Digital businesses in India operate under a comprehensive framework of legislative and regulatory provisions that addresses various aspects of digital operations. The Information Technology Act, 2000 (‘IT Act’) serves as the foundational legislation, covering issues such as:
- cybersecurity;
- data protection; and
- e-commerce.
Key provisions include:
- mandates for data security practices under Section 43A; and
- penalties for cybercrimes under Section 66.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 regulate the collection and handling of personal data by:
- granting individuals rights over their information; and
- establishing data protection principles.
The Goods and Services Tax Act governs the taxation of digital goods and services.
Like the tax laws, the Indian IP laws are also not sector-specific and apply to all types of digital businesses (irrespective of their industry of operation).
Specific sets of laws may apply depending on the sector in which the digital business is operating. For instance:
- the Consumer Protection Act, 2019 addresses consumer rights in digital transactions, ensuring transparency and fair practices in e-commerce;
- the overarching Payment and Settlement Systems Act, 2007 (and the numerous guidelines and directions prescribed by the Reserve Bank of India) make digital payments a highly regulated sector;
- digital businesses operating in the securities sector must comply with the Securities and Exchange Board of India Act, 1992 (along with the directions/guidelines prescribed by the Securities and Exchange Board of India); and
- digital businesses operating in the insurance sector must comply with the Insurance Regulatory and Development Authority Act, 1999 (as well as the directions/guidelines prescribed by the Insurance Regulatory and Development Authority of India).
In India, several key bodies play crucial roles in implementing and enforcing the digital business regime, each focusing on different aspects of digital operations:
- The Ministry of Electronics and Information Technology (MeitY) is central to formulating and overseeing policies related to IT and electronics. MeitY promotes digital infrastructure development, e-governance and cybersecurity initiatives, working to ensure a robust digital ecosystem and supporting the Digital India mission.
- The Reserve Bank of India (RBI) regulates the financial aspects of digital transactions and payments. The RBI issues guidelines for electronic banking and payment systems, focusing on:
  - security;
  - efficiency; and
  - the prevention of financial fraud.
  Its role is critical in:
  - ensuring the integrity of digital financial operations; and
  - enhancing financial inclusion through digital channels.
- The Indian Computer Emergency Response Team (CERT-In) is tasked with:
  - handling cybersecurity incidents; and
  - providing support during cyber threats.
  It offers early warnings, incident response assistance and vulnerability assessments to help organisations manage and mitigate cybersecurity risks. CERT-In’s efforts are vital in maintaining the security of digital infrastructure and responding to emerging threats.
- The Telecom Regulatory Authority of India (TRAI) regulates digital communications and telecoms services. TRAI sets standards and guidelines for telecoms operators, ensuring service quality and addressing consumer grievances. It plays a key role in:
  - managing policies related to digital communications; and
  - maintaining fair practices in the telecoms sector.
Together, these bodies ensure that digital businesses in India operate within a secure, regulated framework, addressing issues ranging from data protection and financial transactions to consumer rights and telecommunications. The primary function and focus of these industry bodies is to ensure that businesses are legally compliant because, in light of growing cybersecurity concerns, there is a much higher risk of consumer harm being caused by lapses by businesses in the digital space.
Digital businesses are deeply embedded in India, largely driven by government initiatives such as Digital India and Startup India, which aim to:
- promote digital businesses;
- enhance ease of living and doing business; and
- promote innovation and healthy competition.
The Digital India initiative, launched in 2015, aims to:
- enhance online infrastructure and services;
- promote digital literacy; and
- encourage the use of technology.
The Startup India initiative provides support to budding entrepreneurs through:
- incentives;
- tax benefits; and
- simplified regulations.
Further, the evolution of digital infrastructure in the country – including high-speed internet connectivity and mobile networks – has served as a catalyst for digital businesses. Affordable smartphones and improved internet services have further eased access to digital platforms, enabling both businesses and consumers to engage seamlessly in digital transactions, digital communications and e-commerce. Furthermore, the regulatory framework has been framed to address challenges associated with digital business, such as:
- data privacy;
- cybersecurity;
- foreign exchange management;
- imports and exports of services and software; and
- taxation.
The Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 and the proposed Digital India Act, 2023 have been formulated and amended to create a secure and conducive environment for digital businesses while safeguarding user interests.
