CERT-IN's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction mandates all service providers, government organisations, data centres, intermediaries and body corporates to mandatorily report within 6 hours of noticing or being brought to notice of any cyber incident. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for a list of cyber security incidents that needed to be reported mandatorily by these entities mentioned above. The rules had previously listed 10 different types of cyber security incidents which need to be mandatorily reported. Apart from these 10 types, the new direction has also categorised data breaches, data leaks, attacks on IoT, and payment systems, fake mobile apps, unauthorised access to social media accounts and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3Dand 4D printing, drones as cyber security incidents which should be mandatorily reported. 

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with the CERT-In. The name and other details of the point of contact shall be sent to CERT-In and the entity should also ensure that it is updated every now and then when there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction mandates all entities mentioned in the direction to mandatorily maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and the same should be handed over to the CERT-In in the event of a cyber security incident or any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers to obtain KYC information from their customers. Further, these entities are also obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred. 

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) for synchronisation into the ICT system. Moreover, where ICT infrastructure of the entities are scattered in multiple locations, the entities are free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp

Image Credits: Image by Pete Linforth from Pixabay

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a body corporate in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared to the CERT rules 2013, the new directions have an expanded scope and applicability and a significantly increased compliance bracket for entities.

POST A COMMENT

New Labour Codes : How to Prepare for the Challenges Ahead?

A couple of years ago, India’s Parliament approved four new Labour Codes that cover important areas such as Wages, Social Security, Industrial Relations and Occupational Safety and Health. Labour reforms have been a long-pending agenda item for successive governments. The creation of these codes was aimed at modernizing, rationalizing and strengthening India’s arguably archaic labour-related laws. The new codes are also intended to attract investments into various sectors and make it easier to do business in India.

Although the Central Government notified these four new Labour Codes in September 2020, even now, a majority of states have not notified rules; less than half the states have even come up with draft rules. There has been some talk in recent days that the government may decide to implement the new codes effective 1 July. While this has not been officially confirmed, the inevitability of the implementation of the new codes makes it important for state governments to quickly come up with their draft rules and allow time for consultation so that loopholes and lacunae can be plugged before they come into effect. There will naturally be protests against the new laws because any change causes pain by forcing people outside their zones of comfort.

Once the new labour codes come into effect, two key changes will occur that will directly impact employees and organizations:

Working hours: It is expected that working hours may increase from the current 9 hours a day to 12 hours a day. The flip side, however, is that employees will need to work only four days a week, instead of the current five.

Take-home salary: The new wage code stipulates that an employee’s “basic salary” must be at least 50% of the total salary. This will cause changes to allowances and other perquisites that are widely used for tax planning purposes. A higher Basic Salary also means that deductions towards retirement benefits such as provident fund and gratuity will increase. In turn, this will reduce the net take-home salary for employees. However, this also means that employees will accumulate a much larger corpus of money when they retire, in effect, trading off current consumption with future security.

Adapting to this change will require companies to revisit policies, employment terms and contracts and even operating procedures. It may require fresh investments in amenities for workers and other employees at factories, construction sites, stores etc. New compliance requirements will arise, which means that business leaders, HR teams and those responsible for compliance must gear up to ensure that the organisation remains compliant with the new set of rules. This task becomes more difficult because the new codes have amalgamated a number of laws. For example, four laws have been amalgamated into the Wage Code, three into the Industrial Relations Code, nine into the Social Security Code and thirteen laws into the Occupational Safety, Health and Working Conditions Code, 2020.

Organizations must also keep in mind that these new codes will need to be implemented in tandem with hybrid ways of working. Even when employees were required to work for only 9 hours a day, there have been many instances of individuals (across industries and companies) working for 14 hours a day in a “work from home” model. Care must be taken to ensure that work-life balance is not further damaged by the extended working hours that the new codes provide for.

Business organizations with offices and production facilities in multiple locations spread across a number of states will need to be extra careful to ensure compliance with every state’s laws. Enterprises considering M&A will need to evaluate the costs of compliance with the new labour codes as part of their due diligence and strategic/financial assessment during valuation. Expert advice will be needed to minimize the pain that will inevitably accompany the transition. But given the intent of the new labour codes, it is fair to say that if they are backed by pragmatic rules, they will surely play a key role in accelerating the country’s economic growth in the years ahead.

Image Credits: Photo by Pop & Zebra on Unsplash

Adapting to this change will require companies to revisit policies, employment terms and contracts and even operating procedures. It may require fresh investments in amenities for workers and other employees at factories, construction sites, stores etc. 

POST A COMMENT

Revised Guidelines and Standards for Charging Infrastructure for Electric Vehicles: An Analysis

To promote e-mobility in India, the Ministry of Power, on 14th January 2022, introduced the revised consolidated Guidelines & Standards for Charging Infrastructure for Electric Vehicles (hereinafter, the Guidelines).[1] The Guidelines play a pertinent role in facilitating the e-mobility transition in India by increasing the affordability, accessibility, and reliability of the charging infrastructure. These guidelines are comprehensive as they deal with issues ranging from public charging stations to the tariff for the supply of electricity.[2] This article aims to study the provisions under the recent Guidelines, analyse the same, and delve into the suggestions for their effective implementation.

Exploring the Contours of the Electric Vehicle Infrastructure Guidelines

 

The Guidelines allow individuals to charge the Electric Vehicles (hereinafter, “EV”) at their residences and places of work with the help of their existing electricity connections.[3]  A private entity is free to set up a public charging station till the time it complies with the standards and protocols laid down by the Ministry of Power, Bureau of Energy Efficiency and Central Electricity Authority (CEA) from time to time.

The government, through the new Guidelines, aims to establish a grid of 3x3km for the EVs.[4] On the highways, a charging station would be available within every twenty-five kilometres. These charging stations would be present on both sides of the highways. To facilitate this goal, the government may resort to the installation of public charging stations at the existing outlets of the oil marketing companies.[5] It is interesting to note that the Guidelines also target heavy-duty EVs such as trucks and buses. A separate list of compliances, such as the requirement of at least two chargers of a minimum 100 kW (with 200-1000 V) each, has been specified for the long-distance and heavy-duty EVs.[6]

Under the Guidelines, the public charging stations can apply for electricity connection and the distribution licensee would provide the same as per the timelines provided under the Electricity (Rights of the Consumers) Rules, 2020.[7]  The public charging stations set up in metro cities would be able to have connectivity within the seven days of applying.[8] The deadline extends to 15 days in the case of other municipal areas and 30 days in rural areas. The Guidelines also present the option of procuring power from any power generating company through open access.

To provide for advanced remote or online booking of charging slots, it is necessary for the public charging station to have a tie-up with at least a single network service provider. This would allow the EV owners to have the requisite information pertaining to various aspects such as a number of the installed and available chargers, location, and applicable service charges. While acknowledging that few public charging stations would be set up for internal use of an entity, the Guidelines additionally mention that no network service provider tie-ups are needed in that instance.

One of the key features of these Guidelines is that they provide for the single part tariff for the electric supply to the public charging stations, which would not extend the average cost of the supply until March 31st, 2025.[9] A separate meeting arrangement would be provided for the public charging stations, as opposed to the domestic charging, so as to ensure that the consumption is recorded and billed in line with the applicable tariffs. To further reduce the cost, the government has provided electricity at concessional rates along with the subsidies to set up the Public Charging Stations. Moreover, the state governments would be fixing the ceiling of service charges, which are to be levied on these charging stations.[10]  The Guidelines, inter alia, provide that the DISCOMs may leverage on the funding from the Revamped Distribution Sector Scheme for the augmentation of the general upstream network, which is necessitated due to the upcoming charging infrastructure. It specifies that the “cost of such works carried out by DISCOMs with the financial assistance from the Government of India under the revamped scheme should not be charged from the consumers for the Public Charging Stations for EVs.”[11]

The recent guidelines play an instrumental role in ensuring the process of charging is made affordable for EV users. The public charging stations would be set up on a revenue-sharing basis at the fixed rate of Rs 1/kWh.[12] More and more public charging systems would be set up by using the land available with the government and private entities.

