Karishma Sundara Senior Associate
Kuruvila M JacobAssociate
In the last quarter, the central government proposed a new bill to overhaul the existing telecommunication framework, extending its applicability to a wide range of technology players previously outside its ambit. Moreover, the much-awaited personal data protection bill was withdrawn by the government in a bid to institute a simpler framework. The technology sector also saw developments related to consumer protection with regulators like the Reserve Bank of India (RBI) proactively regulating the digital lending space, and the Department of Consumer Affairs (DCA) stating its intention to introduce a common charging solution for small electronic devices and a right to repair framework, aimed at boosting sustainability.
Draft Indian Telecommunication Bill, 2022 released for public consultation
On 21 September 2022, the Department of Telecommunication (DoT) released the draft Indian Telecommunication Bill, 2022 (Draft Telecom Bill), following the consultations held earlier in the month. The draft is open for comments until 20 October 2022.
The Draft Telecom Bill is expected to replace the existing regime including the Indian Telegraph Act, 1885, the Wireless Telegraphy Act, 1933 and the Telegraph Wires (Unlawful Possession) Act, 1950. It is intended to bring the current regime in line with contemporary technological advancement and issues. For instance, the Draft Telecom Bill broadens the scope of telecommunication services, bringing over-the-top (OTT) communication services, internet-based communication services, email services, amongst others, within its ambit. By implication, the government's exclusive privilege to provision telecommunication services, telecommunication network, telecommunication infrastructure and spectrum now impacts a wider range of service providers, subjecting them to licensing requirements and making them susceptible to lawful interception requests.
If the Draft Telecom Bill is enacted as is, all entities engaged in
- providing telecommunication services;
- establishing, operating, maintaining, and expanding telecommunication network;
- providing telecommunication infrastructure;
- operating wireless equipment; and
- using the spectrum or operating an earth station,
will require a license under Clause 3(2) of the Draft Telecom Bill.
Additionally, as a licensee under the Draft Telecom Bill, an entity will need to undertake know-your-customer obligations, provide tools to ensure users receiving any message are provided with the identity of the sender of the message and comply with hardware and software standards that the government may prescribe. The Draft Telecom Bill, if implemented in the current form, could have far-reaching implications for all technology providers, given its expansive scope.
(To read our detailed update on the Draft Telecom Bill, click here.)
DoT advisory on the use of signal jammers and repeaters by private bodies and individuals
On 1 July 2022, the DoT issued an advisory stating that the use of jammers, global positioning system blockers or other signal jamming devices is illegal, unless specifically permitted by the Government of India. Currently, only Ministries/Departments of the Government of India, state governments/Union Territory Administration (Defence Forces, Central Security Organisations, Police Departments and Jail Authorities) and statutory examination conducting bodies are permitted to use jammers. Further, signal repeaters/boosters may be used by licensed telecom service providers but not by private sector organisations and individuals. Interestingly, the Draft Telecom Bill also has a similar provision that prohibits entities from using any equipment that blocks telecommunication.
DoT removes restriction on connectivity near international borders
The DoT has also amended the terms of the unified license (UL), Unified License (Virtual Network Operator) and Unified Access Service license to remove restrictions on telecom connectivity near international border areas. With this, the DoT, army, and security agencies will no longer be permitted to carry out periodic surprise checks to ensure compliance with security conditions applicable to such border areas.
Data protection and privacy law developments
National Health Authority's Data Sharing Guidelines
On 15 July 2022, the National Health Authority (NHA) issued guidelines (NHA Guidelines) related to the processing of digital health data under the Pradhan Mantri Jan Arogya Yojana (PM-JAY scheme). The NHA Guidelines apply to employees of the NHA, State health agencies, hospitals, health insurance providers, health service consultants and individuals, entities or ecosystem partners who collect or process, use, disclose, retain or store personal data of beneficiaries or individuals to implement the PM-JAY scheme.
The NHA Guidelines iterate the baseline requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:
- notice requirements regarding types of information collected, processed and the associated purposes;
- choice and consent to provide information;
- collection limitation;
- purpose limitation; and
- safeguards, in relation to handling personal or sensitive personal data of beneficiaries.
Additionally, the NHA Guidelines prescribe:
- the provision of a privacy notice;
- an opt-in/opt-out consent mechanism enabling beneficiaries to only provide information that is mandatory;
- a confidentiality framework to ensure accountability and confidentiality of information collected from beneficiaries for the purpose of the PM-JAY scheme;
- processes to be followed in the case of a data breach; and
- ensuring the confidentiality of Aadhaar information.
The NHA Guidelines also establish a grievance redressal mechanism for entities processing data and security standards to be observed by such entities (e.g. entering into non-disclosure agreements with third-party entities processing data, the process for erasure/deletion of data that is no longer necessary).
Withdrawal of the Personal Data Protection Bill, 2019 and the Draft Data Protection Bill 2021
Contrary to expectations, on 3 August 2022, the government withdrew the Personal Data Protection Bill, 2019 (PDP Bill 2019) and as a result did not table the Data Protection Bill, 2021 (DP Bill) in the monsoon session. The government stated that the revisions and recommendations proposed by the Joint Parliamentary Committee tasked with examining the PDP Bill 2019 and drawing up the DP Bill had complicated the design of the law which needed to be simplified. In September, the Ministry for Electronics and Information Technology (MeitY) indicated that the government intends to introduce the new bill in the Parliament by the next budget session (likely to run from February – March 2023).
Proposed establishment of the Indian Data Management Office
Additionally, MeitY has also proposed the creation of the Indian Data Management Office (IDMO), envisaged under the draft National Data Governance Framework Policy released in May 2022, for managing the flow and setting standards for processing of Non-Personal Data (NPD) present with government ministries and departments. Reportedly, the IDMO will be established following a series of roundtable discussions and public consultations involving the industry, consumer groups and government agencies. The official consultation process is yet to commence.
