There is a Tide in the Affairs of Men…and Nations too

Three decades ago, the mobile revolution helped India overcome its communication challenges. Today, mobile phones have become a commodity in India. At least feature phones have, even if smartphones haven’t. But if you are old enough to remember India during the mid-1990s, you will know that India’s fixed line telephone density was very low at that time. Getting new telephone connections was tough, and involved waiting periods that often extended to several months. Due to ageing cables, making telephone calls was a challenge, and even when calls were connected, the quality was poor.  

Mobile communication technologies unleashed a powerful revolution that changed all this. Even far-off locations where laying fixed-line cables was a challenge got access to mobile towers and signals. So huge has been the transformative power of mobile technologies that an entire generation of regulatory reforms, business models and lifestyle paradigms all depend on the ubiquitous mobile phone.

Why is this relevant now?

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones, Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technology in the recorded history of humankind.

The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving. India as a country has the technical and commercial savvy to harness these new technologies and drive innovations. What is needed is the educational and industrial framework to ensure that students get to acquire and sharpen their expertise in these new areas and start applying them to solving real-world problems. The National Education Policy is one step in this direction, but implementing it in the right way is key. Not just the curriculum, but the whole system of education must change. Internships must become more focused and integrated with the learning process, and not just a certificate-driven activity as it largely has been (and is).

It’s not just the central government that needs to act with alacrity and vision; state governments also need to formulate the right policies and rules to ensure that the country as a whole is able to take advantage of the massive disruption that is occurring all around us. Some states have woken up to this need and are putting in place plans to encourage entrepreneurs and attract investments into key sectors. The initial agreement to set up a chip-making facility in Karnataka is one example- but it’s early days yet, and many more hurdles need to be overcome.

The startup ecosystem, too, needs to readjust its approach to backing ventures in these new areas. Yes, the risk will be higher and the failure rate may be higher, but these ventures must be seen as proving grounds for technologies and ideas. Our private sector must also be ready to make the necessary investments to embrace these new technologies and lead innovation and adoption. Our large IT services industry must accelerate the shift to provide offerings built around these new areas. A lot is already happening, but the pace must pick up. India’s public sector, long regarded as a white elephant, can also play a key role by absorbing these technologies and innovatively deploying them in sectors of national importance, such as energy, agriculture, disaster recovery, infrastructure development, defence etc.

Achieving all this requires macroeconomic stability: inflation under control, relatively stable exchange rates and an adequate money supply. For a number of reasons that are outside the control of our government or individual companies, these conditions may not be met immediately. But as responsible citizens, business leaders, regulators, teachers and parents, each one of us has a role to play. Of course, the executive, the legislature and the judiciary also have their own roles to play.

To quote Brutus from Shakespeare’s play “Julius Caesar”,

“There is a tide in the affairs of men
Which, taken at the flood, leads on to fortune;
Omitted, all the voyage of their life
Is bound in shallows and in miseries.
On such a full sea are we now afloat,
And we must take the current when it serves,
Or lose our ventures”.

This is very much the situation that much of the world finds itself in at this time. If we in India can rise to the occasion, our continued ascendancy as a power is assured. But there is many a slip between the cup and the lip, and if we squander time and energy on needless and irrelevant issues, it is just as certain that we will not realise our potential. Let us make the right choice.

Image Credits: Photo by Pete Linforth from Pixabay 

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones and Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technologies in the recorded history of humankind. The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving.

POST A COMMENT

CERT-IN's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction mandates all service providers, government organisations, data centres, intermediaries and body corporates to mandatorily report within 6 hours of noticing or being brought to notice of any cyber incident. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for a list of cyber security incidents that needed to be reported mandatorily by these entities mentioned above. The rules had previously listed 10 different types of cyber security incidents which need to be mandatorily reported. Apart from these 10 types, the new direction has also categorised data breaches, data leaks, attacks on IoT, and payment systems, fake mobile apps, unauthorised access to social media accounts and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3Dand 4D printing, drones as cyber security incidents which should be mandatorily reported. 

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with the CERT-In. The name and other details of the point of contact shall be sent to CERT-In and the entity should also ensure that it is updated every now and then when there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction mandates all entities mentioned in the direction to mandatorily maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and the same should be handed over to the CERT-In in the event of a cyber security incident or any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers to obtain KYC information from their customers. Further, these entities are also obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred. 

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) for synchronisation into the ICT system. Moreover, where ICT infrastructure of the entities are scattered in multiple locations, the entities are free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp

Image Credits: Image by Pete Linforth from Pixabay

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a body corporate in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared to the CERT rules 2013, the new directions have an expanded scope and applicability and a significantly increased compliance bracket for entities.

POST A COMMENT

New Labour Codes : How to Prepare for the Challenges Ahead?

A couple of years ago, India’s Parliament approved four new Labour Codes that cover important areas such as Wages, Social Security, Industrial Relations and Occupational Safety and Health. Labour reforms have been a long-pending agenda item for successive governments. The creation of these codes was aimed at modernizing, rationalizing and strengthening India’s arguably archaic labour-related laws. The new codes are also intended to attract investments into various sectors and make it easier to do business in India.

Although the Central Government notified these four new Labour Codes in September 2020, even now, a majority of states have not notified rules; less than half the states have even come up with draft rules. There has been some talk in recent days that the government may decide to implement the new codes effective 1 July. While this has not been officially confirmed, the inevitability of the implementation of the new codes makes it important for state governments to quickly come up with their draft rules and allow time for consultation so that loopholes and lacunae can be plugged before they come into effect. There will naturally be protests against the new laws because any change causes pain by forcing people outside their zones of comfort.

Once the new labour codes come into effect, two key changes will occur that will directly impact employees and organizations:

Working hours: It is expected that working hours may increase from the current 9 hours a day to 12 hours a day. The flip side, however, is that employees will need to work only four days a week, instead of the current five.

Take-home salary: The new wage code stipulates that an employee’s “basic salary” must be at least 50% of the total salary. This will cause changes to allowances and other perquisites that are widely used for tax planning purposes. A higher Basic Salary also means that deductions towards retirement benefits such as provident fund and gratuity will increase. In turn, this will reduce the net take-home salary for employees. However, this also means that employees will accumulate a much larger corpus of money when they retire, in effect, trading off current consumption with future security.

Adapting to this change will require companies to revisit policies, employment terms and contracts and even operating procedures. It may require fresh investments in amenities for workers and other employees at factories, construction sites, stores etc. New compliance requirements will arise, which means that business leaders, HR teams and those responsible for compliance must gear up to ensure that the organisation remains compliant with the new set of rules. This task becomes more difficult because the new codes have amalgamated a number of laws. For example, four laws have been amalgamated into the Wage Code, three into the Industrial Relations Code, nine into the Social Security Code and thirteen laws into the Occupational Safety, Health and Working Conditions Code, 2020.

