TMT 2024

Last Updated February 22, 2024

India

Law and Practice

Authors



G&W Legal is a full-service business law firm that assists its clients at the intersection of law and pragmatism by combining the experience of big-law with the expertise of a boutique. The firm’s attorneys advise and assist clients across intersecting areas such as corporate law, intellectual property, franchising and distribution, advertising and marketing, privacy and data protection, product liability and consumer protection, international trade, foreign investment, antitrust/competition, regulatory affairs, and dispute resolution. G&W Legal’s TMT practice team has extensive experience in handling cross-border technology transactions, intricate licensing agreements, delicate data protection issues, fintech, platforms and intermediary regulations/liability, trust and safety, internet and social media, e-sports, and online gaming. The team handles all facets of data protection and privacy, traditional and new media, and digital business.

As is the case with the laws of most other countries, there are no specific Indian laws designed to deal with the metaverse. In fact, the metaverse finds no mention and has not been defined under any Indian statute. The following regulations stand out as some of the most important from an Indian perspective.

Intellectual Property

  • Trade marks – Trade marks may be used to protect branding and logos of brand owners from unauthorised use over the metaverse. While no cases of note have been reported in India, this is a topic that is currently getting a lot of attention. Brand-owners may consider it advisable to ensure that their interests in the virtual world are protected by way of their trade mark registrations.
  • Copyright and personality rights – Indian copyright law potentially has the capacity to be enforced for infringements in the metaverse, as well as to protect programmes.

In an interesting case before the Honourable High Court of Delhi in 2023 (Digital Collectibles Pte Ltd. and Ors. v Galactus Funware Technology), the issue of the use of personality/image rights of sports players on NFTs without authorisation was dealt with in an attempt to obtain an injunction on the grounds of passing off, unfair competition, breach of personality rights, unjust enrichment and tortious interference with economic interests. In this instance, the prayer for an injunction was refused, citing it as unjust, and against the balance of convenience in the circumstances of the case.

Privacy

Pursuant to 2017’s landmark judgment of the Supreme Court in Justice K.S. Puttaswamy v Union of India, the right to privacy has been guaranteed under the Indian Constitution. This means it may be enforced against the state. However, when it comes to private parties, it is still governed by statutes such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), which are set to be replaced soon by the Digital Personal Data Protection Act, 2023 (DPDPA).

While the SPDI Rules only require consent for the purposes of processing sensitive personal data such as sexual orientation, health data, biometrics, financial information and passwords, the DPDPA allows the processing of all personal data (not merely sensitive personal data) only on the receipt of consent of the data subject, or without consent in the event of a very limited range of legitimate purposes – such as for the purposes of responding to a medical emergency, or for the purposes of the state’s performance of its obligations in furtherance of protecting sovereignty and integrity. Exactly how this is expected to play out will only become clear after subordinate legislation is published by the Indian government, which is expected later in 2024.

Intermediary Guidelines

Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Intermediary Guidelines”), intermediaries, such as app service providers, are required to comply with its provisions to be able to use their status as an intermediary as a shield against being held personally liable for illegalities perpetrated by users on their platforms. The Intermediary Guidelines place a number of diligence obligations on the intermediary, including the need to publish user agreements and the platforms’ rules and privacy policies in a comprehensible and easily accessible manner, appoint a grievance officer, put together a grievance redressal mechanism, etc.

Free Speech

As with any other form of mass communication, the metaverse is also subject to the same Indian laws as applicable to more conventional means of communication. Where it doesn’t act as an intermediary, the platform would be subject to the same laws on obscenity, defamation, sedition, and hurting of religious sentiment as a normal conventional platform, such as a news channel or a magazine.

The primary areas of legislation applicable to the digital economy in India are those of data protection and consumer protection, as well as the regulatory framework for digital payments. Additionally, as discussed below, the digital economy space has seen increased scrutiny by India’s antitrust regulator in the past few years.

The SPDI Rules and requirements thereunder will be applicable on all aspects of the digital economy pertaining to personal data, such as the requirement of publishing a privacy policy, consent for “sensitive” personal data, purpose limitation and data minimisation. Similarly, the DPDPA, once put into force, will also apply to all entities (whether Indian or foreign) if they are processing personal data in India or if they are pursuing personal data of Indian data subjects with an intent of offering goods/services to them.

In 2019, India’s primary consumer protection legislation, the Consumer Protection Act (CPA), was amended to explicitly include e-commerce consumers within its ambit. In furtherance of extending consumer protections to the digital economy, India has also put in place specific rules which are applicable to e-commerce sellers, which have placed obligations such as a specific restriction on utilising unfair trade practices, putting in place a grievance redressal mechanism, labelling and information obligations on the website, and a restriction on cancellation charges. These rules, in addition to being applicable on e-commerce entities incorporated in India, are also applicable on foreign entities which “systematically” offer goods/services to consumers in India.

In addition to the above, the Indian government has also issued guidelines regarding the restriction of false or misleading advertisements. These guidelines regarding advertisements place specific restrictions on advertisers and advertising agencies as well as manufacturers, sellers, and traders – specific conditions have been prescribed for an advertisement to be considered non-misleading. Additionally, conditions to be met for a “bait” advertisement to be valid have also been prescribed, and surrogate advertising has been prohibited.

In 2023, a set of guidelines was published by the government which restricted e-commerce entities from using dark patterns on their website. These guidelines prescribe 13 specific “dark patterns” and prohibit all platforms which systematically offer goods/services in India, advertisers, and sellers from engaging in any of these specified dark patterns. The dark patterns listed under the guidelines include false urgency, basket sneaking, forced action, bait and switch, and drip pricing.

Entities functioning as payment systems are bound to comply with a host of regulations issued by the RBI. The Payment and Settlement Systems Act (the “PSS Act”) is the primary legislation governing payment systems in the country and prescribes that any payment system must be approved by the RBI prior to operating in India. The RBI is also empowered to issue regulations which payment systems are bound to comply with.

Additional guidelines relevant to payment systems include the Guidelines on Regulation of Payment Aggregators and Payment Gateways, the Master Direction on Credit Card and Debit Card – Issuance and Conduct Directions, and the circular on Tokenisation of Card Transactions. These guidelines and directions govern various disparate aspects of the digital payment economy in India and their relevance must be considered on a case-to-case basis, depending upon the nature of business of the entity.

Large e-commerce entities have been subject to increased scrutiny in terms of antitrust issues over the past few years. In 2020, the Competition Commission of India (CCI), the country’s antitrust regulator, initiated a probe into Amazon and Flipkart, the two largest e-commerce platforms in the country, for alleged contraventions of the Competition Act, 2002 (the “Competition Act”), India’s primary antitrust legislation. These actions were challenged by both Amazon and Flipkart in courts, but these challenges were struck down. It remains to be seen what the findings of the CCI’s investigation are, and whether any penalties or corrective actions are imposed upon these e-commerce platforms.

