The primary areas of legislation applicable to the digital economy in India include data protection, consumer protection, and the regulatory framework for digital payments. In recent years, India’s antitrust regulator has also increased scrutiny in the digital economy space.

The Digital Personal Data Protection Act 2023 (DPDPA), which is expected to come into force in 2025, will apply to all entities – whether Indian or foreign – that process personal data in India or target Indian data subjects for goods or services.

The Information Technology Act 2000 (IT Act) is India’s primary legislation governing the use of computer resources. Provisions related to cybercrimes, such as identity theft, cheating and misrepresentation, as well as breaches of contract, are relevant to the digital economy.

Consumer protection laws also play a role in the digital economy, as discussed under relevant sections. Entities involved in payment systems must comply with regulations issued by the Reserve Bank of India (RBI). The Payment and Settlement Systems Act 2007 (PSS Act) is the primary legislation for payment systems, requiring RBI approval for any payment system operating in India. The RBI issues regulations that payment systems must follow, along with guidelines like those for payment aggregators and payment gateways, credit card and debit card issuance, and card transaction tokenisation. These guidelines vary depending on the nature of the business.

Large e-commerce entities, such as Amazon and Flipkart, have been under heightened scrutiny by India’s antitrust regulator, the Competition Commission of India (CCI). In 2020, the CCI initiated an investigation into the two platforms for alleged violations of the Competition Act, 2002. Both companies challenged the probe in court, and the matter remains pending. The outcome of this investigation, including any penalties or corrective actions, will depend on the court’s decision. In 2024, the CCI also imposed a fine on Meta for violations of the Competition Act.

Taxation of digital goods and services in India is covered within the goods and services tax (GST) regime of the country. GST is levied on “Online Information Database Access and Retrieval” (OIDAR) services, which are defined as including services where delivery is mediated by information technology over the internet or an electronic network, including services such as digital advertising, cloud services, provision of digital goods or content (such as books, movies, games, music, software, etc), digital data storage, and online gaming.

Taxation for OIDAR services under the GST regime is applicable where the place of supply of the service is in India. In the event the service provider/supplier is located outside India, taxes for B2B supplies are chargeable on a reverse charge mechanism. However, for B2C sales in such situations, the foreign service provider would be liable to pay the applicable GST on such services. As such, all foreign service providers providing OIDAR services to Indian consumers must undertake the necessary compliances under the GST laws, including obtaining the required registration, and filing the applicable returns.

There are no specific tax implications around digital advertising, and these services are also covered within the scope of OIDAR services as discussed in 1.2 Digital Economy Taxation. As such, the tax implications and compliance requirements for digital advertising services are the same as those discussed above.

India has a dedicated consumer protection law, along with other regulations that impact digital goods and services in the TMT sector. Broadly, these include:

• Consumer Protection Act, 2019 (CPA) & Consumer Protection (E-Commerce) Rules, 2020 (the “E-Commerce Rules”) – The CPA outlines consumer rights and the duties and liabilities of platforms, including e-commerce services. The E-Commerce Rules target e-commerce entities, imposing restrictions on unfair trade practices and cancellation charges, requiring grievance redressal mechanisms, and mandating labelling and information obligations. These rules apply to foreign entities that “systematically” offer goods or services to Indian consumers.
• Guidelines on Restriction of False or Misleading Advertisements – In 2022, the Indian government issued these guidelines, which impose restrictions on advertisers, advertising agencies, manufacturers, sellers and traders, outlining conditions for non-misleading advertisements, standards for valid “bait” advertisements, and prohibiting surrogate advertising.
• Guidelines for Prevention and Regulation of Dark Patterns, 2023 – The Central Consumer Protection Authority issued these guidelines, prohibiting entities, including e-commerce companies, from engaging in dark patterns on their websites. The guidelines list 13 specific “dark patterns”, such as false urgency, basket sneaking, subscription traps, bait and switch, and drip pricing.
• Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “IT Rules 2021”) – The IT Rules 2021 regulate content, media and games offered over the internet and include a grievance redressal mechanism among their provisions.
• Digital Personal Data Protection Act, 2023 (DPDPA) – The DPDPA governs the processing of personal data in the digital realm, imposing obligations on data fiduciaries regarding customer data. The act is yet to be fully implemented, and the Indian government recently published rules (the “draft DPDP Rules 2025”) under the law for public consultation.

Legal Frameworks for Resolving Consumer Complaints in the Digital Economy

The CPA establishes Consumer Disputes Redressal Commissions at three levels – district, state, and national – in a hierarchical and appellate structure. These commissions adjudicate consumer disputes, including those from digital transactions. In February 2024, the government launched the “e-Jagriti” portal, an online mechanism for handling cases across commission levels.

Upholding Consumer Rights and Best Practices

Companies in the sector can uphold consumer rights through:

• transparency – ensuring clear communication about products, services, pricing, terms and conditions, and other relevant information;
• data protection compliance – adhering to applicable data protection laws; and
• grievance redressal mechanisms – establishing systems prescribed under the law to address consumer complaints.

Additionally, companies should ensure fair trade practices and adopt industry best practices, such as:

• easy access to contact information – companies should provide easily accessible customer care support details on their websites;
• robust customer support – companies should offer multiple channels for customer interaction, such as chatbots, emails and helplines;
• staff training – companies should train their staff on consumer rights, data protection, dispute resolution, and relevant laws and mechanisms;
• time-bound dispute resolution – companies should adopt measures to resolve disputes promptly and, where possible, communicate the resolution timeline to consumers; and
• online dispute resolution (ODR) mechanisms – these can help both companies and consumers save time and resources, and can be used for cross-border e-commerce disputes as well.