Organizations must also keep in mind that these new codes will need to be implemented in tandem with hybrid ways of working. Even when employees were required to work for only 9 hours a day, there have been many instances of individuals (across industries and companies) working for 14 hours a day in a “work from home” model. Care must be taken to ensure that work-life balance is not further damaged by the extended working hours that the new codes provide for.

Business organizations with offices and production facilities in multiple locations spread across a number of states will need to be extra careful to ensure compliance with every state’s laws. Enterprises considering M&A will need to evaluate the costs of compliance with the new labour codes as part of their due diligence and strategic/financial assessment during valuation. Expert advice will be needed to minimize the pain that will inevitably accompany the transition. But given the intent of the new labour codes, it is fair to say that if they are backed by pragmatic rules, they will surely play a key role in accelerating the country’s economic growth in the years ahead.

Image Credits: Photo by Pop & Zebra on Unsplash

Adapting to this change will require companies to revisit policies, employment terms and contracts and even operating procedures. It may require fresh investments in amenities for workers and other employees at factories, construction sites, stores etc. 

POST A COMMENT

Are Reservations Adequate to Foster Diversity & Inclusion?

                                                   Non-inclusion and lack of diversity are a painful reality that needs to be urgently addressed. 

It is beyond dispute that in different parts of the world – India included – discrimination continues to exist, although constitutional provisions and a number of other laws explicitly prohibit such actions. Several factors such as race, caste, gender, economic status, religion, complexion and other aspects of physical appearance, mental abilities, sexual identity, education, linguistic skills, etc., are used to make distinctions between people that lead to various decisions. Sometimes, the inferences made are limited to an individual’s mind, but often they influence decisions that impact someone else’s life. 

In India, this challenge is visible right from the primary school level and continues till the individual’s retirement and perhaps death. Educational institutions have been directed to ensure affirmative actions to reduce the inequalities in access to and the right to education. This takes the form of reservations of seats based on specific criteria. The government as well as public and private sector organisations have reservations based on various considerations. Certain constituencies too have been identified as “reserved”, which means candidates must come from a specified caste/tribe, etc.

There is no doubt that families, organisations and countries can progress on all fronts only if there is broad societal representation. Countries that are able to achieve this will develop faster- not just in terms of economic indicators, but also in equally critical areas such as health, education, justice, environment, women’s safety, child welfare, etc. But are reservations sufficient to achieve this lofty objective?

Reservations do not Account for “Intersectionalities”

 

I believe that our experience so far in India does not support the notion that reservations are adequate or even the best option. They may be necessary, but are far from being an effective solution in practise because of the reality of “intersectionality”. An individual may not qualify for a reservation based on caste, but what if s/he comes from an Economically Weaker Section of society? Which criterion gets primacy between caste and gender? Unless a priority is determined, it is likely that caste-based reservations will benefit men more than women (from the same caste).

Even in the corporate context, reservations largely manifest during the intake of talent at the entry-level. At more senior levels, the talent pool is largely skewed towards males, who benefit from privilege in various forms (including not being impacted to the same extent by parenting responsibilities). In turn, this reduces the likelihood that women will be able to break the glass ceiling. There are shining exceptions of women who have overcome all odds, but that is more due to their individual abilities, hard work and possibly the good fortune of having excellent mentors and visionary leaders than to an environment that consciously recognises and empowers merit, irrespective of other criteria.

Fostering Diversity and Inclusion Needs More Than Just Reservations

 

A multi-pronged approach is needed to address the issue of diversity and inclusion. The central government (and state governments as necessary) needs to formulate national or state policies across sectors in order to consciously recognise and address the realities of the multiple intersectionalities that prevail in our society. While some of these elements may be conscious individual choices, most of them are “historical” or the result of factors outside an individual’s control. This means reservations must account for various elements that can co-exist and not treat them as discrete. This is easier said than done and may require experiments to figure out what works best. But, in order to reap the benefits of our demographic dividends, we must act now!

However, formulating policies is not enough, as is evident from so many other facets of our society. The key lies in ensuring that the policies are complied with not just in letter, but also in spirit. Multiple stakeholders need to be consulted, so that different views are factored in. Indeed, this is where diversity and inclusion must begin.

Private and public-sector organisations are key stakeholders in an attempt to raise diversity and inclusion in India. These organisations must consciously train their people at all levels to value diversity of thought, opinion and lived experiences. This means changing how meetings are conducted (e.g., by giving everyone the opportunity to speak and not pushing the leader’s views and opinions down everyone’s throats). It means coaching leaders to encourage diverse talent pools to make decisions around promotions, key projects etc. It means walking the talk and rejigging the organization’s rewards systems to recognise and reward diversity that translates to business value. 

“Diversity” should not be limited to gender; it must cover as many elements as possible, including, for example, generational differences. This will become an increasingly important area. It means ensuring that offices are built/modified to provide access to people with disabilities and appropriate amenities. Business/HR leaders must rethink their visions to consciously bring out elements of diversity and inclusion. Genuine efforts must be made to eliminate gender pay gaps, even if it means a hit to the P&L account. All this is not something that can be easily legislated, although some indicators can perhaps be brought under the ESG umbrella.

The problem is complex, and so it does not lend itself to simplistic, formula-based solutions. All stakeholders must have alignment in their thinking so that there is concerted action in various spheres. This alone will enable the world to ensure that diversity and inclusion moves from the ivory towers to the realm of daily life.

Image Credits: Photo by Andrew Moca on Unsplash

A multi-pronged approach is needed to address the issue of diversity and inclusion. The central government (and state governments as necessary) need to formulate national/state policies across sectors in order to consciously recognise and address the realities of the multiple intersectionalities that prevail in our society. While some of these elements may be conscious individual choices, most of them are “historical” or the result of factors outside an individual’s control. This means reservations must account for various elements that can co-exist and not treat them as discrete.

POST A COMMENT

Cryptocurrency and Money Laundering: Deciphering the Why and the How

The financial sector continues to revel in the advancement of disruptive technological innovations. Due to the attractive rates and fees, ease of access and account setup, variety of innovative products and services, and improved service quality and product features, financial technology is attracting more customers and investors today.[1] Despite the numerous advantages of these sectoral transformations, it is impossible to deny that the digitization and ease with which the internet has enabled all of us to function effectively in our day-to-day work has also created a space for virtual crimes.

Amidst the pioneering fintech revolution, cryptocurrency has emerged as a modern financial technology that can be used to easily launder money. Despite rapid market fluctuations and an uncertain legal status, cryptocurrency continues to captivate Indian investors, who are undeterred and unbothered by the associated risks of cyber fraud.

This article will explore how the crypto market nurtures a convenient and fertile ground for money laundering activities.