The space of mobile OS and app ecosystems has also seen scrutiny from antitrust regulators. As an illustration, the CCI in 2022 passed an order imposing substantial fines on Google. In its order, the CCI found that Google’s practices regarding the Android OS and the Android app ecosystem amounted to a violation of the Competition Act. The mandatory installation of the Google suite of apps (including Gmail, Google Maps, etc) and the denial of access to competing web search service providers, among other things, were held to be violative of the Competition Act by the CCI. Additionally, in a separate order, the CCI held Google’s practice of mandating that app developers use Google’s billing system to carry out in-app purchases also violates the Competition Act.

No specific laws regulate cloud or edge computing in India. No specific regulatory licences need to be obtained from service providers. As with the response in 1. Metaverse, a similar range of broad laws will be applicable.

Privacy

The SPDI Rules will apply to the parties. Wherever sensitive personal data is being processed, this may only be done with consent that is obtained at the front end by the data controller (this is a practical observation, as no distinction between a data processor and data controller exists in the SPDI Rules). Under the DPDPA, such processing may only be justified as a result of consent obtained from the data subject, or through a reliance on a narrow band of other legitimate purposes. It is important to note here that the SPDI Rules prescribe that the processor needs to have the same level of data protection standards as the party transferring the data to it. Under the DPDPA, there are no obvious restrictions on cross-border data transfers, save the fact that the central government may notify a list of countries to which such transfers shall be restricted.

CERT-In Rules

On 28 April 2022, the Indian government notified a requirement for all service providers, intermediaries, data centres, body corporates and the government itself to report all cybersecurity incidents to the Indian Computer Emergency Response Team (the “CERT-In”) within six hours of these incidents being noticed. Such cybersecurity incidents include a wide variety of occurrences, such as the unauthorised access of IT systems, identity theft, data breaches and data leaks.

Intermediary Guidelines

As is the case in the response to 1. Metaverse, cloud service providers may well fall within the purview of an “Intermediary” as has been defined under Indian law. It is, however, important to note that in order to be able to successfully claim intermediary safe harbour, the other compliance obligations that are placed on the intermediary by way of statutes like the Intermediary Guidelines should be met.

Interception, Monitoring and Blocking

The Indian government, and in some instances, certain state governments, have powers to demand access to information, decryption and monitoring of information – for the purposes of public order, crime prevention/investigation and in the interest of national security. A failure to abide by a valid direction may lead to imprisonment and a fine. The Indian government may also issue blocking orders under similar provisions included within the IT Act and through subordinate legislation called the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

India’s banking regulator, the Reserve Bank of India (RBI), imposes a number of obligations on Indian banks. When it comes to storage of payment information, on 6 April 2018, the RBI issued a direction to all banks and Payment System Operators to store all payment data in systems located in India only, except in the case of cross-border transactions where a copy of the payment data, including the domestic component, may also be stored abroad.

Additionally, the Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015, require that all insurers are to maintain records of their issued policies and claims, and these records, whether maintained electronically or otherwise, are to be maintained in India only.

The following aspects, in the context of the Indian legal landscape, may present challenges to the utilisation and functioning of cloud and edge computing services.

Breach notification

As stated above, cybersecurity incidents are to be reported to CERT-In within six hours of becoming aware of the incident, and a contravention of this directive carries with it penal provisions – imprisonment of up to one year, a fine of up to INR10,000,000 (approximately USD120,000), or both. Even though CERT-In has clarified that penalties for contravention will only be imposed in extraordinary cases for wilful non-compliance, practically speaking, this has led to a lot of friction between cloud service providers and their customers, which consist of corporations providing services to Indian customers and processing their personal information, and has greatly complicated the negotiation of any such agreements. This issue is exacerbated by the fact that the global standard for data breach notifications (including as set out in the General Data Protection Regulation) requires data breaches to be reported within 72 hours of becoming aware of the breach.

Jurisdiction

As is the case with all internet-enabled technologies, the question of jurisdiction also poses a challenge in cases of contravention by cloud and edge computing services. Even though the IT Act has been granted extraterritorial jurisdiction, actual enforcement against foreign entities who have no tangible presence in India is highly unlikely, and such entities may simply claim that the IT Act has no jurisdiction over them and refuse to comply with any requirements provided under the IT Act or rules framed thereunder while dealing with Indian consumers or business entities.

Cross-border data transfers

The Indian government may choose to restrict or block data transfers to countries which it feels are a threat to its national security. The DPDPA also has a specific provision which allows the Indian government to notify countries to which data transfers may be blocked. In 2022, the Indian government banned over a hundred apps with Chinese links, including major global players such as TikTok. This also presents a potential challenge to foreign cloud computing services operating in India, as a chance of being restricted or banned by the Indian government exists. As may be expected, the degree of this risk is contingent on India’s geopolitical stances.

There is no single Indian law that governs the use of AI in the country. A host of more general statutes, such as the IT Act, privacy law (currently through the SPDI Rules and in the near future, the DPDPA), and copyright law would be relevant in this space. Some of the things that stand out when considering laws that would govern AI apps, particularly those relevant for AI-generated content (AIGC) applications, are the following.

Web Scraping

Accessing computer resources without the permission of the owner has the potential to fall foul of various provisions of the IT Act. The scraping of information through automated means from websites that prohibit this under their terms of service may well also be considered a violation of contract. Clickwrap agreements have been held to be enforceable if they meet the other requirements of the Indian Contract Act, 1872, and a breach would open the door to remedies available under the law. Additionally, scraping may entail storing of copyright-protected works and their reproduction, which may give rise to claims of infringement. Each such scenario will need to be considered based on possible defences available under the law.

Intermediary Guidelines

It is possible, dependent on the use of AI made in each instance, that a platform may be considered to be an intermediary. In order to qualify thus, it would need to meet the test laid down in Section 79 of the IT Act – namely, that it does not initiate a transmission, select a receiver or exercise any editorial control. In the instance of AIGC specifically, it is unlikely that the third of these tests would be met. Additionally, even if this test is met, the intermediary claiming safe harbour shall be required to comply with the obligations placed upon it by way of the law, including specifically under the Intermediary Guidelines.

Free Speech

Any content-generation AI will be subject to laws applicable to conventional forms of media, such as those prohibiting the hurting of religious sentiment, sedition and defamation.