Impact on the TMT Sector

The integration of blockchain technology has enhanced transparency, security and efficiency in digital transactions and services. The Ministry of Electronics and Information Technology (MeitY) released the “National Strategy on Blockchain” in 2021, aiming to establish a comprehensive framework for blockchain adoption across various sectors in India. This strategy focuses on creating a national blockchain infrastructure to support the TMT sector’s growth.

However, the legal status of cryptocurrencies remains ambiguous. In 2018, the RBI imposed a blanket ban on cryptocurrencies, which was overturned by the Supreme Court of India in March 2020. While cryptocurrencies are still not recognised as legal tender, it is legal to hold and trade them and gains from this are taxable in India.

Challenges

• Regulatory uncertainty – The absence of specific laws regulating cryptocurrencies creates ambiguity for businesses and investors. In 2021, the government attempted to legislate the domain with the “Cryptocurrency and Regulation of Official Digital Currency Bill” aimed at creating a framework for an official digital currency issued by the RBI and prohibiting private cryptocurrencies with certain exceptions. However, the Bill never saw the light of day.
• Compliance requirements – Entities dealing with virtual digital assets must comply with applicable anti-money laundering laws in India.

Opportunities

• Innovation and growth – Blockchain technology offers opportunities for innovation in the TMT sector, enabling the development of new services and business models.
• Regulatory sandboxes – In February 2024, the RBI issued the latest version of the “Enabling Framework for [a] Regulatory Sandbox”, allowing innovators and fintech companies to test products in a controlled environment. The framework includes blockchain technologies but expressly excludes cryptocurrency/crypto-asset services.

Regulation of Blockchain and Cryptocurrencies

While there is no specific legislation governing blockchain and cryptocurrencies, several laws and guidelines apply.

Income Tax Act, 1961

Under the law a “virtual digital asset” broadly means any information, code, number or token (not being Indian currency or foreign currency) generated through cryptographic means, and also includes NFTs and any other digital assets as notified by the government. The Act imposes a flat 30% tax on income from cryptocurrency transactions, with an additional 1% tax deducted at source on transactions exceeding INR50,000 (approximately USD570) annually.

Companies Act, 2013

This is the primary company law in India and it makes reporting of crypto/virtual currency mandatory for companies.

Prevention of Money Laundering Act, 2002 (PMLA)

Entities dealing with virtual digital assets must register with the Financial Intelligence Unit – India (FIU-IND) and comply with the Anti-Money Laundering & Countering the Financing of Terrorism Guidelines. In the past, the FIU-IND has imposed penalties on unregistered exchanges, such as Binance.

Foreign Exchange Management Act, 1999 (FEMA)

This is applicable to cross-border transfers of digital assets and requires adherence to foreign exchange regulations.

CERT-In Guidelines

These apply to blockchain, virtual assets, and exchanges, mandating compliance with cybersecurity standards.

Additionally, the RBI has launched a pilot for the digital rupee (e₹-R), representing legal tender in digital form, indicating the government’s interest in exploring official digital currencies.

Currently, no specific laws regulate cloud or edge computing in India, and no specific regulatory licences are required for service providers. However, a broad range of laws is applicable.

Privacy

Under the DPDPA (once in force), the processing of personal data may only be justified by consent from the data subject or under a narrow set of legitimate purposes.

The draft DPDP Rules 2025 mandate that privacy notices to data principals must provide an itemised list of the personal data being processed and the purposes of processing. They also require the notice to be comprehensible and in plain language, with an option for withdrawal of consent. Additional obligations are imposed on “significant” data fiduciaries (the criteria and thresholds for being classified as significant data fiduciaries are yet to be provided) to undertake yearly data protection impact assessments and audits.

CERT-In Notification

On 28 April 2022, the Indian government notified a requirement for all service providers, intermediaries, data centres, body corporates and the government itself to report all cybersecurity incidents to the Indian Computer Emergency Response Team (the “CERT-In”) within six hours of these incidents being noticed. Such cybersecurity incidents include a wide variety of occurrences, such as unauthorised access to IT systems, identity theft, data breaches and data leaks. CERT-In has been set up under the IT Act as the national agency for addressing cybersecurity issues, including collecting information on cybersecurity incidents, providing for emergency measures to deal with them, and co-ordinating responses to them.

IT Rules 2021

Cloud service providers may be classified as “intermediaries” under Indian law. To claim intermediary safe harbour, they must meet compliance obligations under statutes like the IT Rules 2021.

Interception, Monitoring and Blocking

The Indian government and certain state governments have powers to demand access to information, decryption and monitoring for public order, crime prevention, or national security. Blocking orders can also be issued under the IT Act and through subordinate legislation called the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.

India’s banking regulator, the RBI, imposes a number of obligations on Indian banks. Regarding storage of payment information, on 6 April 2018, the RBI issued a direction to all banks and payment system operators to store all payment data in systems located in India only, except in the case of cross-border transactions, where a copy of the payment data may also be stored abroad.

Additionally, the Insurance Regulatory and Development Authority of India requires insurers to maintain records of policies and claims within India only.

Challenges to the Utilisation and Functioning of Cloud and Edge Computing Services

The following aspects, in the context of the Indian legal landscape, may present challenges to the utilisation and functioning of cloud and edge computing services.