It is pertinent to note that a phased manner would be followed with respect to the rolling out process. Phase I, which ranges from the first to third year, would target all the megacities having a population of over four million. In this phase, all the existing expressways and important highways linked with the above megacities would also be included. Thereafter, under the second phase (which would range from the third to the fifth year) would cover certain big cities, state capitals, and headquarters of the Union territories.[13]

Moreover, these Guidelines are made technology agnostic because they provide for prevailing international charging standards available in the market as well as new Indian charging standards.

The Bureau of Energy Efficiency would be the central nodal agency for the rollout of the EV public charging infrastructure.[14] Moreover, every state government can have its own nodal agency for the purposes of setting up the requisite infrastructure.

 

Requisites of Electric Vehicle Charging Stations

 

The Guidelines can be perceived as a massive step forward to promote the adoption of EVs in India by increasing accessibility and affordability. They should be lauded for introducing a reliable economically viable and coordinated system to regulate the charging of such vehicles. They further tend to address the long-existing lacunae, which persisted with respect to the applicable tariffs.

In India, one of the reasons as to why the adoption of EVs has been quite staggered is because, according to the data with the Ministry of Road Transport and Highways (“MORTH”), for 9,47,876 registered cars, only 1028 public charging stations are there.[15] This was observed by the Bureau of Energy Efficiency. Therefore, from the above figure, it could be clearly observed that the country does not have the necessary infrastructure to cater to the growing demand for EVs. These guidelines have identified the existing problem and provided appropriate solutions for the same. As discussed above, apart from the installation of an adequate number of public charging stations, the individual consumers will also have the option of charging the EVs at their homes or places of work. The Guidelines state that under private charging, the batteries of the privately owned cars are charged through the domestic charging points and the billing is done via the home or domestic metering.  On the other hand, for charging outside the home premises, the power needs to be billed and payment needs to be collected. Moreover, the power drawn from these chargers is regulated from time to time.

The provision of private charging, in addition to public charging, would overall result in consumer welfare as now the private users do not have to rely completely on the government for the charging process. They can bridge the implementation gap by setting up their own charging stations. Further, the government has also been taking the right steps to bring down the price of electric vehicles by providing subsidies. At present, the price of the majority of Electric two-wheelers and three-wheelers are almost equivalent to their petrol counterparts.[16]

India has set the target of meeting 30% EV sales penetration for private cars, 70% for commercial vehicles, 80% for two and three-wheelers, and 40% for buses by 2030.[17] However, earlier this goal seemed unachievable due to the high costs associated with EVs and lack of the required infrastructure for public charging stations. The new Guidelines strive to make certain that the country is back on the track to meet the above-mentioned objective. This has been possible due to the subsidies that have been provided by the government. It is predicted that the sale of the total electric vehicles in India would reach approximately 10 lakh units. This number is equal to the units sold collectively in the last fifteen years.[18] Apart from this, the government has introduced a portal called e-Amrit to make India a more conducive place for the manufacture and adoption of EVs.[19]

Furthermore, the Guidelines aim to strike a balance between accessibility and safety. By allowing private entities to set up charging stations, the government has not only made the charging of EVs more feasible for individuals but has also reduced its burden of being the sole provider of the charging stations.  Annexure 3 lay down a list of requirements to ensure that the safety protocols have been followed[20]

Instrumental Role Played by EV Charging Infrastructure

 

The Guidelines would play an instrumental role in transforming and shaping the future of the use of EVs in India. They have efficiently recognized the existing issues and have formulated promising ways for addressing the same. Not only would they help in promoting energy security, but would also help in the reduction of emissions that are harmful to the environment which is a major concern at the global level. This would enable the country to take a step forward in the direction of its concern to save the environment and sustainable development.

However, the success of these Guidelines entirely depends on their effective implementation. Therefore, both central and state governments shall play a crucial role in its success in introducing a user-friendly EV policy. It is suggested that the Central Government or the Central Nodal Agency should keep a check on the performance of all the States with regards to the Guidelines. It should ensure that the development is taking place in a continuous and coordinated manner. Moreover, since the private individuals and entities for public use are free to set up their own charging stations, measures should be taken to ensure that the safety standards are strictly being met.

References:

[1] https://powermin.gov.in/sites/default/files/webform/notices/Final_Consolidated_EVCI_Guidelines_January_2022_with_ANNEXURES.pdf

[2] https://www.business-standard.com/article/economy-policy/power-ministry-revises-norms-for-pro-actively-setting-up-ev-charing-infra-122011500778_1.html

[3] https://auto.economictimes.indiatimes.com/news/industry/guidelines-and-standards-for-ev-public-charging-stations-released-owners-can-charge-at-home-or-office-too/88941883

[4] https://economictimes.indiatimes.com/industry/renewables/what-budget-2022-can-do-to-power-up-ev-charging-scene/articleshow/89069935.cms

[5] https://mercomindia.com/ministry-of-power-guidelines-ev-charging-infrastructure/#:~:text=As%20per%20the%20new%20guidelines%2C%20public%20charging%20stations%20will%20be,30%20days%20in%20rural%20areas.

[6] https://powermin.gov.in/sites/default/files/webform/notices/Final_Consolidated_EVCI_Guidelines_January_2022_with_ANNEXURES.pdf.

[7] https://powermin.gov.in/sites/default/files/uploads/Consumers_Rules_2020.pdf

[8] https://www.news18.com/news/auto/government-allows-ev-owners-to-charge-cars-using-existing-electricity-connections-4666697.html

[9] https://www.thehindu.com/news/national/revised-guidelines-for-charging-infrastructure-for-electric-vehicles-issued/article38275645.ece

[10] https://indiaesa.info/resources/ev-101/3924-public-ev-charging-infrastructure-in-india.

[11] https://powermin.gov.in/sites/default/files/webform/notices/Final_Consolidated_EVCI_Guidelines_January_2022_with_ANNEXURES.pdf

[12] https://www.freepressjournal.in/india/owners-of-evs-can-now-charge-them-at-their-residenceoffices-using-their-existing-electricity-connections

[13] https://economictimes.indiatimes.com/industry/renewables/govt-land-to-ev-public-charging-stations-through-bidding/articleshow/88917938.cms?from=mdr

[14] https://beeindia.gov.in/content/e-mobility

[15] https://www.hindustantimes.com/india-news/govt-allows-use-of-existing-power-connections-to-charge-evs-101642392095051.html

[16] https://www.hindustantimes.com/india-news/govt-allows-use-of-existing-power-connections-to-charge-evs-101642392095051.html.

[17] https://www.hindustantimes.com/india-news/budget-2022-special-mobility-zones-for-evs-soon-101643699503104.html#:~:text=her%20budget%20speech.-,India%20has%20set%20a%20target%20of%2030%25%20EV%20sales%20penetration,and%20three%2Dwheelers%20by%202030.

[18] https://www.news18.com/news/auto/electric-vehicles-sales-in-india-expected-to-touch-10-lakh-units-in-2022-smev-4630505.html.