Privacy

Even after being recognised as a fundamental right, the right to privacy is only guaranteed against the state, whereas its enforcement against private entities is dependent on statutes passed by parliament (such as the DPDPA) or subordinate legislation (such as the SPDI Rules). While the SPDI Rules continue to be applicable until rules that bring the DPDPA into effect are in force, the following considerations need to be borne in mind:

  • the processing of any sensitive personal data will need specific consent; and
  • data subjects will need to be provided the right to withdraw from further processing, as well as the right to correct their information.

The following points are of particular note under the DPDPA:

  • consent, or other legitimate justifications permitted under the DPDPA, shall be required in each instance where personal data is processed (and not merely for sensitive personal data, as under the SPDI Rules);
  • the definition of personal data under the DPDPA expressly excludes publicly available information;
  • personal data of a data subject that has withdrawn consent is required to be erased unless reasonably required under any law;
  • there are specific provisions under the law with regard to the processing of a minor’s data which include the prohibition of behavioural monitoring; and
  • there are other specific provisions that would be applicable to any AI app provider in the event it meets the threshold to be classified as a Significant Data Fiduciary – the threshold for which is yet to be notified. These shall include the need to carry out a data protection impact assessment, data audits, and the appointment of a Data Protection Officer.

Reports/Advisories/Best Practices and Guides

In 2018, the Ministry of Electronics and Information Technology, Government of India (MeitY), formulated multiple committees to work on different areas on AI to promote technology and develop a policy framework. These committees submitted multiple reports, including one on the Cyber Security, Safety, Legal and Ethical Issues associated with AI (the “MeitY Report”). It covers the new opportunities and challenges AI presents in the field of cybersecurity, including its potential use in combating cyberwarfare, the safety and privacy implications associated with such use of AI in the cybersecurity field, and the weaponisation of AI.

The MeitY Report also prescribes a comprehensive set of guidelines for the establishment of an accountability framework regarding AI technology.

In addition to the above, the apex public-sector think tank, NITI Aayog, in 2018 published a strategy document titled the National Strategy for Artificial Intelligence (the “NITI Report”), based on the premise that India is in a position to emerge as one of the world’s leaders in the AI space, focusing on the principles India can adopt to achieve social and inclusive growth “in line with the development philosophy of the government”.

The NITI Report covers five major topics – global developments in AI, AI and India, focus areas for AI intervention, key challenges to AI adoption in India, and the way forward to harness AI (including research, re-skilling, accelerating adoption, and ethics, privacy, and security concerns).

It is important to note that neither the MeitY Report nor the NITI Report is in any manner legally binding.

There are no bespoke Indian laws that govern machine-to-machine (M2M) communication or IoT. The more general laws on privacy, interception, monitoring, blocking and breach reporting requirements would continue to apply.

It is important to point out here that there will be additional requirements brought forth by the DPDPA, which is soon to come into force. These would include a parallel data breach reporting requirement as well as greatly enhanced penalties for failures to ensure compliance.

Other than the above, the following may be of particular note.

  • The government of India, in December 2016, approved 13-digit numbers for the purposes of M2M communication. Pursuant to this, allocations of 13-digit numbers to telecom service providers were carried out in 2018.
  • In 2018, the Indian government issued a directive that issuers of SIM cards to be utilised for the purposes of M2M communications were to follow verification norms prescribed under the unified licence regime for telecom operators (as discussed in 7. Telecommunications). The directive also prescribed a number of restrictive features to be implemented on such SIMs for M2M communication. The restrictive features were relaxed somewhat in 2019 further to representations by industry.
  • In January 2022, the government issued a directive stating that a no objection certificate (NOC) would need to be issued by the Department of Telecommunication (DoT) for the sale or rent of International Roaming SIMs/global calling cards of foreign operators – including for the purpose of M2M communications. Only companies registered under the Indian Companies Act may make applications for the NOC, and in case of companies with foreign investment, they must be compliant with the extant foreign direct investment regulations of India. The directive also stated that where innovative app-based solutions were to be offered through the use of such SIMs, they would be approved by the DoT on a case-to-case basis pursuant to presentations and other requested information being submitted. NOCs are valid for a period of three years, with further renewal for up to three years at a time.
  • In 2022, the government of India issued guidelines for the grant of a unified licence (as discussed in 7. Telecommunications) which included authorisation for three categories of M2M services. Additional guidelines were also issued by the DoT in 2022 which inter alia required the registration of M2M service providers.

In addition to the above, on 24 December 2023, the Indian Parliament passed the Telecommunications Act 2023 (the “Telecom Act”), which aims to replace the archaic Telegraph Act, 1885 (the “Telegraph Act”) and the Wireless Telegraphy Act, 1933 (the “Wireless Telegraphy Act”). The new law will also be applicable to the M2M space, and will require holders of existing licences, registrations and permissions to eventually seek authorisation from the government. Provisions of the Telecom Act have been discussed in more detail in 7. Telecommunications.

Currently, a number of pieces of legislation govern the provision of audio-visual media services in India. However, this legislation was put in place prior to the advent of the internet as a medium for audio-visual media, and as such, most do not include internet-based services within their ambit.

The Cable Television Networks (Regulation) Act, 1995 (the “Cable Television Act”) governs the operation of cable television networks in the country, defined specifically as systems which are designed to provide cable services for reception by multiple subscribers. This legislation is restricted to terrestrial broadcasting mediums and does not include satellite television within its scope. The Cable Television Act requires all entities intending to operate as a cable operator to register themselves with the relevant authority. All cable operators are required to comply with the prescribed programme code and advertisement code, and not broadcast any programmes or advertisements which contravene the requirements of the respective codes. The Cable Television Act also imposes certain other obligations on cable operators, such as the requirement to mandatorily broadcast “Doordarshan” channels (TV channels operated by the Indian government), maintain certain registers, and transmit certain programmes/channels as prescribed by the Indian government.

Applications for approval to function as a cable operator are to be accompanied by the prescribed fee. Only individuals who are citizens of India, or companies incorporated under the laws of India, are permitted to register as cable operators.

Satellite television has seen widespread adoption in India since the Indian government permitted its utilisation in 2000. In 2022, the Guidelines for Uplinking and Downlinking of Television Channels (the “Television Channel Guidelines”) in India were issued by the Indian government to update and consolidate the regulations regarding operation of TV channels over satellite television. Different fees are prescribed for uplinking and downlinking of TV channels from within and outside India. Permission forms for a TV channel are to be accompanied by a prescribed fee. Annual permission fees as prescribed by the Television Channel Guidelines are to be paid for uplinking/downlinking TV channels in India as well. Additionally, the Television Channel Guidelines prescribe minimum net worth requirements to carry out these activities. The Television Channel Guidelines have also made the programme and advertisement codes prescribed under the Cable Television Act applicable on the TV channels being broadcast using satellite television, with penal actions ranging from an advisory being communicated to the entity to suspension or revocation of permission.

