Answer ... (a) Internet (e-commerce)
E-commerce is primarily regulated by data privacy, intermediary liability and foreign investment regulations. Details of the data privacy regulations are set out in question 5.1.
E-commerce marketplaces are categorised as intermediaries under the IT Act. The IT Act provides a conditional safe harbour or exemption (intermediary exemption) for entities that operate websites, applications or computer systems that host or provide access to user-generated content. The justification here is that such intermediaries have minimal control over content transmitted by third parties. Search engines, online payment sites, online marketplaces and social media platforms usually claim the intermediary exemption.
In a recent development, however, the Delhi High Court distinguished between passive and active intermediaries. The High Court issued interim orders in favour of direct selling companies Amway, Modicare and Oriflame, restraining several e-commerce platforms – including Amazon and Flipkart – from allowing sales of products under the brand names of the direct selling companies unless the respective seller or merchant produced written consent letters authorising such online sales. The court observed that the e-commerce platforms were providing value-added services to sellers and merchants.
While foreign direct investment (FDI) in business-to-business e-commerce is generally permitted, FDI in business-to-consumer (B2C) e-commerce is heavily regulated by Indian foreign exchange laws. Further, FDI in e-commerce marketplaces is subject to various conditions. These include restrictions on ownership of inventory, restrictions on activities that the marketplace entity can undertake in terms of value-added services, and restrictions on concentration of sales in a single vendor or group. FDI in an inventory-based model of B2C e-commerce is not generally permitted.
(b) Mobile (m-commerce)
M-commerce platforms are subject to the same regulations as e-commerce platforms.
(c) Big data (mining)
Big data is not specifically regulated in India. However, general data protection laws (as described in question 5.1) will apply to any data mining activities. Additional requirements may apply, depending on the nature of the data mined. For example, if the data mined contains credit information, restrictions will apply to how that data can be used. Similarly, if the data includes data relating to payment transactions in India, that data may need to be localised in India. Additionally, if data mining forms part of outsourced IT activities, obligations imposed by the Reserve Bank of India (RBI) on outsourced activities (as described in question 2.6) will apply.
The Indian government has proposed an overhaul of the data protection regime. In July 2018 a committee of experts established by the government released a first draft of the Personal Data Protection Bill 2018. Among other things, the bill (as presently drafted) provides for the imposition of additional obligations on entities which are categorised as significant data fiduciaries. The relevant authority will categorise a data fiduciary as a ‘significant data fiduciary’ based on factors including the following:
- the volume of personal data processed;
- the sensitivity of the personal data processed;
- the turnover of the data fiduciary;
- the risk of harm resulting from any processing; and
- the use of new technologies.
Significant data fiduciaries must be registered with the relevant authority and must implement trust scores, data audits and data protection impact assessments. The Bill is expected to be tabled for legislation in the winter session of the Parliament in 2019, or the subsequent session.
(d) Cloud computing
No specific regulations govern cloud computing in India. However, existing data protection laws (as described in question 5.1) will apply to cloud computing in connection with data collected and handled by cloud service providers. Additionally, a cloud service provider may be considered to be an intermediary under the Information Technology (Intermediaries Guidelines) Rules 2011. These rules impose certain obligations on intermediaries, including a prohibition on hosting certain categories of information, the deletion of information upon receiving notification and a requirement to have a physical presence in India.
In certain circumstances, cloud service providers may be treated as vendors for outsourced financial or back-office services. In such situations the outsourcing requirements (discussed in question 2.6) may be triggered.
The government is considering introducing rules and regulations on cloud computing and related services.
(e) Artificial intelligence
There are no regulatory guidelines for the adoption of artificial intelligence (AI). However, the core function of AI involves handling huge amounts of data. To this extent, the applicable data protection regulations (described in question 5.1) will apply.
Earlier in 2019 the finance minister announced a government proposal to set up a National Centre for Artificial Intelligence and a national AI portal. There are also indications that a legal framework for AI will be established.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Indian laws do not regulate the use of distributed ledger technology (DLT). However, DLT and blockchain technology are seen as important tools for the development of banking processes and are thus expected to attract the government’s attention in the coming year. The RBI is implementing several initiatives to introduce regulations that can be adopted by banks and financial institutions to implement blockchain technology.
In September 2017 the Institute for Development and Research in Banking Technology (IDRBT) – the RBI’s research arm on banking technology – released a white paper entitled “Applications of Blockchain to the Banking and Financial Sectors in India”. The recommendations in the white paper include:
- providing secure distributed databases of client information across banks; and
- automating the underwriting process by storing financial data on blockchain.
The IDRBT also conducted a proof of concept on the use of blockchain technology in a trade finance application, which involved the participation of banks, solutions providers and the National Payments Corporation of India (a retail payment organisation). The IDRBT has since released a blueprint for blockchain platforms in India.
Despite these initiatives, the government’s approach to the use of cryptocurrencies has been negative. The RBI has asked its own regulated entities (eg, banks) to stop providing services that facilitate trade in cryptocurrencies. Prohibited services include maintaining accounts; registering, trading, settling or clearing cryptocurrencies; issuing loans against virtual tokens; accepting virtual tokens as collateral; opening accounts of exchanges that deal in cryptocurrencies; and transferring or receiving funds in accounts relating to the purchase or sale of cryptocurrencies. Cryptocurrencies are not legal tender in India. While cryptocurrency exchanges are not prohibited from operating, the RBI Crypto Circular restricts the use of banking channels and credit cards in connection with the purchase and sale of cryptocurrencies, which has made it very difficult for such cryptocurrency exchanges to operate.