India's Online Gaming Explosion: Strengthening Data Protection and Anti-Money Laundering Measures in the Digital Age
The government of India is swiftly developing the necessary regulatory infrastructure to accelerate the growth of its thriving online gaming market. At the beginning of 2023, the Indian government released the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules which amongst other things mandated online gaming operators to maintain and enforce comprehensive customer identity authentication and verification processes before accepting deposits from customers.
Developing on this, in August 2023, the Indian government passed the Digital Personal Data Protection Act (DPDPA) which establishes anti-money laundering rules and provides detailed guidance on the usage of a customer's personal information.
Protections for Customers
Under the DPDPA, customers have the right to access and make necessary changes to their personal data. They can also seek redressal of any grievance relating to the handling of their personal information nominate a representative to exercise their rights under the DPDPA in case of death or incapacity. These new protections are developing a foundation that will allow customers to participate in the Indian gaming industry with confidence.
Regulations for Gaming Companies
The DPDPA's recognition of gaming companies as "data fiduciaries" signifies a pivotal shift in their regulatory framework, imposing rigorous criteria that mandates strict adherence. This regulatory evolution not only emphasizes the obligation to erase personal data when no longer necessary or upon customer consent withdrawal but also underscores the imperative implementation of security safeguards to mitigate the risk of personal data breaches. These obligations are applicable irrespective of whether the gaming companies store data internally or engage third-party data processors.
In this landscape, the term "commercial litigation" could come into play if disputes arise regarding the interpretation or enforcement of these stringent criteria. Gaming companies, in their efforts to comply with the DPDPA, might find themselves entangled in legal conflicts, especially concerning issues such as the proper handling of personal data, consent withdrawal procedures, and the efficacy of security safeguards. Consequently, the appointment of a Data Protection Officer and the publication of contact information become pivotal not only for regulatory compliance but also as strategic measures to address potential legal inquiries and facilitate communication in the event of commercial litigation.
The Data Protection Board
The DPDPA also provides for the establishment of a Data Protection Board (DPB) that will be responsible for upholding the provisions of the DPDPA. The DPB will look into data breaches and customer complaints, and they will have the authority to impose financial penalties on offenders. Companies will be required to inform the DPB and affected users of a data breach. Failure to do so will result in penalties of up to INR 250 crore (USD 30 million). In cases where a data fiduciary has repeatedly violated DPDPA provisions, the DPA may advise the government to block the data fiduciary's website or app. Appeals against DPB decisions will be heard by the Telecom Disputes Settlement and Appellate Tribunal.
The Big Picture
The penalties under the DPDPA emphasize the importance of protecting customer privacy and will act as deterrents for potential violators. Gaming companies will need to have robust policies and procedures in place to safeguard customers' data and ensure compliance with the new privacy legislation.
The DPDPA has the potential to create a solid foundation for the growing Indian gaming industry, and this is an opportune time for stakeholders to enter the Indian gaming market. In doing so, gaming companies must consider the DPDPA provisions carefully and consult professionals in the field to ensure compliance.
Originally published September 13, 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