[19] https://www.india.gov.in/spotlight/e-amrit-accelerated-e-mobility-revolution-indias-transportation#:~:text=e%2DAMRIT%20is%20a%20one,%2C%20charging%20stations%2C%20business%20requirements.

[20] https://powermin.gov.in/sites/default/files/webform/notices/Final_Consolidated_EVCI_Guidelines_January_2022_with_ANNEXURES.pdf.

Image Credits: Image by Photo by Michael Marais on Unsplash

The success of these Guidelines entirely depends on their effective implementation. Therefore, both central and state governments shall play a crucial role in its success in introducing a user-friendly EV policy. It is suggested that the Central Government or the Central Nodal Agency should keep a check on the performance of all the States with regards to the Guidelines. It should ensure that the development is taking place in a continuous and coordinated manner.

POST A COMMENT

IS17428 -A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of India Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed as an assurance extended to the customers/users by the organizations of well-implemented privacy practice. The BIS being a statutorily created standard-setting body of our country will bring some welcome change in our data management.  

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data protection bill was expected to be tabled in parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year, however, it was sent to the Joint Parliament Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later ISO27701 was specifically introduced that focused on Privacy Information Management.  However, our Indian enactment has not specifically endorsed any such standards though Standards formulated by the industry association that is approved and notified by the Central Government are also deemed appropriate.  In this background, BIS introducing a standard is a welcome initiative as it will help in bringing uniformity in terms of the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them and when such collection is through an indirect method employed by the organisation, then it is the duty of the former to convey by the same in an unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers
Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, provision access to the information and the means to update the information.

 

How IS 17428 would help in Privacy and Data Protection? 

 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

 

The proposed data protection legislation and the IS 17428

 

The IS 17428 standard has been inspired primarily from the principles dictated from OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation on the other hand has many divergences from the above instruments in many respects. For Instance, the IS standard has an elaborate description provided for the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill but nevertheless, the standard has recommended a few other factors such as geographical operation, industrial domain and type of individuals as specific factors to be taken into consideration while drafting the privacy objectives. How much discretionary privacy standards can be created, what is allowed freedom for industries in this regard is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, has it failed to take into account the special requirements contemplated under the PDPB, 2019 which may eventually become the law of the country thereby, once this law is enacted, this standard will also be required to be modified. The government has not made any announcement as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data protection bill around the corner, the Data Protection Authority envisaged being constituted under the legislation which shall have the power to issue code, guidelines, and best practices for protecting the privacy of data subjects. How IS 17428 standards framed by the BIS will be looked at by the DPA or the proposed rule will offer a different set of practices shall be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

POST A COMMENT

Global Captive Centers in India: Can Add Value if Set Up Differently

Major forces of change, such as the emergence of new technologies, maturing of platform-based business models and other competitive threats are forcing businesses to transform themselves. Another driver of large-scale change is the pandemic, which has led to new ways of working. Hybrid models, where a large chunk of employees work remotely and not from a designated office space, are now becoming the norm. Although some companies have begun to announce plans for their employees to return to workplaces, the consensus opinion is that a hybrid model is going to become the new norm because it significantly reduces operating costs; also, employees are finding it more convenient.

One area where the above changes are clearly visible relates to how large and medium enterprises across industries are looking at outsourcing to countries such as India. In recent years, the contours of both IT outsourcing and BPO have evolved rapidly; the above-mentioned forces of change are only accelerating the velocity of change.

A survey by NASSCOM recently found that by 2025, MNCs are likely to set up 500 new Global Captive Centers (GCCs) in India. Until two years ago, the number of such units established annually was around 50. This demonstrates that India’s large talent pool continues to be attractive. But it’s a different world we live in than even five years ago.

Earlier, most MNCs viewed their GCCs in India as low-cost delivery centers and design, architecture, prioritization of projects etc. were all the exclusive domain of Business/Technology leaders in the parent company. Cost arbitrage opportunities still exist in India vis-à-vis western countries, and thus, cost savings will remain an important objective for evaluating GCC performance. However, the ongoing shifts are raising the bar on how GCCs are expected to contribute to their parent organizations. Along with cost-efficient service delivery, enhancing automation, driving process innovation and enabling adoption of new technologies and architecture paradigms will all become important performance criteria. In some cases, there may even be expectations of new product innovations coming out of the Indian GCC.

MNCs will need appropriate operating models and talent to deliver on the potential. Employee contracts need to be suitably structured. IPR must be appropriately protected. Compliance with data privacy and other regulations must be ensured. As MNCs plan and implement their GCCs in India, they must keep in mind that India too is changing rapidly. They must formulate their strategies keeping in mind four specific factors:

  • Quality infrastructure (including reliable electricity and broadband connectivity) is now available across the country, and not limited to Tier 1 cities. This gives companies a wider choice of locating their GCCs.
  • As a result of reverse-migration triggered by the pandemic, talent too is available in smaller cities across the country. Given the possibility of remote working, the proximity to families and lower cost of living have become significant incentives; in fact, many employees prefer to live and work from such locations.
  • Many state governments are offering incentives to companies establishing operations in less-developed parts of their states and creating employment opportunities.
  • The country’s FDI, income tax and GST regimes are also frequently being tweaked to make India more competitive and business-friendly.

All this means that making choices and decisions around business objectives, investment routing, structuring and locations based on criteria and checklists that were relevant even a couple of years ago may lead to sub-optimal outcomes. Your GCC in India has the potential to be a global Centre of Excellence- so make sure that you make the right decisions so that your investments deliver ROI in ways that go far beyond cost arbitrage.

Mr. Sandip Sen, former Global CEO of Aegis and a well-known veteran of the BPO industry, put it thus: “These are exciting times for the Business Process Management industry for many reasons. Use of Artificial Intelligence (AI), analytics and higher levels of automation mean that players at the lower end of the value chain will need to raise their capabilities. In the next phase, GCCs will focus more on innovation as well as technology enablement aimed at enterprises to embrace ecosystem-based business models and higher levels of customer-centricity. But to achieve all this, companies have to take an approach that is very different from what they might have taken some years ago”.

 

Image Credits: Photo by Alex Kotliarskyi on Unsplash

MNCs will need appropriate operating models and talent to deliver on the potential. Employee contracts need to be suitably structured. IPR must be appropriately protected. Compliance with data privacy and other regulations must be ensured. 

POST A COMMENT

Project Cost in Infrastructure Projects: Concept, Challenges and Way Forward

The IMF and Central Statistic Organization had dubbed the Indian economy as the fastest growing economy back in 2019. Moving forward, in 2021 despite the havoc wrecked by the pandemic on advanced economies across the globe, the IMF has kept India’s growth forecast unchanged at 9.5%. In order to sustain India’s growth momentum, the development of country’s infrastructure sector is cogent. The National Infrastructure Pipeline has been the focus of current policies, with an unprecedented increase in capital expenditure allocation for FY 2021-22 by 34.5% to INR 5.5 lakh crore to propel infrastructure creation. However, the April-June 2021 report of The Ministry of Statistics states that 470 projects sanctioned by the centre suffered from a cost overrun of 61.5 percent, that is Rs 4,46,169.37 crore[1].

Project cost remains the central concern for any seminal discussion on infrastructural projects in India or around the world. This is the nebulous point where a host of stakeholders would converge to dispute, disagree, or litigate. This article aims to discuss the concept of project cost and its various implications for the different stakeholders involved.

