Intermediaries' Obligation to Pursue Complaints Against Infringers: Analysing the Latest Interpretation

The recent interim order dated March 1, 2023, issued by the Delhi High Court in Samridhi Enterprises vs. Flipkart Internet Private Ltd.[1] had sparked a lot of debate and confusion among the public concerning the liability of an intermediary. As per the order of the High Court, an intermediary is not obligated to take action in cases of infringement reported by their users. The Hon’ble Court delved deeply into the interpretation of Rule 3 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, on the question of whether there exists an obligation on the part of intermediaries to act on complaints against infringers.   

Facts

The plaintiff was in the business of manufacturing and selling car covers under the marks “UK Blue” and “Autofact” and had been selling them on Flipkart since 2018. The plaintiff happened to notice that some other entities started to copy their designs, looks and marketing strategies on the Flipkart platform itself. Apart from the fact that the covers were identical, the infringers also sold these covers in a fashion similar to that of the plaintiff’s company to create confusion and boost their sales.

The plaintiff had informed and reported to Flipkart about the infringement of their products by placing screenshots and other similar evidences of infringement committed by the infringer on record. The platform refused to take any action against the infringers and advised the plaintiff to approach a court of law for redressal of IPR disputes.

The plaintiff approached the Delhi High Court, citing that Flipkart cannot act as an intermediary if it fails to adhere to its obligations as an intermediary and to observe important due diligence mandated by Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Law Involved

Rule 3(1)(b)(iv) requires intermediaries to inform their users of their privacy policy, rules and regulations and user agreement and shall make reasonable efforts to ensure that any information that infringes any patent, copyright, trademark, or other proprietary rights shall not be hosted, displayed, uploaded, modified, published, transmitted, stored, updated, or shared by the intermediary.

Rule 3(2)(a) of the IT rules requires the intermediary to publish on its website the details of the grievance officer and the mechanism by which a user could complain about any possible violations. Further, it requires the officer to acknowledge the complaint within 24 hours and resolve the issue within a period of 15 days.  

The plaintiff relied on these two sections to further their claim of infringement against Flipkart. 

Rule 3 (2)(1) (proviso) provides for intermediaries to acknowledge any complaint within 24 hours and resolve all such complaints within 15 days from their receipt. Moreover, the proviso also calls upon the intermediary to develop appropriate safeguards to avoid any misuse by users.

The Ruling

The Hon’ble Court was of the opinion that Rule 3(2)(a) only envisages complaints regarding violations of the obligation imposed on the intermediary under the rules. There is no scope for the intermediary to take any kind of action against the infringer upon receipt of the complaint. The same argument was also put forth by the court when the question surrounding Rule 3(1)(b)(iv) was raised, and the court clarified that the rule merely provides for intermediaries to inform users not to display or host infringing content. The rule does not mandate or require the intermediary to take any action upon receipt of the complaint of infringement.   

The Hon’ble Court stated that it cannot read into IT rules something that the rules do not contain expressly or by necessary implication. It further said that, “where the applicable statutory rules do not envisage action being taken by an intermediary merely on the complaint being made by an aggrieved victim or user regarding infringement of intellectual property rights, by content posted on the platform of the intermediary, the court cannot, by placing reliance on an internal policy of a particular intermediary, read into Clause 3 any such requirement, especially where such a provision existed in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and has consciously been omitted in the 2021 Rules”.  

The Hon’ble Court was of the opinion that the complaint against Flipkart that it is not taking action does not appear to be sustainable due to the above-mentioned reasons. However, a prima facie case of copyright violation was made out by the court and in order to protect the plaintiff from any further damages, an interlocutory injunction was granted against listing the alleged infringing content.

General Observations 

Though the Hon’ble Court did grant the injunction to protect the plaintiff from the ongoing infringement occurring on the platform, the main essence of the IT Act and rules was not taken into consideration while discharging Flipkart of any liability.

The plaintiff erred in not considering the many precedents laid by this very same court. For instance, in Super Cassettes Industries Ltd. vs. Myspace Inc. & Anr1, the court said that “I find that there is no impact of the provisions of Section 79 of the IT Act (as amended in 2009) on copyright infringements relating to internet wrongs where intermediaries are involved and the said provision cannot curtail the rights of the copyright owner by operation of the proviso of Section 81 which carves out an exception for cases relating to copyright or patent infringement”. 

The case witnessed that the Indian Copyright Act, 1957, overrode the provision of the safe harbour granted by the IT Act under Section 79. The Hon’ble Court relied on Section 81 of the IT Act, which provides for an exemption for people exercising their rights under the Copyright Act and the Patent Act. The Hon’ble Court should have recognised this precedent and acknowledged the obligation it posed to the intermediary to remove such infringing products from its platform.   

It doesn’t end here. The court should have considered in what instance the immunity available for intermediaries will be impacted under Section 79 of the IT Act. Section 79(3)(b) of the IT Act states that upon receiving actual knowledge of an unlawful act connected to the computer resource controlled by the intermediary, the intermediary shall expeditiously remove or disable access to such infringing material. If such action is not undertaken by the intermediary, it shall lose the safe harbour guaranteed by Section 79. If safe harbour protection is not available, then allowing an infringement to take place on their platform may constitute abetment and unlawful activity which in turn would make them liable under the law of the land.  

Another striking part of the order is that, even though the Hon’ble Court completely relied on the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the court failed to read into Rule 3 (2) (1) of the IT Rules 2021. The proviso of the rule clearly stipulates that any complaint received from the user other than under Subclauses (i), (iv), and (ix) needs to be expeditiously resolved within 72 hours by the grievance officer. That does not take away the primary obligation of the intermediary to act within the 15 days mandated in the main provision in relation to such excluded matters, including cases of IP infringement. It is astonishing that the court or the parties gave more emphasis to the proviso than the main clause under Rule 3(2)(a)(i). 

Initially, Rule 3(2)(b) was worded as follows: “(i) acknowledge the complaint within twenty-four hours and dispose off such complaint within a period of fifteen days from the date of its receipt;  

(ii) receive and acknowledge any order, notice or direction issued by the Appropriate Government, any competent authority or a court of competent jurisdiction.”.   

On October 28, 2022, the government amended the above rule to read as follows: “acknowledge the complaint within twenty-four hours and resolve such complaint within a period of fifteen days from the date of its receipt: 

Provided that the complaint in the nature of request for removal of information or communication link relating to clause (b) of sub-rule (1) of rule 3, except sub-clauses (i), (iv) and (ix), shall be acted upon as expeditiously as possible and shall be resolved within seventy-two hours of such reporting;  

Provided further that appropriate safeguards may be developed by the intermediary to avoid any misuse by users;” 

The intention of this amendment is to prescribe faster action for certain kinds of wrongdoings and expect them to act within 72 hours. At the same time, for those others (sub-clauses (i), (iv) and (ix)) the original time frame of 15 days for taking action remains. Without a doubt, the goal of this amendment is not to encourage platform users to behave irresponsibly or complacently despite being aware that the platform is frequently used to violate intellectual property rights. It merely provides them with sufficient time and excludes the requirement of compliance within 72 hours.

