The Next Play- Block Chain, Sports and Tourism

The excitement and intrigue surrounding cryptocurrency might have fizzled out, but alternate use cases of the blockchain have found roots for varied purposes, such as electronic health records, land records, farm insurance, digital certificates, etc., across as many as thirteen states in the country. 

 

In partnership with a platform called Yunometa, the State of Tamil Nadu recently launched the Women’s Chennai Open in the world of Metaverse and NFTs on September 10, 2022 (https://chennaiopen.co/). With this launch, the synergies between sports and technology are being explored further. Sports enthusiasts will now be able to view the Chennai Open (women) in the metaverse and watch it live. 

The Chennai Open Metaverse will have a tennis court where visitors can choose their avatars, including their favourite players, and play a match. There is also a media section where they can visit and get regular updates on the events’ matches. The metaverse will further have two more sections, i.e., an NFT museum section to display tourism and culture for the State of Tamil Nadu and a section for virtual tours of Tamil Nadu’s most well-known tourist destinations, such as Fort St. George, Meenakshi Temple, and Mahabalipuram Temple, amongst others. 

It seems to be a great initiative not only to enjoy sports in a new way but also to showcase the culture of Tamil Nadu, which may have a ripple effect on the tourism industry.

According to a recent study by Finder, released in 2022, India is ranked first in NFT gaming adoption. As per the report, around 34% of the Indian population has played P2E games[1], while 11% have shown a willingness to play them in the future.[2] Further, the size of the Indian eSports industry is expected to grow to INR 11 billion by FY2025 and potentially generate an economic impact of INR 100 billion between FY2021 and FY2025.[3]

While the statistics paint an impressive picture of the industry’s potential, it would be imperative to note that the legal landscape is definitely ‘glitching’ while trying to adopt a legislative pathway that would foster yet effectively regulate the sector.

At present, the policy focus of the government pertains to taxation only. However, with the increase in the participation of gamers, it is also prudent to address user safety issues by creating guidelines and standards for privacy, fraud prevention, structuring appropriate KYC procedures and payment mechanisms, and ensuring overall ease of doing business, regulatory certainty, and taxes.

The policy initiatives undertaken by the government in the recent past, including the Online Gaming (Regulation) Bill, 2022, which failed to address key concerns such as privacy, age-verification of players, defining casual online gaming, and money-based gaming, have shown a lack of a comprehensive approach to resolving the crucial issues. Similarly, the Inter-ministerial Panel on Online Gaming formed in May 2022 has, till now, only issued a slew of suggestions ranging from issuing a cap on deposit and withdrawal limits on the game winnings to recommending forming a regulatory body to distinguish between “games of skill” and “games of chance,” differential GST treatment, blocking prohibited gaming formats, and issuing a stricter stance on gambling websites.

In addition, the Animation, Visual Effects, Gaming, and Comics Task Force (AVGC) was set up in April this year and commissioned to formulate a national AVGC policy to attract foreign direct investment in the sector and to recommend a national curriculum framework, facilitate skilling initiatives, and boost employment opportunities within the sector has yet to submit its first action plan.

The Draft Virtual Online Sports Regulation Bill released by the Rajasthan government in May 2022[4] seems encouraging since it envisages structuring a licensing regime and establishing a Rajasthan Virtual Online Gaming Commission that shall be tasked with recommending conditions for licences, recognising “self-regulatory organisations,” and issuing advisories, caution notices, and recommendations to self-regulatory organisations. However, the Bill only applies to “esports competitions, fantasy sports, and derivative formats as provided by the sports engagement platforms” and leaves poker, rummy, ludo, and other such games of skill outside its purview.

It is safe to conclude that, at present, the central and the respective state governments have fallen short of formulating a cohesive set of legislation on online gaming. Further, with the integration of blockchain with gaming, it would also be crucial for the government to finally take a stand on laws regulating cryptocurrency in the country.

Shaping a comprehensive regulation on blockchain gaming would also necessitate the concerted deliberation and collaboration of various stakeholders in the industry, as current laws largely fail to address important concerns such as privacy, fraud, user safety, and so on.

It is safe to conclude that, at present, the central and the respective state governments have fallen short of formulating a cohesive set of legislation on online gaming. Further, with the integration of blockchain with gaming, it would also be crucial for the government to finally take a stand on laws regulating cryptocurrency in the country.

POST A COMMENT

The Energy Conservation (Amendment) Bill, 2022 – A Retort to Increasing Emissions

On August 9, 2022, the Energy Conservation (Amendment) Bill, 2022 (the “Bill”) passed the muster of the Lok Sabha (lower house of the Indian Parliament). The Government of India had identified new areas to achieve higher levels of penetration of Renewable energy and the bill sought to enhance demand for renewable energy at the end- use sectors such as Industry, buildings, transport etc.

What demanded the introduction of the Bill?

Decarbonization. The Bill, which amends the Energy Conservation Act, 2001 (the “Act”), introduces a series of modifications that opens the door for sustainable development. According to Bill’s statement of objects and reasons, it aims to, among other things, promote the use of green fuels and the growing renewable energy sector, ensure industrial energy efficiency, and establish a domestic “carbon market”, and carbon trading scheme to fulfil the commitments made by India at COP-26 (Conference of Parties -26) in Glasgow in 2021.

 

What are the major changes proposed in the Bill?

 

The Penalty


To enhance the effectiveness of the law and create stronger deterrence, the bill introduced stricter enforcement mechanisms. The changes include new penalties and aggravation of existing penalties for violations of certain provisions relating to the efficient use of energy and its conservation[1], use of deceptive names (introduced in the Bill)[2], and provision of information[3].

A new penalty introduced, for instance, is that if a vehicle manufacturer fails to comply with fuel consumption standards, he will be liable to pay an additional penalty (in addition to the penalties he is liable to under the Act) per unit of vehicles sold in the corresponding year, as follows:

  • twenty-five thousand rupees per vehicle for non-compliance with norms up to 0.2 litres per 100 km.
  • fifty thousand rupees per vehicle for non-compliance with norms above 0.2 litres per 100 km.[4]


Carbon Credit Trading


The Bill seeks to reduce carbon emissions by creating a carbon credit trading scheme. The Central Government is empowered under Section 14AA of the Bill to specify such a scheme.

Interestingly, the Act has enumerated a scheme through which energy savings certificates are issued by the Central Government to those plants or industrial units whose energy consumption is less than the prescribed norms and standards. Units that are unable to comply with the set energy consumption norms are entitled to purchase the energy savings certificate to ensure compliance. The industrial units that fail to meet the energy savings targets even after purchasing the energy saving certificates are liable to be punished with a fine as per the provisions of the Act.

To understand how a carbon credit trading scheme would aid in reducing emissions, we must understand what a carbon credit trading scheme is. A carbon credit is a certificate/permit that gives its holder the right to emit a certain amount (usually a tonne) of carbon dioxide. Based on historical emissions, carbon credits are provided to an organisation in a particular sector. If the organisation goes over its allocated amount of carbon credits, then it would have to purchase more credits from the carbon market, where carbon credits are bought and sold. And the price of the carbon credit is determined by the market forces of supply and demand. Additional factors that influence the pricing of carbon credits include regulations established by the government, international climate change protocols, emission trading schemes, and a carbon tax. This scheme or system of buying and selling carbon credits is, in simplistic terms, a carbon trading scheme. Hence, the carbon trading scheme aims to reduce carbon/greenhouse gas emissions by assigning a financial cost for causing pollution. This implies that for such units, carbon emissions will now be equivalent to any other capital investment like raw materials or labour.


