Technology, Media and Telecommunications

In the last quarter, several key developments took place in the technology, fintech and telecommunications sector, such as the issuance of the cyber security directions, a revised open data framework for sharing public data and guidelines for outsourcing arrangements in the financial sector.

Nikhil Narendran, Partner

Krati Hashwani, Associate

Kuruvila M Jacob, Associate

The cybersecurity, telecom and fintech space witnessed several regulatory and policy developments in the past quarter. The government introduced a more robust cyber security regime, proposed draft amendments to the due diligence requirements imposed on intermediaries and further liberalised the telecom sector. The quarter also saw more stringent regulations from the Reserve Bank of India (RBI) on fintech players entering into outsourcing arrangements with regulated entities such as banks.

Key Developments

  • Cyber security regime

    On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued directions introducing a host of cyber-security, breach reporting, record maintenance and customer validation requirements (Directions). The Directions bring sweeping changes to the law on cyber security and data breaches in India and are an attempt to ensure that accurate and reliable information is available to investigate cyber incidents, when required. On 18 May 2022, CERT-In also released Frequently Asked Questions clarifying certain aspects of the Directions.

    The Directions are applicable to all service providers, including intermediaries, data centres, body corporates and government organisations in India (Covered Entities). Covered Entities must mandatorily report certain cyber incidents within six hours of noticing such incidents or of such incidents being brought to their notice. The Directions also require logs of information and computer technology (ICT) systems to be securely maintained for 180 days, which can be stored outside India if the Covered Entity is able to produce such logs to CERT-In in reasonable time. Further, the Directions require Covered Entities to be connected to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with other NTP servers traceable to those maintained by NIC or NPL, for synchronisation of all their ICT system clocks.

    In addition, specific entities such as data centres, virtual private server (VPS) providers, cloud service providers (CSPs) and virtual private network (VPN) providers must collect certain customer information and store such information for at least 5 years after the suspension/cancellation/closure of customers’ accounts, or a longer period as mandated by law. The Directions also mandate virtual asset service providers/exchanges and custodian wallet providers to maintain know your customer (KYC) information of their customers.

  • Draft amendments to the intermediary guidelines

    On 6 June 2022, the Ministry of Electronics and Information Technology (MeitY) issued draft amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IDMC Rules) for public consultation (Draft Amendments).

    The Draft Amendments propose changes to the IDMC Rules notified under sections 87(1)(z) and 87(2)(zg) of the Information Technology Act, 2000 (IT Act). Intermediaries are required to comply with the due diligence requirements laid down under the IDMC Rules to avail safe harbour provisions, i.e., protection from liability in relation to third-party content hosted by them.

    The proposed changes include requiring intermediaries to (i) ensure compliance with the user-facing rules and regulations, privacy policy and user agreement published by the intermediary; (ii) inform and cause its users to not host, display, upload, modify, publish, transmit, store, update or share any information that is explicitly prohibited under Rule 3(1)(b) of the IDMC Rules; and (iii) take all reasonable measures to ensure accessibility of its services to users along with reasonable expectations of due diligence, amongst other requirements.

    Further, a Grievance Appellate Committee is also proposed to be set up by the central government to deal with appeals by users against the decision of a grievance officer appointed by an intermediary.

    The proposed changes could have far-reaching implications for intermediaries in India, a term that covers any person who, on behalf of another person, receives, stores or transmits an electronic record, and includes entities such as telecom service providers, network service providers, internet service providers, online marketplaces, online payment systems, search engines, etc.

  • Open data framework

    The government has released the draft National Data Governance Framework Policy (Draft National Data Policy), replacing the earlier draft India Data Accessibility and Use Policy (DAU Policy). The Draft National Data Policy (similar to the DAU Policy) aims to enhance the access, quality and use of data, in line with emerging technology needs.

    Unlike the draft DAU Policy, however, the Draft National Data Policy does not contemplate monetising or licensing of datasets by the government or differentiate between datasets.

    Similar to the draft DAU Policy, the Draft National Data Policy will be applicable to all non-personal data collected by the central government and housed in the India datasets program (IDP). The policy envisages the creation of an India Data Management Office (IDMO) that will manage the IDP and manage access to the datasets stored in the IDP for Indian researchers and start-ups.

  • Telecom reforms

    • Developments on 5G

      Inching closer to fulfilling India's 5G ambitions, the government has approved the proposal for conducting the 5G spectrum auctions, which will enable the provision of 5G services to the public and enterprises. A total of 72097.85 MHz of spectrum with a validity period of 20 years will be put to auction in various low, medium, and high bands.

      Separately, India has also established its first 5G testbed to enable start-ups and industry players to test and validate their products locally and reduce dependence on foreign facilities. The 5G testbed has been developed as a multi-institute collaborative project led by the Indian Institute of Technology, Madras.

    • Government introduces guidelines for captive non-public network

      In furtherance of the National Digital Communications Policy, 2018, the Department of Telecommunication (DoT) has issued guidelines for captive non-public network (CNPN) and related amendments to the Unified License (UL) and the Unified Access Service License (UASL). CNPN is proposed to be deployed by non-telecom enterprises as an isolated network for private use and is expected to be a catalyst for ‘Industry 4.0’.