 

Cryptocurrency and India

 

The Indian regulatory market has had a hot and cold relationship with cryptocurrency over the years. The RBI, vide Circular DBR.No.BP.BC.104/08.13.102/2017-18 dated April 06, 2018[2], restricted all crypto transactions. However, in 2020, the Supreme Court effectively struck down the ban. As a result, the RBI stated in Circular DOR. AML.REC 18/14.01.001/2021-22 that banks and financial institutions cannot cite the aforementioned circular to warn their customers against dealing in Virtual Currencies. However, it did state that, “Banks, as well as other entities addressed above, may, however, continue to carry out customer due diligence processes in line with regulations governing standards for Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) and obligations of regulated entities under the Prevention of Money Laundering Act (PMLA), 2002, in addition to ensuring compliance with relevant provisions under the Foreign Exchange Management Act (FEMA) for overseas remittances.”[3]

At present, while the talks of implementing comprehensive legislation governing cryptocurrencies have fizzled out, the Union Budget 2022 brought digital currencies under the tax net. As of 2022, the crypto asset market in India stands at an approximated evaluation of 45,000 Crores and 15 million investors[4].

However, it is pertinent to note that it is transactions, not investments, in the digital currency that pose an issue. In India, the Enforcement Directorate discovered over 4,000 crores of such illegal cryptocurrency transactions in 2021. As per the 2022 Crypto Crime Report by blockchain data firm Chainalysis[5], cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021, $6.6 billion in 2020 and $10.9 billion in 2019. Furthermore, the study discovered that at the moment, darknet market sales or ransomware attack profits are virtually derived in cryptocurrency rather than fiat currency, thus significantly contributing to the data. 

Money laundering, terror financing, drug dealing, and other criminal activities are all done using cryptocurrency transactions. Although these transactions are recorded on a blockchain and are traceable, criminals use mixers and tumblers to make it difficult for a third party to track them.

 

The Laundering Mechanism

                           

                                    Eurospider Information Technology AG, “Mixers Tumbler Example,” fig.

For clarity, refer to the above image. Using the OHNE mixer, A sends 20 bitcoins to B, U sends 15 bitcoins to V, and X sends 5 bitcoins to Y. These are single-layer transactions that are simple to trace and identify.

The transaction takes place in a different way in the second image, where the MIT mixer is used. For the sake of brevity, let us consider a single layer of mixer being used. In real life, the number of mixers used is in the thousands. Here, A sends 20 bitcoins to M1, U sends 15 bitcoins to M2 and X sends 5 bitcoins to M3. In the next stage, B receives 20 bitcoins from M2, V receives 15 bitcoins from M1, and Y receives 5 bitcoins from M1. The difference we must notice is that B, V, and Y are receiving the same number of bitcoins as in picture one, but not from A, U and X, respectively. Because there is no information about A sending bitcoins to B, U sending bitcoins to V, or X sending bitcoins to Y, these transactions are not single-layered and are impossible to trace. Hence, making the transaction anonymous.

Criminals use a similar method to send money using cryptocurrencies. Consider the following scenario to gain a better understanding: A, B, C, and Z are cryptocurrency users who keep their coins in their digital wallets. They use the same mixing service to make transactions. A, B, and C are law-abiding citizens, while Z is a criminal involved in drug trafficking. A has to pay X a certain amount of money. X is paid, but the bitcoins he received were deposited by Z, a drug trafficker. When X received the payment, he had no idea that the bitcoins he had were dirty bitcoins and had been used for illegal activities. This is a straightforward explanation of how dirty bitcoins are making their way through the market, paving the way for money laundering. 

 

What can be done?

 

The International Monetary Fund (IMF) has released a report titled “Global Financial Stability Report”[6] which discusses the following details about how cryptocurrencies should be regulated, considering their increasing market capitalization and the growing exposure of banking and financial systems to crypto assets:

  1. Implementation of global standards applicable to crypto-assets should be the key focus area of national policies.
  2. Regulators should identify and control the associated risks of crypto assets, specifically in areas of systemic importance.
  3. Coordination among national regulators is key for effective enforcement and fewer instances of regulatory arbitrage.
  4. Data gaps and monitoring of the crypto ecosystem for better policy decisions should be prioritised by the regulators.

The report also discusses how stablecoins and decentralized finance pose a significant risk to the crypto market and the overall economy if they are not properly regulated and supervised by issuers.

  1. Regulations should be proportionate to the risk and in line with those of global stablecoins.
  2. Coordination is a must, to implement requisite recommendations in the areas of acute risks, enhanced disclosure, independent audit of reserves, and fit and proper rules for network administrators and issuers.

The report also discusses the importance of managing macro-financial risks through:

  1. Enactment of de-dollarization policies, including enhancing monetary policy credibility.
  2. Formulating a sound fiscal position with effective legal and regulatory measures and implementing central bank digital currencies
  3. Reconsidering Capital Flow Restrictions with respect to their effectiveness, supervision, and enforcement

However, according to the report, cryptoization would make finance more cost-effective, quick, and accessible.

There is also an intergovernmental organisation known as the Financial Action Task Force, which is constantly updating its recommendations to maintain legal, regulatory, and operational methods for combating money laundering, terrorism financing, proliferation, and other threats to the integrity of the international financial system. The Financial Action Task Force (FATF) recently released a compliance framework recommending that all anti-money laundering rules that traditional financial systems follow be applied to stable coins, cryptocurrency, and virtual asset service providers. Even though identifying the source of such funds and keeping track of who is the beneficiary of such funds is difficult, countries are still being encouraged to develop provisions that provide for due diligence, record keeping, and the reporting of suspicious transactions.[7]

 

The Legislative Way Forward for India

 

At present, there is no comprehensive legislative framework to govern fintech advancements encompassing blockchain and cryptocurrencies. At best, the present regulatory framework is a patchy, cross-networked arrangement that demands careful deliberations in alignment with the evolving technological innovations in the sector.

The Information Technology Act, 2000:

While the legislation successfully addresses issues like identity theft, hacking, and ransomware and provides a means to tackle the issue of extraterritorial jurisdiction, it is safe to conclude that the serpentine considerations of blockchain cannot be comprehended and addressed by the Act.

The Prevention of Money Laundering Act, 2002 and the Prevention of Money Laundering Rules, 2005

The offences listed in Parts A, B and C of the PMLA Schedule attract the penalties enumerated under the Act.

Part A categorises offences under: Indian Penal Code, Narcotics Drugs and Psychotropic Substances Act, Prevention of Corruption Act, Antiquities and Art Treasures Act, Copyright Act, Trademark Act, Wildlife Protection Act, and Information Technology Act.

Part B enlists offences under Part A with a valuation of Rs 1 crore or more.

Part C exclusively deals with trans-border crimes.