Expanding, Enlarging, and Empowering


  1. Vehicles and Vessels– The Act, under Section 14, empowers the Central Government to set standards to enable efficient use of energy and its conservation for any equipment, appliance that consumes, generates, transmits, or supplies energy. The Bill seeks to include vehicles (as defined under the Motor Vehicles Act) and vessels into the scope of Section 14. Corresponding provisions for penalties have also been included in the Bill for violations of the provisions of the Act.
  1. Buildings- Under the Act, the Central Government and the Bureau of Energy Efficiency have the authority to lay down energy conservation standards for buildings, ascertained in terms of area. The Bill seeks to amend the provision to the effect that, now, the Bureau and the government shall set energy conservation and sustainable building codes, that shall elaborate upon standards for energy efficiency and conservation, use of renewable energy, and other requirements for green buildings.
  1. Residential Buildings– The energy conservation code in the Act has only been made applicable to commercial buildings. The Bill seeks to include residential buildings along with commercial buildings under the scope of the Code. As per the amended provision of the Bill, the State Governments have also been empowered to lower the load threshold. By bringing residential buildings under the scope of the energy conservation code, the responsibility for ensuring mindful energy consumption would effectively fall on citizens as well as industries.
  1. Composition of BEE Governing Council– The governing council of the Bureau of Energy Efficiency (BEE) created under the Act has twenty, not exceeding twenty-six members, which is intended to be expanded to thirty-one, but not exceeding thirty-seven members by the Bill. This expansion is likely intended to improve bureaucratic efficiency in the administration and enforcement of the provisions of the Act.
  2. State Electricity Regulatory Commission– The Act empowers the Bureau of Energy Efficiency to make regulations as necessitated, with the approval of the Central Government[5]. The Bill also envisages empowering the State Commission to make regulations for discharging its functions under this Act[6].


Concluding Thoughts


The amendments that are envisioned under the Bill are strides in the right direction for enabling better regulation of carbon emissions and promoting the objective of sustainable development by encouraging a switch from fossil fuels to renewable energy sources. While the carbon trading scheme under the Bill has the right intentions, it is still lacking in clarifications pertaining to the market structure and incentive scheme for facilitating carbon trading in the country.

As with any other law, strict enforcement and alignment of all the relevant stakeholders contingent on the success of proposed policies under the Bill would be key in ensuring that India achieves its goals towards facilitating a steady shift from fossil fuels to promotion of new and renewable energy (wind, solar, etc.), accomplishes milestones contemplated in the National Green Hydrogen Mission, and actualizes its vision to meet 50 per cent of its energy requirements from renewable sources by 2030, as envisaged under the ‘Panchamrit’ strategy announced at the COP 26 conference in Glasgow.  

References:

[1] Section 14 clause (c) or clause (d) or clause (h) or clause (i) or clause (k) or clause (l) or clauses (n) and (x); and Section 15 clause (b) or clause (c) or clause (h) of the Act.

[2] Sub-section (1) of Section 13A of the Bill.

[3] Section 52 of the Act.

[4] Second proviso to Section 26 (2) of the Bill.

[5] Section 58 of the Act.

[6] Section 13 of the Bill.

Image Credits: Photo by catazul from Pixabay 

The amendments that are envisioned under the Bill are strides in the right direction for enabling better regulation of carbon emissions and promoting the objective of sustainable development by encouraging a switch from fossil fuels to renewable energy sources. While the carbon trading scheme under the Bill has the right intentions, it is still lacking in clarifications pertaining to the market structure and incentive scheme for facilitating carbon trading in the country.

POST A COMMENT

The Indian Telecommunication Bill, 2022: An Au Courant Approach

Telegraph was first introduced in India in the year 1851 and telephone exchanges were set up in the early 1880s. The Indian Telegraph Act, 1885; the Indian Wireless Telegraphy Act, 1933; the Telegraph Wires (Unlawful Possession) Act, 1950, were enacted to suit the needs of the day. The usage of the telegraph as a telecommunication mode became obsolete in 2013, and today technologies such as 4G and 5G, the Internet of Things, Industry 4.0, M2M communications, Mobile Edge Computing, etc. are revolutionising the sector.

While these technologies create new opportunities for social and economic growth, issues relating to dispute resolution and penalties, data privacy, the infrastructural needs of the industry, etc. become more complex.

With the objective of reforming the telecommunication law and making it more sensitive towards the concerns of this ever-evolving sector, a consultation paper on the “Need for a new legal framework governing Telecommunication in India[1] was issued by the Department of Telecommunication on July 23, 2022, inviting comments.

The Consultation Paper proposed a new legal framework to address the following:

  1. Simplification of the regulatory framework while ensuring regulatory certainty, minimising policy disruption, promoting investment, and preventing retrospective application.
  2. Spectrum assignment should be to best serve the common good and widespread access, with utilisation of spectrum liberally and neutrally allowed, as should the deployment of new technologies, the repurposing and rearrangement of frequency range, and the authorisation of the central government to share, trade, lease, and surrender spectrum.
  3. Provide a robust regulatory framework to obtain Right of Way and resolve disputes thereby ensuring the deployment of new technologies and ensuring continuous connectivity.
  4. Simplify the framework for mergers, acquisitions, or other restructuring.
  5. Ensure the license is not suspended or terminated during Insolvency while services are being provided, and ensure there is no default on license or spectrum dues.
  6. Expanding the scope of the Universal Service Obligation Fund to address delivery of telecommunications service to underserved rural and urban areas.
  7. Proportionate penalty for offences.
  8. Address situations of public emergency, public safety, or national security.

The draft Telecommunication Bill 2022 was created in response to public feedback on the consultation paper [2].  Further comments on the draft have been invited till 20th October 2022. It intends to replace the Indian Telegraph Act, 1885; the Indian Wireless Telegraphy Act, 1933; and the Telegraph Wires (Unlawful Possession) Act, 1950.

 

Key Takeaways of the Draft Telecommunication Bill, 2022

 

Over-the-top (OTT)

 

There was an interpretational discord as to whether OTT is regulated under the current legal system. The government is of the opinion that OTT is adequately covered under the definition of “Telegraph” in the Telegraph Act. However, there is no explicit legal backing. The proposed bill explicitly clarifies that OTT communication services are a telecommunication service. The bill’s definition of telecommunication service incorporates current technological trends in the industry and includes voice and video communication services, machine-to-machine services, and broadcasting services. Any transmission and receipt of a message through a wire, radio, optical, or electromagnetic system would be telecommunication. Such telecommunication, when intended to be received by the general public, becomes a broadcasting service. Therefore, an OTT service provider, be it broadcasting/streaming services or data/video call services, falls explicitly within the ambit of the Telecommunications Bill, 2022.

 

User-Beneficial Provisions

The bill requires that the identity of the person sending a message be made available to the user receiving the message at all times. Therefore, any call recipient from a landline, cellular, or through OTT platforms like WhatsApp, Facetime, or Zoom calls will have information about the caller. To achieve this end, the KYC of all the users has to be obtained by all service providers, including OTT platforms.  Users are prohibited from providing false information about their identity when obtaining telecommunications services. Any misrepresentation of identity is punishable with imprisonment for one year or a fine of up to 50,000 rupees. An advertisement or promotional message, whether fictitious or real, shall not be sent unless consent is procured from the recipient. Any unsolicited message shall be an offense, and the sender is liable to be penalized. The Bill formulates a mechanism for the preparation and maintenance of the ‘Do Not Disturb’ register. The user-beneficial provisions and the penalty for violation are not substantial enough. When the losses caused to the public because of cyber frauds are more than 1 lakh crore each year, the penalty for such fraud of INR 50,000 is not a deterrent. It is ideal that such offenders are abstained from providing telecommunication services so that repeated cyber frauds or impersonations can be avoided.

 

Spectrum Allocation

 

The Bill provides that spectrum allocation can be done only through auction, directly under circumstances specified in the schedule, such as national security, or in such a manner as mentioned in the rules. The Hon’ble Supreme Court of India, in “Union of India & Ors v. Centre for Public Interest Litigation and other” decided on February 2, 2012, stated that:

“When it comes to the alienation of scarce natural resources like spectrum, etc., it is the burden of the State to ensure that a non-discriminatory method is adopted for distribution and alienation, which would necessarily result in protection of national/public interest. In our view, a duly publicised auction conducted fairly and impartially is perhaps the best method for discharging this burden and the methods like first-come-first-served when used for alienation of natural resources/public property are likely to be misused by unscrupulous people who are only interested in garnering maximum financial benefit and have no respect for the constitutional ethos and values. In other words, while transferring or alienating the natural resources, the State is duty bound to adopt the method of auction by giving wide publicity so that all eligible persons can participate in the process.”