With regard to internet streaming of audio-visual media, no specific legislation has been instituted yet. No specific registration or approval is required to operate an Over-The-Top (OTT) platform in the country. However, the provisions of the IT Act and the subordinate legislation framed thereunder, specifically the Intermediary Guidelines, are applicable on such OTT platforms, as they fall under the definition of “intermediary” prescribed in the IT Act.

The Intermediary Guidelines require all intermediaries (including social media intermediaries – which would include hosts of user generated audio-visual content such as YouTube and Instagram) to abide by certain due diligence provisions in order to be beneficiaries of the “safe harbour” protection granted by the IT Act.

Obligations imposed by the Intermediary Guidelines (as discussed earlier) include publishing the terms of use and privacy policy of the platform on its website or mobile app, providing an annual notice of these to users, and informing users annually that in case of non-compliance with the platform’s terms of use or privacy policy, their right to use the platform may be restricted. Additionally, intermediaries are required to make “reasonable efforts” to ensure that content hosted on the platform is compliant with certain conditions, such as those regarding obscenity, infringing upon intellectual property rights, content being deceptive as to its origin or information, or content which threatens the unity, integrity, defence, security or sovereignty of India, among other conditions. Intermediaries are also required to put in place a grievance redressal mechanism through instituting a Grievance Officer, who is required to acknowledge any complaint within 24 hours of receipt and resolve it within 15 days of receipt.

Various legislation and policies govern the telecommunications space in India. These include the Telegraph Act, the Wireless Telegraphy Act, and the Telecom Regulatory Authority of India Act, 1997.

The DoT, a department set up under the Ministry of Communications, government of India, has been granted the power to issue telecom licences under the Telegraph Act and Wireless Telegraphy Act. Further to the National Telecom Policy 2012 issued by the Indian government, unified licences are now granted by the DoT covering multiple telecommunications services, including access services, internet services, and national and international long-distance services.

Only companies registered under the Indian Companies Act may apply for the grant of a unified licence. Minimum net worth and equity requirements have been prescribed to apply for a unified licence, along with requirements for an entry fee and a bank guarantee. The extant foreign direct investment (FDI) policy of India allows for up to 100% FDI into entities engaging in the telecommunications space; however, security clearance from the Ministry of Home Affairs, government of India, is required to be obtained prior to such investments.

Upon the grant of the licence, licensees are required to pay an annual licence fee for each service area and each authorised service, calculated as a percentage of the Adjusted Gross Revenue of the company. Licences are issued for a term of 20 years and may be renewed for ten years at a time upon payment of a renewal fee.

In addition to the licence, the DoT conducts periodic auctions to provide telecom companies with access to the radio spectrums for operating telecom networks. This process is separate and independent from the licence acquisition process.

In 2023, the Indian legislature passed the Telecom Act to overhaul and replace the existing telecom regime in the country. Although the Telecom Act has been passed by the Indian legislature, it will come into force at a later date to be notified by the government. This is expected later in 2024.

The Telecom Act updates and streamlines the currently disparate regulations which pertain to entering and operating in the Indian telecom industry. It retains the requirement for obtaining a licence from the government to operate a telecom business and clarifies that licences obtained prior to its institution under the Telegraph Act or Wireless Telegraphy Act shall continue until their date of validity after which they may be migrated to the fresh authorisation. Specific details as to the requirements of the licence under the Telecom Act will be put in place by delegated legislation (referred to as “Rules”), which have not been published yet. The Telecom Act has also been granted extraterritorial jurisdiction, and its provisions will apply to contraventions outside India if the contravention involves telecom services, equipment, or networks located in India.

Assignment of spectrums under the Telecom Act shall be conducted through auctions (except for certain specific purposes as listed for which the assignment shall be done through an administrative process). Similar to the licensing requirements, the requirements for being eligible to receive a spectrum assignment will be prescribed by the Rules.

The Telecom Act also grants the government the power to issue Rules regarding the protection of users, including on topics such as obtaining user consent before sending certain classes of messages, the institution of “Do-not-disturb” registers, a mechanism for users to report contravention of these measures, and the requirement for authorised telecom service providers to put in place a grievance redressal mechanism.

Essentially, while it may be viewed as an oversimplification, a technology transfer agreement is a contract that enables the movement of data, know-how and intellectual property from one organisation to another. The considerations discussed herein are of note while engaging in technology transfer agreements in India.

Foreign Exchange Regulation

Previously under the FEMA (Current Account Transaction) Rules, 2000, remittances for technical collaboration above a particular threshold required government approval; however, through a series of moves aimed at easing business, these rules were relaxed.

Foreign licensors should, however, be conscious of the fact that the Foreign Exchange Management (Guarantees) Regulations, 2000, framed under the Foreign Exchange Management Act, 1999, do not automatically permit an Indian licensee or its owners to provide a personal or corporate guarantee to a non-resident without seeking permission of the regulator – ie, the RBI. There will be serious hurdles in the enforcement of such a guarantee.

Taxation

The Indian government has recently increased the quantum of withholding tax payable on royalties and fees for technical services of foreign entities by Indian parties.

A withholding tax will be required to be deducted by an Indian licensee from a foreign licensor of intellectual property. Licensors/transferors are advised to specify obligations in this regard in any agreement, including appropriate tax certificates proving payment.

The prevailing tax rate on royalties and fees for technical services is 20% plus applicable surcharge, but foreign licensors of intellectual property would be best advised to take advantage of various double taxation avoidance arrangements (DTAAs) that India has with most other nations.

In order to take advantage of DTAAs, the licensor will require a Tax Residency Certificate from its home country, register with the web portal of the Indian Income Tax Department, and provide a declaration that it does not have a permanent establishment in India.

Applicable Law and Jurisdiction

Usually, a party in the stronger bargaining position would look to ensure that the laws of its home jurisdiction would be the governing laws of the contract. As far as technology transfer agreements are concerned, this would usually be the licensor that would have the upper hand. As a consequence, courts of the home jurisdiction of the licensor would also ordinarily be provided exclusive jurisdiction over adjudicating disputes arising from the licence agreement.

The above having been said, licensors could face challenges enforcing foreign judicial awards, as Indian courts recognise the enforceability of only some foreign courts. Parties should consider this aspect before determining foreign jurisdiction in any agreements which would potentially require enforcement actions by Indian courts. Additionally, licensors would be well advised to retain the power in the agreement to approach courts in the licensee’s jurisdiction to seek injunctive relief, should the relationship between the parties sour.

Adjudicating disputes in Indian courts also carries several challenges, not least the significant backlog of cases in the Indian judicial systems. Resolving disputes in Indian courts may take five to ten years (and possibly even longer).

