how the data collected through the app (which contains sensitive personal data) is being used or whether it would be shared with third parties.

The courts have held that the use of Aarogya Setu should not be made mandatory, thus preventing the government from mandatorily soliciting the data. However, in the absence of a data privacy law, the use of any information so collected remains entirely within the discretion of the collecting entity.

In the domain of law enforcement, the central government has resorted to the use of tools involving facial recognition, biometric identification, criminal investigations, etc, in order to identify perpetrators. In March 2020, the Central Home Minister made it public that the police authorities in New Delhi have arrested several persons through facial recognition technology (FRT) for their involvement in crimes. He clarified that the information used for FRT was derived from the voter IDs of the alleged violators. While the collection of data for voter ID creation may have been voluntarily given to the government authorities, the sharing of such data with third parties is not envisioned under any existing law and is not done after obtaining the informed consent of the persons involved. This use of data poses several privacy concerns: issues related to bias within the database or discrimination on the basis of locality, religion, gender, etc.

In order to strengthen the law enforcement, the government of India undertook the Automated Facial Recognition System (AFRS) initiative, wherein AI will be trained to recognise the faces of Indian citizens (from their pictures).

In late April 2020, Broadcast Engineering Consultants India Limited (BECIL) released a tender inviting the supply of devices for technology-based tools such as patient tracking, online high fever scanning and thermal imaging systems, all of which require the input or collection of personal and sensitive personal data of the users. The use of such tools for tracking of sensitive healthcare data has kept the debate around privacy concerns live while the issues related to the use and sharing of data collected through the Aarogya Setu app remain open. While these tools are specifically sought to be used for healthcare monitoring and containing the spread of COVID-19, it is important to point out that the tender states that the platform/tool should be able to “detect, prevent and investigate threats to national security”, which is a clear indication of surveillance beyond healthcare.

The Government of India Issued Notification Banning Several Apps

In an unprecedented step, the Indian government (the Ministry of Information Technology) while invoking its power under Section 69A of the Information Technology Act, 2000 read with the relevant provisions of the Information Technology (Procedure and Safeguards for Blocking of Access of Information by Public) Rules, 2009, issued several notifications (over a period of six months) and blocked around 267 apps.

The Indian government stated that, based on information available, these apps were engaged in activities which were prejudicial to the sovereignty and integrity of India, the defence of India, the security of the state and public order. It was also stated that there were reports of these apps (available on Android and iOS platforms) stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which were located outside India.

Furthermore, the emergency measures were justified on the grounds that the compilation of this data, its mining and profiling by elements located outside of India and hostile to the national security and defence of India, impinged upon the sovereignty and integrity of India and was a matter of very deep and immediate concern.

Accordingly, a notification was issued by the government to disallow the use of certain apps, used in both mobile and non-mobile internet-enabled devices. Some of the banned apps were extremely popular in India, such as TikTok, which had more than 100 million users in India and on which Indian users spent around 5.5 billion hours. The decision to ban the apps has jolted companies like ByteDance, which counted on India as an important growth market for TikTok and had plans to invest USD1 billion in India. Another pertinent app which was blocked was WeChat. It is interesting to note that WeChat was heavily used by Tibetan refugees/residents in India to speak with their families in Tibet (where other apps such as WhatsApp do not have permission to operate). 

All the banned apps were developed, owned and operated by entities located outside of India (mostly in China). Owing to the background of an ongoing international border and defence/security issue with China, the fact that the apps were owned and operated by Chinese companies explains some of the government’s willingness to monitor and take strong action against them.

None of the banned apps, or their owners/developers have challenged the ban before any court of law (in India); however, the courts have objected to lawyers using the banned app such as CamScanner during court proceedings. The ban has also raised a debate around fundamental rights and the right to free speech versus emergency procedures and national security, and ways of creating or maintaining balance between the two.

Be the above as it may, the courts in India have always been sensitive to the (fundamental) rights of parties and have tried to balance the same against the provisions of the Constitution of India. The same was echoed in the recent judgment of the Supreme Court of India in the Internet Shutdown Case, wherein the Supreme Court observed that an indefinite suspension of the internet could amount to an abuse of power. It also held that, under Section 69A of the Information Technology Act, 2000, the government has the power to impose narrowly tailored restrictions on access to content and not to restrict complete access to internet.

Farmers' Protest

More recently, the government of India has issued direction Section 69A of the Information Technology Act, 2000, to Twitter to block/suspend more than 1200 handles/accounts and also a URL for allegedly spreading misinformation and provocative content in connection with the farmers' protest in India. Twitter will be regarded as an ‘Intermediary’ under the Information Technology (Intermediary Guidelines) Rules, 2011. However, it is understood (on the basis of information in the public domain) that Twitter has not complied with the directions of the government of India. Also, it is reported that Twitter's global CEO had "liked" several tweets made by foreign-based celebrities in support of farmer protests. This has raised several significant questions with respect to the neutrality of platforms like Twitter, and also mechanisms for ensuring compliance with applicable Indian laws.

AnantLaw

A-2/2, Vasant Vihar
New Delhi 110057
India




ANANTLAW

+91 98 99 027 144 ; 98 11 26 44 74

rahul.goel@anantlaw.com; anu.monga@anantlaw.com www.anantlaw.com

Law and Practice

Authors



AnantLaw is a full-service law firm with a well-established TMT practice and a strong understanding of the legal and regulatory regime concerning the technology, media and telecoms sectors. The firm advises and represents clients (foreign and domestic) and works closely with all stakeholders on public policy issues. The members of the firm have worked and led TMT practices at top-tier firms in India and have been consistently rated as leading lawyers in the TMT space. AnantLaw also draws strength from the team members who have worked as in-house counsel in some of the largest media and broadcasting companies (including online streaming companies). Members of the TMT practice group also actively practise in competition law and this provides them with a deeper understanding of the regulatory regime, especially in the rapidly evolving regulatory-competition environment in the digital space.

Trends and Development

Authors



AnantLaw is a full-service law firm with a well-established TMT practice and a strong understanding of the legal and regulatory regime concerning the technology, media and telecoms sectors. The firm advises and represents clients (foreign and domestic) and works closely with all stakeholders on public policy issues. The members of the firm have worked and led TMT practices at top-tier firms in India and have been consistently rated as leading lawyers in the TMT space. AnantLaw also draws strength from the team members who have worked as in-house counsel in some of the largest media and broadcasting companies (including online streaming companies). Members of the TMT practice group also actively practise in competition law and this provides them with a deeper understanding of the regulatory regime, especially in the rapidly evolving regulatory-competition environment in the digital space.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.