Breach notification

As stated above, cybersecurity incidents are to be reported to CERT-In within six hours of becoming aware of the incident, and a contravention of this directive carries with it penal provisions – imprisonment for up to one year, a fine of up to INR10 million (approximately USD116,000), or both. Even though CERT-In has clarified that penalties for contravention will only be imposed in extraordinary cases for wilful non-compliance, practically speaking, this has led to a lot of friction between cloud service providers and their customers, which consist of corporations providing services to Indian customers and processing their personal information, and has greatly complicated the negotiation of any such agreements. This issue is exacerbated by the fact that the global standard for data breach notifications (including as set out in the General Data Protection Regulation) requires data breaches to be reported within 72 hours of becoming aware of the breach.

In addition to the above, once the DPDPA comes into force, it will require data fiduciaries to give notice of every personal data breach to each affected data subject and the Data Protection Board of India (DPB) without delay after the occurrence of the breach, as well as a detailed report with additional information to the DPB within 72 hours of becoming aware of a breach.

Jurisdiction

The question of jurisdiction also poses a challenge in contravention by cloud and edge computing services. Even though the IT Act and DPDPA have been granted extraterritorial jurisdiction, actual enforcement against foreign entities without a tangible presence in India is challenging. Such entities might claim that Indian laws do not apply to them. 

Cross-border data transfers

The draft DPDP Rules 2025 bring some clarity on the issue of cross-border data transfers. While the DPDPA only allows for the government to blacklist certain countries to which the personal data of Indian data principals may not be transferred, the draft DPDP Rules 2025 place an additional data localisation requirement on significant data fiduciaries. As per the draft DPDP Rules 2025, the government may, at the recommendation of a committee constituted by it, notify categories of personal data which are restricted from being transferred outside India.

Laws and Regulations

There is no sui generis law governing AI in India. Different existing laws/guidelines/policies regulate AI, including issues on protection of a person’s likeness, deepfakes, AI in self-driving cars, drones, etc. Some of the primary ones are listed below.

Information Technology Act, 2000 (IT Act)

The IT Act, being the primary legislation for regulating all things online/digital in India, will apply along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the “SPDI Rules”) and IT Rules 2021 in regulating AI. They impact issues such as right to privacy, web scrapping, etc.

IT Rules 2021

It is possible, depending on the use made of AI in each instance, that a platform may be considered as an intermediary. In order to qualify as such, it would need to meet the test laid down in Section 79 of the IT Act – namely, that it does not initiate a transmission, select a receiver or exercise any editorial control. In the instance of AI-generated content, it is unlikely that the third part of this test would be met. Additionally, even if all three parts of this test are met, the intermediary claiming safe harbour will be required to comply with the obligations placed upon it by way of the law, including specifically under these rules.

The DPDPA and the draft DPDP Rules 2025

The soon-to-be-implemented law along with its rules (once finalised) will have implications for the deployment and use of AI where these concern digital personal data. This is likely to have implications for generative AI and regulate the right to privacy against private entities. However, it is to be noted that the DPDPA specifically excludes publicly available personal data from its purview, and this exclusion would mean that training AI models on publicly available datasets (including personal data) may not fall foul of the DPDPA specifically.

Consumer Protection Act, 2019

The CPA can come into play and govern AI, if AI systems are considered to be a product or a service from the point of view of a customer.

IPR laws

Deployment and use of AI is also regulated by the Copyright Act, 1957 and the Patents Act, 1970 as far as they concern content/inventions generated by and/or using AI. There is also the potential impact on a person’s personality rights and rights of privacy in the case of unauthorised use of the person’s likeness/use of deepfake technology. Indian courts have taken cognisance of this and in 2023, a famous actor secured protection against unauthorised use by AI (among others) of his personality rights. 

MeitY’s Advisory on Deepfakes

In November and December 2023, MeitY issued advisories to social media intermediaries under the IT Act and IT Rules 2021 to regulate misinformation on their platforms by AI-generated deepfakes.

MeitY’s Advisory on large language model (LLM) and/or generative AI

This was released on 15 March 2024, for intermediaries  and platforms under the IT Rules 2021, in relation to the use of AI model(s)/LLM/generative AI. The advisory restricts the display/hosting of unlawful content; does not permit any bias or discrimination or threat to the integrity of the electoral process; and mandates that such models should be made available to users in India only after appropriately labelling the possible inherent fallibility or unreliability of the output generated.

Guidelines for Prevention and Regulation of Dark Patterns, 2023

The guidelines, discussed in 1.4 Consumer Protection, also apply to AI service providers.

Drone Rules, 2021

These rules govern the deployment of drones by private entities. The rules specifically include “unmanned aircraft system”, which can operate autonomously, and require, among other things, their mandatory registration with the Directorate General of Civil Aviation.

BIS draft Indian standard on AI

In January 2024, the BIS released the draft Indian equivalent of IS/ISO/IEC 42001:2023, which provides guidance for establishing, implementing, maintaining and continually improving an AI management system within the context of an organisation.

There are no specific regulations for autonomous vehicles yet, but there are autonomous bodies, which provide platforms for the development of advanced driver-assistance system (ADAS)/autonomous vehicle functionality. Vehicles in the Indian market with existing ADAS facilities are governed by the regular motor vehicle laws of the country.