Recently, the Enforcement Directorate attached proceeds of crimes amounting to Rs 135 crores in 7 cases in which the usage of cryptocurrency for money laundering activities was flagged by the authorities.[8]

However, it is pertinent to note that the offences recognised under the respective parts of the schedule only comprise the offences under the current framework of legislation, which is at present not equipped to regulate any segment of cryptocurrency transactions and digital currency operations in the country. 

Foreign Exchange Management Act, 1999

Even though the Act specifies procedures to conduct cross-border and foreign exchange transactions, it fails to identify the role of technology as an instrumental enabler of such transactions at present. However, it is interesting to note that it empowers the RBI to establish a regulatory framework to address the same.

The Payment and Settlement Systems Act, 2007

The PSS Act was enacted with the objective of establishing a regulatory framework for banks and ancillary financial institutions, designating RBI as the nodal authority. Section 4 of the Act states that no payment system shall operate in India without the prior due authorization of the RBI.

Apart from the above-mentioned legislation, regulators like SEBI, Ministry of Electronics and Information Technology (MeitY), Insurance Regulatory and Development Authority of India (IRDAI), and Ministry of Corporate Affairs (MCA) have also undertaken initiatives to implement specialised guidelines. While these regulations deal with the contemporary issues of payments, digital lending and global remittances, none of them has managed to find a concrete ground for effectively supervising and regulating cryptocurrency transactions backed by blockchain in the current volatile ecosystem.

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Furthermore, initiatives should be taken to ensure transparency of such transactions, establish secure authentication transactions for the exchanges and tighten the legislative noose on cyber security systems in the country. Additionally, establishing a centralised statutory body and local self-regulatory bodies across the sovereign, and implementing an extensive centralised framework is also imperative. The current scheme of criminal activities in virtual space transcends geographical boundaries, hence it is crucial for global policymakers to implement mechanisms to ensure coordination and collaboration by institutionalising inter-governmental bodies.

References: 

[1] ‘The Current Landscape Of The Fintech Industry – Fintech Crimes’ (Fintech Crimes, 2022) <https://fintechcrimes.com/the-landscape-of-fintech-in-year-2020/> accessed 9 February 2022.

[2] https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11243&fn=2&Mode=0

[3] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103

[4] https://timesofindia.indiatimes.com/business/india-business/union-budget-2022-no-crypto-bill-listed-this-budget-session/articleshow/89265038.cms

[5] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf

[6] ‘Global Financial Stability Report’ (2021) <https://www.imf.org/en/Publications/GFSR/Issues/2021/10/12/global-financial-stability-report-october-2021> accessed 11 February 2022.

[7] ‘VIRTUAL ASSETS AND VIRTUAL ASSET SERVICE PROVIDERS’ (2021) <https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf> accessed 11 February 2022.

[8] https://economictimes.indiatimes.com/news/india/ed-investigating-7-cases-of-cryptocurrency-usage-in-money-laundering-attaches-rs-135-crore/articleshow/90200012.cms

 

Image Credits: Photo by Bermix Studio on Unsplash

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Further, initiatives should be undertaken to ensure transparency of such transactions, establish secure authentication transactions of the exchanges and tighten the legislative noose on cyber security systems in the country.

POST A COMMENT

IS17428 -A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of India Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed as an assurance extended to the customers/users by the organizations of well-implemented privacy practice. The BIS being a statutorily created standard-setting body of our country will bring some welcome change in our data management.  

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data protection bill was expected to be tabled in parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year, however, it was sent to the Joint Parliament Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later ISO27701 was specifically introduced that focused on Privacy Information Management.  However, our Indian enactment has not specifically endorsed any such standards though Standards formulated by the industry association that is approved and notified by the Central Government are also deemed appropriate.  In this background, BIS introducing a standard is a welcome initiative as it will help in bringing uniformity in terms of the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them and when such collection is through an indirect method employed by the organisation, then it is the duty of the former to convey by the same in an unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers
Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, provision access to the information and the means to update the information.

 

How IS 17428 would help in Privacy and Data Protection? 

 

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

 

The proposed data protection legislation and the IS 17428

 

The IS 17428 standard has been inspired primarily from the principles dictated from OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation on the other hand has many divergences from the above instruments in many respects. For Instance, the IS standard has an elaborate description provided for the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill but nevertheless, the standard has recommended a few other factors such as geographical operation, industrial domain and type of individuals as specific factors to be taken into consideration while drafting the privacy objectives. How much discretionary privacy standards can be created, what is allowed freedom for industries in this regard is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, has it failed to take into account the special requirements contemplated under the PDPB, 2019 which may eventually become the law of the country thereby, once this law is enacted, this standard will also be required to be modified. The government has not made any announcement as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data protection bill around the corner, the Data Protection Authority envisaged being constituted under the legislation which shall have the power to issue code, guidelines, and best practices for protecting the privacy of data subjects. How IS 17428 standards framed by the BIS will be looked at by the DPA or the proposed rule will offer a different set of practices shall be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

POST A COMMENT

India's Own Crypto Asset Regulations Soon: Plugging an Important Gap

Till last year, most people (at least in India) had probably only heard of cryptocurrencies such as Bitcoin and Ethereum; now, many other names such as Dogecoin, Solana, Polkadot, XRP, Tether, Binance etc. are being spoken of commonly in media. The global cryptocurrency market cap is estimated at over US$2.5 Trillion.

India too is witnessing a surge in investment in cryptotokens – especially by millennials. There is a correspondingly increase in the number of advertisements for cryptocurrencies on national television as well as on various web sites; mainstream media reports extensively on the daily price movement of cryptocurrencies. One estimate puts the number of crypto investors in India at between 15-20 million, and the total holdings to be in excess of US$5.3Billion. 

This surge in unregulated cryptoassets is a matter of rising concern globally. Recently, PM Modi urged democracies around the world to work together to ensure that cryptocurrencies do not “end up in the wrong hands, as this can “spoil our youth”. His exhortation came just days after RBI Governor Shaktikanta Das spoke of “serious concerns” around cryptocurrencies.

The RBI’s 2018 blanket ban on cryptocurrencies was lifted by the Supreme Court in 2020. However, the time has now come for the government and regulators to act quickly, and there are indications that regulations are just around the corner. At the time of writing, the government has already announced its intention to table The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 in parliament in the winter session.

It is expected that through this legislation, the Indian government will seek to ban private cryptoassets. This means that those trade in such cryptoassets may be liable for penalties and/or other punishment. It is also expected that there will be tighter regulations around advertising such products and platforms where cryptoassets can be bought and sold. Another regulatory salvo could be around taxing cryptogains at a higher rate (although such notifications may have to wait for the next budget due to be announced in another three months). The bill is also expected to deny the status of “currency” to cryptoassets because the prevailing ones are issued by private enterprises, and not backed by any sovereign.

