Jyotsna Jayaram, Partner
Akshaya Parthasarathy, Senior Associate
Amala G, Associate
Key Developments
Bombay High Court strikes down an amendment enabling the government to establish a fact check unit for digital media
In April 2023, the Ministry of Electronics and Information Technology had notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (Intermediary Amendment Rules). The amendments included a provision allowing the Indian government to notify a fact check unit (FCU) which could unilaterally declare online content related to “any business of the Central government” as “fake, false or misleading” and require such content to be taken down from the internet.
The constitutional validity of this amendment was challenged before the Bombay High Court, and a split verdict was issued by a division bench in January 2024. Subsequently, the matter was referred to a third judge to arrive at a final determination. Separately, the Supreme Court in March 2024 also stayed the notification of the FCU until the final disposal of the proceedings before the Bombay High Court.
In September 2024, the third judge of the Bombay High Court opined that the provision under the Intermediary Amendment Rules on establishing the FCU was unconstitutional by taking the following factors into consideration:
- the provision restricts information based on its content in a way that does not align with the limited restrictions permitted on the right to free speech under the Indian Constitution;
- treating digital and print media differently infringes upon the right to profession, trade and occupation under Article 19(1)(g) of the Indian Constitution;
- the terms “fake”, “false”, or “misleading” in the Intermediary Amendment Rules are vague and could result in a chilling effect on free speech;
- the test of proportionality recognised in Indian jurisprudence was not satisfied by the provision; and
- the provision creates substantive law beyond what is permitted under the parent legislation and was not brought into effect as per the requirements under that parent legislation.
Had the FCU been established, intermediaries and digital news platforms would likely have been required to implement additional compliances for platform participants, increasing their compliance burden and restricting the free flow of information. The Bombay High Court’s decision therefore provides significant relief to intermediaries, addressing concerns about increased compliances that have persisted since the Intermediary Amendment Rules were introduced. As settled by case law, a provision that is held to be unconstitutional by one High Court in India is treated as invalid by the other High Courts as well. The rule establishing the FCU is accordingly invalid across the country unless the Supreme Court overrules the decision on appeal.
Reserve Bank of India issues directions on cyber resilience and digital payment security for non-bank payment system operators
Recognising the increased cybersecurity and technology-related risks faced by authorised non-bank payment system operators (PSO), the Reserve Bank of India (RBI) issued the Master Directions on Cyber Resilience and Digital Payment Security Controls for non-bank PSOs (RBI PSO Directions) on 30 July 2024. The directions categorise non-bank PSOs as large, medium or small and prescribe a phased implementation so that each category has sufficient time to comply with the new requirements.
The key governance and information security requirements for non-bank PSOs include:
- implementing a board approved Cyber Crisis Management Plan to detect, contain, respond and recover from cyber threats and cyber attacks;
- nominating a senior executive with requisite expertise to implement the information security policy and cyber resilience framework;
- undertaking cyber risk assessments for new products and services or when implementing major changes to existing products and services;
- establishing policies, procedures and controls that address access privileges and administration of access rights with additional guardrails for privileged accounts;
- putting in place specified measures to protect its network and systems from external threats; and
- using certified and malware-free applications where the source code is not owned by the PSO.
The RBI PSO Directions also prescribe digital payment security measures and controls for non-bank PSOs, which will apply in addition to the existing instructions on security and risk mitigation measures for payments made using cards, prepaid payment instruments (PPI) and mobile banking. These measures include:
- requirements for mechanisms that provide online alerts based on parameters such as transaction velocity, transaction failure, time zone and location, and protocols for notifying customers;
- requirements for mechanisms to identify/mark fraudulent transactions on the mobile application or website;
- security practices and risk mitigation measures for non-bank PSOs providing, facilitating or processing mobile payment services transactions, and security measures for devices capturing card details and enabling card payments; and
- a recommendation that PPI issuers communicate one-time passwords (OTPs) and transaction alerts to users in vernacular languages, and a requirement that PPI issuers put in place cooling periods for transactions through PPIs after they are loaded.
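The alerting mechanisms in the first bullet above are described only at the level of parameters (transaction velocity, failures, time zone, location). As an added illustration that is not part of the RBI PSO Directions or of this update, the following Python sketch shows what a rule engine over those parameters looks like when run over a handful of constructed transactions. The window sizes, thresholds, customer profiles and sample transactions are all assumptions chosen for the example, not values prescribed by the RBI.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    ts: datetime      # timezone-aware timestamp of the transaction
    country: str      # country where the transaction originated
    status: str       # "ok" or "failed"


@dataclass(frozen=True)
class Alert:
    customer: str
    rule: str
    txn_id: str


class TxnAlertEngine:
    """Parameter-based alerting over a transaction stream.

    Thresholds and windows are illustrative assumptions, not RBI-prescribed values.
    home_tz maps a customer to the UTC offset (timedelta) of their registered location.
    """

    def __init__(self, home_tz, velocity_window=timedelta(minutes=10), max_txns=3,
                 failure_window=timedelta(minutes=10), max_failures=2,
                 travel_window=timedelta(hours=2)):
        self.home_tz = home_tz
        self.velocity_window = velocity_window
        self.max_txns = max_txns
        self.failure_window = failure_window
        self.max_failures = max_failures
        self.travel_window = travel_window
        self._recent = defaultdict(deque)    # customer -> timestamps inside velocity window
        self._failures = defaultdict(deque)  # customer -> failed-txn timestamps inside window
        self._last_loc = {}                  # customer -> (country, ts) of previous txn

    @staticmethod
    def _trim(dq, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and now - dq[0] > window:
            dq.popleft()

    def process(self, txn):
        """Evaluate one transaction (transactions must be fed in time order)."""
        alerts = []
        c = txn.customer

        # Velocity: more than max_txns transactions inside velocity_window.
        recent = self._recent[c]
        self._trim(recent, txn.ts, self.velocity_window)
        recent.append(txn.ts)
        if len(recent) > self.max_txns:
            alerts.append(Alert(c, "velocity", txn.txn_id))

        # Failure burst: more than max_failures failed transactions inside failure_window.
        if txn.status == "failed":
            fails = self._failures[c]
            self._trim(fails, txn.ts, self.failure_window)
            fails.append(txn.ts)
            if len(fails) > self.max_failures:
                alerts.append(Alert(c, "failure_burst", txn.txn_id))

        # Location: country changed relative to the previous transaction within travel_window.
        last = self._last_loc.get(c)
        if last and last[0] != txn.country and txn.ts - last[1] <= self.travel_window:
            alerts.append(Alert(c, "location_change", txn.txn_id))
        self._last_loc[c] = (txn.country, txn.ts)

        # Time zone: the transaction's UTC offset differs from the customer's registered one.
        home = self.home_tz.get(c)
        if home is not None and txn.ts.utcoffset() != home:
            alerts.append(Alert(c, "timezone_mismatch", txn.txn_id))
        return alerts


def run(txns, engine):
    """Feed transactions in timestamp order and collect all alerts."""
    out = []
    for t in sorted(txns, key=lambda x: x.ts):
        out.extend(engine.process(t))
    return out


IST = timezone(timedelta(hours=5, minutes=30))
SGT = timezone(timedelta(hours=8))


def sample_txns():
    # Constructed sample data for the example; not real transactions.
    base = datetime(2024, 9, 1, 10, 0, tzinfo=IST)
    m = lambda k: base + timedelta(minutes=k)
    return [
        # c1: four transactions in six minutes, then one after the window has expired
        Txn("t1", "c1", m(0), "IN", "ok"), Txn("t2", "c1", m(2), "IN", "ok"),
        Txn("t3", "c1", m(4), "IN", "ok"), Txn("t4", "c1", m(6), "IN", "ok"),
        Txn("t10", "c1", m(20), "IN", "ok"),
        # c2: three failures in two minutes
        Txn("t5", "c2", m(0), "IN", "failed"), Txn("t6", "c2", m(1), "IN", "failed"),
        Txn("t7", "c2", m(2), "IN", "failed"),
        # c3: India, then Singapore (different country and offset) thirty minutes later
        Txn("t8", "c3", m(0), "IN", "ok"),
        Txn("t9", "c3", datetime(2024, 9, 1, 13, 0, tzinfo=SGT), "SG", "ok"),
    ]


def demo():
    home = {"c1": IST.utcoffset(None), "c2": IST.utcoffset(None), "c3": IST.utcoffset(None)}
    return run(sample_txns(), TxnAlertEngine(home))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

In the constructed data, only the fourth transaction of c1 trips the velocity rule (the later one arrives after the window has slid past the earlier ones), the third failure of c2 trips the failure-burst rule, and c3's Singapore transaction trips both the location and time-zone rules. A production implementation would additionally feed these alerts into the customer-notification protocols and fraud-marking mechanisms that the directions require.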
Notably, in addition to complying with the RBI PSO Directions, non-bank PSOs must ensure that unregulated entities engaged by them also adhere to these directions. An organisational policy approved by the board of directors should be put in place in this regard.
The RBI PSO Directions are crucial for non-bank PSOs, who now must adhere to comprehensive organisational and security measures prescribed by the RBI. Although the compliance window is relatively lengthy (with certain categories of non-bank PSOs having over three years to ensure compliance with the directions), it will likely necessitate significant internal restructuring for these entities.
Securities and Exchange Board of India issues new cyber security and cyber resilience framework
With an aim to strengthen cybersecurity measures in the Indian securities market and to ensure adequate resilience against cybersecurity incidents, the Securities and Exchange Board of India (SEBI) issued a comprehensive and unified Cyber Security and Cyber Resilience Framework (SEBI Cyber Framework) on 20 August 2024 superseding several pre-existing cybersecurity circulars.
The SEBI Cyber Framework classifies SEBI-regulated entities (RE) into different categories based on certain criteria and prescribes various corresponding obligations as well as exemptions. Broadly, it provides a list of:
- objectives and standards grouped under five cyber resilience goals (anticipate, withstand, contain, recover, and evolve), each of which is linked with certain cybersecurity functions (governance, identification, protection, detection, response, and recovery) and reporting timelines;
- guidelines that recommend, and in some cases mandate, the implementation of various identified standards; and
- standard formats for compliance reports.
Some key obligations for REs under the SEBI Cyber Framework are:
- to localise regulatory data (e.g., data on core and critical activities and ancillary data impacting such activities, and data deemed necessary or sensitive by the regulatory authority) and information technology (IT) and cybersecurity data (e.g., logs and metadata that do not contain any regulatory data);
- to establish appropriate security monitoring mechanisms through a Security Operations Centre (SOC);
- to constitute an IT committee including at least one external independent expert on cybersecurity. This requirement is mandatory for certain categories of REs and recommended for certain others;
- to fulfil several IT-related compliances, such as the appointment of a Chief Information Security Officer, formulating a cybersecurity and cyber resilience policy that is periodically reviewed, and regularly monitoring compliance of third-party service providers involved in ‘critical’ activities;
- to comply with specific reporting timelines for policies, reports, audits, training and assessments; and
- to comply with various technical specifications and audit requirements.
Graded compliance timelines have been prescribed for different categories of REs. Non-compliance with the SEBI Cyber Framework may attract penalties under the SEBI Act of not less than INR 1 lakh (approx. USD 1,200), which may extend to INR 1 crore (approx. USD 120,000).
The SEBI Cyber Framework expands the scope of the existing regime by requiring additional categories of REs, such as alternative investment funds (AIFs), to comply with it. This expanded scope has raised several questions for the newly covered entities (including the precise operational and governance requirements and the scope of the data localisation requirement), some of which rely on global, centralised IT infrastructure to support their Indian operations. Industry players are currently assessing the implications of the framework and how compliance can be achieved, and are in discussions with industry bodies and SEBI to clarify some of the operational issues.
This quarter also saw some significant court rulings. The Supreme Court held that a bail condition requiring an accused person to allow law enforcement agencies to track their movements, whether through technology or otherwise, would violate their right to privacy. Additionally, the Delhi High Court held that a writ petition under Article 226 of the Indian Constitution does not lie against a privately owned social media platform such as X: unlike the non-state actors traditionally amenable to writ jurisdiction, such a platform does not perform public functions (such as education) under a specific governmental delegation or statutory obligation.
Separately, the RBI recognised the Fintech Association for Consumer Empowerment as a self-regulatory organisation in the fintech sector, following its introduction of an omnibus framework for such organisations (see our previous update on this framework).
Recent months have seen an increased focus on cybersecurity and data protection by various sectoral regulators. This trend is likely to continue with the much-awaited rules under the Digital Personal Data Protection Act, 2023 anticipated to be notified soon. News reports also suggest that more stringent regulations around surrogate advertisements may be expected.