Government Reports

In December 2024, MeitY’s AI governance subcommittee published its Report on AI Governance Guidelines Development, outlining a framework for AI regulation in India. The report emphasises three principles: regulating AI across its life cycle (development, deployment, diffusion); considering all ecosystem stakeholders (data subjects, providers, developers, deployers and users); and adopting a “techno-legal” governance approach to address the dynamic nature of AI technologies. It recommends a gap analysis to identify deficiencies in current regulations related to AI governance, such as those relating to deepfakes, cybersecurity and intellectual property rights. Key recommendations include establishing an interministerial authority for cohesive governance, creating a technical secretariat to oversee AI systems and maintain incident databases, and encouraging voluntary commitments from AI developers, including transparency reports and security assessments. While comprehensive, the report is not legally binding.

In the absence of specific laws governing machine-to-machine communications or IoT, the more general laws on privacy, interception, monitoring, blocking, etc, apply to this space as well. Additionally, as mentioned earlier, upon the enactment of the DPDPA, extra requirements will be put in place, as well as greatly enhanced penalties for failures to ensure compliance.

Other than the above, the following may be of particular note.

• In 2018, the Indian government issued a directive that issuers of SIM cards to be utilised for the purposes of M2M communications were to follow verification norms prescribed under the unified licence regime for telecoms operators. The directive also prescribed a number of restrictive features to be implemented on such SIMs for M2M communication. The restrictive features were relaxed somewhat in 2019, further to representations by industry.
• In January 2022, the government issued a directive stating that a no-objection certificate (NOC) would need to be issued by the Department of Telecommunication (DoT) for the sale or rental of international roaming SIMs/global calling cards of foreign operators – including for the purpose of M2M communications. Only companies registered under the Indian Companies Act may make applications for an NOC, and in the case of companies with foreign investment, they must be compliant with the extant foreign direct investment regulations of India. The directive also stated that where innovative app-based solutions were to be offered through the use of such SIMS, they would be approved by the DoT on a case-by-case basis, pursuant to presentations and other requested information being submitted. NOCs are valid for a period of three years, with further renewal for up to three years at a time.
• In 2022, the government of India issued guidelines for the granting of a unified licence for telecoms services, which included authorisation for three categories of M2M services. Additional guidelines were also issued by the DoT in 2022 which, among other things, required the registration of M2M service providers.

In addition to the above, on 24 December 2023, the Indian parliament passed the Telecommunications Act 2023 (the “Telecom Act”), which aims to replace the archaic Telegraph Act, 1885 (the “Telegraph Act”) and the Wireless Telegraphy Act, 1933 (the “Wireless Telegraphy Act”). Provisions of the Telecom Act are discussed in detail under 6. Telecommunications. The new law will also be applicable to the M2M space, and will require holders of existing licences, registrations and permissions to eventually seek authorisation from the government.

As no specific legislation exists in India governing the IoT sphere, companies must be mindful of a host of laws and regulations (as highlighted above) while deploying IoT solutions. Importantly, the enforcement of the upcoming DPDPA will result in a sea change in India’s data protection regime, as compliance requirements and penalties under the DPDPA are more stringent as compared to the current SPDI Rules. Companies must ensure that they are prepared to meet the additional compliance burdens which will be put in place by the DPDPA, including the requirement for specific and itemised consent notices, providing for data subject rights, having mechanisms in place for the data breach reporting requirements, and ensuring adherence to requirements around processing of minors’ personal data.

In addition to the above, companies must ensure that all requisite licences and certifications (the requirements of which have been highlighted above) in relation to their IoT solutions are in place prior to their implementation. Risks arising from this could be mitigated by way of conducting adequate due diligence on any service providers, and having contractual provisions in place in the event of an issue with any such licences/certifications, or arising from non-compliance with any applicable laws.

As no specific legislation exists for IoT companies in India, legal requirements with respect to data sharing by IoT companies are governed by Indian privacy law (currently the SPDI Rules, set to be replaced with the DPDPA).

Under the SPDI Rules, sharing of “sensitive personal information” with a third party may only be done with the consent of the data subject or for fulfilment of a contract with the data subject, unless such sharing is required for compliance with an applicable law. Additionally, the transfer of sensitive personal information to a third party may only be carried out where such parties can ensure the level of data protection required under the SPDI Rules.

The DPDPA relies on consent as the primary basis for processing of personal data, except in the case of certain “legitimate purposes” where personal data may be processed without consent. As such, once the DPDPA is brought into force, for any data-sharing activities, IoT companies will have to seek specific consent (as required under the DPDPA) for any processing activities involving data sharing, and will have to comply with all the other requirements imposed on data fiduciaries under the DPDPA.

A number of different legislations govern the provision of audiovisual media services in India. However, these were put in place prior to the advent of the internet as an audiovisual medium, and as such, most do not include internet-based services within their ambit.

Cable Television Networks (Regulation) Act, 1995

The Cable Television Networks (Regulation) Act, 1995 (the “Cable Television Act”) governs the operation of cable television networks in the country, defined specifically as systems which are designed to provide cable services for reception by multiple subscribers. This legislation is restricted to terrestrial broadcasting mediums and does not include satellite television within its scope. The Cable Television Act requires all entities intending to operate as a cable operator to register themselves with the relevant authority. All cable operators are required to comply with the prescribed programme code and advertisement code. The Cable Television Act also imposes certain other obligations on cable operators, such as the requirement to mandatorily broadcast “Doordarshan” channels (TV channels operated by the Indian government), maintain certain registers, and transmit certain programmes/channels as prescribed by the Indian government.