The main players in India comprise a mix of foreign, domestic and international entities. Although the number of domestic players is significant, the presence of major international and foreign players makes the Indian digital business markets competitive, innovative and ever evolving. The domestic players in the digital business landscape include:
- e-commerce platforms;
- digital payments and fintech platforms;
- social media and content platforms;
- travel and hospitality platforms;
- transport and food delivery platforms; and
- online education platforms.
The acceptance of digitalisation has not only given domestic businesses a boost, but also afforded an advantage to foreign and international businesses to gain a foothold in the Indian market. International and foreign digital businesses have also progressed in the Indian market by leveraging:
- first mover advantage;
- India’s vast consumer base;
- the easy availability of human resources; and
- India’s growing digital infrastructure.
India has thus fostered a flourishing digital business ecosystem for domestic, foreign and international players, with ongoing support provided by the government and regulatory authorities.
(a) Digital health
Digital health businesses have gained traction over the years and have transformed the healthcare industry by:
- enabling efficient and cost-effective delivery of care;
- empowering patients to take control of their health; and
- improving access to healthcare services in remote locations.
Key features shaping the digital health sector in India include:
- e-hospital information management systems for patient records;
- online pharmacies;
- telemedicine for remote consultations between patients and healthcare providers;
- fitness and health monitoring devices; and
- predictive analysis tools for predicting diseases and formulating patient treatment plans.
In 2023, e-hospitals simplified healthcare access for over 380 million registered patients.
(b) E-commerce
India’s flourishing e-commerce sector achieved a significant milestone in 2023, with a gross merchandise value of $60 billion, and is projected to reach $300 billion by 2030.
Key features include:
- retail platforms;
- electronic goods platforms;
- fashion platforms;
- travel platforms;
- logistics platforms; and
- at-home services platforms.
The beauty and personal care, food and fast-moving consumer goods and fashion sectors are growing at the fastest pace. Online shoppers encompass all age, income and gender groups. Even smaller cities are playing a pivotal role by contributing to e-commerce growth, while rural areas are expected to surpass urban areas by 2030.
(c) Fintech
The fintech sector in India is one of the fastest-growing and most dynamic segments of the financial services industry, comprising:
- a vast range of financial services;
- supportive regulatory frameworks; and
- a focus on financial inclusion and customer-centric solutions.
The key features of the fintech sector include:
- digital payment systems such as the Unified Payments Interface;
- mobile wallets and digital banking services;
- wealth management platforms;
- insurance platforms;
- personal finance platforms; and
- lending platforms.
Additionally, a payment system being developed by the National Payments Corporation of India will enable instant bank-to-bank transfers and facilitate digital payments with ease. GIFT City has revolutionised the first International Financial Services Centre in India, establishing a conducive ecosystem for fintech players in India.
(a) Online payments (including cryptocurrencies and digital wallets)
In India, the regulation of online payments is governed by a framework that is primarily overseen by the Reserve Bank of India (RBI). Online payments, including those made through digital fiat wallets, are regulated under the Payment and Settlement Systems Act, 2007 (‘Payments Act’). The Payments Act provides the legal foundation for regulating and supervising payment systems in India, empowering the RBI to prescribe guidelines and standards that must be adhered to by operators of digital wallets and other online payment mechanisms.
Cryptocurrencies, while currently permitted, exist in a regulatory grey area. Cryptocurrencies are still not recognised as legal tender in India. The Payments Act, which governs traditional payment systems, does not explicitly cover cryptocurrency transactions and there is no other specific statute that regulates cryptocurrency in India. However, there is a legal mandate that businesses dealing in cryptocurrencies must ensure compliance with existing anti-money laundering and know-your-customer obligations as outlined under the Prevention of Money Laundering Act, 2002 and the rules framed thereunder. In addition, any entities intending to offer services in the domain of virtual digital assets (cryptocurrencies) must register with the Financial Intelligence Unit.
(b) Artificial intelligence
In India, the regulation of artificial intelligence (AI) is still at a nascent stage, with no specific legislation governing the use and development of AI technologies. While the government has launched several initiatives to promote and regulate AI through various policy initiatives and frameworks, no specific statute has been enacted that regulates the use of AI.
In 2018, NITI Aayog released the National AI Strategy, emphasising the ethical use of AI, to ensure that AI technologies are developed and deployed responsibly. To this end, the Principles for Responsible AI were introduced in 2021, further promoting the ethical deployment of AI. These principles provide for fairness, transparency and accountability in AI systems, urging developers and users to consider the social and ethical implications of AI technologies. The principles and guidelines/advisories contained under these documents are only recommendatory in nature and do not serve as binding law.