The Hon’ble Supreme court’s order mandates spectrum allocation only via auction. However, allocation of Spectrum under extraordinary circumstances such as national security and defence by the Central Government is understandable. Nevertheless, the entire list of Schedule I activities wherein the government is authorized to allocate spectrum to BSNL/MTNL or can assign it to “any other function or purpose as determined” is far too wide to defeat the very purpose of the order.  Further, it is ideal that such spectrum allotted under Schedule I, shall not be resaleable but only returnable to the government.

The Bill provides the Central Government rights to repurpose the spectrum frequency for a different use (“re-farm”), rearrange the frequency range (harmonization), or assign part of the assigned spectrum to another entity for efficient spectrum utilization, or if the spectrum remains unutilized.

 

Seamless Transition 

There is a new set of terms and conditions that will be formed after the Act and rules come into force. A telecom service provider and telecom infrastructure provider have a choice on whether to migrate to the new set of terms and conditions under this bill or the existing terms as per their existing license. A wireless equipment provider has to procure new authorisation (instead of a license). The existing spectrum licenses shall continue to remain valid for a period of 5 years or until the date of expiry, whichever is earlier. The existing rules under the old Telegraph enactments shall continue until superseded by the new rules. All Telecommunication Bill provisions are prospective in nature. These mechanisms would allow greater acceptance of the new Act and a seamless transition.

 

Penalties and Offences

In casesof breach of the terms and conditions of a license, registration, authorisation, or assignment, the government can revoke, suspend, or curtail such approvals. Further, the government can impose a penalty based on the severity of the breach after considering whether it is severe, major, moderate, minor, or non-severe. A licensee can provide a voluntary undertaking to the authority with respect to any breach or delay. Acceptance of a voluntary undertaking will put the proceedings on hold. An alternative dispute resolution mechanism for resolving certain disputes or classes of disputes is envisaged. The Bill provides a list of offences covered by it, the imprisonment or fine imposed, and whether such offences are bailable or cognizable.

 

Right of Way

The mechanism for Right of way is differentiated on the basis of whether it is public property or private property. In the case of public property, the authority has to provide permission in a time-bound manner.  In the case of private property, parties may mutually negotiate an agreement. To overcome the issues of the sale of property along with the telecom infrastructure, an explicit provision has been enshrined to state telecom infrastructure is different from the property it is installed on. Therefore, the property owner cannot claim ownership of the tower in his/her property, and it remains independent of any sale or lease. It is ideal that the Right of Way arrangements/agreements be standardized. Further, the legal framework should also encompass penalties in case of violation of the Right of Way by either the telecom infrastructure provider or the property owner.

 

Common Ducts & Cable Corridors

An express provision is planned under which the Central Government will require infrastructure projects to have common cable ducts and cable corridors established and such cable made available to facility providers on an open access basis.

 

Restructuring & Insolvency

A licensee entity undergoing restructuring/merger/acquisition has to merely inform the authority and an explicit prior approval is not required. The restructured entity has to thereafter follow the rules therein. In case of insolvency, service continuity is given priority, and the entity retains control over Spectrum. An enabling framework has been made for the Central Government to intervene and revert the control of the Spectrum to the Central Government in case the entity fails to provide telecommunications services, and has promptly paid the spectrum licensing fees/charges.

 

Regulatory Sandbox

A regulatory framework of simplified license terms and conditions to empower the start-up ecosystem is formulated, whereby such entities can live-test their products and services in a controlled environment.

 

The Telecommunication Bill is a framework that intends to create a comprehensive and centralised legal ecosystem for an industry that is rapidly expanding with the addition of new players in the market, investments, and technology. How the Telecommunication Act, Digital Data Protection Act, and Digital India Act finally shape up to create a legal landscape to address the new technological challenges remains to be seen. The proposed Telecommunications Bill has addressed the concerns of the present while keeping an eye on the future in its simple, light-touch approach- a concrete step in the right direction.

The Telecommunication Bill is a framework that intends to create a comprehensive and centralised legal ecosystem for an industry that is rapidly expanding with the addition of new players in the market, investments, and technology. How the Telecommunication Act, Digital Data Protection Act, and Digital India Act finally shape up to create a legal landscape to address the new technological challenges remains to be seen.

POST A COMMENT

Green Intellectual Property

The damage to the environment has over the last decade or so been a topic of paramount importance. Changes to the same can now be felt closer to home rather than in some remote corner of the globe. The Intergovernmental Panel on Climate Change (IPCC) released a report in 2021 stating that climate change is “widespread, rapid, and intensifying”. We are at the precipice of an important stage in the history of our planet. Never before has technology reached the levels that we have now. It is time to optimally harness technology to protect the environment to sustain future generations. With the literature currently in the media, there is definitely awareness of the damage being caused.

Green technology and innovation thereof will be of paramount importance, and Intellectual Property (IP) rights play a major role. The term ‘Green Intellectual Property’ refers to the protection of innovations in the field of green technology. The UN Rio Declaration on Environment and Development of 1992 stated that Green Technology means “environmentally sound technologies that protect the environment, are less polluting, use all resources in a more sustainable manner, recycle more of their wastes and products, and handle residual wastes in a more acceptable manner than the technologies for which they were substitutes“.

WIPO is playing a huge role in the acceleration of Green IP through WIPO Green (https://www3.wipo.int/wipogreen/en/). “WIPO GREEN is an online platform for technology exchange. It supports global efforts to address climate change by connecting providers and seekers of environmentally friendly technologies.”

India, with a huge focus on agriculture, could see smart agriculture come to the forefront. We could also see the rise of water and soil conservation mechanisms, soil re-carbonization and carbon sequestration, etc. In fact, since 2016, over half of the patents granted in India were related to green technologies. In sheer numbers, 61.186 patents were granted in this field, and over 90% of these technologies addressed waste management and alternative energy production methods.[1]

Green IP is likely to lead to the rise of a huge amount of innovation. With innovation comes patent protection. Secrecy may be maintained to maximise market position for innovative technologies that will result in the rise of trade secrets. The aesthetic appearance of new innovations will come under the ambit of protection of design rights. Design rights may also be a valuable right as the use of 3D printing grows as a potentially more sustainable manufacturing technique. The rise of Green IP will also result in the rise of certified trademarks. Software and data evaluation will also play a decisive role in improving existing technologies in an environmentally friendly way. We will also see the rise of technology transfer licensing agreements as companies look to leverage technology developed by others to their advantage. Thus, the importance of Green IP will percolate to an increase in IP protection as well.

For those who are trailblazers in the field, having an IP checklist and an IP strategy will be of importance. Apart from this, the Indian government may also need to look at more subsidies and rebates for the development of Green IP. In a recently published report, Green Future Index 2022, India was ranked among a contingent labelled as “climate laggards”. The country’s COVID-19 recovery plan favours traditional industries, which is hampering the move to greener policies.

Nevertheless, subsidies in official fees for start-ups and MSME’s have pushed these industries to protect their intellectual property. Such a change can also be effected with rebates for the filings for Green IP. With the problems brought about by damage to the environment being closer to home, it is time for India to be at the forefront of the development of Green IP.

References:

[1] https://timesofindia.indiatimes.com/india/every-2nd-patent-granted-since-2016-relates-to-green-tech-most-linked-to-waste-alternative-energy/articleshow/89420047.cms

Image Credits: Photo by JudaM from Pixabay 

For those who are trailblazers in the field, having an IP checklist and an IP strategy will be of importance. Apart from this, the Indian government may also need to look at more subsidies and rebates for the development of Green IP.

POST A COMMENT

Cryptocurrency and Money Laundering: Deciphering the Why and the How

The financial sector continues to revel in the advancement of disruptive technological innovations. Due to the attractive rates and fees, ease of access and account setup, variety of innovative products and services, and improved service quality and product features, financial technology is attracting more customers and investors today.[1] Despite the numerous advantages of these sectoral transformations, it is impossible to deny that the digitization and ease with which the internet has enabled all of us to function effectively in our day-to-day work has also created a space for virtual crimes.

Amidst the pioneering fintech revolution, cryptocurrency has emerged as a modern financial technology that can be used to easily launder money. Despite rapid market fluctuations and an uncertain legal status, cryptocurrency continues to captivate Indian investors, who are undeterred and unbothered by the associated risks of cyber fraud.

This article will explore how the crypto market nurtures a convenient and fertile ground for money laundering activities.