Applications for approval to function as a cable operator are to be accompanied by the prescribed fee. Only individuals who are citizens of India, or companies incorporated under the laws of India, are permitted to register as cable operators.

Guidelines for Uplinking and Downlinking of Television Channels

In 2022, the Indian government issued the Guidelines for Uplinking and Downlinking of Television Channels to regulate satellite television operations. These guidelines set different fees for uplinking and downlinking TV channels, with annual permission fees required for such activities in India. They also prescribe minimum net worth requirements and make the programme and advertisement codes under the Cable Television Act applicable to satellite TV channels, with penalties ranging from advisories to suspension or revocation of permissions.

Operating an Over-The-Top (OTT) Platform

For internet streaming, no specific legislation has been introduced. Operating an Over-The-Top (OTT) platform does not require registration or approval. However, OTT platforms are classified as “intermediaries” under the IT Act and must comply with the IT Rules 2021. These rules require intermediaries, including social media platforms hosting user-generated content, to follow due diligence provisions to benefit from the “safe harbour” protection granted by the IT Act.

IT Rules 2021

Obligations imposed by the IT Rules 2021 include the publication of the terms of use and privacy policy of the platform on its website or mobile app; the need to provide annual notice of these to users as well; and the obligation to inform users annually that in case of non-compliance with the platform’s terms of use or privacy policy, their right to use the platform may be restricted. Additionally, intermediaries are required to make “reasonable efforts” to ensure that content hosted on the platform is compliant with certain conditions, such as those regarding obscenity, infringing upon intellectual property rights, content being deceptive as to its origin or information, or content which threatens the unity, integrity, defence, security or sovereignty of India, among other conditions. Intermediaries are also required to put in place a grievance redressal mechanism by instituting a “grievance officer”, who is required to acknowledge any complaint within 24 hours of receipt and resolve it within 15 days of receipt.

Applicable Law and Scope

As mentioned previously, the Telecom Act is the “new” primary legislation governing the telecommunications sector in India, replacing the Telegraph Act and the Wireless Telegraphy Act. The Telecom Act regulates various aspects, including extra-territorial applicability, biometric verification for telecommunications services, right of way, critical telecommunications infrastructure, government interception powers, reduced penalties, protection against unsolicited commercial communication, and a grievance redressal mechanism. Not all provisions of the Telecom Act are currently in force, particularly those related to registration and telecoms licences, which continue to be regulated under the previous laws.

The Telecom Act provides a broad definition for “telecommunications services” as any service for telecommunications, and this potentially covers all existing technologies and services in the industry. This includes traditional voice communication (mobile and landline phones), data services (internet and broadband), broadcasting services (radio and television), satellite communication/internet, and OTT services (VoIP, messaging and streaming).

Pre-Market Requirements

The DoT holds the authority to issue telecoms licences under the Telegraph Act and Wireless Telegraphy Act. Following the National Telecom Policy 2012, the DoT now grants “unified” licences covering multiple telecommunications services, including access services, internet services, and national and international long-distance services.

Only companies registered under the Indian Companies Act may apply for a unified licence. There are prescribed minimum net worth and equity requirements, along with an entry fee and a bank guarantee. India’s Foreign Direct Investment (FDI) policy allows up to 100% FDI in telecoms entities, but security clearance from the Ministry of Home Affairs is mandatory before such investments.

Upon the granting of a licence, the service provider must pay an annual licence fee for each service area and authorised service, calculated as a percentage of the company’s adjusted gross revenue. Licences are issued for 20 years, with the option to renew for ten years at a time upon payment of a renewal fee.

The DoT also conducts periodic auctions to provide telecoms companies with access to radio spectrums for operating telecoms networks. This process is separate and independent from the licence acquisition process.

Once the Telecom Act’s relevant provisions are enforced, telecoms licences will fall under the new law, and spectrum assignment will mainly occur through auctions (except for certain specific purposes, as listed, for which assignment will be done through an administrative process).

Security Requirements

In November 2024, the government gave notice of The Telecommunications (Telecom Cyber Security) Rules, 2024, which establish a comprehensive framework to enhance the cybersecurity of India’s telecommunications infrastructure. These rules require telecoms providers to implement robust cybersecurity measures, report security incidents promptly, and conduct regular compliance audits. Key provisions include the mandatory appointment of a chief telecommunication security officer (CTSO) and enabling government agencies to monitor traffic data to ensure network security.

India has implemented regulations to ensure net neutrality, requiring internet service providers (ISPs) to treat all data equally without discrimination. The Telecom Regulatory Authority of India (TRAI) and the DoT are the primary agencies overseeing this area. In February 2016, TRAI issued the Prohibition of Discriminatory Tariffs for Data Services Regulations, which prohibits ISPs from offering or charging discriminatory tariffs for data services based on content (ie, different websites or services).

In 2018, following TRAI’s recommendation, the DoT issued the Regulatory Framework on Net Neutrality, imposing strict net neutrality principles on ISPs. The DoT enforces these regulations through ISP licence agreements.

Entities in the telecommunications sector must ensure non-discriminatory access for all users, providing a level playing field for all online services and applications. Non-compliance with these regulations results in penalties for ISPs.

Emerging technologies are actively shaping the legal landscape in the country, and the laws governing these technologies have been discussed in previous sections. As highlighted in 3. Artificial Intelligence, the Indian government has introduced new directives and guidelines to address the evolving AI landscape. These include both proactive laws for generative AI and reactive measures to combat issues such as deepfakes and dark patterns.