(c) Connected devices/Internet of Things
In 2015, the Ministry of Electronics and Information Technology introduced the draft Internet of Things (IoT) Policy. This policy was designed to promote the development and regulation of IoT in India. It emphasises the need for standards, protocols and interoperability to ensure the seamless integration of IoT devices across various sectors, including:
- healthcare;
- agriculture; and
- manufacturing.
Despite the introduction of the draft policy, there has been no enforceable legislation specifically governing IoT in India to date.
(d) Other (eg, cloud services, quantum technology, chip technology)
Cloud services: In India, there is no general statute or legislation governing cloud services. There are some sector-specific guidelines – such as the Framework for Adoption of Cloud Services by SEBI Regulated Entities, 2023, which governs cloud services for entities regulated by the Securities and Exchange Board of India (SEBI). This framework emphasises various aspects of governance, risk management, data localisation and security controls to be adopted by entities which are regulated by the SEBI.
Quantum technology: India has no specific legislation governing quantum technology. However, the government has undertaken several programmes and initiatives – such as the Quantum-Enabled Science & Technology programme and the National Mission for Quantum Technologies and Applications – which are aimed at advancing the country’s position in this field.
Chip technology: Chip technology in India is regulated under the Semiconductor Integrated Circuits Layout-Design Act, 2000, which provides legal protection for the layout designs of semiconductor integrated circuits. The act grants the registered owner of a layout design the exclusive rights to:
- use the design;
- commercially exploit it; and
- seek legal remedies in case of infringement.
The current instrument covering the collection, processing, sharing and storage of personal data is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The rules mandate that organisations obtain explicit consent from individuals before collecting or processing such data, ensuring that consent is informed and specific.
Organisations must implement reasonable security practices to safeguard sensitive personal data from unauthorised access or disclosure. This involves employing physical, managerial and technical measures to ensure that data is adequately protected. Additionally, sensitive personal data:
- should be collected only to the extent necessary for the intended purpose; and
- should not be retained for longer than needed.
Once the data is no longer required, organisations must ensure that it is securely disposed of.
The rules also stipulate that sensitive personal data can only be disclosed:
- in accordance with legal requirements; or
- with the individual’s explicit consent.
Organisations must have mechanisms in place to address grievances related to the handling of sensitive personal data, ensuring a structured approach to resolving any issues that arise. Although not explicitly required under these rules, larger entities are advised to appoint data protection officers to oversee compliance and ensure adherence to data protection practices.
India is in a transition phase as regards its data protection laws. The Indian Parliament passed the Digital Personal Data Protection Act, 2023 in August 2023. Despite the passing of this statute, it is not currently in force. The rules under this act are expected to be released for public consultation. It is anticipated that the implementation of the statutory provisions of the act as well as the relevant rules will start in a staggered manner some time this year.
There are no specific statutory/legislative provisions governing the processing and sharing of non-personal data. Any sensitive information of an entity can be protected through the confidentiality provisions contained in an agreement between two legal persons/entities.
In India, the legal aspects surrounding cybersecurity are primarily regulated under the Information Technology Act, 2000 (‘IT Act’) and the rules thereunder (ie, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011). The IT Act:
- mandates that companies implement reasonable security practices and procedures to protect sensitive personal data; and
- holds companies liable for any negligence in maintaining such practices which leads to data breaches.
Additionally, the Indian Computer Emergency Response Team (CERT-In), formed and operating under the Ministry of Electronics and Information Technology, plays an important role in responding to cybersecurity incidents. CERT-In also:
- issues guidelines and advisories on cybersecurity threats and vulnerabilities; and
- requires organisations to report specific types of cybersecurity incidents within a prescribed timeframe.
In addition, there are also some sector-specific cybersecurity guidelines, particularly in the banking and financial sector (prescribed by the Reserve Bank of India (RBI) and the Securities and Exchange Board of India). The Reserve Bank of India, for instance, has issued the Cyber Security Framework in Banks, 2016, which mandates that banks:
- establish comprehensive cybersecurity frameworks;
- conduct regular security audits; and
- implement incident reporting mechanisms.
The Securities and Exchange Board of India, on the other hand, has released the Cybersecurity and Cyber Resilience Framework, mandating all regulated entities to have appropriate security monitoring mechanisms. Fresh norms will be implemented in a graded manner starting from January 2025.