Introduction to Infrastructure and Projects

 

Costs that are reasonably incurred for the acquisition and construction of infrastructure are referred to as infrastructure costs. Hence, Project cost could mean the total cost of an infrastructure project.  In India, there is no clear definition of the term infrastructure. However, on 1st March 2012, the Cabinet Committee on Infrastructure approved the framework to include a harmonised master list of sub-sectors to guide all the agencies responsible for supporting infrastructure in India. These sub-sectors include transports and logistics, energy, water and sanitation, communication, and social infrastructure. Out of the plethora of these sub-sectors, during the fiscals of 2020-2025, it is expected that sub-sectors such as Energy (24%), Roads (19%), Railways (13%) and Urban (16%) shall constitute 70%of the projected capital expenditure in infrastructure in India[2]. The total capital expenditure as per the report is expected to be 102 lakh crore Indian rupees. Furthermore, in India, the current investment in infrastructure is USD 3.9 Trillion, and the required investment is USD 4.5 Trillion, leaving a gap of USD 526 Billion[3]. Therefore, the energy and infrastructure sector are instrumental in generating tremendous employment opportunities and drive a substantial increase in GDP per annum in India as well as countries all over the world.

 

Structure of Project Finance Transactions

 

The main parties involved in a project finance transaction structure are (i) The Authority or the Government (ii) The Private Party Investors/Developers, Sponsors or Promotors and (iii) the Lenders. These three parties are key players responsible for the determination of project costs in infrastructure and construction projects. The principal point of convergence for these three players is the project company (i.e., also known as special purpose vehicle) set up by the private party investors under which the infrastructure project is formed and under which the project exists in the concession agreement. The project cost is mainly estimated by the private party and the lenders who would finance in the form of equity and debt. The typical financial structure for infrastructure projects has a debt-to-equity ratio of 75:25. However, the ratio may vary depending upon the risks involved.

                Illustration I: Key parties that influence the project cost of an infrastructure project

                                                                                                                     

 

Risks that affect the Determination of Project Cost

 

Every project has certain risks attached to its completion. These risks influence the determination of project costs by the authority, the private parties and the lenders. The risks, in turn, then affect the total cost of the project. The risks affecting the three parties are explained below:

 

                                Illustration II: Risks that affect the determination of project cost

    

 Risk for Authority

Risk for Private Party
Investors

Risk for Lender

Technical or physical risks

Economic or market risks

Economic or market risks

Risk relating to land acquisition

Construction and completion risk – cost overrun/time
overrun/delays

Financing risks

For eg. Technical or physical risks may include risks
associated with
technology during
construction and operation as well as social and environmental risks.

For eg. Economic or
market risks may include input and output price variations, variation in
demand, debt/equity financing as well as counterparty risks.

For eg. Economic or
market risks may include input and output price variations, variation in
demand, debt/equity financing as well as counterparty risks.

The other risks that affect the cost of the project are contractual and legal risks, resource and raw material availability risks, demand risks, design risks, force majeure, property damage, permits, licenses, authorization, supply risk, social and environmental risks.

 

The Major Risks affecting Project Cost in India: Cost Overrun and Time Overrun

 

Out of the myriad of risks affecting project cost, the major risks in India are the risks associated with cost and time overruns. As many as 525 infrastructure projects were hit by time overruns, and as many as 470 infrastructure projects, each worth Rs 150 crore or more, were hit by cost overruns of over Rs 4.38 Trillion owing to delays, according to a report by the Ministry of Statistics, cited previously[4] The main causes for time overruns are delay in obtaining forest and environmental clearances, delay in land acquisition,  and lack of infrastructure support.  As per the report, there are other reasons like delay in project financing, delay in finalisation of detailed engineering, alteration in scope, delay in ordering and equipment supply, law, geological issues, contractual complications and delay in tendering.

 

The Key Elements of Project Cost

 

The elements of ‘costing’ include variables such as raw materials, labour, and expenses. Thus, for infrastructure projects as well, at the time of estimation of cost, these variables would come into play. The factors affecting cost for a public-private partnership project could be the following:

 

                        Illustration III: Factors affecting Cost of Projects: PPP model projects

FACTORS AFFECTING COST OF PROJECTS : PPP MODEL PROJECTS

Materials

Labour

Consultants

Contractor

Client

External
Factors

Dispute
Resolution

Costs and delays
associated with procurement and delivery of materials, import costs

Availability or non –
availability of skilled labour.

Recurring changes in
design

Poor site management
and supervision

Change orders

Force Majeure events
and weather changes.

International dispute
resolution in outside jurisdictions[1]

Unavailability of raw
materials

Poor management of
labour

Delay in approvals and
inspections

Inept subcontractors

Political and policy
changes such as MII[2]

Approvals from
authorities

Costly and time-consuming
domestic litigation

Wastage and theft of
materials – 13 to 14 million construction waste (FY 2000-2001)[3]

Increasing cost of
labour

Inaccuracy in design,
costs associated with knowledge transfer

Poor planning,
scheduling and cash flow management by Contractors

Poor communication for
quality and cost

Accidents

High legal costs and high
arbitrators fees[4].
Non-realisation of arbitral awards and court decree amounts.

 

 

Case Study: The Mumbai Monorail – An EPC Contract Model

 

Time and cost overruns in projects lead to disputes and arbitrations. A suitable example is the  Mumbai Monorail which has entered disputes and arbitration between the Contractor and the Authority over its project cost[9]. The development authority MMRDA entered into a contract with L&T Scomi Engineering for the construction of the Mumbai Monorail project. The original project cost between the Private Party Investors and the Authority was estimated to be Rs 2,700 crore, after which disputes arose. The Authority had claims against the Contractor for not completing the project task on time. The arguments of the Contractor pertained to the cost escalations caused by delays due to the fault of the Authority.  In 2019, the Bombay High Court appointed an arbitrator to settle the dispute. Currently, the dispute is still in the arbitration stage. Furthermore, post-December 2018, the MMRDA had taken over the Operation and Maintenance of the Mumbai Monorail project from L&T Scomi Engineering. Due to the Make in India policy, the tenders for manufacturing of the Mumbai Monorail were altered to encourage manufacturers and Indian technology partners to participate and fulfil the demands of manufacturing the additional monorail rakes[10]. Among other issues currently plaguing the Mumbai Monorail project, such as unavailability of a sufficient number of rakes to keep the services running and an inadequate number of spare parts, the widening deficit between revenue and O&M costs, remains primary.   

   

Way Forward

 

As per the report by the Ministry of Statistics cited above, the reason for cost and time overruns can be largely attributed to the state-wise lockdown due to the COVID-19 pandemic, which has been causing great hindrance to the implementation of infrastructure projects. Time and cost overruns in projects lead to disputes and arbitrations. Furthermore, in the procurement stage of projects, biddings in India happen with the project sponsor underbidding for the project so as to survive the competitive market. However, the underbidding combined with lack of margin included in the overall costs by contractors or sponsors often overlook inevitable hidden and unforeseeable costs which in turn enhance the final costs of the project. For instance, the Mumbai-Monorail project is a classic example of cost overrun. The solution would be to have a clear understanding of the project agreements, risks involved in the project particularly the conditions of force majeure, an objective evaluation of project cost while bidding taking into account uncertainties relating to raw material procurement, labour laws, land acquisition and risks related to cost and time overruns due to decisions of the awarding authority or public policy or any of the factors described above. The compensation clauses should be coherent and unambiguous, and in line with actual project cost incurred in the project leaving less scope for future disputes and arbitrations. Furthermore, it would be useful for the contractors / concessionaires , while making claims in an infrastructure project, to do it in a timely manner while maintaining clear and systematic evidentiary documentation, to substantiate the claims that may have arisen during the course of the project.