The intermediary is still obligated to undertake the due diligence described in Rule 3(1)(b)(iv), and if they do not do so and do not take action within fifteen days even after becoming aware of the infringement, the immunity from liability specified in Section 79 will end. The safe harbour will be eliminated because the proviso to Section 81 of the IT Act clearly indicates that IP rights are to be expected to be protected by the intermediary.

Conclusion

The Hon’ble Court was right in granting the injunction in favour of the plaintiff to restrain Flipkart from allowing such infringing products on their platforms.

However, the Hon’ble Court erred by not making a harmonious reading of Rule 3 (2) (a) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, with Section 79 (3) (b) and the proviso to Section 81 of the IT Act. An isolated reading of the provision and discharging Flipkart of their liability under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 seems to be an oversight.

The proviso appended to the said section provides that nothing contained in this act shall restrict the exercising of any right by any person under the Copyright Act. This, along with Section 79 (3) of the IT Act, mandates the intermediary not to conspire, abet or aid any infringement and to remove the infringing material on receiving actual knowledge of it.  

The above-referred order will only help the intermediaries and platforms to behave irresponsibly and indifferently even when an intellectual property owner notifies them of infringement on their platforms. It compels aggrieved intellectual property owners to initiate legal action for every infringement, which is expensive to carry out. IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, was primarily made to make the platforms more responsible and ethical. Allowing them to act irresponsibly through a limited interpretation of law is unconscionable.

References:

1. CS (COMM) 63/2023

The recent interim order dated March 1, 2023, issued by the Delhi High Court in Samridhi Enterprises vs. Flipkart Internet Private Ltd. (CS (COMM) 63/2023) had sparked a lot of debate and confusion among the public concerning the liability of an intermediary. Though the Hon’ble Court did grant the injunction to protect the plaintiff from the on-going infringement occurring on the platform, the main essence of the IT Act and rules was not taken into consideration while discharging Flipkart of any liability.

POST A COMMENT

Decoding IT Amendment Rules: The Hits and Misses

On April 6, 2023, the Ministry of Electronics & Information Technology (MeitY) notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 to amend the 2021 Rules. In this article, the important changes introduced to the Rules are highlighted.

Introduction

Through the amendment, the Ministry intends to make a few changes to the intermediary eco-system by introducing new due-diligence requirements for intermediaries. It can be broadly summarised under two heads – partial censorship of digital media, and regulation of online gaming intermediaries. 

Partial censorship of digital media

The new amendment requires social media intermediaries, significant social media intermediaries and online gaming intermediaries to follow additional due diligence. It aims to regulate digital media by disallowing the publication of such information related to the business of the Central Government which is identified or declared as fake, false, or misleading by a fact-checking unit set up by the Central Government. This addition to the rules would make it mandatory for the intermediaries to take down (when given a notice by the user) any piece of information that is declared fake or misleading by the fact-checking authority. It is unclear from the amendment if the information checked by the already established fact-checking authority would warrant take-down, but with the available information, it would be reasonable to assume that any information fact-checked and deemed fake by the PIB fact-check mechanism would warrant takedown.

This part of the amendment has been challenged by a political satirist, Mr. Kunal Kamra. He filed a writ petition with the Bombay High Court with the averment that the amendment with respect to establishing a separate unit by the Central government to fact-check digital media is violative of Articles 14, 19(1)(a), and 19(1)(g) of the Indian Constitution and that it is ultra vires Section 79 of the Information Technology Act, 2000. The Bombay High Court has now directed MeitY to file its response within one week on why the IT Amendment Rules, 2023 should not be stayed, and also describe the factual background that necessitated the issuance of the amendments. The affidavit has been ordered to be filed by April 19, 2023, and the matter has been listed on April 21, 2023.

Regulation of online gaming intermediaries

Earlier, a draft of the amendment (pertaining to online gaming) to the 2021 Rules was released in January 2023; though the draft lacked clarity on the kind of online games it intended to regulate (click here to read more). Further, it did not delve into differentiating between games that are in the form of wagering/betting and those which are not. The current amendment attempts to overcome these shortcomings by providing for an ‘online gaming intermediary’ and stipulating the due-diligence requirements for such intermediaries.  

The amendment defines an online gaming intermediary as one that enables users to access one or more online games. It further defines an ‘online real money game’ that is played with real money, where the users are asked to deposit money. The amendment allows the online gaming intermediary to host only those games which are permissible online games and are certified by the online gaming self-regulatory body.

Disallowing online wagering and betting games.

As per the new amendment, social media intermediaries or online gaming intermediaries are not allowed to host an online game which is not verified as a ‘permissible online game’, or any information or content which is in the nature of an advertisement or a surrogate advertisement of such non-permissible online games. It also prohibits the hosting of such games that causes harm to the user.

Permissible online real money game

The amendment further clarifies that for a game to be certified as a permissible online real money game, any member of the online gaming self-regulatory body that enables online real money game can make an application to the online gaming self-regulatory body. The said private body is set up for the sole purpose of acting as an online-gaming self-regulatory body and is notified by the Central Government. It has the power to decide whether an online game is permissible or not. The regulatory body will inquire and ensure that the game does not involve any wagering and that the gaming intermediaries or the online game undertakes all the due diligence laid down in the Rules. Additionally, it shall also ensure that the permitted games are not against the interest of the country. It also has safeguards that protect users against harm, risk of addiction, financial loss, fraud, etc by providing repeated warnings or such. The body is required to adhere to the principles of natural justice. While the self-regulatory body has the power to certify an online game as a permissible one, the Central Government still reserves the right to suspend the certification if it believes that the said game is not in conformity with the Rules.

This is a private body set up for the sole purpose of acting as an online-gaming self-regulatory body and is notified by the Central Government. In brief, they have the power to decide whether an online game is permissible or not.

Due-diligence requirements

Previously, Rules 3 and 4 of the Rules stipulated the due-diligence requirements for social media intermediaries and significant social media intermediaries. With this amendment, such due-diligence requirements in Rules 3 and 4 are extended to online gaming intermediaries too.

Through these amendments, in addition to the existing due diligence requirements under Rules 3 and 4, the online gaming intermediaries that enable permissible real money games have certain additional due-diligence requirements like requiring to display a visible mark of verification, and inform the users about the policy related to the deposit and withdrawal of money, the KYC norms that they follow, the measures taken to protect the deposits made amongst others.  

Online games which are not real-money games do not have to follow the additional due-diligence requirements by default, the Central Government by notification may direct an intermediary to undertake certain due-diligence requirements.

Conclusion

The IT amendment rules are an improvement on the previously proposed amendment to the 2021 Rules. The definitional ambiguity is removed and a step is taken toward regulating online games that are based on wagering. It also makes the self-regulation of online gaming intermediaries more transparent by stipulating for disclosure of decision-making reasons, etc.