The primary statutes governing money laundering and other forms of financial crime in India include:
- the Prevention of Money Laundering Act, 2002 (PMLA); and
- the Prevention of Money Laundering (Maintenance of Record) Rules, 2005 made thereunder.
The Financial Intelligence Unit of India (FIU-IND) coordinates India’s anti-money laundering (AML) efforts, with the objective of receiving, analysing and disseminating information relating to suspected financial transactions. FIU-IND coordinates and strengthens the efforts of national investigation, international intelligence and enforcement agencies in participating in the global fight against money laundering and terrorist financing. Further, the Directorate of Enforcement – a multi-disciplinary body formed under the Department of Economic Affairs – is empowered to investigate violations under various laws, including the PMLA.
The implications of the anti-money laundering provisions include compliance requirements for reporting entities, as defined under the PMLA (“a banking company, intermediary financial institution or a person carrying on a designated business or profession”) and as may be notified – for example:
- real estate agents;
- jewellers;
- virtual digital assets service providers; and
- trust and company service providers.
Reporting entities are expected to comply with the regulations and guidelines issued by the regulatory authorities – such as the Know Your Client (KYC) Directions, the AML Guidelines and Countering the Financing of Terrorism (CFT) Guidelines – which require reporting entities to:
- register with the FIU-IND;
- develop and implement robust AML, CFT and KYC policies within their organisations; and
- train their employees to identify suspicious transactions.
The Consumer Protection Act, 2019 (COPRA) was enacted with the aim of:
- ensuring protection of consumer rights; and
- effectively addressing consumer grievances.
One of the key aspects of COPRA in relation to digital businesses is the liability and accountability of e-commerce platforms. COPRA mandates e-commerce businesses to:
- provide detailed information about sellers; and
- provide a grievance redressal mechanism for customers.
E-commerce entities must also ensure that all product information as displayed on their respective digital platforms – including prices, return and refund policies and terms of sale – are accurate, complete and regularly updated.
The Consumer Protection (E-commerce) Rules, 2020 further outline obligations for all e-commerce entities with respect to:
- unfair trade practices;
- advertising;
- misleading customers; and
- obtaining consent from consumers.
All policies pertaining to privacy, returns and refunds must:
- be displayed on the respective digital platforms; and
- always be available to consumers.
Additionally, the Legal Metrology (Packaged Commodities) Rules, 2011 require all packaged goods that are sold online to clearly display accurate information pertaining to weight, labels, dimensions and measures, with the objective of ensuring a public guarantee relating to the security and accuracy of the weights and measurements of the commodities sold.
Collectively, the instruments outlined above comprise a comprehensive framework for consumer protection in the digital age. The regulations impose specific compliance obligations on digital businesses to ensure that they:
- conduct their operations transparently;
- provide effective grievance redressal mechanisms; and
- handle consumer data responsibly.
India imposes a digital services tax known as the equalisation levy. Introduced in 2016, it initially:
- targeted only online advertising services provided by non-resident entities to Indian businesses; and
- was charged at a rate of 6% of the consideration for such services.
The scope of the equalisation levy was broadened in 2020 to include e-commerce operators, subjecting non-resident e-commerce entities to a 2% tax on consideration received for the supply of goods or services online to Indian customers. The levy aims to obtain tax revenue from digital transactions and services that previously escaped the traditional tax net due to the absence of a physical presence in India.
India has been actively engaged in the Organisation for Economic Co-operation and Development’s (OECD) Multilateral Convention Inclusive Framework on Base Erosion and Profit Shifting, which seeks to address the tax challenges of the digital economy through a global consensus-based solution. Under Pillar 1, a portion of the residual profits of the largest and most profitable multinational enterprises will be allocated to market jurisdictions where goods or services are consumed, irrespective of the physical presence of such enterprises.
India has consistently aligned with OECD guidelines in shaping its economic policies. One significant example is the introduction of goods and services tax (GST) in 2017, which completely revamped India’s indirect taxation system. This unified tax regime was heavily influenced by the OECD’s GST/value-added tax guidelines, reflecting India’s commitment to global taxation practices.