      CNPN will increase automation and efficiency and allow enterprises to introduce new services and products with superior performance. The CNPN guidelines permit enterprises to obtain spectrum through the means of a license, either by leasing it from a telecommunication service provider (TSP) or directly from the DoT. Enterprises opting for direct allotment of spectrum from DoT must meet the eligibility criteria of having a net worth of at least INR 100 crore.

      However, no separate CNPN license is required where the TSP with access authorisation under the UL or UASL provides CNPN as a service to enterprises by using network resources over public land mobile network or through methods such as slicing, or where such TSP establishes an isolated CNPN for enterprises using international mobile telecommunications spectrum.

    • DoT notifies the Use of Low Power Radio Frequency Devices Rules

      DoT has notified the Use of Low Power Radio Frequency Devices in the frequency band 433.05 to 434.79 MHz (Exemption from License) Rules, 2022, which exempt the need for a license for establishing, maintaining, working, possessing, or dealing in any wireless telegraphy apparatus for the usage of low power short range radio frequency devices on a non-interference, non-protection, shared and non-exclusive basis. Various devices such as wireless security or alarm systems, radio stations, cordless microphones, Bluetooth, global positioning system and radio frequency identification application devices operate in this band.

    • Government planning a caller identification framework

      As per media reports, the DoT has directed the Telecom Regulatory Authority of India (TRAI) to begin a consultation process for a framework to flash a caller’s name on the phone screen when a call is made, as per their KYC records. The framework aims to bring greater accuracy and transparency compared to the existing practices of certain applications, which use information based on crowdsourced data. The consultation process is expected to begin in a few months.

    • DoT attempts to facilitate satellite-based communication services

      In an attempt to liberalise and enable the ease of doing business, the DoT has removed Network Operation and Control Center charges for the use of space segment for all telecom licensees operating commercial/captive Very Small Aperture Terminal (VSAT) services, Global Mobile Personal Communication by Satellite (GMPCS), national long distance and other telecom licensees having UL/standalone license.

      The DoT has also amended the UL permitting GMPCS or VSAT authorisation holders to facilitate satellite-based connectivity for low bit rate applications, such as internet of things (IoT) and machine-to-machine (M2M) applications.

  • Potential overhaul of the Information Technology regime

    The Minister of State for Electronics and IT, Rajeev Chandrasekhar, recently indicated that the government will shortly come out with the Digital India Act (DIA), which will act as the new regulation governing the digital ecosystem and cyberspace in India. The DIA is expected to replace provisions of the IT Act; however, very little information about the DIA is available in the public domain.

    The DIA is expected to cover aspects relating to cyber security, intermediary liability, application store regulations, smart contracting and enforcement, online dispute resolution, social media, digital services, digital evidence and personal data protection, amongst others. The IT Act is over two decades old and the new DIA will hopefully be a step in the right direction to align our IT regime with evolving technological developments such as blockchain, artificial intelligence, IoT and Web 3.0. Given the wide scope of the DIA, it is possible that some data-related aspects will overlap with the proposed Data Protection Bill, 2021 (DP Bill).

  • Fintech developments

    • RBI publishes the draft IT Outsourcing Master Direction

      The RBI published the draft Master Direction on Outsourcing of IT Services (Draft MD) for public consultation. Under the Draft MD, 'outsourcing of IT services' has been defined as a regulated entity’s (RE) use of a service provider to perform activities such as application development, management of IT infrastructure associated with payment system, etc.

      The Draft MD prescribes certain norms for the outsourcing of IT services to ring-fence banks and other REs from financial, operational and reputational risks. It requires REs to conduct due diligence on the service provider to assess the capability of the service provider to comply with the outsourcing agreement and provide a comprehensive IT outsourcing policy approved by the board. Service providers are also required to develop and establish a robust framework for documenting, maintaining and testing business continuity and disaster recovery plans.

      The Draft MD states that the outsourcing agreement between the RE and service provider should require the storage of data (as applicable to the concerned REs) only in India, as per extant regulatory requirements. Currently, there are no extant laws (yet notified) that require localisation apart from the RBI’s mandate for localisation of payment data.

    • Restriction of loading prepaid payment instrument through credit lines

      The RBI issued a letter to all authorised non-bank prepaid payment instrument (PPI) issuers clarifying that the Master Directions on Prepaid Instruments 2021 do not allow for the loading of PPIs via credit lines. This move by the RBI is likely to impact several fintech players that allow customers to load their credit line in a digital wallet that is not owned by an RE.

The technology, media and telecommunications space continues to evolve and the upcoming quarter is expected to introduce major changes to the regime. The government is expected to streamline the IT Act and also separately introduce a simpler regime to regulate digital media. Satellite communication is expected to open up for private participation once the space-based communication policy is notified by the government. The government's consultation paper on cryptocurrency is also expected to be released soon. On privacy, the introduction of the much-awaited DP Bill in the monsoon session of the Parliament is likely to be pushed to the next session.