 

Cryptocurrency and India

 

The Indian regulatory market has had a hot and cold relationship with cryptocurrency over the years. The RBI, vide Circular DBR.No.BP.BC.104/08.13.102/2017-18 dated April 06, 2018[2], restricted all crypto transactions. However, in 2020, the Supreme Court effectively struck down the ban. As a result, the RBI stated in Circular DOR. AML.REC 18/14.01.001/2021-22 that banks and financial institutions cannot cite the aforementioned circular to warn their customers against dealing in Virtual Currencies. However, it did state that, “Banks, as well as other entities addressed above, may, however, continue to carry out customer due diligence processes in line with regulations governing standards for Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) and obligations of regulated entities under the Prevention of Money Laundering Act (PMLA), 2002, in addition to ensuring compliance with relevant provisions under the Foreign Exchange Management Act (FEMA) for overseas remittances.”[3]

At present, while the talks of implementing comprehensive legislation governing cryptocurrencies have fizzled out, the Union Budget 2022 brought digital currencies under the tax net. As of 2022, the crypto asset market in India stands at an approximated evaluation of 45,000 Crores and 15 million investors[4].

However, it is pertinent to note that it is transactions, not investments, in the digital currency that pose an issue. In India, the Enforcement Directorate discovered over 4,000 crores of such illegal cryptocurrency transactions in 2021. As per the 2022 Crypto Crime Report by blockchain data firm Chainalysis[5], cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021, $6.6 billion in 2020 and $10.9 billion in 2019. Furthermore, the study discovered that at the moment, darknet market sales or ransomware attack profits are virtually derived in cryptocurrency rather than fiat currency, thus significantly contributing to the data. 

Money laundering, terror financing, drug dealing, and other criminal activities are all done using cryptocurrency transactions. Although these transactions are recorded on a blockchain and are traceable, criminals use mixers and tumblers to make it difficult for a third party to track them.

 

The Laundering Mechanism

                           

                                    Eurospider Information Technology AG, “Mixers Tumbler Example,” fig.

For clarity, refer to the above image. Using the OHNE mixer, A sends 20 bitcoins to B, U sends 15 bitcoins to V, and X sends 5 bitcoins to Y. These are single-layer transactions that are simple to trace and identify.

The transaction takes place in a different way in the second image, where the MIT mixer is used. For the sake of brevity, let us consider a single layer of mixer being used. In real life, the number of mixers used is in the thousands. Here, A sends 20 bitcoins to M1, U sends 15 bitcoins to M2 and X sends 5 bitcoins to M3. In the next stage, B receives 20 bitcoins from M2, V receives 15 bitcoins from M1, and Y receives 5 bitcoins from M1. The difference we must notice is that B, V, and Y are receiving the same number of bitcoins as in picture one, but not from A, U and X, respectively. Because there is no information about A sending bitcoins to B, U sending bitcoins to V, or X sending bitcoins to Y, these transactions are not single-layered and are impossible to trace. Hence, making the transaction anonymous.

Criminals use a similar method to send money using cryptocurrencies. Consider the following scenario to gain a better understanding: A, B, C, and Z are cryptocurrency users who keep their coins in their digital wallets. They use the same mixing service to make transactions. A, B, and C are law-abiding citizens, while Z is a criminal involved in drug trafficking. A has to pay X a certain amount of money. X is paid, but the bitcoins he received were deposited by Z, a drug trafficker. When X received the payment, he had no idea that the bitcoins he had were dirty bitcoins and had been used for illegal activities. This is a straightforward explanation of how dirty bitcoins are making their way through the market, paving the way for money laundering. 

 

What can be done?

 

The International Monetary Fund (IMF) has released a report titled “Global Financial Stability Report”[6] which discusses the following details about how cryptocurrencies should be regulated, considering their increasing market capitalization and the growing exposure of banking and financial systems to crypto assets:

  1. Implementation of global standards applicable to crypto-assets should be the key focus area of national policies.
  2. Regulators should identify and control the associated risks of crypto assets, specifically in areas of systemic importance.
  3. Coordination among national regulators is key for effective enforcement and fewer instances of regulatory arbitrage.
  4. Data gaps and monitoring of the crypto ecosystem for better policy decisions should be prioritised by the regulators.

The report also discusses how stablecoins and decentralized finance pose a significant risk to the crypto market and the overall economy if they are not properly regulated and supervised by issuers.

  1. Regulations should be proportionate to the risk and in line with those of global stablecoins.
  2. Coordination is a must, to implement requisite recommendations in the areas of acute risks, enhanced disclosure, independent audit of reserves, and fit and proper rules for network administrators and issuers.

The report also discusses the importance of managing macro-financial risks through:

  1. Enactment of de-dollarization policies, including enhancing monetary policy credibility.
  2. Formulating a sound fiscal position with effective legal and regulatory measures and implementing central bank digital currencies
  3. Reconsidering Capital Flow Restrictions with respect to their effectiveness, supervision, and enforcement

However, according to the report, cryptoization would make finance more cost-effective, quick, and accessible.

There is also an intergovernmental organisation known as the Financial Action Task Force, which is constantly updating its recommendations to maintain legal, regulatory, and operational methods for combating money laundering, terrorism financing, proliferation, and other threats to the integrity of the international financial system. The Financial Action Task Force (FATF) recently released a compliance framework recommending that all anti-money laundering rules that traditional financial systems follow be applied to stable coins, cryptocurrency, and virtual asset service providers. Even though identifying the source of such funds and keeping track of who is the beneficiary of such funds is difficult, countries are still being encouraged to develop provisions that provide for due diligence, record keeping, and the reporting of suspicious transactions.[7]

 

The Legislative Way Forward for India

 

At present, there is no comprehensive legislative framework to govern fintech advancements encompassing blockchain and cryptocurrencies. At best, the present regulatory framework is a patchy, cross-networked arrangement that demands careful deliberations in alignment with the evolving technological innovations in the sector.

The Information Technology Act, 2000:

While the legislation successfully addresses issues like identity theft, hacking, and ransomware and provides a means to tackle the issue of extraterritorial jurisdiction, it is safe to conclude that the serpentine considerations of blockchain cannot be comprehended and addressed by the Act.

The Prevention of Money Laundering Act, 2002 and the Prevention of Money Laundering Rules, 2005

The offences listed in Parts A, B and C of the PMLA Schedule attract the penalties enumerated under the Act.

Part A categorises offences under: Indian Penal Code, Narcotics Drugs and Psychotropic Substances Act, Prevention of Corruption Act, Antiquities and Art Treasures Act, Copyright Act, Trademark Act, Wildlife Protection Act, and Information Technology Act.

Part B enlists offences under Part A with a valuation of Rs 1 crore or more.

Part C exclusively deals with trans-border crimes.

Recently, the Enforcement Directorate attached proceeds of crimes amounting to Rs 135 crores in 7 cases in which the usage of cryptocurrency for money laundering activities was flagged by the authorities.[8]

However, it is pertinent to note that the offences recognised under the respective parts of the schedule only comprise the offences under the current framework of legislation, which is at present not equipped to regulate any segment of cryptocurrency transactions and digital currency operations in the country. 

Foreign Exchange Management Act, 1999

Even though the Act specifies procedures to conduct cross-border and foreign exchange transactions, it fails to identify the role of technology as an instrumental enabler of such transactions at present. However, it is interesting to note that it empowers the RBI to establish a regulatory framework to address the same.

The Payment and Settlement Systems Act, 2007

The PSS Act was enacted with the objective of establishing a regulatory framework for banks and ancillary financial institutions, designating RBI as the nodal authority. Section 4 of the Act states that no payment system shall operate in India without the prior due authorization of the RBI.

Apart from the above-mentioned legislation, regulators like SEBI, Ministry of Electronics and Information Technology (MeitY), Insurance Regulatory and Development Authority of India (IRDAI), and Ministry of Corporate Affairs (MCA) have also undertaken initiatives to implement specialised guidelines. While these regulations deal with the contemporary issues of payments, digital lending and global remittances, none of them has managed to find a concrete ground for effectively supervising and regulating cryptocurrency transactions backed by blockchain in the current volatile ecosystem.