The government has also acknowledged the potential of sovereign digital currencies (or CBDC- Central Bank Digital Currency, as they are officially called) in the days ahead. Countries such as China and the USA, are at various stages of launching their own digital currencies, and experts predict that such CBDC will be the “future of money”. In this context, the proposed bill is expected to create a “facilitative framework” to pave the way for the RBI to launch India’s sovereign digital currency in the days ahead by. In fact, the RBI is already working on India’s CBDC, and some media reports suggest that such a launch may happen in the next couple of months (which may also explain the timing of tabling the The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021, at this time). CBDCs too require crypto and blockchain technologies that are similar to those that underpin cryptoassets, so the bill is also expected to promote these technologies for specific purposes. Indeed, not doing so would be akin to throwing out the baby with the bathwater.

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation because by their very nature, cryptoassets can easily be misused for various activities that can destabilize the nation. They will allow for free inward/outward remittances that will make it harder to trace; being encrypted, the origins of such wealth too will become easier to hide. All this will make cryptoassets even more convenient ideal for nefarious activities such as money laundering, terror-funding, drugs-financing etc. In the absence of appropriate regulations, the rising supply of cryptocurrencies can hobble the RBI’s ability to perform its basic role. Its ability to manage the Rupee’s value against global currencies too will weaken, as will its ability to use domestic interest rates as a means to balance the economy’s twin needs of inflation management and providing growth impetus. This is a scary scenario, but not one that could unfold in the short-term. Even so, India needs to be prepared.

PS: The Indian government’s announcement to regulate cryptoassets has already triggered a significant (8-10%) correction in the prices of various cryptoassets. It’s therefore a good idea for resident Indians holding cryptoassets to sell them. They can decide on their future course of action once there is clarity on the specific regulatory impact of the proposed bill.

 

Image Credits: 

Photo by Worldspectrum from Pexels

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation because by their very nature, cryptoassets can easily be misused for various activities that can destabilize the nation.

POST A COMMENT

Intermediary Guidelines and Digital Media Ethics Code: Shifting Paradigm of Social & Digital Media Platforms

It has been just over six months since the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Rules“) have been notified. However, these six months have been nothing short of a roller coaster ride for the (Internet) Intermediaries and Digital Media platforms, especially Social Media platforms who have tried to muddle through the slew of compliance obligations now imposed through these eccentric Rules. Notwithstanding, some of them had to face the wrath of the Government and even Courts for the delay in adherence.

On this topic, we are trying to stitch together a series of articles covering the entire gamut of the Rules, including their objective, applicability, impact, and the key issues around some of the rules being declared unconstitutional, etc.

In our first article, we analyse the timeline, objectives, and applicability of these Rules through some of the definitions provided under the Rules and the IT Act.

Tracing the Roots of the Digital Media Ethics Code 

The initiation of this endeavour can be tracked down to July 26, 2018, when a Calling Attention Motion was introduced in the Rajya Sabha on the misuse of social media and spread of fake news, whereby the Minister of Electronics and Information Technology conveyed the Government’s intent to strengthen the existing legal framework and make social media platforms accountable under the law. Thereafter, the first draft of the proposed amendments to the Intermediary Guidelines, The Information Technology (Intermediary Guidelines (Amendment) Rules) 2018, was published for public comments on December 24, 2018.

In the same year, the Supreme Court in Prajwala v. Union of India[1] directed the Union Government to form necessary guidelines or Statement of Procedures (SOPs) to curb child pornography online. An ad-hoc committee of the Rajya Sabha studied the issue of pornography on social media and its effects on children and the society and laid its report recommending the facilitation of identification of the first originator of such contents in February 2020.

In another matter, the Supreme Court of India on October 15 2020, issued a notice to the Union Government seeking its response on a PIL to regulate OTT Platforms. The Union Government subsequently on November 9 2020, made a notification bringing digital and online media under the ambit of the Ministry of Information and Broadcasting, thereby giving the Ministry the power to regulate OTT Platforms.

On February 25, 2021, the Union Government notified the much-anticipated Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, bringing various digital entities under its purview and imposing new compliances to regulate them.

 

Objectives of the Digital Media Ethics Code

The rising internet and social media penetration in India raises concerns of transparency, disinformation and misuse of such technologies. The Rules address these concerns and bring accountability to social and digital media platforms by mandating the setting up of a grievance redressal mechanism that adheres to statutory timeframes. The Rules also address the legal lacuna surrounding the regulation of OTT platforms and the content available on them and introduces a three-tier content regulation mechanism.

Key definitions and the applicability of the Digital Media Ethics Code

The Rules add on extensively to the 2011 Intermediary Guidelines and also introduce new terms and definitions. To understand the Rules and the compliances thereunder in a holistic manner, it becomes imperative to learn the key terms and definitions. This also addresses concerns of applicability of the Rules to different entities, as they prescribe different sets of compliances to different categories of entities.

Key definitions:

Digital Media as per Rule 2(1)(i) are digitised content that can be transmitted over the internet or computer networks, including content received, stored, transmitted, edited or processed by

  • an intermediary; or
  • a publisher of news and current affairs content or a publisher of online curated content.

This broadly includes every content available online and every content that can be transmitted over the internet.

Grievance as per Rule 2(1)(j) includes any complaint, whether regarding any content, any duties of an intermediary or publisher under the Act, or other matters pertaining to the computer resource of an intermediary or publisher as the case may be.

Intermediary has not been defined in the Rules, but as per S. 2(1)(w) of the IT Act, intermediary, with respect to any particular electronic record, is any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

The first part of the definition lays down that an Intermediary with respect to an electronic record, is any person that receives, stores or transmits that electronic record on behalf of another person.

An entity becomes an intermediary for a particular electronic record if that record is received by, stored in or transmitted through the entity on behalf of a third party. However, as the clause does not use the term “collect” with respect to an electronic record, any data that entities may collect, including IP Addresses, device information, etc., do not fall within the definition’s purview. Hence the entities would not be considered as intermediaries for such data.

Moreover, the second part of the definition lays down that those entities that provide any service with respect to an electronic record would be intermediaries. However, what constitutes “service” has been a key point of discussion in prior cases. In Christian Louboutin Sas v. Nakul Bajaj[2], the Court not only held that the nature of the service offered by an entity would determine whether it falls under the ambit of the definition, but also went on to hold that when the involvement of an entity is more than that of merely an intermediary, i.e., it actively takes part in the use of such record, it might lose safe harbour protection under S. 79 of the Act.

The definition also includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places, and cyber cafes as intermediaries. In Satish N v. State of Karnataka[3], it was held that taxi aggregators like Uber are also intermediaries with respect to the data they store. Therefore, Telecom Service Providers like Airtel, Vi, Jio, etc., Network Service Providers like Reliance Jio, BSNL, MTNL, etc., Internet Service Providers like ACT Fibernet, Hathaway, etc., Search Engines like Google, Bing, etc., Online Payment gateways like Razorpay, Billdesk etc., Online Auction Sites like eBay, eAuction India, etc., Online Market Places like Flipkart, Amazon etc. are all considered intermediaries.