India’s approach to revising its unilateral digital tax measures, such as the equalisation levy, is linked to the progress and successful implementation of the OECD-negotiated Multilateral Convention on Amount A of Pillar 1. Much like its alignment with OECD guidelines on the introduction of GST, India remains committed to international consensus within the evolving global tax landscape. The Indian government has expressed its willingness to reconsider these measures once a globally accepted framework has been established that ensures a fair allocation of taxation rights. To demonstrate its commitment to international taxation reforms for digital businesses, the Indian government, through the Finance (No 2) Bill, 2024, has proposed to withdraw the 2% equalisation levy imposed on e-commerce operators. The withdrawal of this levy will significantly reduce the tax burden on non-resident e-commerce entities and thus foster a more favourable business environment for such companies in India.
In summary, while India imposes specific digital service taxes, it is committed to aligning with international tax reforms. The recent decision to withdraw the equalisation levy on e-commerce entities demonstrates India’s willingness to cooperate with global tax solutions that address its economic and fiscal interests.
India’s tax landscape is evolving rapidly, especially in the context of digital businesses. Key tax measures include the following:
- Equalisation levy: Introduced in 2016, this is a tax on digital transactions by non-resident companies, designed to address the challenge of taxing digital businesses that generate income from India without having any physical presence in the country. The levy ensures that foreign digital companies offering services such as online advertising, cloud services and financial services contribute to the Indian tax base, capturing revenue generated from Indian users.
- Significant economic presence (SEP): The Finance Act, 2018 introduced the concept of SEP to:
  - expand the scope of a ‘business connection’ in India; and
  - establish a taxable presence for non-resident entities based on their substantial economic engagement within India, irrespective of physical presence.
  The SEP criteria include specific revenue and user thresholds, allowing India to tax foreign companies that derive significant income or have a large user base in the Indian subcontinent. This approach ensures that companies which benefit economically from the Indian market contribute their fair share of taxes. However, India has also entered into double taxation avoidance agreements (DTAAs) with various countries under which foreign entities whose incomes are taxable in India may avail of a set-off in the jurisdictions which partner with India under these DTAAs.
- GST: Individuals supplying goods or services through e-commerce operators (ECOs) must be registered for GST irrespective of the threshold set out in the GST law. Additionally, ECOs which are used as a platform to provide such goods and services must have dual registration for GST:
  - one as a taxable person; and
  - the other as a tax collector.
  Compulsory registration for GST is also necessary for any entity that provides online information and database access or retrieval (OIDAR) services from a location outside India to an individual in India (except where the services are provided to a registered taxable person). Therefore, if a foreign service provider is providing OIDAR services to a taxable person that is already registered for GST in India, the foreign OIDAR service provider need not be registered for GST in India.
Apart from the domestic tax regime for digital businesses, India has also been a key player on the international stage, advocating for broader taxation of digital services. India actively participates in the OECD discussions on the Multilateral Convention, which seeks to establish an integrated global approach to the taxation of digital services.
Through its active participation and support in these international forums, India is pushing for a tax framework that:
- ensures fair revenue distribution from digital services; and
- strengthens its position within the global tax regime.
The growing number of transactions in digital cross-border trade has led to the development and implementation of new laws and policies in India aimed at:
- creating a conducive legal and regulatory framework; and
- facilitating digital cross-border trade.
Recently, the Digital Personal Data Protection Act, 2023 was introduced to protect the personal data of individuals exchanged during the cross-border trade of goods and services. The Telecommunications Act, 2023 has also been notified with the aim of promoting the development, expansion and operation of telecommunications services and telecommunications networks and the assignment of spectrum to formulate a robust network structure in order to facilitate cross-border trade. The Foreign Trade Policy, 2023 further lays down simple and transparent procedures that are easy to comply with for efficient management of foreign trade in India. Among other things, it seeks to:
- make it easier to do business in India;
- reduce transaction costs;
- facilitate e-initiatives; and
- promote exports.
The Regulation on Payment Aggregators Cross Border of 31 October 2023, along with relevant circulars, governs online cross-border payment transactions. Furthermore, as part of the Ease of Doing Business initiative, the Central Board of Excise and Customs has implemented the Single Window Project, which facilitates trading across borders and enables importers and exporters to lodge clearance documents online through a single point. India is thus continuously equipping itself with the appropriate regulations and framework to promote, regulate and facilitate digital cross-border trade.
India has laid the groundwork through concrete programmes such as Digital India, which aims to transform India into a digitally empowered society and a knowledge economy. While the legislative framework is continually evolving to promote the dynamics of digital cross-border trade, certain challenges and concerns remain that digital businesses should keep in mind in order to bridge jurisdictional gaps and overcome transactional hindrances.