References: 

[1] http://www.cspm.gov.in/english/flr/FR_Mar_2021.pdf

[2] Finance Minister Smt. Nirmala Sitharaman releases Report of the Task Force on National Infrastructure Pipeline for 2019-2025, dated 31 December 2019, Press Information Bureau, pib.gov.in (2019), https://pib.gov.in/Pressreleaseshare.aspx?PRID=1598055 (last visited Sep 17, 2021).

[3] Forecasting Infrastructure Investment Needs and gaps, Global Infrastructure Outlook – A G20 INITIATIVE, https://outlook.gihub.org/ (last visited Sep 17, 2021).

[4] 422nd Flash Report on Central Sector Projects (Rs.150 Crore and Above), March 2021, Ministry of Statistics and Programme Implementation Infrastructure and Project Monitoring Division (2021), Available at: http://www.cspm.gov.in/english/flr/FR_Mar_2021.pdf (last visited Sep 17, 2021)

[5] Joseph Mante, Issaka Ndekugri & Nii Ankrah, Resolution of Disputes Arising From Major Infrastructure Projects In Developing Countries Fraunhofer, https://www.irbnet.de/daten/iconda/CIB_DC24504.pdf (last visited Sep 17, 2021).

[6] Make in India Initiative, Government of India.

[7] Sandeep Shrivastava and Abdol Chini M.E. Rinker Sr., Construction Materials and C&D Waste in India, School of Building Construction University of Florida, USA, https://www.irbnet.de/daten/iconda/CIB14286.pdf (last visited Sep 17, 2021).

[8] Amendments to the Arbitration and Conciliation Act, 1996, August 2014, Law Commission of India, Report No.246.

[9] Larsen and Toubro Limited Scomi Engineering BHD vs. Mumbai Metropolitan Region Development Authority MANU 2018 SC 1151, Arbitration Petition (C) No. 28 OF 2017.

[10]Adimulam, S. (2021, March 2). Mumbai: Monorail rakes will be made in India. Mumbai. Retrieved September 17, 2021, from https://www.freepressjournal.in/mumbai/mumbai-monorail-rakes-will-be-made-in-india.

 

 

Image Credits: Photo by Wade Austin Ellis on Unsplash

The solution would be to have a clear understanding of the project agreements, risks involved in the project particularly the conditions of force majeure, an objective evaluation of project cost while bidding taking into account uncertainties relating to raw material procurement, labour laws, land acquisition and risks related to cost and time overruns due to decisions of the awarding authority or public policy or any of the factors described above.

POST A COMMENT

Education in India: Time to Connect the Dots and Look at the Big Picture

In the last few days, I read news reports that are seemingly unrelated on the surface. However, I think there exists a deeper connection for those willing to think outside the box. I thought I would use this article to articulate my thoughts on the connections and their possible implications for India. 

India’s New Education Policy expected to gain traction

The first item was about various initiatives announced by the Union government on the first anniversary of India’s National Education Policy (NEP). While internationalization, multiple entry/exit options, and digital education will be key pillars, one other important component is to enable students to pursue first-year Engineering courses in Indian languages.

In the context of the broad-brush changes envisioned to India’s education system, it is time to rethink the role of the UGC as a body that enables the nation’s higher education system in ways beyond disbursing funds to be recognized universities. There also ought to be more harmony between the various Boards that govern school education. The roles of bodies responsible for governing professional education in India- e.g., AICTE, NMC (which replaced the MCI), ICAI, ICSI, ICWAI, Bar Council of India etc. should also be redefined to ensure that India’s professionals remain in tune with the needs of a fast-changing world.

English will play an important role in our continued growth

The second report that caught my attention was on two main points made by Mr. Narayana Murthy (the Founder of Infosys), in a recent media interaction. He stated that it is high time that English be formally acknowledged and designated as India’s official link language, and greater emphasis is given to its teaching and learning in Indian schools. He said that his opinion is based on his first-hand knowledge of many technically qualified students in Bangalore/Karnataka who lose out in the job market largely because they lack a certain expected level of proficiency in English.

In the same interview, Mr. Murthy went on to say that on a priority basis, India needs overseas universities and vocational educational institutions to set up facilities in India to train students and teachers in key areas like nursing. This too makes sense because our healthcare infrastructure needs massive upgrades- and human resources will be critical.

China’s tightening regulations threaten its US$100 Billion EdTechc industry

The third report was on China’s recent decision to tightly regulate its online tutoring companies. The new rules bar online tutoring ventures from going public or raising foreign capital. There are also restrictions on the number of hours for which tutors can teach during weekends and vacations. In fact, the rules go so far as to make online tutorial businesses “not for profit”.

Different views have been expressed on why Chinese authorities have taken this step. Some see it as a means to reduce the cost of children’s education- and thus encourage couples to have more children. They point to this as a logical enabler of the recent relaxations in China’s two-child policy. Others view it as a step designed to clip the wings of Chinese tech companies that are deeply entrenched in many consumer segments, and have, over the past decade, acquired significant financial muscle.

To put into perspective the size of Chinese EdTech companies, consider this data point: Byju’s, arguably India’s largest EdTech company, was valued at over US$16.5 Billion as of mid-June 2021. Despite this high valuation, Byju’s would have been smaller than the top 5 Chinese EdTech players (on the basis of valuations that existed before the recent draconian rules came into effect).

Implications for India

The majority of China’s EdTech ventures are financed through significant venture capital investments from the west. Analysts expect that China’s sudden actions will, at least in the short run, divert capital to other locations. India could be a potential beneficiary because it already fosters a large EdTech ecosystem.

Given our demographics, we have a significant domestic market for education across all levels- primary, secondary, and college. Since digital education will likely become the norm, this space is ripe for newfangled innovations in the days ahead. If online education can bridge the gaps that employers currently perceive in our fresh graduates, unemployability rates shall notably decline. . This will not only contribute directly to our GDP but also indirectly stimulate innovation and entrepreneurship.

India has a large technical skill base. Some of these resources can easily be harnessed to develop next-gen education solutions using cutting-edge technologies such as AI, ML, Language Processing, Augmented Reality, etc. To begin with, Indian start-ups can build, test, and scale EdTech platforms and solutions for our domestic market. Over time, these can be refined and repurposed for global markets. Similarly, features built for the global market can be adapted to Indian markets, thus creating a virtual cycle. Such a trend will not only proffer legs to implementing India’s NEP but will also enable us as a society to improve access to education to underprivileged sections of the society. This is critical to sustaining our growth on the path of socio-economic development.

By taking the right decisions now, we can attract capital, talent, and world-famous institutional brands to this critical sector. EdTech in India has the potential to become a powerful engine of growth for our services sector. Done right, I have no doubt that in a few years, India can become a “Vishwaguru” not just in the spiritual sense, but also literally.

PS: As with many other sectors in India, the legal framework that governs education too needs to be made more contemporary and relevant, but that’s for another time.

Image Credits: Photo by Nikhita S on Unsplash

By taking the right decisions now, we can attract capital, talent and world-famous institutional brands to this critical sector. EdTech in India has the potential to become a powerful engine of growth for our services sector. Done right, I have no doubt that in a few years, India can become a “Vishwaguru” not just in the spiritual sense, but also literally.

 

POST A COMMENT

India Needs New Regulations - But Simplification of Compliance is Just as Critical

In earlier posts, I have touched upon the need for Indian laws to be updated to better reflect the current environment and foreseeable changes to it brought about by various forces, primarily technology-led innovation. This is not just because of the need to plug legal loopholes that are exploited to the nation’s detriment but also with the objectives of streamlining compliance and better enforcement.