The development of modern wireless technologies like 5G has also led to the introduction of new laws. The Telecom Act, for instance, facilitates the smoother auction and allotment of 5G spectrum. As noted in 6.1 Scope of Regulation and Pre-Marketing Requirements, the Telecom Act allows for the assignment of spectrum through an administrative route for certain purposes, such as testing and trials of new technologies and the creation of regulatory sandboxes. These can be used to test both 5G and 6G wireless technologies.

Although primarily aimed at overarching issues and not industry-specific, the DPDPA and the new data protection regime in India will also impact emerging technologies like IoT implementations. This includes more stringent compliance requirements relating to personal data, enhanced penalties, and a specific regulatory authority to address contraventions under the law.

Essentially, while it may be viewed as an oversimplification, a technology transfer agreement is a contract that enables the movement of data, know-how and intellectual property from one organisation to another. The considerations discussed herein are of note while engaging in technology transfer agreements in India.

Foreign Exchange Regulation

Previously under the FEMA (Current Account Transaction) Rules 2000, remittances for technical collaboration above a particular threshold required government approval. However, through a series of moves aimed at easing business, these rules were relaxed.

Foreign licensors should, however, be conscious of the fact that the Foreign Exchange Management (Guarantees) Regulations 2000, framed under the Foreign Exchange Management Act 1999, do not automatically permit an Indian licensee or its owners to provide a personal or corporate guarantee to a non-resident without seeking permission from the RBI. There will be serious hurdles in the enforcement of such a guarantee.

Taxation

The Indian government has recently increased the quantum of withholding tax payable on royalties and fees for technical services of foreign entities by Indian parties, which will be required to be deducted by an Indian licensee from a foreign licensor of intellectual property. Licensors/transferors are advised to specify obligations in this regard in any agreement, including appropriate tax certificates proving payment.

Foreign licensors of intellectual property would be best advised to take advantage of various double taxation avoidance arrangements (DTAAs) that India has with most other nations.

In order to take advantage of DTAAs, the licensor will require a tax residency certificate from its home country, and will need to register with the web portal of the Indian Income Tax Department, and provide a declaration that it does not have a permanent establishment in India.

Applicable Law and Jurisdiction

Usually, a party in the stronger bargaining position (which would generally be the licensor in such agreements) would look to ensure that the laws of its home jurisdiction would be the governing laws of the contract. As such, courts of the home jurisdiction of the licensor would also ordinarily be provided exclusive jurisdiction over adjudicating disputes arising from the licence agreement.

However, licensors could face challenges enforcing foreign judicial awards, as Indian courts recognise the enforceability of only some foreign courts. Parties should consider this aspect before determining foreign jurisdiction in any agreements which would potentially require enforcement actions by Indian courts. Additionally, licensors would be well advised to retain the power in the agreement to approach courts in the licensee’s jurisdiction to seek injunctive relief.

Adjudicating disputes in Indian courts also carries several challenges, not least the significant backlog of cases in the Indian judicial system. Resolving disputes in Indian courts may take five to ten years (and possibly even longer).

If parties intend to adjudicate disputes through arbitration, care must be taken to ensure that the arbitration is held in a country that is notified as a reciprocating territory by the Indian government and is a signatory to the New York or Geneva Convention.

Stamp Duty

For an agreement to be entered as evidence before Indian courts of law, it is necessary that the requisite stamp duty under the Indian Stamp Act, 1899, has been paid. Until such requisite duties have been paid, the agreement may not be validly enforced or placed in evidence before an Indian court, which would then be bound to impound such an agreement and insist that the parties pay the applicable penalties. Licensors need to insist that such obligations are completed by the Indian party from the get-go, and that the licence agreement itself carries a specific obligation in this regard.

Competition

In many cases, technology transfers are riddled with restrictive covenants, as well as minimum pricing directions upon the licensee. Licensors would be best served seeking specific legal assistance from local counsel on antitrust issues, such as restrictions on owners of the licensees to engage in competing businesses in the future, or to deal with other parties that may be seen as competitors of the licensor. Provisions in agreements that have the propensity to violate Indian antitrust laws may be held to be void.

Similarly, provisions within these agreements that are overly restrictive on the business activities of the licensee, as well as the owners of such licensee, may be seen as agreements in restraint of trade and, as a result, unenforceable.

Intellectual Property

Under Indian law, patent licences are only valid if made by written agreement. Such licence needs to be registered with the Controller of Patents by way of submission of a prescribed form with the requisite fee.

Similarly, copyright licences are required to be in writing and duly executed in accordance with the applicable law. However, there is no express requirement in the law for such licences to be registered with the Copyright Office.

Confidentiality

Strong confidentiality provisions in an agreement where information is the most important asset are a must. Even prior to the execution of the actual agreement, discussions between the parties should be subject to an NDA. The licensor should specifically make a point of marking information that is not for outside eyes as confidential. The confidentiality provisions within the agreement should specify the requirement for access control measures, as well as the technological measures that the parties should put in place. Agreements should also specify the period after the termination and/or expiry of the licence agreement pursuant to which the confidentiality obligations will continue to be applicable.

Various provisions of law may classify the unauthorised sharing of confidential information as a “breach of trust”, while the IT Act also provides remedies against breaches of confidentiality as they relate to electronic records.

Indemnity and Related Provisions

Complications with regard to seeking guarantees from owners of the licensee have already been highlighted above in the heading titled “Foreign Exchange Regulation”.