Social Media Intermediaries as per Rule 2(1)(w) is an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. This includes platforms like Tumblr, Flickr, Diaspora, Ello, etc.

Significant Social Media Intermediaries as per Rule 2(1)(v) is a social media intermediary having number of registered users in India above such threshold as notified by the Central Government. Currently, the threshold is 5 million users. Platforms that fall under this category would be Facebook, Twitter, Instagram, YouTube, Snapchat, LinkedIn, WhatsApp, Telegram etc.

News & current affairs content as per Rule 2(1)(m) includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content. Therefore, news pieces reported by newspapers or news agencies, shared online, on social media, or on digital media platforms are news & current affairs content. This includes contents of such nature created by any person and shared through social media platforms like WhatsApp, Facebook, Twitter etc. Digital content discussing news and the latest happenings will also come under the purview of this definition.

Newspaper as per Rule 2(1)(n) as a periodical of loosely folded sheets usually printed on newsprint and brought out daily or at least once in a week, containing information on current events, public news or comments on public news. Newspapers like The Hindu, Times of India etc. will fall under this category.

News aggregator as per Rule 2(1)(o) is an entity performing a significant role in determining the news and current affairs content being made available, makes available to users a computer resource that enable such users to access such news and current affairs content which is aggregated, curated and presented by such entity. This includes platforms like Inshorts, Dailyhunt etc.

Online curated content as per Rule 2(1)(1) is any curated catalogue of audio-visual content, other than news and current affairs content, which is owned by, licensed to or contracted to be transmitted by a publisher of online curated content, and made available on demand, including but not limited through subscription, over the internet or computer networks, and includes films, audio visual programmes, documentaries, television programmes, serials, podcasts and other such content. This includes movies and shows available on OTT platforms like Netflix, Prime Video, Disney+Hotstar etc.

Publisher of News and Current Affairs Content as per Rule 2(1)(t) includes online paper, news portal, news aggregator, news agency and such other entities, which publishes news and current affairs. This would include websites/apps such as The Wire, The News Minute, Scroll.in, Dkoding.in, The Print, The Citizen, LiveLaw, Inshorts etc.

While the Rules do not include the regular newspapers or replica e-papers of these newspapers, as they come under the Press Council Act, news websites such as Hindustantimes.com, IndianExpress.com, thehindu.com are covered under the Rules, and the Union Government clarified the same on June 10, 2021. The clarification stated that websites of organisations having traditional newspapers and digital news portals/websites of traditional TV Organisations come under the ambit of the Rules.

This does not include news and current affairs reported or posted by laymen or ordinary citizens online, as the scope is limited only to news publishing agencies.

Publisher of Online Curated Content as per Rule 2(1)(u) is a publisher who performs a significant role in determining the online curated content being made available and enables users’ access to such content via internet or computer networks. Such transmission of online currented content shall be in the course of systematic business or commercial activity. This includes all OTT platforms, including Netflix, Prime Video, Voot, Lionsgate, Disney+Hotstar, etc.

The Digital Media Ethics Code Challenged in Court

Part III of the IT Rules has been challenged by many persons in various High Courts. News platforms including The Wire, The Quint, and AltNews moved to the Delhi High Court, alleging that online news platforms do not fall under the purview of Section 87 of the IT Act, under which these Rules are made as the section is only applicable to intermediaries. Section 69A is also limited to intermediaries and government agencies. It is alleged that since such publishers are not intermediaries, they do not fall under the purview of the IT Rules.

A similar petition was moved by LiveLaw, a legal news reporting website before the Kerala High Court, alleging that the Rules violated Articles 13, 14, 19(1)(a), 19(1)(g), and 21 of the Constitution and the IT Act.[4] The petitioners contended that the Rules had brought Digital News Media under the purview of the Press Council of India Act and the Cable Television Networks (Regulation) Act, 1995, without amending either of the two legislations. They also alleged that the rules were undoing the procedural safeguards formed by the Supreme Court in the Shreya Singhal[5] case. In this regard, the Kerala High Court has ordered that no coercive action is to be taken against the petitioner as interim relief.

Recently, the Bombay High Court in Agij Promotion of Nineteenonea v. Union of India[6] delivered an interim order staying Rules 9(1) and 9(3), which provides for publishers’ compliance with the Code of Ethics, and the three tier self-regulation system respectively. The Court found Rule 9(1) prima facie an intrusion of Art. 19(1)(a).

Legality & Enforceability of the Digital Media Ethics Code

Even though six months have passed since the Rules came into force, the legality and enforceability of the Rules are still in question. While most intermediaries, including social media and significant social media intermediaries, have at least partly complied with the Rules, the same cannot be said for publishers of news and current affairs content and online curated content. This will have to wait until the challenges to its legality and constitutionality are settled by Courts.

References:

[1] 2018 SCC OnLine SC 3419.

[2] 2018 (76) PTC 508 (Del).

[3] ILR 2017 KARNATAKA 735.

[4] https://www.livelaw.in/top-stories/kerala-high-court-new-it-rules-orders-no-coercive-action-issues-notice-on-livelaws-plea-170983

[5] (2013) 12 SCC 73.

[6] Agij Promotion of Nineteenonea v. Union of India, WRIT PETITION (L.) NO.14172 of 2021.

Image Credits: 

Photo by Jeremy Bezanger on Unsplash

 

Even though six months have passed since the Rules came into force, the legality and enforceability of the Rules are still in question. While most intermediaries, including social media and significant social media intermediaries, have at least partly complied with the Rules, the same cannot be said for publishers of news and current affairs content and online curated content. This will have to wait until the challenges to its legality and constitutionality are settled by Courts.

POST A COMMENT

Small Entity Status- Can Foreign Companies Claim It?

The government of India has been aggressively pushing for the development and promotion of entrepreneurship in the country. In the Intellectual Property Domain, various concessions have been made for small and upcoming entities. Organizations claiming a ”small entity” status or a “start-up” status while applying for registration are entitled to some additional benefits pertaining to fees and filing requirements.  Here, we briefly look upon the small entity status as per the Indian patent and design rules. 

Intellectual Property Related Government Initiatives to Encourage Small Entities & Startups

In 2020, the Scheme for Facilitating Start-ups Intellectual Property Protection, was launched as an experimental initiative to encourage start-ups to develop and protect their intellectual property, which was extended for a period of three years (April 1, 2020 – March 31, 2023).

Further, the Patent (Amendment) Rules, 2020[1] were notified on October 19, 2020 to simplify the procedure of submitting priority applications and their translations and filing of working statements under form 27. These changes were introduced in consequence to the Delhi High Court’s order in the case of Shamnd Bashir v UOI[2], that resulted in a stakeholder’s consultation.