Stakeholders should be mindful that digital cross-border trade is covered by numerous regimes, including:
- data privacy laws;
- foreign exchange management laws;
- cross-border funds transfer laws; and
- taxation laws.
In analysing the regulatory landscape, digital businesses should also be aware of gaps in interpretation of legislation which may arise due to unfamiliarity with local or national laws. Further, technical issues such as inadequate telecommunications networks, developing infrastructure for digital transactions and complex integration systems across jurisdictions may make it difficult to carry out digital transactions in a seamless manner. Other technical hindrances include:
- data localisation barriers;
- web filtering and blocking;
- restrictions on cloud computing and data flows;
- barriers to internet access; and
- restrictions on online advertising.
Global competitiveness and disparities present significant challenges due to fundamental differences in the infrastructure and frameworks of developed and developing nations. Global currency fluctuations affect several aspects of cross-border trade as pricing becomes inconsistent and less predictable due to fluctuating exchange rates.
The Trademarks Act, 1999, together with the rules framed thereunder, is the primary statute governing the protection and enforcement of trademarks in India. This statute affords protection to the trademarks of both domestic and international entities. Obtaining trademark registration under this statute enables businesses to establish and safeguard the goodwill and reputation that reside in their respective brands. Trademark registration enables businesses to initiate legal proceedings for infringement against other businesses which may be offering goods or services under an identical or similar mark. The remedies for trademark infringement include:
- injunctive relief;
- rendition of accounts; and
- damages.
The Indian trademark regime also permits the initiation of both criminal actions and civil suits in case of a breach of rights by a third party.
Trademark registration is not mandatory for the protection of trademark rights. In the absence of a trademark registration, although a suit for trademark infringement cannot be initiated, it is still possible to initiate a suit for passing off (as India is a common law nation).
India is also a signatory to the Paris Convention and the Madrid Protocol, making it quite easy for foreign businesses to extend their trademark protection in India (through their foreign trademark registrations).
Trademark owners should be wary of trademark squatting and cybersquatting. While there are relatively fewer instances of squatting (due to increased awareness of trademarks and the relevant rights), instances of squatting can still be observed.
In India, innovation in the digital business space is primarily protected under the IP laws (eg, patents, copyrights, industrial designs and trade secrets). The Patents Act, 1970 allows businesses to secure patents for new and inventive products, processes or technologies, providing exclusive rights to the patent holder for a specified period. Copyright protection under the Copyright Act, 1957 extends to original digital works including software, databases and digital content, ensuring that creators have the exclusive right to reproduce, distribute and monetise their creations. The Industrial Designs Act, 2000 protects the graphical user interfaces of computer software. Additionally, trade secrets (which are not subject to specific legislation) are protected through confidentiality agreements and non-disclosure agreements (NDAs). Accordingly, securing various types of IP protection will enable a business to holistically protect and safeguard its proprietary information and innovation (particularly in the tech and digital industry).
Digital businesses should prioritise securing IP protection early in the innovation process – whether through patents, copyrights or trademarks – to establish clear ownership and prevent infringement. It is also essential to put in place watertight contracts, including NDAs and confidentiality agreements, to protect trade secrets and proprietary information, in order to ensure legal enforceability.
The Committee on Digital Competition Law was set up on 6 February 2023 to examine the need for an ex ante regulatory mechanism for digital markets in India. The committee was tasked with:
- reviewing the current provisions of the Competition Act, 2002;
- assessing whether they are sufficient to deal with challenges that have emerged from the digital economy; and
- evaluating whether a separate law to regulate digital markets is needed.
According to the committee, the existing domestic legislative instruments are unable to holistically address anti-competitive practices prevalent in the Indian market pertaining to digital businesses. Thus, the draft Digital Competition Bill, 2024 proposes to designate certain enterprises as ‘systemically significant digital enterprises’ (SSDEs) if they:
- are engaged in certain ‘core digital services’ (CDSs); and
- meet the threshold criteria outlined under the DC Bill.
Designated SSDEs must:
- adhere to various obligations imposed on them under the bill; and
- guarantee fair and transparent interactions with both end users and business users.
The exact obligations will differ for each CDS, with the Competition Commission outlining them through regulations based on:
- market characteristics;
- user demographics; and
- other relevant factors.