If parties intend to adjudicate disputes through arbitration, care must be taken to ensure that the arbitration is held in a country that is notified as a reciprocating territory by the Indian government and is a signatory to the New York or Geneva Convention.

Stamp Duty

This is often a stumbling block from the point of view of foreign entities. For an agreement to be entered as evidence before Indian courts of law, the requisite stamp duty under the Indian Stamp Act, 1899, must have been paid. Until such requisite duties have been paid, the agreement may not be validly enforced or placed in evidence before an Indian court, which would then be bound to impound such an agreement and insist that the parties pay the applicable penalties. Licensors should be conscious to insist that such obligations are completed by the Indian party from the get-go, and that the licence agreement itself carries a specific obligation in this regard.

Competition

Often, technology transfers are riddled with restrictive covenants, as well as minimum pricing directions upon the licensee. Licensors would be best served seeking specific legal assistance from local counsel on antitrust issues, such as restrictions on owners of the licensees to ever engage in competing businesses in the future, or deal with other parties that may be seen as competitors of the licensor. Provisions in agreements that have the propensity to be violative of Indian antitrust laws may be held to be void.

Similarly, provisions within these agreements that are overly restrictive on the business activities of the licensee as well as the owners of such licensee may be seen as agreements in restraint of trade and, as a result, unenforceable.

Intellectual Property

Under Indian law, patent licences are only valid if made by written agreement. Such licence needs to be registered with the Controller of Patents by way of the submission of a prescribed form with requisite fee.

Similarly, copyright licences are required to be in writing and duly executed in accordance with applicable law. However, there is no express requirement in the law for such licences to be registered with the Copyright Office.

Confidentiality

Strong confidentiality provisions in an agreement where information is the most important asset are a must. Even prior to the execution of the actual agreement, discussions between the parties should be subject to an NDA. The licensor should make it a point to mark information that is not for outside eyes as confidential specifically, to remove all doubt from the mind of a licensee’s representative. The confidentiality provisions within the agreement should specify the requirement for access control measures, as well as the technological measures that the parties should put in place. Agreements should also specify the period after the termination and/or expiry of the licence agreement pursuant to which the confidentiality obligations shall continue to be applicable.

Various provisions of law may classify the unauthorised sharing of confidential information as a “breach of trust”, while the IT Act also provides remedies against breaches of confidentiality as they relate to electronic records.

Indemnity and Related Provisions

Complications with regard to seeking guarantees from owners of the licensee have already been highlighted above in the heading titled “Foreign Exchange Regulation”.

In addition, foreign licensors should be cognisant of the fact that liquidated damages according to Indian law may not be permitted to be unreasonable, and may not be inserted with the intent of penalising the breaching party.

Regulation of trust services in India is limited to legislation governing electronic signatures. Electronic signatures, their issue, use and legal validity are governed by the provisions of the IT Act and rules issued thereunder. The IT Act grants legal recognition to electronic records and allows for the authentication of electronic records by way of digital signatures or electronic authentication techniques, which are considered reliable and are specified in the provisions. Conditions for reliability include the signature/authentication data being linked to the signatory, being under control of the signatory at the time of affixing, and any alterations to the signature/authentication or to the information after it is signed/authenticated being detectable.

Certifying Authorities are defined as those persons/entities who have been granted licences to issue Digital Signature Certificates (DSC) to end users under the provisions of the IT Act. Eligibility requirements for obtaining this licence include prescribed minimum paid-up capital and net worth requirements, as well as an FDI cap of 49%. Applications for licences are to be accompanied with a fee and a bank guarantee of the prescribed amounts.

Licences are valid for a period of five years from date of issue and may be renewed upon applications for such renewal. Certain obligations regarding reliability, security procedures, publishing of information, etc, are also imposed on Certifying Authorities by the IT Act.

End users may apply to a licensed Certifying Authority for obtaining a DSC and pay the prescribed fees for obtaining a DSC with a validity of two years.

India has adopted a digital identity system called Aadhaar, which was initially launched in 2009. The Aadhaar ecosystem is administered by the Unique Identification Authority of India, a statutory body set up by the Indian government. Aadhaar numbers are unique 12-digit identity numbers which may be obtained by Indian residents. The assignment of the Aadhaar number is linked to biometric and demographic data. Aadhaar numbers are a mandatory requirement for availing of many government-provided services, subsidies and benefits.

As part of a challenge raised in courts against the constitutionality of mandatorily requiring Aadhaar numbers for statutory benefits, the Supreme Court of India, in Justice KS Puttaswamy v Union of India, held that the right to privacy is enshrined within the fundamental right to life and liberty granted by the Indian Constitution (as discussed above). Via this judgment, the Supreme Court also struck down the provisions of the Aadhaar legislation which allowed private entities to use Aadhaar authentication. Such authentication is now only permitted when it is made permissible by a law in force.

G & W Legal

C-9 / 9624,
Vasant Kunj
New Delhi
110070
India

+91 124 4402666

srijoydas@gnwlegal.com www.gnwlegal.com

Trends and Developments


Authors



IndusLaw is a top-tier Indian law firm. With over 450 lawyers spread across Bengaluru, Chennai, Delhi and NCR, Hyderabad and Mumbai, IndusLaw is one of the sixth largest law firms in India. It is a full-service law firm offering legal services to a wide range of international and domestic clients. IndusLaw advises and counsels across a broad spectrum of practice areas including telecommunications, media and technology (TMT); financial services – regulatory; employment law; capital markets; litigation and arbitration; and private equity, venture capital and acquisitions. The TMT practice group is a national practice and consistently advises clients on complex and cutting-edge matters including on data protection and privacy-related laws, AI, content and interactive media, intellectual property, information technology and e-commerce, Web3 offerings such as cryptocurrencies, structuring of contracts and advising on regulatory compliance for new product offerings.

Introduction

It is, undoubtedly, a period of evolution for TMT laws in India. The last several months have witnessed not just landmark developments across different sectors but have also given us a glimpse of how regulators have been promptly reacting to them by enforcing new regimes to counter the ever-changing business landscape. Whether it is the governance of digital lending applications or online real-money games, or whether it is dealing with cryptocurrency and other virtual digital assets, or content that can be viewed on an OTT app, there has been a considerable amount of development in the last few months which has or is likely to significantly impact how businesses in such domains function and serve their customers.

A couple of years ago, as soon as the inertia of the pandemic period was over, businesses bounced back with twice the energy and innovation. India’s media and entertainment industry is expected to grow to USD100 billion by 2030 at a CAGR of 10-12% (as per Invest India, the official portal of the National Investment Promotion and Facilitation Agency of India). Similarly, the Indian fintech industry’s market size is estimated to reach USD150 billion by 2025. 