Image Credits:

Photo by anyaberkut: https://www.canva.com/photos/MADCr_H7g_U-it-concept-information-technology-diagram/ 

The new amendment requires social media intermediaries, significant social media intermediaries and online gaming intermediaries to follow additional due diligence. It aims to regulate digital media by disallowing the publication of such information related to the business of the Central Government which is identified or declared as fake, false, or misleading by a fact-checking unit set up by the Central Government. This addition to the rules would make it mandatory for the intermediaries to take down (when given a notice by the user) any piece of information that is declared fake or misleading by the fact-checking authority. It is unclear from the amendment if the information checked by the already established fact-checking authority would warrant take-down, but with the available information, it would be reasonable to assume that any information fact-checked and deemed fake by the PIB fact-check mechanism would warrant takedown.

POST A COMMENT

Transcribing Court Proceedings with AI Technology: An Analysis

The Supreme Court of India has recently come up with the decision to make use of AI-powered natural language processing technologies in transcribing court proceedings. The idea is to capture what people inside the court were speaking and convert it from speech to text.

This intelligent automation will speed up the process of creating transcripts that are later made available to various stakeholders such as lawyers, parties involved in the concerned case, etc. Quicker access to transcripts will benefit lawyers, especially during multi-day hearings. This AI solution, named – Technology Enabled Resolution (“TERES”), developed by Bangalore-based Nomology Technology Private Limited, was already being used for transcribing arbitration matters and has proved its value because specialist transcribers often had to be hired from abroad, adding significantly to the overall cost borne by the parties.

With AI already permeating much of human society, it was only a matter of time before the judiciary also adopted it in the sphere of litigation. Nonetheless, the decision to move ahead with the experiment is laudable and especially so in light of the apex court’s recent decision allowing live-streaming of certain hearings (i.e., of only those hearings that relate to the interpretation of our constitution and where the bench comprises five or more judges).

These two steps will force all stakeholders in our legal ecosystem to change their mindsets, ways of working, and in-court behaviour. Over time, one hopes that such changes will collectively yield various benefits some of which are listed below:

  • Improved justice delivery system (based on better arguments and more efficient access to and assessment of evidence).
  • Reduced pendency of cases (based on faster disposal of matters as well as a decline in the tendency to approach courts for frivolous matters).
  • Easier and cost-effective access to legal recourse for larger sections of our society.
  • Minimised use of time-wasting tactics (e.g., needless adjournments).
  • Higher standards of courtcraft and a better understanding of the context in which certain comments are made by the bench or the bar.
  • Better recordkeeping.
  • More accountability.
  • Enhance learning for newer generations of lawyers.

For years, the government has sought to make India a preferred centre for international arbitration and mediation. Progress on the ground has however been slow. The wider use of modern technologies may prove to be a catalyst in this regard. This can also be a boost to improve the ease of doing business in India, especially at a time when, for various geopolitical and economic reasons, foreign direct investment is on the rise. At the same time, the burgeoning start-up scenario in India is attracting significant private equity and venture capital. A lot of intellectual property is being created in India and needs to be suitably protected. Especially because much of it has to do with emerging areas that are critical to the future of our country and indeed, the world.

To be sure, there will still be various practical challenges that need to be ironed out. As pointed out by the Hon’ble Chief Justice of India, Dhananjaya Y Chandrachud, multiple voices at the same time may well confuse the AI tool and hinder accurate transcription. Different accents and loudness of voices may also potentially complicate matters. Also, unless the entire judiciary (across all courts) adopts such technologies, the benefits will be limited. Such widespread adoption may still be derailed by objections from various quarters.

Therefore, it is too early to conclude with any level of certainty that the above-mentioned benefits (and possibly, others) will indeed be realized, and if yes, how long it will take. However, the Supreme Court’s decision to use technologies to usher in greater levels of efficiency and transparency is a clear signal of intent. As the old saying so presciently reminds us, even a journey of a thousand miles begins with the first step. That step has been taken.

Image Credits:

Photo by Tara Winstead: https://www.pexels.com/photo/clear-mannequin-on-dark-blue-background-8386365/

For years, the government has sought to make India a preferred centre for international arbitration and mediation. Progress on the ground has however been slow. The wider use of modern technologies may prove to be a catalyst in this regard. This can also be a boost to improve the ease of doing business in India, especially at a time when, for various geopolitical and economic reasons, foreign direct investment is on the rise. At the same time, the burgeoning start-up scenario in India is attracting significant private equity and venture capital. A lot of intellectual property is being created in India and needs to be suitably protected. Especially because much of it has to do with emerging areas that are critical to the future of our country and indeed, the world.

POST A COMMENT

An Analysis of the Regulation of Children's Online Activities Under the Digital Personal Data Protection Bill, 2022

The DPDP Bill was tabled by the Ministry of Electronics and Information Technology on November 18, 2022, for comments. The purpose of the Bill was to provide for the processing of digital personal data in a manner that recognized both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. Though the object behind the proposed DPDP Bill appears to justify the need of the hour, the DPDP Bill has imposed certain additional obligations with respect to children.

Introduction

The internet has become an indispensable part of modern life. The significance it bears and the impact it has on young minds cannot be overstated. It provides them with access to a vast array of information and resources, including educational content, news, and entertainment. It also allows them to connect with others and form communities, whether it be through social media, gaming, or online forums. The use of the internet in day-to-day affairs of life has considerably grown over the past two decades. The leitmotif of this article is not to regurgitate the importance of the internet but to reflect on the intriguing debate over the regulation of the internet by parents with respect to children under the proposed Digital Personal Data Protection (“DPDP”) Bill, 2022.

The Gordian Knot

Section 10[1] of the proposed DPDP Bill deals with the processing of the personal data of children. The section states that ‘The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed’. Under the Bill, a child is defined as someone who has not completed eighteen years of age[2]. Every time a child creates an account, be it social media, gaming, or an OTT account, the Data Fiduciary[3] involved, which would be the platform providing the service, would necessarily have to secure the consent of the parent or legal guardian of the child before processing their data. The DPDP Bill also prescribes a penalty of up to Rs. 200 crores for its non-compliance[4].

The implications of this proposed section are vast. Currently, most social media platforms including Twitter, Facebook, and Instagram require the user to be above the age of thirteen years to create an account, without any requirement of parental consent. Practically speaking, these platforms do not verify the age as claimed by the user and thus, it is possible to provide incorrect age in order to create an account. The same goes for all other prospective Data Fiduciaries. From knowledge-providing platforms like YouTube and Quora to entertainment or gaming platforms like Spotify and Stream, all these platforms currently have set thirteen years as the minimum age to create an account and enjoy these services. To comply with the DPDP bill, in case it is passed, the platforms would not just have to modify their own terms and conditions for the Indian jurisdiction but also have to come up with a verifiable parental consent requirement mechanism. Since most platforms and websites on the internet require the creation of an account to access the features or services fully, enforcing Section 10 of the DPDP bill would require an entire overhaul of how the internet functions. There would have to be parental consent forms and verification mechanisms in almost all corners of the internet.

While mandating such monitoring of every online activity of a child might sound fit in an average conservative Indian household, it is important to understand that doing so fundamentally alters the very forte of the internet – accessibility to information. Curtailing this would have detrimental effects on any child’s development, by allowing the parents to restrict any chances of the child’s exposure to perspectives that might not agree with their own. This would also be in defiance of Article 13 of the Convention on the Rights of the Child[5], which India had signed and ratified on December 11, 1992. The Article promotes the “right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers” for children.