On November 4, 2020 the Ministry of commerce and Industry[3], notified Patents (2nd Amendment) Rules, 2020[4], making additional filing and prosecution concessions for start-ups and small entities.  The status of start-ups was discussed critically, extending their life for up to ten years. These amendments are set to make protection of intellectual property affordable to every category and class of business. Finally, the government also notified Design Amendment Rules 2021,[5] which recognized start-ups as applicants. The current Locarno classification system[6] and simplified fee structure were introduced specifically to benefit small entities.

 

Categorization of ‘Entities’

 

1.1 Natural Person

Under the Indian Patent Act, natural person includes an individual human being. In this context, the patent application can be filed in the name of one or a group of individuals. Here, the inventorship and ownership lies solely with the inventor and he is entitled to:

  1. Sell
  2. Transfer
  3. License, or
  4. Commercialize their patent as per their want.

1.2 Small Entity

The Indian Patents Rule, 2003 under Rule 2(fa)[7] define ‘small entity’ as:

  • in case of an enterprise engaged in the manufacture or production of goods, an enterprise where the investment in plant and machinery does not exceed the limit specified for a medium enterprise under clause (a) of sub-section (1) of section 7 of the Micro, Small and Medium Enterprises Development Act, 2006 (27 of 2006); and
  • in case of an enterprise engaged in providing or rendering of services, an enterprise where the investment in equipment is not more than the limit specified for medium enterprises under clause (b) of sub-section (1) of Section 7 of the Micro, Small and Medium Enterprises Development Act, 2006 (27 of 2006).

In calculating the investment in plant and machinery, the cost of pollution control, research and development, industrial safety devices and such other things as may be specified by notification under the Micro, Small and Medium Enterprises Development Act, 2006 (27 of 2006), shall be excluded.

1.3 Start up:

A start-up is an entity recognized as a ‘startup’ by the competent authority under the Startup India initiative and fulfills all the criteria for the same.

A foreign entity shall fall under the category of start-up if it fulfills the criteria of turnover and specified period of incorporation/registration, and submission of a valid declaration to that effect as per the provisions of Start-up India initiative. (In calculating the turnover, reference rates of foreign currency of Reserve Bank of India shall prevail.)

As per the Notification of Department of Promotion of Industry and Internal Trade[8], an entity is considered a start-up  

  1. Up to a period of ten years from the date of incorporation/ registration, if it is incorporated as a private limited company (as defined in the Companies Act, 2013) or registered as a partnership firm (registered under section 59 of the Partnership Act, 1932) or a limited liability partnership (under the Limited Liability Partnership Act, 2008) in India.
  1. Turnover of the entity for any of the financial years since incorporation/ registration has not exceeded one hundred crore rupees.
  2. Entity is working towards innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.

Provided that an entity formed by splitting up or reconstruction of an existing business shall not be considered a ‘Startup’.

How to apply for Small Entity Status in India:

 

Any business can apply for the status of small entity under the MSME Development Act, 2006 at udyamregistration.gov.in. Subsequent to a successful registration the business shall be issued a Udyam registration certificate, that can be furnished as proof for availing various government subsidies and benefits. 

A foreign company can also register as an MSME on the same government portal. However, as a preceding step such a company shall register itself as per the provisions of the Companies Act, 2013[9].

Any Indian entity wishing to declare themselves as small entity for the purpose of Patent registration has to furnish the following documents:

  1. Form 28 of the Indian Patent Act:
  2. Proof of Registration Under MSME Act 2006 (Micro, small and medium enterprise development Act, 2006).
  3. Form 1 of the Indian Patent Act (if Fresh Patent Application is being filed).

Any Indian entity wishing to declare themselves as small entity for the purpose of Design registration:

  1. For an Indian entity to claim the status of small entity, it must be registered under the MSME Development Act, 2006.
  2. To file an application as a start-up, the entity should be recognized as startup by a competent authority under the Union government’s Start-up India Initiative.

 

Can a Foreign Company claim Small Entity Status in India?

On a plain interpretation of the requirements under the Patent rules and Design rules, it is clear that a foreign enterprise can claim the status of a small entity or a start-up, provided it is registered and incorporated in India and is engaged in the manufacture of goods and services as specified in the first schedule of the 2006 Act.[10]

Under the MSME Development Act, 2006 an enterprise is defined as:

enterprise” means an industrial undertaking or a business concern or any other establishment, by whatever name called, engaged in the manufacture or production of goods, in any manner, pertaining to any industry specified in the First Schedule to the Industries (Development and Regulation) Act, 1951 (55 of 1951) or engaged in providing or rendering of any service or services;[11]

With an objective to incentivize the incorporation of OPC (One Person Companies), the Ministry of Corporate Affairs amended the Companies (Incorporation) Rules. The move empowers OPCs to grow without any restrictions on paid up capital and turnover, thereby facilitating their conversion into any other type of company at any time. Additionally, reducing the residency limit for an Indian citizen to set up an OPC from 182 days to 120 days and also allowing Non-Resident Indians (NRIs) to incorporate OPCs in India has paved the way for foreign entities to enter Indian markets[12] [13].

 

Application Process for Small Entity Status in India? (Foreign Company):

Patent Rules

A foreign applicant seeking the status of ‘small entity’ for the purpose of filing patent in India, has to submit duly filled Form 28[14], along with the requisite documents of proof.

As per the requirements of Form 28, a foreign applicant has to attach evidentiary documents that verify their status as ‘small entity’ for the want of Rule 2 (fa) of the Patent Rules, 2003. For this purpose, the said documents can include a certified copy of financial statement from a Chartered Accountant, that proves that the investment in plant and machinery and the annual turnover of the entity on the date of filing the application does not exceed the limitations specifications under the MSME Development Act, 2006.

Design Rules

For the purpose of recognitions as a start-up the foreign entity should satisfy the following criteria:

  1. The entity must be a private limited company, limited liability partnership, or partnership firm.
  2. Its turnover at any point during the course of its business (from inception) should not exceed INR 100 crores (approximately USD 13.7 million as on date)
  3. The entity would be considered a start-up only for a period of 10 years from the date of incorporation.
  4. An entity formed by splitting up or reconstruction of an existing business shall not be considered a “Start-up”

For a foreign entity to claim the benefit of being a start-up, an affidavit (which under Indian practices would need to be notarized, although this has not been explicitly mentioned in the Amendment Rules) along with supporting documents must be submitted at the time of filing the application[15], to be submitted with Form 24[16] of the Designs Rules.