Due to the pandemic-induced inertia as well as some widely reported regulatory lapses, Indian businesses have now been forced to sit up and take governance and compliances seriously. Also, the need to showcase India as the destination for global investments has meant that regulators had to drive enhanced accountability. Consequently, the government and sectoral regulators have also realised the need for contemporary and meaningful oversight, which has led to a flurry of laws and regulations in recent times.

In this article, the authors attempt to decode and make sense of some of the key changes that have occurred in the TMT sector in India over the past year.

The Ever-Increasing Due Diligence Obligations for Online Intermediaries

The Information Technology Act 2000 (the “IT Act 2000”) provides an online “intermediary”, such as a social media platform, an exemption from legal liability arising from any third-party content that is hosted on its platform (“Safe Harbour”). To be able to avail the Safe Harbour protection, an intermediary has to, inter alia, adhere to certain prescribed due diligence obligations, which include taking down illegal content upon receipt of an order from a competent court or an authorised government agency. Accordingly, if a social media platform fails to observe the prescribed due diligence obligations, it runs the risk of losing the Safe Harbour protection and being held liable for illegal third-party content posted by its users. Recently, there have been several developments (both regulatory as well as incidents) that have directly impacted social media platforms and threatened the Safe Harbour immunity otherwise granted to them; see the examples below.

Deepfakes

A deepfake of a popular celebrity that was posted and circulated on several social media platforms drew the attention of the federal government to the harm associated with generative artificial intelligence (AI). Soon after the incident, the Union Ministry of Electronics and Information Technology (MeitY) issued an advisory and sent notices (on more than one occasion) to several large social media platforms reminding them of their due diligence obligations under the IT Act 2000 and asking them to inform their users to not share malicious deepfakes. Unlike the EU, there is currently no consolidated and specific regulation addressing AI and deepfakes. However, recognising the imminent need for it, MeitY is said to be working on specific rules under the IT Act 2000 to address these concerns and rules are expected to be implemented in the near future in this regard. 

Takedown orders against apps

The federal government has recently issued block orders against different categories of mobile apps/websites ranging from digital lending apps (at times even legitimate ones which were later unblocked) to gaming apps and also platforms of some foreign virtual digital asset service providers. The reasons for the blocking have ranged from national security issues to non-compliance with anti-money laundering laws. Mobile app stores, being intermediaries, are required to abide by these blocking orders as part of their due diligence obligations.

Fake news

One of the due diligence obligations for social media platforms that was introduced pursuant to the 2023 amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “IT Rules 2021”) is to take down content (relating to the federal government’s affairs) that has been flagged as false/fake or misleading by a federal government-appointed “fact check unit”. In addition to this posing a practical challenge to intermediary platforms at large, this has also raised a very pertinent concern of whether such fact-checking exercise carried out by the federal government is constitutional. The amendment is currently being challenged before the Bombay High Court and consequently “fact check units” are yet to be notified by the federal government.

A Light-Touch Approach to Regulation: Is it the Way Forward for Regulating Tech-Based Businesses?

The current federal government has appreciated the need for having regulations which are flexible and adaptive to emerging technologies and new-age platforms. Increasingly, government representatives have on many occasions mooted the need for a light-touch and principle-based approach to regulation. Self-regulation and co-regulatory models are also finding popularity with the legislators to curtail hitherto prescriptive regulations.

Adoption of self-regulation and co-regulation models

While self-regulation as a model started in India more than two decades ago for traditional satellite broadcasting and advertising sectors, the enactment of the IT Rules 2021 signalled a new era for co-regulation. Enacted in February 2021, the IT Rules 2021 brought in a formal three-tiered governance structure for OTT streaming platforms with federal government oversight at the final tier of redressal.

Regulators are also beginning to appreciate the benefits of democratising regulation and putting the onus of compliance on the entity/industry being regulated. 

The last year has seen self-regulation and co-regulation being either enacted or proposed for sectors as varied as fintech and online gaming. Some key instances include those set out below.

Online gaming

In April 2023, MeitY notified a new legal framework for online gaming through amendments to the IT Rules 2021 under the IT Act 2000. These amendments brought in a light-touch, co-regulatory regime whereby MeitY-designated but independent self-regulatory bodies (SRBs) will verify whether an “online real money game” is to be made available to the general public or not – in accordance with the baseline criteria prescribed. These rules attempt to regulate online gaming platforms by treating them as an “online gaming intermediary” and prescribing intermediary due diligence obligations for them under the IT Rules 2021. The co-regulatory regime will come into force after MeitY designates at least three SRBs. Though there have been some discussions within the government regarding the ability of this framework to curb betting, gambling and money-laundering, the co-regulation model is likely to stay. 

Regulated finance

India’s central bank, the Reserve Bank of India (RBI) recently advocated the need for setting up self-regulatory organisations for financial entities regulated by it. The RBI is of the view that with growing “scale of operations, increase in adoption of innovative technologies and enhanced customer outreach”, there is a need to develop better industry standards for self-regulation. In December 2023, the RBI released a draft framework which is proposed to serve as the basis for recognising self-regulatory organisations (SROs) for entities regulated by the RBI (REs). Based on the public feedback received on the said draft, the RBI will finalise the framework for recognising SROs of REs. The draft framework stipulates certain eligibility and membership criteria and other roles and responsibilities of the SROs and will complement the existing regulatory framework.

Fintech

Close on the heels of proposing SROs for REs, the RBI in January 2024 also proposed a draft framework to serve as the basis for recognising self-regulatory organisations for entities in the fintech sector (SRO-FT). The RBI is of the view that fintech entities can show their commitment towards accountability, transparency and responsible decision-making by laying out clear governance structures. The draft framework requires an SRO-FT applicant to be representative of the sector, a not-for-profit company, and free from any influence of its members. While some points have been left open for deliberation such as what incentives an SRO-FT will create for its members and whether the SRO-FTs should consist only of members that are unregulated, the SRO-FT has been welcomed by the industry. 

Broadcasting

In November 2023, the Union Ministry of Information and Broadcasting (MIB) introduced a draft Broadcasting Services (Regulation) Bill (the “Broadcasting Bill”) which seeks to enact a consolidated framework for the broadcasting sector while also bringing OTT content and online news and current affairs within its ambit. The Broadcasting Bill, when enacted, will replace the existing Cable Television Networks (Regulation) Act, 1995, but will not bar the application of other laws including the IT Act 2000. The Broadcasting Bill has proposed a three-tier co-regulatory structure for content-related grievances similar to the one under the IT Rules 2021 for OTT streaming platforms.