Untying the Knot

Perhaps one way to mitigate the issues that could arise if the proposed section is brought into effect is by introducing gradation in the age limit that it specifies consent for. In this respect, inspiration can be taken from the Indian Penal Code, 1860,[6] which categorizes children and provides for classification based on age (below 7, from 7 to 12, etc.) to determine the law applicable to them. Even the much popular General Data Protection Regulation, 2016 of the European Union allows member states to lower the age of the child to 13 years to determine if parental consent would be needed or not[7].

The rigidity with respect to parental consent should also be based on a model which considers the evolution and development of children at different ages. France’s model of children’s data privacy rights under the French Data Protection Act, 1978 which was heavily amended recently in 2018, could also be looked at. Article 45 of the said Act[8] introduces the concept of “Joint Consent”. It states that ‘If the child is under 15 years of age, the processing will be lawful only if consent is given jointly by the child and the holder(s) of parental responsibility over that child.’ This, in essence, means that the consent is based on a mutual agreement between the child and the parent(s) holding parental rights. With respect to children above the age of 15 years, the Act allows them to give their own consent.

Conclusion

Thus, while it is ultimately up to the lawmakers to resolve, they must keep in mind the logistical and sociological effects of enforcing mandatory parental regulation on children’s online activities. If not by reducing the age to a more reasonable one, as done by other jurisdictions, systems like gradation in age or joint parental-child consent should be put in place. In the case of Faheema Shirin R.K. vs State of Kerala[9], the Kerala High Court, specifically speaking in the context of students, stated that the right to access the internet forms a part of freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution. In the said case, it was held that ‘Enforcement of discipline shall not be by blocking the ways and means of the students to acquire knowledge’. The concept of “best interest of the child” which is much popular in custody and guardianship cases and puts the best possible alternative for the child before the rights of the parents, could perhaps be interpreted broadly and acknowledged by the lawmakers with respect to the present debate as well.

References:

[1] Section 10, The Digital Personal Data Protection Bill, 2022.

[2] Defined under Section 2(3), The Digital Personal Data Protection Bill, 2022.

[3] Defined under Section 2(5), The Digital Personal Data Protection Bill, 2022.

[4] Section 25, The Digital Personal Data Protection Bill, 2022.

[5] Article 14, Convention on the Rights of the Child, 1989 [General Assembly resolution 44/25].

[6] Sections 82 and 83, Indian Penal Code, 1860.

[7] Article 8, General Data Protection Regulation, 2016.

[8] Article 45, French Data Protection Act, 1978.

[9] Faheema Shirin R.K vs State of Kerala, 2019 [WP(C)No.19716 OF 2019(L)].

Image Credits:

Photo by Pavel Danilyuk: https://www.pexels.com/photo/woman-using-a-laptop-with-her-daughter-7055153/

While it is ultimately up to the lawmakers to resolve, they must keep in mind the logistical and sociological effects of enforcing mandatory parental regulation on children’s online activities. If not by reducing the age to a more reasonable one, as done by other jurisdictions, systems like gradation in age or joint parental-child consent should be put in place.

POST A COMMENT

Music on the Block: How Music Artists can Benefit from Blockchain Technology

All of us make use of music streaming services quite frequently. But have we ever stopped to wonder how the creators or artists get paid for their music? More often than not, music artists are forced to settle with modest royalty earnings. Nevertheless, the advent of blockchain technology has ushered in a new era and this technology has the potential to ensure that music artists get adequate compensation for their efforts and talent.

All have enjoyed music throughout the ages. The music industry has evolved from EP records to Cassettes to CDs to MP3s. Currently, music is enjoyed predominantly via digital streaming platforms such as Spotify, and Apple Music, and closer home services such as Airtel Wynk, Times Music, JioSaavn, etc.

However, the growth in streaming services like Spotify has not benefited individual artists who typically receive very little royalty overall because of slowing album sales. Taylor Swift, a famous musician, went to the extent of removing her music from Spotify due to the low per-stream royalty.

The advent of blockchain technology has set the stage for the music industry to undergo another evolution. With the blockchain, artists can create a token-based economy where the value is derived from an artist’s work. When a token is created, the artists convert their intellectual property into a financial asset that all of us can purchase. All holders of this token receive a portion of the artists’ revenue. Hence the more consumers of the content, the higher the token’s value. An artist thus can raise revenue through the launch of a token.

Tokenization of the asset also assists in the removal of the middleman. Currently, recording labels take away the majority of the gains. Recording labels also act as hindrances many a time for the entry of new artists into the business. A system based on blockchain eliminates the middleman, thus putting the power back into the hands of the creators. Funds are raised by fans rather than the recording label via tokenization. The flip side of this model is the lack of users.

A few platforms exist such as Theta.tv,  the YouTube of Web 3.0, or Audius (which is said to be the equivalent of Spotify or Apple Music). Having used these platforms, it is safe to say that though there is a vast scope, their success and similar platforms will depend on the consumers or users.

Artists can also utilize Non-Fungible Tokens (“NFT”) to create a new vertical of revenue generation from their work. Purchasing music as NFTs holds much value for both the creator and the collector. For one, there is a transfer of ownership.

In a world driven by music streaming, the conundrum arises of why a purchase of the rights in music would be required. The answer, as always, lies in the monetization of the asset. The purchaser sees value in buying the rights and reselling them later for a potential profit. Such music NFTs benefit artists at both the initial sale pricing and the secondary sales. Artists can earn from secondary sales in the form of royalties, especially if the underlying smart contract attached to the music NFT is so that they can earn future royalties on such sales.

Platforms such as Async.art help artists mint NFTs of their musical works, and Catalog Works let music fans bid on digital records. Award-winning artist, Ross Golan who has worked with renowned artists like Ariana Grande and Justin Bieber, and rock bands such as Maroon 5 and Linkin Park, also recently minted The World’s First NFT Musical, The Wrong Man.  

There is still much grey area regarding the synergy between blockchain and music. However, the benefits, as well as the various avenues, are something that cannot be denied. In time, we are confident of innovative music-focused NFT projects, which will hopefully allow the creators or artists to get the compensation they deserve for their craft.

Image Credits:

Photo by Matthias Groeneveld: https://www.pexels.com/photo/set-of-retro-vinyl-records-on-table-4200745/

The advent of blockchain technology has set the stage for the music industry to undergo another evolution. With the blockchain, artists can create a token-based economy where the value is derived from an artist’s work. When a token is created, the artists convert their intellectual property into a financial asset that all of us can purchase. All holders of this token receive a portion of the artists’ revenue. Hence the more consumers of the content, the higher the token’s value. An artist thus can raise revenue through the launch of a token.

POST A COMMENT

The Curious Case of the Robolawyer (No, it's not a Perry Mason Novel!)

With the advent of technology, there is a drastic increase in the use of AI (Artificial Intelligence) which has significantly altered the way technology is perceived and will have a far-reaching impact in the future. Hence, it becomes necessary to try to minimize its shortcomings and make prudent use of the technology.