 

Recently, the union government did exactly this when it announced a new set of rules to govern the operations of drones in India. A new draft of the Drone Rules, 2021, now out for public consultation, will, when approved and notified, replace the UAS Rules, 2021, which were announced in March 2021. The fact that the government has come out with a new set of rules within 4 months of issuing the earlier version is a welcome sign of change, as it signals recognition of a rapidly-changing environment as well as the importance of timely and appropriate responses.

Changes are aimed at simplification and less regulatory control

The new rules are remarkable for other reasons as well. At about 15 pages in length, the new rules are only a tenth of the earlier rules. The changes are not limited to the form; there are substantive changes too. The new rules seek to do away with a large number of approvals (e.g., Unique Authorization Number, Unique Prototype Identification Number etc.).  Licensing for micro drones for non-commercial use has been done away with. Recognizing the immense potential for drones to revolutionize our society and economy, the government proposes to develop “drone corridors” for cargo delivery. Prior authorization of drone-related R&D organizations is being removed. A drone promotion council is to be set up, in order to create a business-friendly regulatory regime that spurs innovation and use of drones. All this augurs well for the development of a robust drone ecosystem in India.

Implementing the “spirit” of underlying regulations is vital

The change to the drone rules is a welcome step- just as the consolidation of 29 of the country’s labour laws into four Codes during 2019 and 2020 was. But rationalization becomes futile if there is no element of reform- e.g., doing away with requirements that have outlived their utility or need significant changes to remain relevant in the current environment? There were many expectations around the Labour Codes, but in the months that followed, it is fair to say that there was also much disillusionment amongst industry stakeholders because sticky issues, such as the distinction between “employees” and “workers”, payment of overtime, role of facilitator-cum-inspector etc., remained.

Simplifying compliance is necessary to improve “ease of doing business” further

The World Bank’s 2020 “ease of doing business” report ranks India 63rd; we were ranked 130 in 2016. The 2020 report considered three areas: business regulatory reforms (starting a business, paying taxes, resolving insolvency etc.); contracting with the government, and employing workers. 

But there are miles to go before we sleep. To ensure that India’s entrepreneurial energies and creative intelligence are directed to areas that will be critical in the years to come- e.g., space, AI, robotics, electric vehicles, clean energy etc. all need new regulations or revamp of existing legislations and rules. But this alone will not suffice. Implementing the spirit, and not just the letter of the law and rules and the simplification of regulatory compliance are important angles that government must pay attention to. These are going to be key determinants in improving our “ease of doing business”.

 

Technology is a necessary enabler but it is not sufficient

All regulatory filings- whether for approvals or compliance- should ideally be enabled in digital format. Digital dashboards in the government and other regulatory bodies should facilitate real-time monitoring. Only exceptions or violations should need further actions. To be sure, the government has initiated some steps in this direction- e,g., “faceless” interactions between business and the Income Tax authorities with the intention to reduce human interventions and thus, the possibility of corruption. But if the underlying income tax portal itself is not working properly, as was widely reported soon after it was launched, the desired outcomes will not be achieved.

Moreover, it is not just about having the right technology platforms in place. It is equally critical to bring about a mindset change in the administrative machinery that helps political leadership formulate policy and thereafter, enable implementation and performance monitoring.

Given India’s large domestic market and attractiveness as a base for exports, we as a nation stand on the threshold of a phase of significant economic growth. Many Indian entrepreneurs are establishing businesses overseas; this means that the benefits of jobs, tax revenues and IPR creation all move to other jurisdictions. The longer anachronistic and irrelevant laws remain on our books, and the harder regulatory compliance remains, the more we stand to lose. In a world where global investment flows, trade and supply chains are facing significant change under the influence of numerous forces, it would truly be unfortunate if India loses out largely because of continued difficulties in regulatory compliance.

Image Credits: Photo by Medienstürmer on Unsplash

The longer anachronistic and irrelevant laws remain on our books, and the harder regulatory compliance remains, the more we stand to lose. In a world where global investment flows, trade and supply chains are facing significant change under the influence of numerous forces, it would truly be unfortunate if India loses out largely because of continued difficulties in regulatory compliance.

POST A COMMENT

Toy Manufacturing - BIS Compliances, Schemes, and Incentives

One of the key flourishing industries in the world, India’s toy market is currently valued at $500 million out of a booming $90 billion global market. Statistics reveal that 80% of Indian toys are Chinese imports, while non-branded Chinese toys account for 90% of India’s market. Even though exports by the toy manufacturing industry from India amounted to $130 million during 2019-2020 with the USA and UK [1]being the lead exporters, the disparity and unutilized potential do not escape one’s attention.

As the second-most populated country in the world with almost 26% of its population below 15 years old, India has one of the largest consumer bases in the world. In fact, when the global average for demand growth is 4.6% [2]it is forecasted to have a growth of 13.3% CAGR [3]within 2026 i.e. almost thrice the global average. Adding on to this the toy industry of the country is also expected to reach $3.3 billion dollars by 2024!

India’s economic growth has also increased the disposable income of its citizens, thus driving up demand in a market with a whopping consumer base of roughly 338 million. Moreover, there has been a major shift from traditional, medium- to low-end battery-operated toys, towards innovative electronic toys, intelligent toys as well as upmarket plush toys.[4] The boom of e-commerce in India has also had a role to play, with customers turning to shop for toys within the comfort of their own homes.

Associations and Committees Representing the Toy Industries in India:

 

1.Toy Association of India

  • Headquartered in New Delhi, the toy Association of India was established in 1995 with a view to bringing together toy manufacturers, traders and end-users to promote higher business relations.
  • It has a presence all over the country and has 600 registered members, out of which 275 are toy manufacturers.
  • Assists the toy industry in up-gradation of the industry’s units with modern machinery to maintain quality standards.
  • Attempts at creating a more conducive relationship between the government and the industry by offering policy recommendations, communicating the industry’s problems in the interest and growth of the toy industry.

2.The All-India Toy Manufacturer’s Association

  • Headquartered in Mumbai, All India Toy Manufacturer’s Association has nearly 150 registered members, out of which 100 are toy manufacturers.
  • It seeks financial assistance and subsidies from the government for the growth of the toy industry, educates and encourages suppliers to conform to the BIS regulations. 
  • Encourages the organization of toy fairs and exhibitions for the promotion of the toy industry.

 

Compliances Requirements for Toy Manufacturing Industry under the Bureau of Indian Standards (BIS) 

Apart from the general compliances which amount to over 700 ranging from the Companies Act, SEBI Act, FEMA Act to Income Tax and Foreign Trade Act for factories and MSME’s, regulations were required to be specifically made to ensure that the toy industries are safeguarded from unfair and excessive exploitation as well as products meet the international quality requirements.

According to a study, about 67% of toys sold in India had failed all safety and standard tests, while about 30 per cent of plastic toys failed to meet the safety standards of admissible levels of heavy metals and phthalates. Phthalates are a group of chemicals.

A lack of regulation in the past had resulted in degradation of the quality of our products and failed endeavours to keep up with the international standards. However, this is no longer the case as the government has not only strengthened the existing key factors but has also set up new compliances to steer clear of the past policy miscalculations and lapses. The said compliances are as follows:

The Toys (Quality Control) Order, 2020[5]

Issued by the DPIIT, Ministry of Commerce and Industry, vide order 25 February 2020, the safety of toys has been brought under compulsory BIS certification, which is granted after the successful assessment of the manufacturing infrastructure, production process, quality control, and testing capabilities. The toys shall bear the standard mark under a licence from BIS as per Scheme-I of Schedule II, of BIS (Conformity Assessment Regulations), 2018. The said QCO was initially slated to come into effect from 1st September 2020 but was later extended to 1 January 2021[6].