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Furthermore, initiatives should be taken to ensure transparency of such transactions, establish secure authentication transactions for the exchanges and tighten the legislative noose on cyber security systems in the country. Additionally, establishing a centralised statutory body and local self-regulatory bodies across the sovereign, and implementing an extensive centralised framework is also imperative. The current scheme of criminal activities in virtual space transcends geographical boundaries, hence it is crucial for global policymakers to implement mechanisms to ensure coordination and collaboration by institutionalising inter-governmental bodies.

References: 

[1] ‘The Current Landscape Of The Fintech Industry – Fintech Crimes’ (Fintech Crimes, 2022) <https://fintechcrimes.com/the-landscape-of-fintech-in-year-2020/> accessed 9 February 2022.

[2] https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11243&fn=2&Mode=0

[3] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103

[4] https://timesofindia.indiatimes.com/business/india-business/union-budget-2022-no-crypto-bill-listed-this-budget-session/articleshow/89265038.cms

[5] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf

[6] ‘Global Financial Stability Report’ (2021) <https://www.imf.org/en/Publications/GFSR/Issues/2021/10/12/global-financial-stability-report-october-2021> accessed 11 February 2022.

[7] ‘VIRTUAL ASSETS AND VIRTUAL ASSET SERVICE PROVIDERS’ (2021) <https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf> accessed 11 February 2022.

[8] https://economictimes.indiatimes.com/news/india/ed-investigating-7-cases-of-cryptocurrency-usage-in-money-laundering-attaches-rs-135-crore/articleshow/90200012.cms

 

Image Credits: Photo by Bermix Studio on Unsplash

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Further, initiatives should be undertaken to ensure transparency of such transactions, establish secure authentication transactions of the exchanges and tighten the legislative noose on cyber security systems in the country.

POST A COMMENT

TRAI’s Framework for Data Centres, Interconnect Exchanges and Content Delivery Networks- An Update

Communication services such as voice, video, data, internet, and wideband multimedia have become indispensable in the modern society. Information communication technology (ICT) has become a vital resource in development of various economic sectors enabling the various participants in economic and social spheres to have a quick and easy access to information and knowledge. ICT makes communication efficient in all spheres of life- in companies fostering increased efficiency, allowing access to human resource, promoting sustainable development of entrepreneurship.

At present, most sectors and organizations are generating mountains of data on a daily basis. Therefore, to stay competitive, organizations are constantly working to optimize data to leverage it to their advantage. For instance, the banking sector uses data extensively to understand how their customers use data to identify potential security risks. Data plays a vital role in the real estate and property management sector by extending an improved property analysis mechanism, understanding the customers and deciphering the market trends. The telecom industry is also utilizing data to improve in several key service areas, including customer experience, fraud reduction, churn prediction, and dynamic pricing. Further, with the rollout of 5G, data plays a key role in network planning, monitoring and management. Hence, data is the central force for driving crucial innovative and advanced industry solutions for the systematic growth of the economy.

Digital advances have generated enormous wealth in record time, but that wealth has been concentrated around a small number of individuals, companies and countries. Under current policies and regulations, this trajectory is likely to continue, further contributing to rising inequality, not only at the country level between developed and developing economies but also at the level of big online players, controlling data acting as an entry barrier for new entrants, leading to near monopoly in global digital markets. The effect of globalization and the development of the telecommunication sector has also affected the Indian market vitally.

On 21 December 2021 TRAI- the Telecommunication Authority of India released a consultation paper on the ‘Regulatory Framework for Promoting Data Economy through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India’ where it discussed and opined thoroughly on the markets of data economy, its challenges and its growth and future opportunities in the sector.


The TRAI Consultation Paper and Data Centres  

 

The new era of digitization has rolled out 5G, Internet of Things (IoT), and Artificial Intelligence (AI) leading to the creation of data via widespread, geographically distributed networks and new-age devices. Further, Enhanced Mobile Broadband (eMBB), Ultra-Reliable Low Latency Communications (URLLC), and Massive Machine Type Communications (MMTC) are set to emerge as dominant storage interfaces. 5G, along with edge computing, is set to fulfil the needs for ultra-reliable, low-latency, and high-throughput communication. Use cases driven by this intelligence-centric connectivity will catalyse computing at the edge as they effectively become mini data centres and bring a completely new paradigm to storage at the edge. This brings with it a need for advanced networking, computing and storage in edge devices and endpoints.

The main theme of the TRAI consultation paper is the development of a regulatory framework to make the data market more abiding and regulated for systematic development and protection of its users. While competing with the world data economy the need for a proper regulatory framework that can encourage the development of 5G, IoT, data centres, and associated services, data analytics, edge computing, digital platforms, and applications were discussed and their effect on the growth are discussed in the paper.  For any economy to be competitive, it has become essential to become reliable and self-sufficient in terms of futuristic technology. This has bought the Indian government’s inaction to bring in various initiatives and policies to bring digitalisation to the forefront of the market. Policies like Digital India Programme 2015 and National Digital Communication Policy 2018 contributed tremendously to the development and population of the data economy and digitalization.

The TRAI paper clearly emphasized and questioned the potential of growth of data centres in India in light of various challenges in terms of economic/infrastructure and financial aspects. The paper sought views on:

(i) incentives and long-term measures to facilitate growth and investment in data centres, Content Delivery Networks (“CDN”s), and Interconnect Exchanges (“IXP”s).

(ii) building, safety, disaster recovery, and security standards for data centres.

(iii) access to facilities such as dedicated fibre and electricity, and provision of concessional tariffs or subsidies.

(iv) need for a unified data centre policy in India and centre-state coordination.

(v) need for a regulatory framework for CDN and interconnect exchanges in India.

Additionally, it was noted in the paper that the mere establishment of data centres will not efficiently meet the country’s data requirements.  Initiatives to address challenges of data penetration in Tire 2 and Tire 3 cities also has to be addressed. The paper also discussed and opened itself to comments on the green data certification, building norms for data centres and other aspects important for the development of an economically efficient data economy. The paper further discusses the impact of Covid-19 on the digital economy that resulted in a data surge arising out of increased digital social interactions and online transactions.


The Infrastructure of the Data Economy

 

The paper recognises the following three main infrastructures for boosting the data ecosystem and facilities

  • Data Centres
  • Content Delivery Networks
  • Internet Exchange Points

Together these three form the part of what can be termed as “Digital communication infrastructure and services”. It is important to note that with CDN the delivery of the data sought by the users is established and the players like Netflix, Youtube and Amazon establish their own CDN  in locations that are near to users to make the use of the internet bandwidth less which ultimately reduces the cost and make it more economical for them. These CDN networks are not adequately regulated in the Indian market. TRAI with the consultation paper has sought opinions on the same and has also highlighted the point of whether the lack of a regulatory framework for these CDN networks in India affects the growth of the CDN market in the country.

The main mission of the paper was to connect India with proper digital communication infrastructure, propel India with the latest technology including 5G, AI, IoT Cloud, and empower India by securing its digital sovereignty and data protection.

The consultation paper further analysed the idea of the dark fibre cable network, data centre and the regulatory framework or other limitations these data centre companies are facing and how these avenues can be incentivised. 


Infrastructure Requirements for Data Centres

 

The paper discussed the resources which are required for the establishment of the data centres and how their availability or shortage can add to the hardships of the establishment of economical units of the data centre. While opting for and establishing a data centre it’s essential to look into the availability of the power supply and water. India faces an energy deficit of 1,44,1 Million Units (MU). The most affected areas are the rural areas in India. The cost of power can also not be overlooked. The major cost which is approximately 50-60% of the total operating cost of these data centres is the cost of power. The power and cooling segment of the Indian Data Centre power and cooling market is expected to reach $1,065.5 million by 2025, growing at a Compound Annual Growth Rate (CAGR) of 9.4% during the forecast period 2019–2025. 

Water resources were another facility for which data centres might face challenges. The major work of the water is to cool off. As per the report around 15- megawatt of energy in a Data Centre can use up to 360,000 gallons of water a day as the scale of the data centre will rise more reliable sources of water has to be looked into. In the process of cooling off some amount of water is also evaporated leading to loss of water. The question which arose is whether India is ready to meet these power and water supply requirements for the establishment of a highly popularizing segment of data centres. This remains a question of concern to meet the cooking up future requirements

Looking into the matter the TRAI suggested developing renewable energy and development of green data centres. In Europe, the climate-Neutral Data Centre pact is the law that aims to make all of the European Union Climate-neutral by 2050. These green data centres will have low emission rates. A vision to create such data centres and emphasis on the establishment of data centres driven by renewable energy was also emphasised.