I do not know how many of you have heard of Joshua Browder, the 26-year-old founder of DoNotPay, a US-based venture that has developed a “robolawyer”- essentially an AI-powered bot that helps users in use cases such as appealing vehicle parking tickets, negotiating airline ticket refunds, and contesting service provider bills. Although the app was first released in 2015, to be honest, until recently, I too had not heard of him or the app!

My curiosity was piqued when I recently read the news that his company is willing to pay a million US dollars to any person or lawyer willing to repeat verbatim in front of the Supreme Court judge all that their robolawyer asks them to. It remains to be seen whether someone will take Josh up on that offer, whether the US Supreme Court will grant permission and what the outcome will be. However, it is being reported in the media that the DoNotPay app will help two defendants argue speeding tickets in US courts next month. The company has promised to pay the fines on behalf of the users if the robolawyer loses their appeals.

The app runs on the AI model known as “Generative Pre-trained Transformer” or GPT. This is the same technology that runs ChatGPT, which reportedly hit a million users in less than a week of its launch. AI technologies are constantly improving, and there is now greater emphasis on “ethics” and “explainability.” Essentially, the software must be able to explain how it arrived at a certain conclusion or output. This is important to minimize, if not altogether eliminate, the risk of biases and prejudices that creep into AI software simply because it is trained using hundreds of millions of content elements on the web (articles, images, reports, videos, etc.) that were all created by humans, and as such, carry the individual beliefs, prejudices, convictions, etc. of their original creators.

Over the coming decades, AI will shake up many fields including legal practice, healthcare, finance, etc. Not all fields will be impacted at the same pace or to the same extent but change they will. Already, AI is being used by healthcare professionals in improving the efficacy of diagnosis and confirmation of lines of treatment. Law firms too are beginning to use AI to simplify the tedium of the process of trawling through case laws and legal judgments to identify precedents and the reasoning of the benches involved. Soon, lawyers will simply be able to type in questions into ChatGPT, which will provide well-reasoned answers in a matter of minutes. Of course, the real skill will be to ask the right questions and figure out how sensible the answers are, and decide on further courses of action. Think of it as an advocate briefing a senior lawyer before the latter argues in court.

Half-baked knowledge is dangerous. For many years, patients (and/or caregivers) have used search engines to find information about symptoms, diagnostic tests, and lines of treatment and then argue with qualified medical professionals about their choices, at times forcing doctors to explain their hypotheses and reasoning. It is quite likely that in the foreseeable future, clients of lawyers and law firms too will be tempted to adopt a similar approach, which means lawyers too will end up spending time and effort on educating clients on matters of law and jurisprudence. Maybe it is worth coming up with new pricing models to dissuade frivolous “brainstorming” and “legal strategy” sessions!

Note to myself: Try out ChatGPT to explore the kind of responses it provides and start preparing for a future that will undoubtedly be more closely linked with AI tools.

References:

[1] Design Application Numbers 274917, 274918, 284680, 276736, 260403

[2] 24 U.S.P.Q.2d (BNA) 1614 (BPAI Apr. 2, 1992)

[3] Apple, Inc. v. Samsung Elecs. Co., 926 F. Supp. 2d 1100 (N.D. Cal. 2013) (partially affirming jury damages award).

[4] US6763497B1

[5] US10915243B2

Image Credits:

Photo by cottonbro studio: https://www.pexels.com/photo/person-using-macbook-3584994/

Over the coming decades, AI will shake up many fields including legal practice, healthcare, finance, etc. Not all fields will be impacted at the same pace or to the same extent but change they will. Already, AI is being used by healthcare professionals in improving the efficacy of diagnosis and confirmation of lines of treatment. Law firms too are beginning to use AI to simplify the tedium of the process of trawling through case laws and legal judgments to identify precedents and the reasoning of the benches involved.

POST A COMMENT

Regulating Online Gaming Intermediaries - The Rules and their Implications

The Ministry of Electronics and Information Technology (MeitY) has released the draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules to bring online gaming intermediaries within the ambit of the IT Rules, 2021.

Background

Online gaming is one of the fastest-growing industries in India with the number of gamers expected to increase by 30 million from 2022 to 2023[1]. Following the increase in the number of users, it has become imperative that appropriate laws are introduced to regularize the online gaming industry. On January 02, 2023, the Ministry of Electronics and Information Technology (“MeitY”) proposed an amendment to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”). The IT Rules, in its current structure, provide regulation for social media intermediaries and significant social media intermediaries. The Draft[2] “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules” (the “Draft”), which is open for consultation from the public, proposes to extend its ambit to ‘online gaming intermediaries’ forming a part of Part II (that relates to other intermediaries).

The Draft defines “online gaming intermediaries” and “online games” but lacks to provide a clear distinction between “games of chance” and “games of skill”, which has been a sticky issue over the years. The Draft further proposes (inter alia) the following changes –

  • All online games would be required to be registered with a ministry-approved self-regulated body by creating a self-regulatory framework, to be registered with MeitY. The self-regulatory body will be responsible for reviewing and registering the online games offered by its members, subject to certain prescribed factors. Games approved by the self-regulatory body may be offered with a visible mark signifying their registration.
  • The proposed rules also mention certain compliances that need to be made by the social media firms such as checking the registration of the online gaming intermediary and consulting the self-regulatory officer before allowing any advertisement on their platform.
  • The online gaming intermediary shall comply with the requirement of due diligence and shall additionally ensure they do not host any online game that does not conform with Indian laws and shall make additional disclosures to the users including the refund and withdrawal policy, financial risks, and other risks associated with gaming, measures that are in place to ensure the safeguarding of deposits, etc.
  • In addition to the above, a new set of due diligence requires compliance with mandatory know-your-customer(KYC) norms for user verification as per Reserve Bank of India norms.
  • Similar to the requirement for social media intermediaries, requirements of appointment of a resident ‘compliance officer’ and ‘grievance officer’ have been mandated along with ‘nodal officers’ for round-the-clock coordination with law enforcement agencies and officers.
  • The online gaming intermediaries need to have a physical address in India and the same is required to be published on their website.

Purpose of the Draft

The purpose of the Draft, if it becomes the law, is to protect the interests of different stakeholders, ensure the safety of players and encourage responsible gaming.  The Draft is also put together to bring about uniformity of laws that online gaming intermediaries may be required to follow by reducing the burden of following state-specific gaming measures making it, not just easier for online gaming intermediaries to comply with the law, but also helps the enforcement agencies since it becomes difficult for the governments of different states to ensure geographical checks are in place. According to the ministry, the final amendments to the IT rules would be notified by April 2023.

Discussions & Implications

While the Draft seems to have been aiming at shaping a burgeoning gaming industry, the concerns around the Draft seem to be supplementing the already existing questions on the existing IT Rules.

At the outset, the question of whether ‘online gaming’ should remain a subject of the ‘States’ (as betting and gambling have traditionally been) or the ‘Centre’, remains unresolved. MeitY had earlier, in affidavits before the High Courts, consistently stated that is not within its purview and power to legislate on the subject and that rests solely on the states. Therefore, the introduction of the Draft without consultation and consensus amongst states seems not quite in line.