Exceptions:

  • The order is not applicable to goods and articles manufactured and sold by artisans registered with the Office of Development Commissioner (Handicrafts), under the Ministry of Textiles.
  • The order is not applicable to goods and articles manufactured and sold by registered proprietor and authorized user of geographical indication, by the registrar of geographical indications, Ministry of Commerce and Industry.[7]
  •  Goods or articles manufactured/meant for export purposes.

BIS Licence and Certification

For the purpose of BIS certification, toys have been classified into the following two categories. While applying for a licence, the manufacturer can apply under any one of the classifications:

 

If a licence is required for more than one type of toy (i.e., non-electric and electric), separate applications shall be made for each type. (However, samples shall be tested by BIS for conformity to the primary standard and the secondary standards which are applicable i.e., IS 9873 parts 1,2,3,4,7, and 9 etc.)[1]

While applying for a license the manufacturers must also specify the type of toy in order to choose the applicable standard it would be subjected to. The specifications of toys and their corresponding standards are as follows:

 

For Entities Manufacturing hundreds of toy models/SKU’s
  • Since testing hundreds of toy samples individually shall prove to be practically difficult for the purpose of BIS certification. The issue has been addressed in the Product Manual for the safety of toys[1].
  • The product manual is a guidance document containing product-specific guidelines for certification. It incorporates “Grouping Guidelines” which allows certification to be granted for a group of toy models based on the testing of certain representative models.
  • These grouping guidelines have been framed based on the Indian Standard IS 9873 (Part 8):2019 which is identical with the International Standard ISO/TR 8124-8:2016 (Safety of Toys Part 8 Age Determination Guidelines) which classifies toys into 7 Categories and 146 Sub-Categories based on the appropriate starting age and the specific purpose or function of the toy.
  • For the purpose of certification, all the models of toys of similar design, made from the same materials and covered under a single sub-category, shall be considered as a series. A sample of any one model from each series shall be drawn and tested to cover all the models in that particular series.

Schemes Floated for the Toy Manufacturing Industry in India

Along with the set of existing and new compliances, the government has also introduced various schemes and incentives with the aim of promoting the industry.

Micro, Small, Medium Enterprises (MSME)

Approximately four thousand[2] enterprises in India, engaged in toy manufacturing fall under the category of micro and small-scale sectors. The MSMEs in the toy manufacturing sector is an unorganized sector, accounting for a whopping 60% of the national market share. These MSME’s are spread all across the country with a large chunk operating in the Northern and Western regions.

The Indian toy market is 70% larger thanks to the existence of MSMEs and the support they received from our government. In pursuance of the same, the government has amended the classification of MSMEs in the Aatmanirbhar Bharat Abhiyan to ensure that they receive the aid and recognition required to keep up with the changing times. The amended classification is as follows:

 

With the advent of Aatmanirbhar Bharat Abhiyan various schemes have been introduced to promote MSMEs:

•       Technology and Quality Upgradation Scheme

Enrolling in this scheme will help the micro, small and medium enterprises to use energy-efficient technologies (EETs) in manufacturing units to diminish the expense of production and adopt a clean development mechanism. The scheme guarantees to cover up to 75% of the expenditure.[1]

•       Grievance Monitoring System:

Enrolling in this scheme is advantageous when it comes to addressing complaints of business owners. Additionally, the owners may also check the status of their complaints and file an appeal if they are not satisfied with the result.

•       Incubation: 

It assists innovators in implementing their new design or product ideas. It provides financial assistance for “Business Incubators”. Financial assistance of 75 % to 85 % of the project cost, up to a maximum of 8.00 Lakh is extended to the innovators.[2]

•       Credit Linked Capital Subsidy Scheme:

Under this scheme, new technology is provided to the business owners to replace their old and obsolete technology. A capital subsidy is given to the business to upgrade and have better means to do their business. These small, micro and medium enterprises can directly approach the banks for these subsidies. The ceiling on subsidy would be Rs. 15 lakh or 15 per cent of the investment in eligible plant and machinery, whichever is lower[3]

•       Scheme of Fund for Regeneration of Traditional Industries: 

The government aims at establishing a total of 35 toy clusters in various states under this scheme. Once set up, these will boost the manufacturing of toys made of wood, lilac, palm leaves, bamboo and fabric. This scheme offers incentives such as skill development, capacity building, e-commerce assistance to local industries.

•       Product Specific Industrial Cluster Development Programme: 

The programme aims to establish dedicated SEZ’s and customize them into self-sustaining ecosystems catering to export markets.

 

Incentives Provided to the Toy Manufacturing Industry in India

The Centre and State governments have implemented various incentives to promote the toy industry.

A. For Toy Manufacturing Entities

 

1.Hiked import duty:

The import duty on toys was raised from 20% to 60% [4]making it difficult for foreign companies to compete in our market as well as making Indian companies’ entry into the market easier.

2.Handicraft and GI Toys exempted from Quality Control Order[5]:

This allows any traditionally made toys by artisans registered with Development Commissioner (Handicrafts) to be exempted from the quality compliances newly introduced.

3.Custom Bonded Warehouse Scheme:

Central Board of Indirect Taxes and Customs (CBIC) has launched a new scheme expected to play a critical role in promoting investments in India and in enhancing the ease of doing business. According to this, the unit can import goods (both inputs and capital goods) under a customs duty deferment program.[6]

4.Export Promotion Capital Goods (EPCG) Scheme: 

Enables the import of capital goods (toys/ spare parts thereof) in the pre-production, production and post-production stage without the payment of customs duty.

5.Increase in BCD for Electronic Toys (under HSN 9503) from 5% to 15%[7]:

This will increase the expenditure incurred for foreign companies to sell products in India and thus help relax the competition for Indian manufacturers. An example of how these steps have been implemented and made into a reality is the Product-Specific Industrial Cluster Development Program. An initiative taken up by the Karnataka government in partnership with Aequs Infra, is a first-of-its-kind project aimed at promoting toy industries by dedicating 400 acres of self-sustained ecosystem including an SEZ to serve export markets and Domestic Tariff Area (DTA) through state-of-the-art industrial infrastructure and facilities. It has the potential to create 40,000 jobs in five years and attract over INR 5,000 crore in investments. [8]The toy cluster aims to capitalize on the presence of key elements essential for the sector’s growth like manpower, R&D and raw material.  It is also in a strategic position to cater to 50% of the domestic toy market needs, and has an efficient connectivity network with access to highways, ports, airports, and major cities.[9] This program was touted as a one-stop-shop solution catering to the needs of both large MNCs and small and medium enterprises.

6. Duty Drawback Scheme: 

The scheme was introduced to rebate duty chargeable on any imported materials or excisable materials used in the manufacture or processing of goods, manufactured in India and exported.

B. For MSME’s

Apart from extending financial aid as discussed above, the government initiatives for MSME’s are largely based on undertaking initiatives to promote homegrown toy manufacturers and boost domestic demand for indigenous and locally produced toys. Some of these initiatives are:

Phased Manufacturing Programme (PMP): 

The programme will make the assembly of toys cheaper than imports, offering benefits similar to the PMP for mobile phones introduced back in 2015. The government has offered tax reliefs and differential tariffs among other incentives for components and accessories to push local manufacturing.

Toy Labs: 

In a bid to promote traditional toys, the government has chalked out a plan to create toy labs – a national toy fair for innovative Indian themed toys. The Atal Tinkering Lab is one such toy lab to provide support for physical toys promoting learning and innovation. Additionally, due to literacy programmes like Sarv Siksha Abhiyan and the new education policy, toys nurturing innovation and creativity are in focus.