The legal framework for employment regulation in India consists of both central and state laws. The central laws for employment do not contain specific provisions on digital businesses. However, the state governments have framed laws to protect the welfare of individuals who are engaged as gig workers by companies operating digital services platforms such as food delivery or ride sharing companies, in order to provide a layer of social security for gig workers who are registered on digital platforms to provide services to subscribers on a fixed-term basis. Such categories of workers are usually categorised as independent contractors and are unfairly subject to arbitrary contractual terms dictated by the platform companies, mainly pertaining to:
- commission rates payable to the platforms; and
- long working hours to receive subsistence levels of payment.
The law passed by the state of Rajasthan in this regard provides for:
- the establishment of a board for the mandatory registration of all service aggregator businesses, as well as individuals working as gig workers in the state, to ensure proper record keeping;
- the payment of a welfare cess by all digital service aggregators to the board; and
- the establishment of:
  - social security schemes by the applicable government; and
  - a mechanism for the redressal of grievances raised by gig workers.
This law is the first step taken specifically towards the regulation of digital businesses in India within the employment context.
There is no regulatory framework which governs the terms and conditions for remote working in India. However, certain laws provide for remote working arrangements in specific situations.
The draft Model Standing Orders for the Service Sector, published by the Ministry of Labour and Employment through a notification dated 31 December 2020, contain a reference to ‘work-from-home’ arrangements for employers in the services sector, whereby employees can work remotely for a specified period subject to the terms of employment agreed between the employee and the employer.
Additionally, the Maternity Benefits Act, 1961, through an amendment introduced in 2017, provides an option for female employees (who have returned from maternity leave) to work from home if the nature of their work is such that it can be carried out from home. In such a case, the employer may allow a female employee to work from home for such period and on such conditions as may be mutually agreed between the two parties.
Companies that are registered as ‘other service providers’ can allow employees to work remotely, subject to the specific terms provided under the applicable rules, without needing permission from the authorities.
Additionally, under the Special Economic Zones Rules, 2006, a unit/company may permit its employees to work remotely:
- subject to its internal rules and policies;
- in adherence to applicable regulations; and
- with the approval of the relevant authorities.
The growth of the Indian economy, driven by various startups and favourable government policies, has created significant opportunities for digital businesses in India and increased demand for overseas talent. Indian law has no specific framework for the engagement of foreign nationals by digital businesses. However, the Ministry of Home Affairs has introduced a special visa regime which allows digital businesses to engage foreign nationals in India where conditions such as the following are met:
- The applicant is a highly skilled and/or qualified professional who is being engaged or appointed by an Indian establishment on a contractual or employment basis;
- The visa is not being issued for:
  - a job for which qualified people from India are already available; or
  - routine, ordinary or secretarial/clerical jobs; and
- The foreign national will be drawing a salary which is in excess of $25,000, except for applicants working as:
  - ethnic cooks;
  - language teachers (other than English language teachers)/translators; or
  - staff at an embassy/high commission in India.
A popular alternative which bypasses these visa conditions for the employment of foreign nationals in India is to engage foreign nationals on a remote basis. This is beneficial for companies because the legal framework for the engagement of remote workers in India (see question 13.2) imposes far fewer restrictions in relation to the engagement of foreign nationals.
Digital businesses in India face numerous environmental challenges, primarily in relation to:
- energy consumption;
- electronic waste generation; and
- the depletion of useful resources.
Data facilities which support cloud services and digital operations use substantial amounts of electricity, which is generally generated from non-renewable sources and thus contributes significantly to carbon emissions and climate change.
Further, the manufacture, use and disposal of electronic devices such as laptops, chargers, computers and their accessories – which are regularly used in digital businesses – result in substantial electronic waste containing hazardous materials that can harm the ecosystem if not properly managed.
Digital businesses must bear in mind certain imperative measures which can mitigate the impact of digital businesses on the environment. Key considerations include the following:
- Energy efficiency: Digital businesses must adopt energy-efficient technologies and practices which can significantly reduce their carbon footprint. Businesses should invest in renewable energy sources for energy consumption, such as solar or wind power, which will not only be beneficial for the environment but also be cost efficient for businesses in the long run.
- Sustainable practices: Digital businesses can integrate sustainability into their business practices through measures such as:
  - improving supply chains (by appointing suppliers with sustainable practices) to minimise their environmental impact; and
  - encouraging remote work to reduce commuting emissions.
- E-waste management: Businesses should:
  - take good care of their electronic devices and ensure that they are used for a long period of time, without needing to replace them with new electronic devices; and
  - implement effective recycling methods to ensure that e-waste is being disposed of properly, by partnering with reputed e-waste management service providers.