The ambiguity further extends to a lack of clarity on whether the Draft bans ‘gambling’. While IT Minister, Rajeev Chandrasekhar stated that “online games that allow wagering on the outcome are effectively a no-go area” there is no clear prohibition on ‘gambling’. The Rules only state, as a part of due diligence, online gaming intermediaries shall make reasonable efforts to ensure that online gaming platforms do not contravene any gambling or betting laws in India, which again differs from state to state.

An online game has been defined in the Draft as a “game that is offered on the Internet and is accessible by a user through a computer resource if he makes a deposit (in cash or in-kind) with the expectation of earning winnings”- In the absence of a definition of “gambling” and “betting” in the Draft and clarity on which category of games are sought to be regulated if the online game for consideration is sought to be regulated on one hand and gambling or betting content is prohibited on the other hand, remains a question[3]. While it may be assumed that the ‘kind’ component in the definition has been introduced to cover ‘non-monetary token’ or ‘online gaming currencies’, it may lead to the consequence where games that do not require any monetary incentive may also be included within the meaning of online games here. The definition can almost broadly cover all ‘gambling games’ within the purview of ‘makes a deposit (in cash or in-kind) with the expectation of earning winnings’. Would that mean that ‘gambling’ is brought within the purview of these Rules?

The Draft classifies online gaming platforms as ‘intermediaries’. Our understanding of the term ‘intermediary’ includes one that acts on behalf of another entity. However, in the case of online gaming platforms, we notice that most of them publish the gaming content themselves and do not host games on behalf of another. In view of the above, in an earlier debate, a government task force submitted a study stating that gaming platforms should be categorized as ‘publishers’ and not as ‘intermediaries’[4]. The question that remains unanswered is why we now bring online platforms within the purview of intermediaries thereby giving them passage to ‘safe harbour protection’ under Section 79 of the IT Act.

Apart from the few above-mentioned points, the Draft may expect push-back from various industry stakeholders on the Government’s over-arching power on issues of revocation of registration of self-regulatory bodies and exercising regulatory power for KYC. It is to be observed therefore how MeitY resolves the already existing issues on the IT Rules pending before the courts and accordingly brings about an amendment to the current online gaming Draft Rules catering to the purpose it mentioned in its notes[5] accompanying the Draft Rules.

An online game has been defined in the Draft as a “game that is offered on the Internet and is accessible by a user through a computer resource if he makes a deposit (in cash or in-kind) with the expectation of earning winnings”- In the absence of a definition of “gambling” and “betting” in the Draft and clarity on which category of games are sought to be regulated if the online game for consideration is sought to be regulated on one hand and gambling or betting content is prohibited on the other hand, remains a question.

POST A COMMENT

Private Sector Fuels India’s Space Economy

The Indian National Space Promotion and Authorization Centre (IN-SPACe) was set up in 2020 as an independent body to oversee regulation of all space related activities in India, including the authorization of private rocket launches. The government’s decision to allow the private sector into India’s space sector was aimed at broad-basing innovation capabilities and speeding up India’s ability to compete in the global market for space technologies- a high-growth market that has historically been dominated by a small number of players from the US and Europe.

This decision seems to be paying off, because India’s private sector has already become quite active across the value chain in the space sector. Nearly 300 entities are already registered with IN-SPACe, of which 30% are startups. On 18th November 2022, Vikram-S, a small single-stage rocket developed by Hyderabad-based startup Skyroot Aerospace, was successfully flight tested. This marks the beginning of “Prarambh”, the company’s sub-orbital mission. By year-end, Chennai-based Agnikul Cosmos expects to launch its small rocket too. Pixxel, another space startup, has already launched Shakuntala, India’s first privately built earth imaging satellite and a second satellite Anand. A consortium of L&T and HAL has been awarded a contract to build five PSLVs. This is the first time anyone other than ISRO has been tasked with this key responsibility- an indication of the government’s rising confidence in our private sector. The success is testament to the robust space sector ecosystem being built as a result of close collaboration between ISRO, IN-SPACe, academic institutions, and the private sector (both startups and established companies).

 

Why the Private Sector is Important for India’s Space Economy?

The capability to launch small rockets is critical because smaller rockets can place their payloads in more precise orbits. Also, they can be produced in shorter timelines by using 3D printing technologies. Miniaturization of components means that required functional capabilities can be achieved through smaller satellites. All this means that satellites with specific functional capabilities can be quickly assembled and launched. Smaller rockets can be easily fueled by liquid propellants, which are inherently easier to manage; they are also less prone to vibrations, which can become a challenge for launch vehicles that carry sensitive payloads.

Given rising geopolitical uncertainties, there is now a higher risk of conflicts between countries arising at short notice. Increasingly, wars will be fought using cyberattacks and directed energy weapons to degrade the enemy’s vital assets such as communication satellites and missile defence batteries. Swarms of weaponized drones too will be deployed to target and destroy vital military installations in remote, hard-to-access areas. In such a scenario, it becomes critical that as a country we can launch new satellites and other space assets quickly to replace lost capacities or augment and complement new space-based capabilities that are needed.

ISRO has successfully designed, developed, and launched heavy, multi-stage rockets into space. These technologies/capabilities have helped place many satellites in orbit and in turn, these are playing a key role in India’s development. ISRO has also developed the SSLV (Small Satellite Launch Vehicle), but unfortunately, its technology demonstration mission failed earlier this year. It is this gap that the private sector can help plug at short notice.

 

Public-Private Cooperation is Vital to Power India’s Space Economy

As various countries seek to build/enhance their space-based defence capabilities, countries like India can benefit from commercial contracts to launch satellites/other payloads and conduct defence missions in space. With defence capabilities increasingly relying on assets deployed in space, the evolution of India’s private sector space capabilities will also boost our credibility as a builder of solutions and not just as a provider of reliable, cost-effective space launch services. While ISRO continues to build its reputation as a reliable partner, it needs to scale up its ability to launch satellites for its customers. In October 2022, ISRO successfully launched 36 satellites for UK-based OneWeb (partly owned by the Bharti group), marking the use of the LVM3 rocket; this was also one of ISRO’s largest commercial orders. More such opportunities can come ISRO’s way because satellite-based internet services are rapidly becoming cost-competitive and an easy way to deliver connectivity to far-flung areas where building fibre-based infrastructure is difficult due to terrain and weather conditions.

It is estimated that by 2025, India’s space business will grow to US$12.8 Billion from US$9.6 Billion in 2020 (source: https://timesofindia.indiatimes.com/india/how-indias-space-startups-are-aiming-high/articleshow/95637043.cms). ISRO is a shining example of a public sector entity that has consistently overcome huge odds (including sanctions from time to time) to indigenously develop world-class capabilities in frontier areas like space technologies. Its ability to do much more has arguably been limited by budgetary support. And although launches are the most visible part of a space economy, they are by no means the only facet: design, development, manufacturing, building technology demonstration prototypes etc. are all just as important. Now, with the innovative energies and other resources available to the country’s private sector, significant synergies can be unleashed through public-private partnerships in the space sector.

References: 

Image Credits: Photo by Pixabay: https://www.pexels.com/photo/space-technology-research-science-41006/

With defence capabilities increasingly relying on assets deployed in space, the evolution of India’s private sector space capabilities will also boost our credibility as a builder of solutions and not just as a provider of reliable, cost-effective space launch services. While ISRO continues to build its reputation as a reliable partner, it needs to scale up its ability to launch satellites for its customers.