However, despite the many positive steps discussed above, there continue to be instances where the government seeks to conflate contrary approaches in some of the proposed regulations. For instance, in the Broadcasting Bill there still looms the fear of censorship on OTT streaming platforms. The Broadcasting Bill proposes that OTT streaming platforms set up “Content Evaluation Committees” (CECs) consisting of eminent individuals representing various social groups for self-certification of OTT content. Also, a recent amendment to an existing tobacco prohibition federal law has mandated stringent compliances in relation to depicting tobacco consumption scenes on OTT streaming content.

Lastly, the recent enactment of a new Telecom Act, 2023 has been keeping OTT communication apps on their toes. While the Union Telecom Minister has clarified that these apps have been kept outside the ambit of the new law, a reading of the law itself does not provide complete clarity and analysts believe that there are provisions which may be invoked against such apps if the need so arises. Moreover, voices from within the government aren’t unanimous on whether these apps should continue to be governed under a light-touch approach or be brought under an entirely new legislative framework.

A New Personal Data Protection Regime in the Field of AI

India’s seemingly perennial quest for an overarching personal data protection law ended in August 2023 when the Indian parliament passed the Digital Personal Data Protection Act 2023 (the “DPDP Act”). Though the DPDP Act is yet to come into force and granular rules are being framed at this moment, the DPDP Act is arguably the most significant TMT development in the recent past because of the sheer extent of its applicability and impact. Some of the key concepts under the DPDP Act are similar to global privacy legislations and include “Data Fiduciary” (data controller), “Data Principal” (data subject), “Data Processor” and “personal data”. However, this section focuses on the interface between this new personal data protection regime and AI.

This theme is significant because data protection regimes will invariably have a crucial impact on how AI grows and develops. The DPDP Act has essentially done away with obtaining “wholesale” consent from a user and mandates that consent should be free, specific, informed, unconditional, unambiguous and given through a clear affirmative action. This, along with the need for providing a comprehensive privacy notice, will impact the ability of AI models to scrape data for training and progression. For example, in the health sector, while AI has the potential to revolutionise medical diagnostics and improve patient outcomes, this must be done in a way that respects individual privacy and complies with relevant regulations. In light of the DPDP Act, strict consent mechanisms and data handling norms will need to be implemented to ensure ethical AI practices are carried out in accordance with the law. However, implementation is often seen as a practical challenge. As a result, it appears that one way to tackle this challenge is to limit the amount and types of data that AI models can use; this, however, potentially affects the depth and diversity of the datasets, which are crucial for training robust and generalisable models. Other solutions tend to include implementing data anonymisation techniques and using federated learning approaches that allow AI models to be trained across multiple institutions without the need for “personal data” that is specifically regulated. Developing mechanisms for obtaining informed and explicit consent from users in the manner prescribed under the law, when collecting any personal data, is going to be the need of the hour for entities in the AI space that cannot do away with personal data for completing their machine learning processes.

The Rise and Rise of “Super Apps”

As technology and digital service offerings across different sectors continue to evolve, the emergence of an all-inclusive digital experience is the natural progression to cater to a technology-hungry large Indian user market. “Super apps” have been on the rise globally for a few years now and have picked up pace in India as well (Tata Neu and My Jio are prominent examples). Unlike traditional apps that focus on specific functionalities, super apps aim to become a one-stop solution for various needs that allows a user to access and avail a wide variety of services under the same platform. The strength of super apps (also sometimes called “do-everything” apps) lies in their ability to offer multifunctionality, ecosystem integration, cross-platform accessibility and, above all, user convenience.

However, the benefits come with their own set of legal challenges. By their very nature, super apps collect and process large amounts of user data for various services. Thus, ensuring compliance with data protection laws is crucial. One of the issues that often comes up is whether an entity collecting personal information/data to offer one kind of service can cross-sell such customer information to another group entity providing a different service on the same super app. A practice often seen and adopted in the market by entities the world over is auto/prefilling personal data that was either collected earlier in connection with a completed service or that was taken from a group entity (offering a different service) when completing onboarding processes of its users. This raises concerns as to whether valid consent to pull data that was originally collected in connection with a different service offering was taken to enable the prefilling of data for a different service. Similarly, data collected for one service is often used by other group entities to market their service offerings. Additionally, super apps that offer multiple service offerings regulated by different sector regulators often face challenges in ensuring compliance with the conditions prescribed by each of the regulators. This could include conditions on segregation of business offerings, data sharing and storage restrictions or any other conditions that could potentially act as a hurdle to efficient operations.

It is also important for super apps to keep an eye out for competition law issues which may become a regulatory hurdle. Authorities may examine whether a super app abuses its market power to the detriment of consumers or competitors. Super apps that acquire other companies may face competition law scrutiny, especially if such acquisitions lead to increased market concentration and reduced competition. Competition law concerns may also arise if the super app leverages its data advantage to unfairly stifle competition or restrict access to rivals.

Thus, though super apps have shown immense potential, especially in Asian markets, businesses will need to be mindful of legal concerns to be able to successfully navigate them.

The Growing Prevalence and Potential of Embedded Finance

As the name suggests, embedded finance refers to the integration of financial services into non-financial platforms thereby embedding these services into app flows which users interact with on a day-to-day basis. Embedded finance has revolutionised digital payments in India and promoted financial inclusion. UPI payments, Buy-now-pay-later payment modes on e-commerce apps and hyper-personalised insurance on travel booking apps are just some examples of embedded finance. In India, the market for embedded finance is projected to grow from USD54.3 billion in 2022 to USD248.4 billion by 2032. The USP of embedded finance is that it reduces friction in financial transactions and increases their accessibility manifold. It also helps businesses create new revenue streams and partnerships by incorporating financial services seamlessly into their offerings.

Buy-Now-Pay-Later (BNPL) has had a starring role in the story of embedded finance in India. It is estimated that BNPL will account for over 50% of the embedded finance market by 2026. While BNPL as a service itself is not currently regulated, BNPL is offered by fintechs in collaboration with regulated entities like banks and NBFCs, who are subject to compliance with various RBI laws including those relating to KYC processes, outsourcing guidelines, credit check conditions, data sharing, digital lending and the collection of first loss default guarantees, amongst others.

Discussion on embedded finance in India cannot be complete without discussing the success story of one of its key enablers – the Unified Payments Interface (UPI). UPI is a system developed and regulated by the National Payments Corporation of India which facilitates instant real-time payments on mobile applications. The interface facilitates inter-bank peer-to-peer and person-to-merchant transactions. The ever-growing transaction volume on UPI (INR18.41 trillion in January 2024) has helped foster a digital payments ecosystem that goes beyond traditional banking channels. UPI is rapidly expanding its reach to multiple foreign countries not just for Indians travelling abroad (such as to France) but also for cross-border remittances from India (such as to Singapore).

From a regulatory perspective, embedded finance requires businesses to be mindful of data sharing and seeking appropriate consent from users. Since the integration happens through APIs, there may be an enhanced cybersecurity risk that platforms should be prepared for. Also, it is vital to ensure that the embedded functionality does not fall afoul of any applicable financial or sectoral regulations.