Telecom Data and its Security Issues


 

Telecom data is the first digital footprint created by any household. For proper functioning of the services collecting such user data and establishing robust infrastructure for the services providers to proffer better services becomes very essential. For this, the mechanisms of the consented sharing of telecom data and data empowerment and protection Architecture were explained in the paper.

Even though the intention of the Personal Data Protection (Bill) 2019 was to extend legislative protection to users wherein purpose-driven collection of data, user consent to sharing of personal data etc. were addressed, it is yet to be seen how the law progresses in the future. 


Telecom Industry and the OTT Platforms

 

The functioning of the telecom industry and its importance and assistance in the development of Over the Top (OTT) platforms like ‘Netflix’, ‘Amazon’, ‘Hotstar’ can be understood easily. The telecom industry provides the oil to these OTT industry players for smooth functioning and better market reach. In the recent paper released by the Competition Commission of India (CCI) on the market study of the telecom sector, it highlighted the raising trends of a partnership between the telecom Industry and these platforms and how this can act as an entry barrier. 


CCI’s Concern over the Growth of the Telecom Market and its Nexus with TRAI

 

The market study of the telecom sector released by the CCI on 22nd January 2021, highlighted various contemporary competition issues, including upcoming competition issues as the telecom sector is set to see further transformation and innovations with 5G around the corner, discussing:

(a) Financial stability and competition

(b) Vertical integration and competition.

(c) Data privacy and competition.

(d) Infrastructure and competition.

The CCI raised concerns over the data privacy of the users from deals like Jio- Facebook, where the users are robbed of their right to data privacy. Raising concerns of such kind in its study, the TRAI also channelized its discussions on similar lines in its paper where a huge threat to the data privacy of the users was discussed and a strong need to regulate and limit the data sharing and purpose-driven data collection was identified. 


Regulatory Framework for the Data Centres, Current Scenario and the Way Forward

 

A strong surge in the consumption of data has been projected for the coming years. This massive increase in the use of data shall require a robust mechanism for data management, data security, and good data infrastructure. However, India still lacks a centralized regulatory framework that properly regulates or prescribes compliance standards with respect to the establishment of such data centres. This consultation paper by TRAI is the first concrete step in this direction.

The paper received comments from various significant stakeholders. While addressing the issue of data penetration at Tier 1 and Tier 2 cities, Vodafone Idea Limited (‘VIL’), one of the stakeholders, suggested that the Government should extend tax benefits to Service Providers that are building disaster recovery sites to ensure reliable services. Development of Special Economic Zones (‘SEZ’) in TIER 2 & 3 cities should be undertaken to motivate data centre players, rationalization of electricity tariffs across all states and ready infrastructure facilities inclusive of power, transport, water supply, fibre connectivity etc. should be set up in those Tier 2 & 3 cities. VIL further observed that a central law governing data construction and operation should address aspects relating to the entire lifecycle of data centres. Since the National Broadcasting Company (‘NBC’) covers maximum data centre related guidelines, it is recommended to form a single regulatory body under NBC, which should develop India-specific building standards for the construction of data centres operating in India.

Internet freedom foundation, another stakeholder, has also provided its comments and suggestions on the considerations raised in the Paper. The foundation advocated the urgent need for the creation of a multi-stakeholder body for the enforcement of net neutrality. The need for a more efficient data policy specifically designed for the telecom industry was also put forward promoting evidence-based policymaking for the CDNs. In order to ensure a more streamlined functioning of the telecom industry, the foundation emphasized overall sectoral transparency. It raised concerns over data monetization and its threats. Additionally, it placed stress on proper surveillance of these data centres as sensitive data of users would be involved.

The National Association of Software and Service Companies (‘NASSCOM’) in their comments on the paper focused on the development of the CDN market and its growth potential in India. NASSCOM raised concerns over regulatory compliances that can potentially make the Indian CDN market less competitive and advised on initiating strategies to combat the same. It also raised concerns over the reduced network efficiency because of the regulatory requirement of interconnection with Telecom Service Provider (TSP) and Internet Service Providers (ISP) and network neutrality. It opined that both will be affected negatively by the criteria proposed by the paper. It urged TRAI to refrain from imposing ex-ante obligations for mandatory interconnection between CDNs and ISPs.

With all these regulatory challenges the stakeholders also provided their point of view on the issues and challenges of the data centres, from advocating for the establishment of special economic zones and providing some tax benefits for the establishment of the data centres to the need for proper authority for the certification of the data centre as adopted globally has been highlighted. The stakeholders also highlighted the portions wherewith not much effort skilled labour can be found and up-gradation of the existing skills can be done. Data privacy matters took the spotlight in almost all the stakeholders’ comments. They advocated for the implementation of a comprehensive law to deal with the matter at hand. Further, on compliance, the stakeholders emphasized structuring an all-encompassing competent channel for the use and availability of the resources such as power, land, and water for smooth functioning of the data centres.

In 2020, Singapore imposed a moratorium on the establishment of the data centres because of the disparity in the use of resources by 7%. India is already facing challenges in sustainable development and is aiming to become a global hub for data centres, without a practical mechanism in place. It is interesting to note that, states like Karnataka and Tamil Nadu have formulated their policy on the same. They have also sought amendments in the state legislations to incorporate congenial provisions for the establishment of the data centres but until now no steps have been taken.

As per some of the suggestions, in addition to notifying a national policy on data centres, the government should also identify and proffer various incentives for the players keen on undertaking the establishment of such data centres, especially with respect to considerations like electricity, water resources, infrastructure, technology and Research and Development. Before formulating and enforcing anything it’s evident for the government to into consideration all the aspects of labour, resources, real estate etc. before devising a perfectively addresses the challenges of the sector and works in concert towards the benefits of its stakeholders.

In 2020 the Ministry of Information Technology formulated a Data Centre Policy, 2020 discussing the challenges and how a centralised system for clearance and approval for the establishment of data centres has to be structured and new building norms specifically dealing with the construction of the data centres are to be developed. More stress on a smooth regulatory framework for ease of doing business was emphasised.

While the central government is yet to formulate comprehensive legislation to govern data centres, various state governments have undertaken the initiative to regulate the sector within their jurisdiction.

Maharashtra’s Data policy extends fiscal incentives such as stamp duty exemption, electricity duty exemption, value-added-tax refund and property tax benefits for data centres that comply with specific criteria. 

Telangana’s Policy extends fiscal incentives like power, building fee rebates and land at subsidized costs. Additionally, other non-fiscal incentives like exemption from the purview of the Telangana Pollution Control Act, exemption from statutory power cuts and from inspection under specified labour legislation and permissions to file self-certificates have also been offered.

The Tamil Nadu Data Centre Policy 2021 has established a single-window facilitation portal to maintain time-bound processing of applications and coordination with various agencies and departments. Further, incentives such as electricity tax subsidies on power, concessional open access charges and cross-subsidies, dual power and stamp duty concessions and permits for self-certificates pertaining to compliance with respect to statutory registrations and forms under respective labour legislation are provided. 

The Data Centre Policy 2021 of Uttar Pradesh provides incentives with respect to data centre park developers and data centre units. Interest/capital subsidy, land subsidy, stamp duty exemptions and dual power grid network, as well exemption from inspection under labour legislation and permissions to file self-certificates have also been provided for under the legislation.

West Bengal data centre policy 2021 is a 5-year plan providing various power, water and infrastructure facility for the smooth functioning of the data centres. 

Haryana and Karnataka are still finalising their state policy while the Odisha government has also rolled out a policy that needs further development and the status of its implementation is not yet confirmed.

As per some of the suggestions of the stakeholders, in addition to notifying a national policy on data centres, the government should also identify and proffer various incentives for the players keen on undertaking the establishment of such data centres especially with respect to considerations like electricity, water resources, infrastructure, technology and Research and Development. Before formulating and enforcing anything it’s evident for the government to into consideration all the aspects of labour, resources, real estate etc. before devising a perfectively addresses the challenges of the sector and works in concert towards the benefits of its stakeholders.