References:

[1] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1668081

[2] writ petition No. WPC- 5590

https://www.scconline.com/blog/post/2020/10/28/patents-amendment-rules-2020-patentee-would-get-flexibility-to-file-a-single-form-27-in-respect-of-a-single-or-multiple-related-patents/

[3] https://ipindia.gov.in/writereaddata/Portal/Images/pdf/Patents__2nd_Amendment__Rules__2020.pdf

[4] https://ipindia.gov.in/writereaddata/Portal/Images/pdf/Patents__2nd_Amendment__Rules__2020.pdf

[5] https://www.foxmandal.in/wp-content/uploads/2021/08/Indian-Designs-Amendment-Rules-2021.pdf

[6] https://www.wipo.int/classifications/locarno/locpub/en/fr/

[7] https://ipindia.gov.in/writereaddata/Portal/IPORule/1_70_1_The_Patents_Rules_2003_-_Updated_till_1st_Dec_2017-_with_all_Forms.pdf

[8] https://dpncindia.com/blog/wp-content/uploads/2019/02/DIPP-Notification-dated-19-Feb-2019.pdf

[9] https://www.indiacode.nic.in/show-data?actid=AC_CEN_22_29_00008_201318_1517807327856&sectionId=185&sectionno=2&orderno=2

[10] https://www.startupindia.gov.in/content/sih/en/bloglist/blogs/How-a-foreign-national-from-China-can-start-and-register-company-in-India.html

[11] https://www.indiacode.nic.in/show-data?actid=AC_CEN_46_77_00002_200627_1517807324919&sectionId=9884&sectionno=2&orderno=2

[12] http://164.100.117.97/WriteReadData/userfiles/Notification%201.pdf

[13] http://164.100.117.97/WriteReadData/userfiles/Notification%202.pdf

[14] https://ipindia.gov.in/writereaddata/Portal/IPOFormUpload/1_40_1/form-28.pdf

[15] https://www.foxmandal.in/wp-content/uploads/2021/08/Indian-Designs-Amendment-Rules-2021.pdf

[16] https://www.ipindia.gov.in/writereaddata/Portal/IPOFormUpload/1_109_1/Form_24.pdf

Image Credits: Photo by Startup Stock Photos from Pexels

 

On a plain interpretation of the requirements under the Patent rules and Design rules, it is clear that a foreign enterprise can claim the status of a small entity or a start-up, provided it incorporates itself under the relevant schemes and statutes and is able to furnish documents for proof to the same effect

POST A COMMENT

Education in India: Time to Connect the Dots and Look at the Big Picture

In the last few days, I read news reports that are seemingly unrelated on the surface. However, I think there exists a deeper connection for those willing to think outside the box. I thought I would use this article to articulate my thoughts on the connections and their possible implications for India. 

India’s New Education Policy expected to gain traction

The first item was about various initiatives announced by the Union government on the first anniversary of India’s National Education Policy (NEP). While internationalization, multiple entry/exit options, and digital education will be key pillars, one other important component is to enable students to pursue first-year Engineering courses in Indian languages.

In the context of the broad-brush changes envisioned to India’s education system, it is time to rethink the role of the UGC as a body that enables the nation’s higher education system in ways beyond disbursing funds to be recognized universities. There also ought to be more harmony between the various Boards that govern school education. The roles of bodies responsible for governing professional education in India- e.g., AICTE, NMC (which replaced the MCI), ICAI, ICSI, ICWAI, Bar Council of India etc. should also be redefined to ensure that India’s professionals remain in tune with the needs of a fast-changing world.

English will play an important role in our continued growth

The second report that caught my attention was on two main points made by Mr. Narayana Murthy (the Founder of Infosys), in a recent media interaction. He stated that it is high time that English be formally acknowledged and designated as India’s official link language, and greater emphasis is given to its teaching and learning in Indian schools. He said that his opinion is based on his first-hand knowledge of many technically qualified students in Bangalore/Karnataka who lose out in the job market largely because they lack a certain expected level of proficiency in English.

In the same interview, Mr. Murthy went on to say that on a priority basis, India needs overseas universities and vocational educational institutions to set up facilities in India to train students and teachers in key areas like nursing. This too makes sense because our healthcare infrastructure needs massive upgrades- and human resources will be critical.

China’s tightening regulations threaten its US$100 Billion EdTechc industry

The third report was on China’s recent decision to tightly regulate its online tutoring companies. The new rules bar online tutoring ventures from going public or raising foreign capital. There are also restrictions on the number of hours for which tutors can teach during weekends and vacations. In fact, the rules go so far as to make online tutorial businesses “not for profit”.

Different views have been expressed on why Chinese authorities have taken this step. Some see it as a means to reduce the cost of children’s education- and thus encourage couples to have more children. They point to this as a logical enabler of the recent relaxations in China’s two-child policy. Others view it as a step designed to clip the wings of Chinese tech companies that are deeply entrenched in many consumer segments, and have, over the past decade, acquired significant financial muscle.

To put into perspective the size of Chinese EdTech companies, consider this data point: Byju’s, arguably India’s largest EdTech company, was valued at over US$16.5 Billion as of mid-June 2021. Despite this high valuation, Byju’s would have been smaller than the top 5 Chinese EdTech players (on the basis of valuations that existed before the recent draconian rules came into effect).

Implications for India

The majority of China’s EdTech ventures are financed through significant venture capital investments from the west. Analysts expect that China’s sudden actions will, at least in the short run, divert capital to other locations. India could be a potential beneficiary because it already fosters a large EdTech ecosystem.

Given our demographics, we have a significant domestic market for education across all levels- primary, secondary, and college. Since digital education will likely become the norm, this space is ripe for newfangled innovations in the days ahead. If online education can bridge the gaps that employers currently perceive in our fresh graduates, unemployability rates shall notably decline. . This will not only contribute directly to our GDP but also indirectly stimulate innovation and entrepreneurship.

India has a large technical skill base. Some of these resources can easily be harnessed to develop next-gen education solutions using cutting-edge technologies such as AI, ML, Language Processing, Augmented Reality, etc. To begin with, Indian start-ups can build, test, and scale EdTech platforms and solutions for our domestic market. Over time, these can be refined and repurposed for global markets. Similarly, features built for the global market can be adapted to Indian markets, thus creating a virtual cycle. Such a trend will not only proffer legs to implementing India’s NEP but will also enable us as a society to improve access to education to underprivileged sections of the society. This is critical to sustaining our growth on the path of socio-economic development.

By taking the right decisions now, we can attract capital, talent, and world-famous institutional brands to this critical sector. EdTech in India has the potential to become a powerful engine of growth for our services sector. Done right, I have no doubt that in a few years, India can become a “Vishwaguru” not just in the spiritual sense, but also literally.

PS: As with many other sectors in India, the legal framework that governs education too needs to be made more contemporary and relevant, but that’s for another time.

Image Credits: Photo by Nikhita S on Unsplash

By taking the right decisions now, we can attract capital, talent and world-famous institutional brands to this critical sector. EdTech in India has the potential to become a powerful engine of growth for our services sector. Done right, I have no doubt that in a few years, India can become a “Vishwaguru” not just in the spiritual sense, but also literally.

 

POST A COMMENT