In addition, foreign licensors should be cognisant of the fact that liquidated damages according to Indian law may not be permitted if they are held to be unreasonable, and may not be inserted with the intent of penalising the breaching party.

No specific legal requirements exist for telecoms service agreements in India. Consideration must be paid to ensuring that the service provider has all the requisite licences/permits/certifications in place to provide the telecoms services, and as mentioned under 4.2 Compliance and Governance, due diligence and ensuring adequate contractual provisions relating to indemnity and liability are essential. Such agreements must clearly spell out all relevant service levels required by the service recipient as well, and such terms are governed contractually in India. In addition to these, the general considerations relating to agreements in India as highlighted in 7.1 Legal Framework Challenges must also be kept in mind.

Interconnection agreements in India are regulated under the Telecommunication Interconnection Regulations 2018 (the “Interconnection Regulations”) issued by TRAI. The Interconnection Regulations specify various aspects that companies must comply with regarding their interconnection agreements, including:

• the requirement to enter into interconnection agreements with service providers on a non-discriminatory basis;
• the procedure for entering into interconnection agreements including the documentation and timelines involved in entering the agreements;
• the requirement of furnishing a bank guarantee;
• the procedure and requirements for provisioning and augmenting points of interconnection between the service providers;
• the requirement for any interconnection charges to be transparent, non-discriminatory and reasonable; and
• penalty for contravention (of up to INR100,000 or approximately USD1,150 per day per licensed service area).

Companies must be mindful of and adhere to the requirements imposed by the Interconnection Regulations when entering into interconnection agreements.

Regulation of Digital Signatures and Electronic Authentication Techniques

Regulation of trust services in India is limited to legislation governing electronic signatures. Electronic signatures, their issue, use and legal validity are governed by the provisions of the IT Act and rules issued thereunder. The IT Act grants legal recognition to electronic records and allows for the authentication of electronic records by way of digital signatures or electronic authentication techniques, which are considered reliable and are specified in the provisions. Conditions for reliability include the signature/authentication data being linked to the signatory, being under control of the signatory at the time of affixing, and any alterations to the signature/authentication or to the information after it is signed/authenticated being detectable.

Digital signature certificates (DSCs)

Certifying authorities are defined as those persons/entities who have been granted licences to issue digital signature certificates (DSCs) to end users under the provisions of the IT Act.

Eligibility requirements for obtaining this licence include prescribed minimum paid-up capital and net worth requirements, as well as an FDI cap of 49%. Applications for licences are to be accompanied by a fee and a bank guarantee of the prescribed amounts.

Licences are valid for a period of five years from the date of issue and may be renewed upon applications for such renewal. Certain obligations regarding reliability, security procedures, publishing of information, etc, are also imposed on certifying authorities by the IT Act.

End users may apply to a licensed certifying authority to obtain a DSC and pay the prescribed fees for obtaining a DSC with a validity of two years.

Digital identity system (Aadhar)

India has adopted a digital identity system called “Aadhar”, which was initially launched in 2009. The Aadhar ecosystem is administered by the Unique Identification Authority of India, a statutory body set up by the Indian government. Aadhar numbers are unique 12-digit identity numbers which may be obtained by Indian residents. The assignment of the Aadhar number is linked to biometric and demographic data. Aadhar numbers are a mandatory requirement to take advantage of many government-provided services, subsidies and benefits.

As part of a challenge raised in the courts against the constitutionality of mandatorily requiring Aadhar numbers for statutory benefits, the Supreme Court of India, in Justice KS Puttaswamy v Union of India, held that the right to privacy is enshrined with the fundamental right to life and liberty granted by the Indian Constitution. Via this judgment, the Supreme Court also struck down the provisions of the Aadhar legislation which allowed private entities to use Aadhar authentication. Such authentication is now only permitted when it is enforced by a law.

The online gaming industry in India is regulated at both the central and state levels. At the central level, the IT Rules 2021 primarily govern online gaming. These rules apply to all internet games, but the obligations thereunder primarily apply to those games dealing in real money (where users make deposits in cash or kind) and are called “Online Real Money Games”. The rules define an “online gaming intermediary” as the intermediary offering online games. 

Under these rules, there are two sets of obligations – one that applies to all intermediaries and additional obligations that apply to online gaming intermediaries. The additional obligations on online gaming intermediaries include verification by a self-regulatory body (SRB), appointing a chief compliance officer, a nodal contact person for 24x7 co-ordination with law enforcement agencies, as well as a resident grievance officer, who would be an Indian resident employee of the company, etc. Currently, there are two SRBs – the Federation of Indian Fantasy Sports and All Indian Gaming, with leading gaming intermediaries as members.

Other central laws, including the SPDI Rules, the DPDPA, the draft DPDP Rules 2025, the CERT-In Regulations and tax laws, also apply to the gaming industry. State laws vary, with some states banning online real money games and others permitting games of “skill”.

Issues such as gambling, age ratings and content restrictions are also covered by the above laws, with specific mentions in the IT Rules 2021. For instance, the rules put obligations on online media intermediaries to ensure that they do not, among other things, display/host any content which is obscene or pornographic or paedophilic, which is invasive of another’s privacy, which is racially or ethnically objectionable, which encourages money laundering or gambling, which promotes enmity on the basis of caste or religion, or which incites violence, etc.

SRBs are tasked with creating age-rating mechanisms for online real money games, which are not to be offered to users under 18. In-game purchases and loot boxes are covered by general laws, as there is no specific legislation for them.