 

Image Credits: Photo by Ian Battaglia on Unsplash

A strong surge in the consumption of data has been projected for the coming years. This massive increase in the use of data shall require a robust mechanism for data management, data security, and good data infrastructure. However, India still lacks a centralized regulatory framework that properly regulates or prescribes compliance standards with respect to the establishment of such data centres. This consultation paper by TRAI is the first concrete step in this direction.

POST A COMMENT

Privacy Shield 2.0: Cue for EU-India Data Transfer Mechanism?

Since the implementation of GDPR standards across the EU, data transfer between other countries and the EU has become a widely debated complex issue across the world. Article 44 of GDPR permits the transfer of personal data outside the EU, only when the recipient country has an equivalent level of security to protect the personal data of EU citizens, as guaranteed by the General Data Protection Regulation (GDPR). The biggest dilemma that many countries across the globe face is that they either lack a national legislation on data privacy or if they do have one in place, it may not be considered at par with the standards set by GDPR. Such a situation creates a genuine legal obstacle to the transfer of personal data between the EU and those countries.

Conceptualization of the Privacy Shield

Over the years EU and various other countries have developed certain mechanisms to tackle these obstacles created by requirements mentioned under Article 44. Standard contractual clauses (SCC), binding corporate rules (BCR) are such instruments that the countries and corporates have adopted for the transfer of personal data. The United States of America lacks a comprehensively dedicated legislation for data privacy.  However, the country has many sectorial legislation and regulations ensuring the privacy protection of individuals, yet, the EU has consistently ruled that the USA does not guarantee an equivalent level of protection.  Safe Harbour Framework, one such additional mechanism agreed upon between the Governments of the EU and USA defines a series of principles to be followed and adopted by companies for the transfer of personal data. US companies were required to self-certify these principles mentioned under the safe harbour framework and the US regulators would in turn enforce such framework within their limits and jurisdictions.  In 2013, Edward Snowden rocked the world with some lethal revelations about various global surveillance programs run by the NSA. In light of such a disclosure, an Austrian citizen named Max Schrems filed a complaint stating that the US does not provide adequate protection of personal data against such mass surveillance undertaken by authorities. The European Court of Justice (“ECJ/ Court”), noted that the US could allow any national security, public interest argument and law enforcement requirement to prevail over the Safe Harbour framework. Hence, the ECJ concluded that the safe harbour decision was invalid, as it interfered with the fundamental rights of an EU citizen. This decision is widely known as Schrems I. After courts invalidated the safe harbour decision, the European Commission and the US Department of Commerce came up with the Privacy Shield framework for the continued transfer of data from the EU to the US.  US Corporations who intend to receive personal data from the EU self-certify before the Department of Commerce that they will adhere to certain principles recognised in the Privacy Shield. These principles were developed by the US Department of Commerce in consultation with the European Commission. This led Max Schrems to again file a complaint challenging the validity of the privacy shield and the use of SCCs by companies to bypass the requirements of adequate protection stipulated by Article 44 of the GDPR on the ground that US investigation agencies have unlimited access rights of personal data retained with USA corporations neither Privacy Shield nor SCCs prevents those rights. Accordingly, it was argued that Privacy Shield or SCCs does not ensure the privacy rights of EU citizens. This case soon came to be known as Schrems II. The Court of Justice of the European Union (CJEU) examined the US’s Foreign Intelligence Surveillance Act and the surveillance programmes that such provisions allow and found that US agencies have wider access rights on every data retained with USA corporations and Privacy Shield in any manner takes away these rights of USA investigative agencies.   CJEU accordingly invalidated the EU-US privacy shield mechanism. The judgment in Schrems II had led to a major deadlock between US-EU economic relations, particularly concerning the transfer of data. With no approved mechanism in sight, companies found it difficult to transfer data for achieving their business obligations. On 25th March 2022, the EU commission and US government announced that they had agreed in principle on a new framework for the purpose of cross border transfer of data, known as Privacy shield 2.0. The new framework promises to provide benefits to both sides of the Atlantic and ensure that a balance is created between the new safeguards and the national security objectives of the US, which will ensure the privacy of EU personal data. The text of this new framework has not been released.  The press note released by the White House contains a few details that the framework might incorporate. It states that intelligence collection might be undertaken only where it is necessary to advance legitimate national security objectives and in no way should impact the protection of privacy and civil liberties[1]. In addition, the US intelligence agencies will adapt procedures to ensure effective oversight of new privacy and civil liberties standards[2]. Moreover, a proposal to set up an independent Data Protection Review Court has been mooted for EU individuals seeking claims and damages for breach of their personal data by the US Government. The proposal also details that the adjudicating members or individuals shall be chosen from outside the US Government. If Privacy shield 2.0 does pass the test laid down by the European courts, experts believe that this could trigger an estimated $7.1 trillion economic relationship between the US and the EU. Hopefully, Privacy shield 2.0 will be able to provide a predictable, effective and lasting remedy for transferring personal data from the EU to the USA.

Data Transfer between EU and India

The above discussions and mechanisms have a significant relevance in relation to data transfer between the EU and India. The Indian investigation and intelligence agencies have similar powers to their US counterparts in terms of their right to access or demand or conduct searches in any Indian enterprises and collect all relevant data required.  The fundamental right to privacy recognised in the Puttuswamy case is not absolute. Further, as per Article 19(2) of the constitution, the state can impose reasonable restrictions on the exercise of fundamental rights in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence. Moreover, Section 69, of the IT Act, 2000 provides the Central and State government with the power to intercept or monitor any information stored in a computer resource provided such information is required for:
  • In the interests of India’s sovereignty and integrity.
  • Defence of India,
  • State’s security,
  • To maintain friendly relations with other nations, or
  • To maintain public order, or
  • For preventing incitement to the commission of any cognizable offence relating to the above, or
  • For investigation purposes
The above provisions are similar to the rights available to US investigative agencies. For the same reasons, the Schrems II judgment and Privacy Shield mechanisms are relevant while considering EU-India data transfer. Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. Unfortunately, neither of the Governments has taken any urgency to initiate the formulation of rules similar to the Privacy Shield. It is worthwhile to consider whether the new Privacy Shield 2.0 could be considered and replicated in India.  If both the governments can demonstrate their intent, the groundwork for a contusive business environment for data transfer between the two sovereigns can be initiated.

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. 

POST A COMMENT

Navigating the Legal Quagmire of Limitations on Trademark Oppositions

Though the pandemic seems to be receding across the world, the problems that it has created seem to be multiplying, and the legal system has been grappling trying to address the issues affecting business. The High Court of Delhi, in a recent judgment, Dr. Reddys Laboratories Limited vs. the Controller General of Patents, Designs and Trademarks, sent shockwaves through the system.

The petitioners had filed writ petitions against the haphazard manner in which the Controller General of Patents, Designs and Trademarks (“CGPDTM”) had handled the filing of Trademark opposition proceedings during the pandemic. The petitioners were aggrieved when they discovered that opposition proceedings couldn’t be initiated on the online portal of the Trademarks Registry post the statutory timelines of four (4) months, as prescribed under Section 21 of the Trademarks Act, 1999. However, the Supreme Court in Suo Moto Writ (Civil) No. 3 of 2020, titled In Re: Cognizance for Extension of Limitation, had extended the statutory time period in India. Additionally, the Trademarks Registry also refused to accept such oppositions when filed manually. Further, the Trademarks Registry went on to issue the Certificates of Registration even though they were aware of the requests to initiate opposition.

The Supreme Court had clearly stated in the aforementioned order that “the time period between March 15, 2020, and February 28, 2022, has to be fully excluded for the purpose of calculating limitation under all enactments and statutes, both before judicial and quasi-judicial bodies.” The CGDPTM had also reaffirmed the above order vide its notice of January 18, 2022. The petitioners argued that the non-acceptance of the oppositions was in contravention of the Supreme Court order, especially as it had been reaffirmed by the CGDPTM as well.

The officials of the CGDPTM also informed the court that more than 4 lakh registration certificates had been granted during this period. Further, vide an affidavit submitted by the CGDPTM, it was affirmed that 113517 oppositions were filed between the periods of March 24, 2020, and February 28, 2022. It was also mentioned that “6,000-7,000 oppositions have been filed during the pandemic period beyond the four-month period of limitation, and the same have also been entertained.” Thus, the CGDPTM has been accepting oppositions in a very haphazard manner, undermining the rights of those who wished to initiate opposition actions and has also issued Certificates of Registration, granting challengeable rights to applicants.