POST A COMMENT

AI Adoption: Behooves Heightened Responsibility & Higher Ethics

In July 2022, UK-based Artificial Intelligence (AI) firm Peak commissioned a benchmarking survey to study AI adoption in the USA, UK, and India. The study, jointly conducted by the Centre for Economics and Business Research, included 3000 senior decision-makers from companies with at least 100 employees; the survey was augmented by responses from 3000 middle-level staff as well.

A key finding was the inaugural Decision Intelligence (DI) Maturity Index, an indicator of how prepared businesses in these three jurisdictions were to adopt AI for commercial decision-making. The study found that over the past six years, the percentage of companies that have adopted AI technologies stood at 28%, 20% and 25% in the US, UK, and India respectively. While it was only expected that the US would be the leader, it was surprising that when it comes to leveraging AI in commercial areas, Indian companies ranked highest- they scored 64 (out of 100), while those in the US and UK respectively scored 52 and 44. 

The study also found that 18 % of US workers were unsure whether the companies they work for used AI at all; for India this figure stood at 2%. It was also revealing that Indian enterprises embedded data sciences capabilities within commercial teams, while their western counterparts relied more on central data teams[1]. Of course, it must be acknowledged that China is perhaps much further ahead in terms of deploying AI, although we will likely not get to know the details anytime soon.

 

AI will play a major role in how our world evolves

 

Consumers like you and me already experience the power of AI in the form of reminders from fitness apps or what books to read, shows to watch or music to listen etc. Intelligent parking assistance in some cars is another example of AI in action. AI is also at work when we see “deep fake” videos that look and sound so real. AI is not a new field; it has in fact been around since the late 1950s, which is when the term was coined. But it is only in recent years that AI has become less esoteric and more mainstream. 

This shift is due to rapid advances in computing power and speeds as also evolution of models and capabilities around natural language processing, voice recognition, machine vision and other allied areas. It is this pace and nature of AI evolution that gives experts the confidence that AI will play a key role in economic and social development, delivery of education and healthcare services, forecasting natural disasters and managing them, national security and much more.

Several national flagship infrastructure backbones in India, including the GST and Income Tax systems, Open Network for Digital Commerce (ONDC), Government e-Marketplace (GeM), the Unified Logistics Interface Platform (ULIP) and the Gati Shakti National Master Plan already have elements of AI embedded in them. India’s private sector too, has been actively working on AI-based projects and products that span different use cases and industry sectors.

 

India is taking steps to prevent unbridled use of AI- but “there are miles to go before we sleep”

 

A couple of decades ago, movie franchises such as “The Matrix” and “The Terminator” conjured up a world where machines take over the world. Today, the world is closer to being at a stage where inadvertent or deliberate misuse of AI can unleash unknowable harm to society. It can be argued that human avarice has already damaged our planet beyond redemption, but we have done that without much help from AI!

There have already been instances reported in media where the use of AI in some applications has thrown up evidence of discrimination and bias-negative traits that are patently human. The companies behind these applications have rolled them back but they signal a clear and present danger. There has also been much debate in recent times about whether AI-based programs are truly “sentient” i.e., capable of feelings. Maybe we are still some years away from truly sentient machines- or maybe they are already here. Either way, it is important to ensure that AI is governed by appropriate ethics to make it “responsible.”

Clearly, AI has great power; it must therefore also be used with great responsibility. “Responsible AI” has many dimensions, including reliability, safety, privacy, transparency, fairness, and accountability. Just as important is for humans to know how an AI system arrived at a certain conclusion or decision. While most of the above have to do with how AI powered devices and applications are designed and built, it is also critical to ensure that ethics govern how these devices and apps are deployed and what they are used for. 

In the absence of such mechanisms (and punitive actions for violators), think of the myriad privacy incursions that can be easily caused by physical surveillance using drones or digital eavesdropping of phone conversations. Even AI-powered software in place to analyze CVs to identify the “best” candidates can be misused to ensure that only candidates of a certain profile are hired.

AI ethics and governance needs to cover more than just individual companies that develop AI tools and applications. All stakeholders must work together to put in place an overarching framework that includes policies, laws, rules, and SOPs to ensure that AI does not become a Pandora’s Box. A key objective must be to ensure that there is mutual trust.

To support India’s burgeoning AI ecosystem, the Niti Ayog has begun to hold consultative discussions. Its report “AI for All” is grounded in the fundamental rights enshrined in India’s constitution. It suggests setting up of an expert committee comprising specialists in AI, cybersecurity, social scientists, law, various industry domains and representatives of government and civil society to create a regulatory/governance framework. 

Such a framework must necessarily be flexible, to accommodate unexpected changes powered by technological innovations. NASSCOM, India’s software industry association, has launched a Responsible AI hub to ensure that key stakeholders are engaged so that broader societal views are considered and factored into strategies and plans related to not just innovations, development, and deployment but also governance.

A survey by IBM Institute for Business Value has found that the responsibility for leading and upholding ethics has shifted to the CEO. 62% of business leaders agree that AI ethics is important to their organizations. It is a given that the world will never be a utopia. It is time that “leaders” in every field from around the world stand up and take necessary steps to prevent the world from becoming an AI-powered dystopia. AI is too important a domain to be left to the whims and fancies of individual countries, companies, or leaders- whether democratic, despotic, megalomaniac, idealistic or somewhere in between.

AI ethics and governance needs to cover more than just individual companies that develop AI tools and applications. All stakeholders must work together to put in place an overarching framework that includes policies, laws, rules, and SOPs to ensure that AI does not become a Pandora’s Box. The key objective must be to ensure that there is mutual trust.

POST A COMMENT

Card Tokenisation: Plugging Personal Information Leaks

Plastic money still captures a large portion of the market share despite the growing use of the Unified Payment Interface (UPI).  Recent data released by the Reserve Bank of India (RBI) indicates that there has been an increase of 16.3% year after year in the usage of debit and credit cards by Indian consumers in the last decade.

Nevertheless, this decade marked a shift to digital technology, augmented by governmental decisions and policies such as demonetisation, the introduction of UPI, and Digital India program, etc. that enabled Indian consumers to make a smooth shift to online payment solutions. The pandemic has also played a big role in this revolution. With face-to-face interaction minimized, the focus on digital products and payments skyrocketed.

Digital transactions are now considered the most sought-after payment mechanism in comparison to hard cash or currency for availing services and goods. As the number of transactions made through a mobile application or platform increases, customers usually prefer to save their card information on the merchant’s site or platform. Information saved on these sites and platforms is critical financial data of consumers and is considered sensitive personal data. The risk of misuse of such sensitive financial data by hackers or fraudsters looms over every individual, and cases of such misuse have garnered the attention of the authorities.

The RBI, through its notification dated 17th March 2020 had made it mandatory for payment aggregators to disable the storage of customer card credentials within the database or server of the company. Though a fixed date for implementation of this rule was not decided, RBI later issued notifications directing merchants to comply with this recommendation of not storing card data by 31st December 2021. Since then, the RBI has been extending the timeline for implementing tokenisation and as of today, the RBI has instructed all parties to delete the card information before 1st October 2022.