Ban on export of sensitive maps and geospatial data
On 23 September 2022, the Ministry of Finance issued a notification (Notification) prohibiting the export of maps and geospatial data (i) of spatial accuracy and specific threshold values; and (ii) with sensitive attributes, as specified. The restrictions under the Notification concern sensitive locations of importance, such as nuclear installations, space centres, bulk oil and gas depots, military installations, international border fences, air force airfields and runways. The Notification prohibits the labelling of 51 facilities, including those related to features/installation of nuclear missiles, missile launch pads and complexes, with information regarding corresponding site names, descriptions of such facilities or the specification of any other attributes.
Separately, the central government, in a bid to reduce dependency on foreign systems is also pushing for smartphones offered in India to be compatible with the Indian regional navigation satellite system – Navigation with Indian Constellation (NavIC).
Challenge against blocking orders issued under the Information Technology Act, 2000
In July 2022, Twitter, Inc. (Twitter) filed a writ petition before the Karnataka High Court contending that certain blocking orders (Blocking Orders) issued under Section 69A of the Information Technology Act, 2000 (IT Act) by the MeitY were unconstitutional. Under these Blocking Orders, the government had directed Twitter to block access to certain information by public, which included suspending multiple accounts on its platform. Twitter challenged the Blocking Orders on grounds of being broad and arbitrary as well as constituting a disproportionate measure and violating users' rights under the Constitution.
Twitter has sought (i) quashing of the Blocking Orders for being ‘substantively and procedurally’ non-compliant with the government’s powers under Section 69A of the IT Act and with the procedures and safeguards prescribed by the Information Technology (Procedures and Safeguards for Blocking of Access to Information by Public) Rules, 2009; or (ii) directions to the government to modify the Blocking Orders to identify only the specific tweets that were in fact violative of Section 69A citing cogent reasons. The matter is currently sub-judice.
Consumer protection developments related to technological devices
Adoption of common charging solutions
The DCA has formed an expert committee to consider adopting a common charger for mobile and portable electronic devices, including the feasibility of harmonising a single charging port and its effect on the industry. The government aims to permit only two types of charging ports: (i) one for small and medium electronic devices (such as smartphones, laptops, tablets); and (ii) one for feature phones (i.e., non-smart phones). The move aims to boost sustainability and reduce the burden on consumers who are obliged to purchase different chargers for every new device. The committee is expected to submit its recommendations by the end of October 2022.
The right to repair framework
The DCA set up a committee to develop a right to repair framework in respect of essential products such as mobile phones, tablets, other consumer durables, automobiles and farming equipment. The framework aims to boost consumer protection and sustainability, by harmonising trade between the original equipment manufacturers and third-party buyers and sellers. Under the proposed framework, technology companies may need to provide customers/third party service providers: (i) complete knowledge and access to manuals, (ii) schematics, (iii) software updates, and (iv) parts and tools to service devices, to ensure that they can repair the products. The committee was expected to submit its inputs on the scope of the proposed legislative framework in September. However, it is yet to do so.
RBI guidelines on digital lending
On 2 September 2022, the RBI published the Guidelines on Digital Lending (Digital Lending Guidelines) applicable to banks (commercial, co-operative) and non-banking finance companies (NBFCs) that disburse loans through digital lending platforms. The Digital Lending Guidelines aim to ensure that all RBI-regulated entities and loan providers are transparent and accountable.
All such entities must disclose all-inclusive cost of digital loans to borrowers in the form of a key fact statement and refrain from automatically increasing credit limits without the borrower’s explicit consent. Additionally, all digital lending applications must establish a grievance redressal mechanism, appointing a nodal grievance redressal officer to address borrowers' complaints. On the data protection front, the Digital Lending Guidelines allow lenders to store only basic information, such as names and contact details required for processing the loan; storage of biometrics or access to mobile phone resources, such as contact lists, and files is not permitted. The Digital Lending Guidelines also enumerate other mechanisms and requirements intended to ensure that customers are informed and aware of their rights, and that arbitrariness and unfair practices are not prevalent in the digital lending sphere.
(To read our detailed update on the RBI Press Release on digital lending, click here.)
RBI to prepare a whitelist of legal loan applications
Following a meeting held on 8 September 2022, in a bid to tackle the increasing menace of and risks associated with illegal loan apps, the RBI is expected to prepare a ‘whitelist’ of all legal loan apps. MeitY will consequently be required to ensure that only the apps on the whitelist are hosted on app stores. This move aims to curb apps offering exorbitantly high interest rates coupled with hidden processing charges on loans extended to vulnerable and low-income groups.
Card-on-file restrictions effective from 1 October 2022
On 28 July 2022, the RBI reiterated that all entities except card issuers and card networks must purge stored card-on-file (CoF) data by 1 October 2022. While the RBI did not grant an extension to this deadline, merchants or payment aggregators involved in the settlement of a transaction have been permitted to save CoF data for a maximum period of T+4 days (‘T’ being the transaction date) or until the settlement date, whichever is earlier, on the condition that this data is only used for settlement and purged thereafter. Further, acquiring banks can continue to store CoF data until 31 January 2023 for handling post-transaction activities.
The next quarter is expected to be an eventful one, specifically on the data protection and privacy front as well as for laws concerning intermediary liability and the telecommunications sector, with certain draft legislation already open for consultation or expected to be released for consultation (such as the Digital India Act - a comprehensive framework intended to replace the IT Act). Separately, the fintech space may also see some developments, with the government expected to collaboratively engage with international stakeholders to assess the risks and benefits of cryptocurrencies, a common taxonomy and associated standards. It is likely that the government will then formulate a governing framework for cryptocurrencies.