As the limitation period in terms of the orders of the Supreme Court would have been extended for filing oppositions to the said applications until the expiry of 90 days from March 1, 2022, i.e., till May 30, 2022, the High Court of Delhi has instructed as follows:

  • Opponents must send emails expressing their interest in opposing any of the marks until May 30, 2022. On receipt of any such email, even if the mark currently stands as opposed, the CGDPTM is to facilitate the filing of the opposition either through the online platform or by accepting the same manually.
  • If the mark stands registered, and in the absence of any request to oppose the marks by May 30, 2022, the mark will continue to stand registered.
  • For those marks that stand as registered, if the opposition is received by May 30, 2022, the Certificates of Registration shall stand suspended till the opposition is decided upon.

The High Court of Delhi has also gone on to caution the CGDPTM and instructed them to develop a mechanism to dispose of the huge backlog of opposition currently pending at their end.

Right holders, especially those who are in receipt of the Certificates of Registration, will need to keep their fingers crossed that no oppositions are filed by May 30, 2022. Furthermore, infringement proceedings may not be initiated against infringing parties until the May 30, 2022 deadline.

The haphazard handling of the opposition proceedings in this time period has created both a logistic nightmare as well as hampered the rights of numerous applicants. With more skeletons coming out of the closet of the CGDPTM, it remains to be seen how they are handled. The High Court of Delhi needs to be lauded for taking such a sensitive issue and handling it at the earliest.

Exciting times to navigate through the curveballs thrown by the CGDPTM. 

Image Credits: Photo by Markus Winkler on Unsplash

The haphazard handling of the opposition proceedings in this time period has created both a logistic nightmare as well as hampered the rights of numerous applicants. With more skeletons coming out of the closet of the CGDPTM, it remains to be seen how they are handled.

POST A COMMENT

Self Reliance: Not Just a Political Construct Anymore

Since independence, Indian political leaders have espoused the need for “self-reliance”. Over the last five decades, we have certainly achieved this goal in areas such as the production of food grains and milk. It is clear that we have not done so in some other basic areas, including education, healthcare and energy. When the government announced “Make in India” and “Atmanirbhar”, some called it “old wine in new bottles” or “mere election slogans”. While there may be some truth in these allegations, it cannot be denied that recent developments around the world (and in our own neighbourhood) are forcing us to rethink concepts such as “national interest” and hence, “self-reliance”.

Self-Reliance Important Despite Globalization

Especially in the last two years, major events have unfolded that continue to have a significant impact on our lives and indeed, the world as we know it. The pandemic has painfully underscored global interdependence amongst countries. Whether it was PPE kits, face masks, syringes or vaccines, no one country had it all. And if they did, they chose not to share it with others. Inherent inequities in the current global healthcare and socio-economic systems led to many parts of the world remaining without access to resources that were critical to preventing infection and the spread of COVID 19. Many western countries with the financial muscle to place bulk vaccine orders in advance end up destroying millions of expired vials. What a waste! Arguably, political and governance decisions made even a couple of months before the vaccines expired could have helped to vaccinate hundreds of thousands of people in less fortunate countries that were not self-reliant.

Russia’s month-long invasion of Ukraine continues even as I write this post. Many countries have united to impose a range of sanctions on Russia; many have stayed away. But in an interdependent world, the impact of such sanctions cannot be localised to just one country. India, which imports more than 85% of its crude oil requirements, has been adversely affected. Many of our young citizens who were pursuing medicine or other courses in Ukraine, have been affected. It is unclear whether they will be able to complete their education in Ukraine if the war continues, and what alternatives there may exist.

Petroleum is a natural resource and we cannot do much on the supply side if we do not have economically exploitable reserves in India (whether onshore or offshore). We have little choice but to look at alternative energy sources and manage demand- which is what we have been doing for some years now. An example is the Electric Vehicle revolution that is beginning to gather momentum. Similarly, drones have the potential to transform many fields, including agriculture, logistics, healthcare and of course, defence- but we need to develop the capacity to design and build them in India.

As the world evolves even more into a knowledge economy, innovation will be a clear source of competitive advantage. Not just through technological advancements in fields like AI/ML, IoT and quantum computing, but also through innovations in creating appropriate legal frameworks to ensure the orderly functioning of the global/national systems. This also means revamping our education system to ensure that it encourages the kind of critical thinking that’s needed in the years ahead. The New Education Policy was introduced in 2020, but many teething troubles remain; steps need to be taken quickly to resolve them if we are to benefit from this new approach to primary, secondary and higher education in our country.

Fostering Self-Reliance Involving Multiple Stakeholders

While the Founding Fathers had a certain perspective when they wrote our constitution, that worldview was limited by what they envisioned at the time. It is reasonable to say that the world has changed drastically in the last 70 years. Indeed, many of these changes could not have been imagined in the late 1940s or even in the 1990s. This is why we, as a nation, must view “self-reliance” in a different way than we have done in the past. The quasi-federal structure that we have given ourselves must not impede progress; the Central and State Governments must work together to formulate policies that complement and supplement each other and are not designed to create face-offs.

Policies and strategies alone are not enough; action is needed on the ground to convert them into actionable plans, projects and measurable goals. This needs everyone to work together. The private sector must play its part in making the necessary investments in building critical capacities and training our youth. The PLI scheme has begun to show some results, and I hope manufacturing of drones, electric vehicles and batteries based on sodium, etc. will also soon take off in a bigger way. Our citizens, too, have an important role to play. The advice to “reuse, reduce, recycle” is not just for environmental gains; it has the potential to conserve physical and financial resources that will make it easier for us to become self-reliant.

The starting point is to set aside ego and ideological differences, make the effort to understand other points of view and work together to build a self-reliant India that becomes a self-contained ecosystem that is more capable of bearing external shocks in the future. We cannot predict what these shocks might be or where they will originate, but we can be better prepared.

Image Credits: Photo by Christopher Burns on Unsplash 

While the Founding Fathers had a certain perspective when they wrote our constitution, that worldview was limited by what they envisioned at the time. It is reasonable to say that the world has changed drastically in the last 70 years. Indeed, many of these changes could not have been imagined in the late 1940s or even in the 1990s. This is why we, as a nation, must view “self-reliance” in a different way than we have done in the past.

POST A COMMENT

IS17428 -A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of India Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed as an assurance extended to the customers/users by the organizations of well-implemented privacy practice. The BIS being a statutorily created standard-setting body of our country will bring some welcome change in our data management.  

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data protection bill was expected to be tabled in parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year, however, it was sent to the Joint Parliament Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later ISO27701 was specifically introduced that focused on Privacy Information Management.  However, our Indian enactment has not specifically endorsed any such standards though Standards formulated by the industry association that is approved and notified by the Central Government are also deemed appropriate.  In this background, BIS introducing a standard is a welcome initiative as it will help in bringing uniformity in terms of the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them and when such collection is through an indirect method employed by the organisation, then it is the duty of the former to convey by the same in an unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers
Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, provision access to the information and the means to update the information.

 

How IS 17428 would help in Privacy and Data Protection? 

 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

 

The proposed data protection legislation and the IS 17428

 

The IS 17428 standard has been inspired primarily from the principles dictated from OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation on the other hand has many divergences from the above instruments in many respects. For Instance, the IS standard has an elaborate description provided for the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill but nevertheless, the standard has recommended a few other factors such as geographical operation, industrial domain and type of individuals as specific factors to be taken into consideration while drafting the privacy objectives. How much discretionary privacy standards can be created, what is allowed freedom for industries in this regard is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, has it failed to take into account the special requirements contemplated under the PDPB, 2019 which may eventually become the law of the country thereby, once this law is enacted, this standard will also be required to be modified. The government has not made any announcement as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data protection bill around the corner, the Data Protection Authority envisaged being constituted under the legislation which shall have the power to issue code, guidelines, and best practices for protecting the privacy of data subjects. How IS 17428 standards framed by the BIS will be looked at by the DPA or the proposed rule will offer a different set of practices shall be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

POST A COMMENT