Card tokenisation is a process by which sensitive data of the cardholder is removed from the sites/platforms and replaced with randomly generated numbers and letters from the company’s internal network called tokens.


History


The groundwork for regulating this space of online payment and ensuring the safety of cardholders has been in line for a couple of years. As India is yet to formulate a dedicated data protection bill, the safety of a cardholder’s sensitive personal data stored on the merchant’s website was one of the major concerns of cardholders as well as the regulators. Moreover, the increase in data theft and leakage of debit and credit card details of cardholders did not really help in containing the concerns of the stakeholders.

In January 2019, the RBI released a notification whereby it permitted card networks to tokenise. This choice of tokenisation was made optional for the customers, and the permission was extended to all use cases like QR code-based payments, NFC, etc. However, such services could only be offered through mobile phones and tablets, and no other devices were permitted to offer such a facility at that time.

RBI later released the guidelines on the Regulation of Payment Aggregators and Payment Gateways, which made it mandatory for a payment gateway to not store customer card credentials within the database or on the server accessed by the merchant, with effect from 30th June 2021. This move reiterated the importance of safeguarding customer card details and the focus once again shifted to the introduction of a tokenisation scheme. Though the guidelines did not mention specifically tokenisation, they did find mention in the subsequent notification released by the RBI on Payment Aggregators and Payment Gateways on March 31, 2021. The guidelines called upon payment system providers to put in place workable solutions such as tokenisation to safeguard the interests of the cardholder.  In order to eliminate any ambiguity in the definition of ‘payment aggregators’ as defined in the Payment Aggregators Guidelines, the RBI explicitly stated that the Payment Aggregators Guidelines applied to e-commerce marketplaces that engaged in direct payment aggregation, and to that extent, e-commerce online markets that used the services of a payment aggregator were to be regarded as merchants.

The RBI further released a notification in August 2021 amending the 2019 notification by extending the scope of permitted devices that could use tokenisation. The present framework for tokenisation was extended to include consumer devices such as laptops, IOT devices, wearable devices, etc. A subsequent notification issued in September 2021 further allowed card-on files tokenisation. This notification permitted card issuers to offer the services of tokenisation as Token Service Providers (TSPs). The TSPs were permitted to tokenise only those cards that were affiliated with or issued by them. The notification also emphasised that no entity in the card transaction/payment chain, other than the card issuers and/or card networks, shall store the actual card data from 1st January 2022. Entities were only allowed to store limited data, like the last four digits of the actual card number and the card issuer’s name, for compliance and tracking purposes.

The earlier notification of removing all card details of customers with effect from 30th June 2021 was again extended to 31st December 2021 in view of the huge compliance hassle. This was again extended until 30th June 2022 and finally, the government set the latest deadline on 1st October 2022.


Functioning of Tokens


An e-commerce website, mobile application, or any merchant site for that matter, offers different payment methods to its consumers, which may range from cash to debit/credit card payment to UPI. When it comes to the authentication of the debit or credit card used by the consumer, the entire responsibility for authenticating the same vests is with the Payment Gateway service provider. The e-commerce platform or websites merely act as an intermediary to facilitate the trade and it is the responsibility of the Payment Gateway service provider to provide the technology to these platforms and websites that authenticates the card details. This process of authentication done by the Payment Gateway service provider is known as 2FA i.e., two-factor authentication. The process of authentication involves the registered bank of the customer sending a Time Password (OTP) to the registered phone number of the consumer to close the transaction. The OTP is the key that helps authenticate that the customer is the rightful owner of the card. Upon entering the correct OTP, the Payment Gateway service provider authenticates it and completes the transaction.

In general, a merchant website or an online portal is only allowed to store details like the cardholder’s name, the 16-digit number on the front of the card, the expiration date of the card and the service code, which is located within the magnetic stripe of the card. On the other hand, these portals and sites are strictly prohibited from storing information such as full magnetic stripe information, PIN, PIN Block and CVV/CVC number of the card.

After the guidelines kicked in on October 1, all the card details of individuals stored on the merchant’s website were automatically erased. All information concerning the cardholder, like the expiry date, PAN, etc., is replaced by the token. This token is a one-time alphanumeric number that has no connection with the cardholder’s account. Unlike the previous system, these tokens so generated do not contain any sensitive personal data of the cardholder.

An individual can tokenise his/her card in the following ways:

  1. The individual will have to visit the preferred merchant’s website for the purchase of any goods or services.
  2. The website will then direct the individual to the preferred payment option, and the individual will be able to enter his/her card details and initiate the transaction.
  3. The website will also contain another option called “secure your card as per RBI guidelines,” which basically generates tokens for the card.
  4. As soon as the individual opts for that option, a One-time Password (OTP) will be generated and sent via SMS or email to the individual.
  5. With the OTP being entered, card details are sent to the bank for tokenisation, which is then sent back to the merchant for storing the same for the purpose of customer identification.

The token so generated from one merchant website will not be applicable to every other merchant website. The cardholder will have to create separate tokens for each merchant website, and the use of the same token will not help in initiating the transaction.


Benefits of Tokenisation


Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

Tokenisation helps reduce data theft and leaks, as the tokens are in no way connected to an individual’s personal information. Moreover, the process of replacing sensitive personal information with tokens helps build trust and confidence among consumers.


Effects of these Regulations on the Industry


The RBI is striving to organize payment aggregators by bringing non-banking payment aggregators under its regulation. The RBI’s main goal in introducing these guidelines is to reduce fraud and protect customers’ interests. Placing the burden on payment aggregators to ensure that merchants are genuine and have no malicious intent will go a long way towards removing dishonest merchants from the market and safeguarding customers’ interests.

Payment Aggregators are instructed to credit reimbursements to the primary payment source rather than the e-wallet account. Previously, refunds were credited to an e-wallet, posing a challenge for consumers to utilize the monies somewhere else.

Although the RBI has reduced the required net worth from INR 100 crores to INR 25 crores, it will not be sufficient for small-sized entities (including start-ups) seeking to enter the industry. Many existing players will be forced to exit the market if they fail to meet the net worth requirements. Moreover, small businesses operating as payment aggregators would find it difficult to implement the required baseline technology suggestions owing to the high implementation costs. This will result in the removal of market competition, leading to an oligopoly, which would harm merchants’ interests in the long term.

It can be stated that these guidelines represent an important advancement in the Indian fintech industry and assure that customers’ overall interests are secured.

Conclusion

With the current atmosphere where there is intense scrutiny over an individual’s personal information, the scheme of tokenisation is a breath of relief for a lot of privacy enthusiasts and the public in general.

Image Credits: Photo by energepic.com

Many customers today prefer digital payment over the traditional mode, mainly due to the convenience of not carrying hard cash.  Since the frequency of transactions across such an online medium among customers rose significantly, they preferred to save the card details on the online portal for convenience’s sake. As the sensitive personal data of customers is stored in such portals, there is always a risk of leakage, theft, or merchant access to such information. Hence, tokenisation provides much-needed safety and assurance, which helps in not exposing the customer’s card details.

POST A COMMENT