Government Sharpens Gaze on Misleading Advertisements and Influencer-Led Marketing

One of the most noteworthy recent developments has been the federal government’s sharpening gaze on misleading advertisements. In June 2022, the Central Consumer Protection Authority (CCPA), the statutory authority under the Consumer Protection Act, 2019 (the “CPA 2019”), released the Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022. The last few months have seen the Union Ministry of Consumer Affairs (MCA) work with the CCPA, the industry stakeholders and the Advertising Standards Council of India (ASCI, a self-regulatory body) to bolster advertisement regulation through the CPA 2019 and through more nuanced self-regulatory codes. The approach of the CCPA and MCA in this regard has been consultative and driven by the intention to prevent user harm and the violation of consumer rights. ASCI’s guidelines are mandatory for broadcast television but they are self-regulatory for online media.

Guidelines on “dark patterns”

India is now one of the few countries in the world which has statutory rules on “dark patterns”. The term “dark patterns” refers to the deceptive practices undertaken by an online platform, on its website or app’s user interface, to either mislead, coerce or manipulate consumers or impair their decision-making in relation to their choice of products/services. Dark patterns are designed to cause consumers to do something they did not originally intend to. The CCPA released the Guidelines for Prevention and Regulation of Dark Patterns, 2023 in November 2023 under the CPA 2019 and these are applicable to (i) all platforms that systematically offer goods/services in India, (ii) advertisers and (iii) sellers. Earlier, in June 2023, ASCI released its own set of guidelines on dark patterns.

Guidelines against “greenwashing”

“Greenwashing” refers to unsubstantiated, false, deceptive, incomplete or misleading environmental claims about products, services, processes, brands or operations, which are meant to give the impression that they are less harmful or more beneficial to the environment than they actually are. In January 2024, ASCI released its Guidelines for Advertisements Making Environmental/Green Claims (with effect from mid-February 2024). The MCA and the CCPA have also released draft rules under the CPA 2019 to prevent “greenwashing”.

Betting and gambling advertisements

The MIB, having recognised the growing rate of betting and gambling advertisements, has issued multiple advisories in the past year directing OTTs, social media platforms and advertisement intermediaries to not permit any ads by betting and gambling platforms.

Advertisements of fraudulent loan apps

Recent investigative news reports highlighted how advertisements of fraudulent loan apps have a free run on social media platforms. Consequently, MeitY has issued directions to intermediaries, including social media platforms and mobile app stores, directing them to take additional measures to ban such advertisements.

Influencer-led marketing

In June 2021, ASCI introduced the Guidelines for Influencer Advertising in Digital Media which, inter alia, mandate prominent and upfront disclosure of any material connection between the advertiser and the influencer. Influencers are also required to review and satisfy themselves that the advertiser is able to substantiate the claims being made. In August 2023, in the backdrop of rising concerns over misplaced and ill-informed advice being given by unregistered and unregulated financial influencers (“finfluencers”) on social media platforms, the Securities and Exchange Board of India (SEBI) released a consultation paper on the issue for public comments which, inter alia, provides that unregistered entities (finfluencers) are not allowed to work with registered intermediaries or SEBI regulated entities, or their agents or representatives, to promote or advertise their services or products. ASCI has also amended its aforesaid influencer guidelines to bring in specific provisions for finfluencers.

Other noteworthy efforts

In June 2022, ASCI released the Guidelines on Harmful Gender Stereotypes which, inter alia, prohibit gender stereotyping that is likely to cause harm or serious or widespread offence. The MCA and CCPA are currently discussing a dedicated set of guidelines for advertisements by institutes which help prepare for competitive examinations.

Increasing Radar and Compliances for Cryptocurrency and NFT Platforms

In March 2023, amidst growing popularity of cryptocurrencies and NFTs in India, the federal government notified certain activities in relation to virtual digital assets (VDAs) as activities falling within the ambit of the reporting requirements of India’s anti-money laundering law, the Prevention of Money Laundering Act, 2002 (PMLA). The PMLA prescribes, inter alia, certain monitoring and reporting obligations for entities brought within its ambit. Entities (such as cryptocurrency exchanges) have to now comply with the obligations prescribed for reporting entities under the PMLA, including KYC obligations, reporting of suspicious transactions and other anti-money laundering regulations prescribed under the PMLA and its rules.

More recently, the agency under the PMLA to which the reporting has to be done, namely, the Financial Intelligence Unit-India (FIU-IND) has been issuing notices to several players dealing with any form of VDAs, including several foreign cryptocurrency platforms offering their services in India, asking them to comply with the PMLA. In a recent response to a query asked in Parliament in this regard, the Union Ministry of Finance shared a list of VDA entities that had registered with the FIU-IND under the PMLA and it also stated that offshore crypto-exchanges servicing the Indian market will have to comply with the same. In December 2023, an official press release stated that the FIU-IND had sent blocking requests to MeitY against nine foreign cryptocurrency platforms which were operating without complying with the PMLA. Thereafter, on 12 January 2024, another set of foreign cryptocurrency platforms were blocked.

While stringent compliance requirements have been issued under different laws, no separate law has been promulgated to formally provide legal recognition to cryptocurrencies and NFTs in India. In a couple of recent hearings before the Supreme Court of India in relation to certain cryptocurrency fraud criminal cases, the federal government’s counsel stated on record that the government is still considering the legal framework for cryptocurrencies in India and for investigations related to them. Barring the clarity available on how VDAs are to be taxed in India and the aforesaid governance of VDA service providers from the perspective of AML regulations in India, legal recognition and governance continue to remain elusive.

IndusLaw

101, 1st Floor, Embassy Classic
11 Vittal Mallya Road
Bengaluru
560 001
India

+91 80 4072 6600

bengaluru@induslaw.com www.induslaw.com/

Trends and Developments

Authors



IndusLaw is a top-tier Indian law firm. With over 450 lawyers spread across Bengaluru, Chennai, Delhi and NCR, Hyderabad and Mumbai, IndusLaw is one of the sixth largest law firms in India. It is a full-service law firm offering legal services to a wide range of international and domestic clients. IndusLaw advises and counsels across a broad spectrum of practice areas including telecommunications, media and technology (TMT); financial services – regulatory; employment law; capital markets; litigation and arbitration; and private equity, venture capital and acquisitions. The TMT practice group is a national practice and consistently advises clients on complex and cutting-edge matters including on data protection and privacy-related laws, AI, content and interactive media, intellectual property, information technology and e-commerce, Web3 offerings such as cryptocurrencies, structuring of contracts and advising on regulatory compliance for new product offerings.