Industry Code of Conduct

The Internet and Mobile Association of India in collaboration with the two aforementioned SRBs and the E-Gaming Federation have developed a Voluntary Code of Ethics for Online Gaming Intermediaries, emphasising fair gaming, user protection (including age-rating, KYC norms, responsible advertising, etc), and co-operation with applicable laws. The E-Gaming Federation is an independent non-profit organisation, which also offers standards for the online gaming industry.

Key Challenges

Despite the IT Rules 2021 providing clarity and regulation for online gaming, regulatory uncertainty persists due to the divergence between central and state laws. Another challenge is the classification of games as games of skill or games of chance, which varies across states. For example, games like rummy and fantasy sports are often classified as games of skill, but not uniformly across all states.

Taxation is another contentious issue. In 2023, the Indian government imposed a 28% GST on online gaming. Subsequently, many online gaming intermediaries have received notices demanding the 28% tax on a retrospective basis. This matter is currently sub judice before the Supreme Court of India, which has granted an interim stay on the tax notices.

MeitY is the primary agency overseeing the online gaming industry at the national level. Other central agencies, such as the CCI, CERT-In, tax authorities, and others, regulate their respective areas concerning online games. Individual state governments and their departments also exercise regulatory powers based on state laws. These bodies have enforcement powers ranging from approvals, regulation formulation, and investigations to imposing penalties or bans.

In January 2025, to combat offshore tax evasion, the Indian government appointed a nodal officer with the authority to remove online gaming websites not registered under the applicable tax laws. Once the DPDPA is in force, the Data Protection Board (DPB) will become the nodal agency for digital personal data regulation and compliance with the DPDPA’s requirements.

Enforcement Examples

The retrospective GST notices mentioned in 9.1 Regulations are one example of regulatory action. Additionally, in November 2024, the CCI initiated a probe into Google’s policy on online real money gaming on its Google Play platform. This was based on a complaint by the online gaming company WinZO, alleging discriminatory practices by Google.

Given the multifaceted nature of online games and the evolving digital landscape, game developers may encounter issues related to piracy, copyright protection of intellectual property in virtual environments, trade mark issues concerning game titles and logos, and domain name disputes. Developers can seek copyright and trade mark protection for various aspects of their online games.

The identification and correct classification of copyrightable work is crucial for the creators of digital and virtual assets. Copyrightable materials can include literary, artistic and cinematographic works, among others. Trade mark protection also extends to virtual goods and services. In addition to brand protection, the Indian authorities have started granting trade mark protections for NFTs and digital assets in the metaverse and similar domains. Cybersquatting and domain name disputes are also pertinent in the gaming industry from an IP perspective.

User-generated content in online games can lead to IP issues, including third-party infringement. Companies must take active measures to ensure that third-party IP is not infringed, and to establish clear ownership of any IP created, as stipulated in their terms and conditions. The IT Rules 2021 explicitly impose such obligations on online gaming intermediaries.

The laws and regulations applicable to online games, as discussed in 9.1 Regulations, apply mutatis mutandis to social media as well. Specifically, the IT Rules 2021 provide definitions for “social media intermediary” and “significant social media intermediary”. The additional obligations under these rules apply only to significant social media intermediaries (currently, platforms with over five million users) and not to all social media intermediaries. In one of the latest developments, the DPDPA and the draft DPDP Rules 2025 impact the presence of children (under the age of 18) on social media. The draft DPDP Rules 2025 require “verifiable parental consent” to process children’s data, which includes verification of the identity and age of the parent or legal guardian by the data fiduciary. Practically, this may mean that children below the age of 18 may not be able to access social media without explicit consent from their parents or legal guardians.

Industry Code of Conduct

There is no unified industry code of conduct for social media. Instead, different companies have developed their own guidelines for ethical conduct in relation to social media. These guidelines typically cover areas such as content moderation, combating misinformation, fact-checking, user protection, two-step verification, and addressing bots.

Key Challenges

Given the dynamic nature of social media, several legal challenges may arise. One primary challenge is the removal of content and sharing of user data with government authorities during official investigations. Social media companies are often asked by government authorities to provide user data or to remove certain content, and co-operation is not always smooth. Failure to co-operate can result in social media companies losing their “safe harbour” protection under the law. Another significant challenge for social media companies is adopting adequate measures to ensure child safety and address the prevalence of obscenity on their platforms.

In terms of data protection, cybersecurity, and data monetisation, the DPDPA clearly mandates the “explicit consent” of the data subject regarding the purpose and manner of processing their personal data. In the event of a breach, strict timelines are imposed for reporting the breach to government organisations like CERT-In, as well as to the data subjects and the DPB. For issues related to intellectual property, see 9.3 Intellectual Property.

Bodies and Regulatory Powers

The agencies that regulate online games, as discussed in 9.2 Regulatory Bodies, also regulate social media and their enforcement powers apply mutatis mutandis to social media.

Enforcement Examples

In November 2024, the CCI imposed a fine of USD25.4 million in relation to WhatsApp’s 2021 privacy policy, which allowed data sharing with other Meta entities. Meta’s practice of mandating that WhatsApp user data be shared with other Meta entities (as a condition for consumers to use WhatsApp) was found to be an abuse of Meta’s dominant position in the market, in contravention of the Competition Act. WhatsApp was also prohibited from sharing user data with other Meta entities for five years, although this ban was stayed in an appeal in January 2025.

Additionally, MeitY issues regular advisories for the strict implementation of the provisions under the IT Rules 2021.