Involving various sectors:

The education ministry has been asked to include indigenous toys as a part of learning resource, under the new education policy. The IIT’s are set to be roped in to look into the technological aspect of toys, while the NIFT’s shall study the concept of toys and national values, by using non-hazardous materials. The Ministry of Science and Technology has been directed to explore how India’s indigenous games can be featured in the digital space. While the Ministry of culture will work on ‘Indian Toy Museum’.

Labour law reforms:

The Indian toy industry is labour intensive, the new labour law reforms have a significant impact on the ease of doing business, thereby providing a competitive advantage to the Indian toy industries.

The toy industry is one sector that contains a lot of untapped potentials. The compulsory BIS certification as per the Toys (Quality Control) Order, 2020, will ensure that the quality of toys is at par with international standards along with the strengthening of existing conditions of the market. These are significant steps in the right direction to ensure that the domestic markets pick up once the pandemic wanes. The domestic production and sales could catch up with exports and thus make sure that the future of this sector will not be as grim as in the past and will light up, once again.

References 

1 https://www.investindia.gov.in/sector/consumer-goods/toys-manufacturing

2 Koppal Toy Manufacturing Cluster; https://static.investindia.gov.in/s3fs-public/2021- 01/Koppal%20Toy%20Manufacturing%20Cluster%20-%20For%20International%20Investors.pdf

3 Ibid

4 Indian Toys Market: Industry Trends, Share, Size, Growth, Opportunity and Forecast 2021-2026, https://www.imarcgroup.com/indian-toys-market

5 https://bis.gov.in/wp-content/uploads/2020/03/Toy_QC_order.pdf

6 https://dipp.gov.in/sites/default/files/orderToy-26February2021_0.pdf

7 https://dipp.gov.in/sites/default/files/QC-AmendmentOrder-Toys-21December2020.pdf

8 https://bis.gov.in/wp-content/uploads/2020/09/toys-faqs-bilingual.pdf

9 https://bis.gov.in/wp-content/uploads/2020/08/safety-of-toy.pdf

10 Toy industries in India; https://www.ibef.org/indian-toys

11 Impact of Aatmanirbhar Bharat Abhiyan on MSMEs; https://cleartax.in/s/impact-aatmanirbhar-bharat- abhiyan-msmes/

12 https://msme.gov.in/3-technology-upgradation-and-quality- certification#:~:text=Technology%20and%20Quality%20Upgradation%20Support%20to%20MSMEs&text=50%

13 https://msme.gov.in/incubation25%20of%20actual%20expenditure%20subject,licenses%20from%20National%20%2F%20International%20bodies.

14 http://laghu-udyog.gov.in/schemes/sccredit.htm

15 Budget 2020: Govt hikes customs duty on toys, furniture, footwear products; https://www.financialexpress.com/budget/budget-2020-govt-hikes-customs-duty-on-toys-furniture-footwear- products/1848123/

16 Handicraft and GI Toys exempted from Quality Control Order; https://pib.gov.in/Pressreleaseshare.aspx?PRID=1680181

17CBIC and Customs launch scheme to attract investment and support Make in India programme; https://knnindia.co.in/news/newsdetails/sectors/cbic-and-customs-launch-scheme-to-attract-investment-and- support-make-in-india-programme

18 Union budget 2021; https://www.indiabudget.gov.in/doc/budget_speech.pdf

19 https://www.investindia.gov.in/sector/consumer-goods/toys-manufacturing

20 Koppal Toy Manufacturing Cluster; https://static.investindia.gov.in/s3fs-public/2021- 01/Koppal%20Toy%20Manufacturing%20Cluster%20-%20For%20International%20Investors.pdf

 

 

Image Credits: Photo by Nguyen Bui on Unsplash

The toy manufacturing industry is one sector that contains a lot of untapped potentials. The compulsory BIS certification as per the Toys (Quality Control) Order, 2020, will ensure that the quality of toys is at par with international standards along with the strengthening of existing conditions of the market.

POST A COMMENT

Food Safety Compliance System (FOSCOS) - A game-changer for Food laws Compliance and Enforcement Mechanism

With increased awareness, globalization and technological advancement, people are becoming more and more conscious of their eating choices. In fact, COVID-19 has changed the food habits of many individuals eager to fight against the pandemic by adopting a more balanced and nutritious diet to improve immunity.

Accordingly, Indian Food laws are changing in line with global food laws/standards through the amendment of various regulations based on the changing scenario. Food Safety Standard Act, 2006 (“the Act”) is also evolving and transforming in consonance with the “One Nation One Food Law” initiative.

 

The Food Safety and Standards Authority of India (FSSAI) established under the Act is now not only responsible for monitoring food safety standards but is also governing the entire food supply chain. With this mandate, the FSSAI has taken various steps towards easing the process of registration and licensing.

 

A new step in that direction is the replacement of the present online application system i.e. Food Licensing and Registration System (FLRS) to provide licensing and registration with an upgraded, advanced, controlled, improved, and developed open-source platform called Food Safety Compliance System (FoSCoS).

 

It was initially launched in the States/UTs of Tamil Nadu, Puducherry, Gujarat, Goa, Odisha, Manipur, Delhi, Chandigarh, and Ladakh in June 2020. FSSAI is now launching the second phase of FoSCoS in the remaining 27 States/UTs on 01st November 2020. Consequently, the FLRS portal has been closed w.e.f. 21st October 2020. FoSCoS is a more user-friendly and effective IT platform that seeks to connect Food Business Operators (FBOs), Designated Officers (DOs), and Food Safety Officer (FSOs).

 

FoSCoS is an upgraded and comprehensive solution that also connects with FSSAI’s other existing IT platforms such as Food Safety Compliance through Regular Inspection and Sampling (FoSCoRIS), Food Safety Connect-Complaints Management System, Online Annual Return Platform, Food Import Clearing System (FICS), Indian Food Laboratory Network (InFoLNet), Audit Management System (AMS), Food Safety Training and Certification (FoSTaC), Food Safety Mitra (FSM), etc.

 

FoSCoS has been rolled out to achieve the following objectives:  

 

  • Transform from the present FLRS which is only a licensing platform to a central food safety compliance regulatory platform.
  • Facilitate a hassle-free and user-friendly IT platform to connect Food Business Operators and Food authorities.
  • Build a technically advanced integrated application to achieve interoperability with other applications, capable of higher user traffic, and has potential for future upgrades and functionalities.
  • Enhance user performance of the application and make the application process simpler and efficient to promote ease of doing business amongst FBOs.
  • Achieve minimal physical documentation and streamline business process flows for FBOs for online applications.
  • Achieve and enable the application to have a standardized product approach rather than a text box approach for manufacturers.
  • Enable the application to seed business-specific details such as CIN No., PAN No. and GST No. to ensure effective profiling and validation of FBOs.

 

The FSSAI expects FoSCoS to be a game-changer for the implementation and enforcement of food laws in India. It is necessary to create awareness among Food Business Operators and the general public to achieve the goal of the Swastha Bharath Mission.

 

 

 

 

Fox Mandal is planning to publish a series of articles/blogs to create awareness on the food laws in India and related compliance under the FoSCoS Platform.

 

 

Image Credits: Photo by Mat Brown from Pexels

The FSSAI expects FoSCoS to be a game-changer for the implementation and enforcement of food laws in India. It is necessary to create awareness among Food Business Operators and the general public to achieve the goal of the Swastha Bharath Mission.

POST A COMMENT