- Sustainable products and services: Digital businesses should consider the environmental impact of their products and services throughout their lifecycle, from design to disposal. This includes designing products that are:
  - energy efficient;
  - durable; and
  - easy to repair or recycle.
By focusing on these issues, digital businesses can better align with environmental sustainability goals and reduce their overall ecological impact.
Data privacy is an important concern for digital platforms that gather, retain and utilise significant amounts of personal data which can be exploited or compromised if improperly maintained, thereby:
- endangering the private information of individuals; and
- undermining confidence in digital services.
The implementation of robust data protection measures and adherence to privacy regulations – such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (as and when it is notified) – are vital considerations for safeguarding user information in India.
Digital inclusion is another issue which digital businesses face, in terms of bridging the ‘digital divide’ – in other words, the difference between those with and without access to technology – which has the potential to exacerbate social inequality. This disparity can impact on work, education and general quality of life. For instance:
- job seekers who lack digital literacy are at a disadvantage; and
- children in underprivileged neighbourhoods might not have access to the digital tools required for modern education.
In order to address this problem, digital businesses should:
- invest in infrastructure to enable them to provide reasonably priced goods and services;
- sponsor initiatives which promote digital literacy; and
- push for laws that facilitate digital access to rural and remote areas.
Digital literacy should further be promoted through digital ethical practices, as digitalisation has also contributed to the extensive spread of misinformation and hate speech, thus exacerbating social polarisation. Therefore, digital businesses must navigate issues such as misleading advertising, counterfeiting and uninformed online purchases by implementing strict internal regulations and content controls on their platforms to minimise the impact of misleading information.
Data governance, legal compliance and ethical conduct are frequently at the centre of governance issues in digital businesses. The widespread adoption of digital technology has presented businesses with complex regulatory frameworks, requiring compliance with a range of laws and standards pertaining to cybersecurity, data protection and intellectual property. Retaining credibility and trust requires adherence to ethical and transparent standards when using individuals’ data in business operations.
By focusing on the following key considerations, digital businesses can enhance their governance frameworks and compliance:
- Regulatory compliance: It is necessary to comply with evolving data protection regulations – such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 – in order to:
  - avoid legal repercussions; and
  - ensure ethical business practices.
- Data governance: Protecting information and ensuring regulatory compliance require the establishment of clear policies and procedures for handling data, including:
  - adherence to data protection regulations; and
  - the deployment of robust internal security measures.
- Ethical conduct: Regularly promoting accountability, transparency and ethical behaviour in business operations significantly contributes to the development of trust and reduces the risk of governance errors, thereby enhancing good governance practices in companies.
Digital India – an initiative which commenced in July 2015 – aims to transform India into a digitally empowered economy. Despite its remarkable progress, certain challenges remain, such as:
- digital illiteracy;
- connectivity limits;
- cybersecurity threats;
- patchy resource allocation; and
- slow infrastructural development.
Another key initiative of the Indian government – Viksit Bharat – has been emphasised in the 2024 Budget. This:
- aims to transform India into a developed nation by 2047; and
- envisions holistic national development by:
  - empowering citizens;
  - promoting economic growth; and
  - ensuring access to digital infrastructure and social welfare.
There has been a notable recent increase in the use of 5G networks, digital payment methods (eg, the Unified Payments Interface (UPI)), artificial intelligence (AI), blockchain technology and e-banking services, contributing to the shift towards a digital cashless economy. UPI transactions in India increased significantly in both volume and value in the 2023-2024 financial year, reflecting the rapid digitalisation of businesses. By utilising data analytics and AI, digital businesses can deliver bespoke experiences to their customers with enhanced expertise and superior-quality goods and services.
Digitalisation requires the extensive collection and storage of data, augmenting the importance of robust data security. Stringent implementation of data privacy laws – such as the Information Technology Act, 2000 and rules made thereunder and the Digital Personal Data Protection Act, 2023 – is thus required. The proposed Digital India Act, 2023 will replace the Information Technology Act, 2000 and further the principles of the Digital India initiative by:
- increasing the accountability of data fiduciaries;
- protecting the data of data principals; and
- ultimately regulating the entire digital ecosystem.
Further, the rules under the Digital Personal Data Protection Act, 2023 may be notified along with amendments to the rules under the Information Technology Act, 2000 for the purpose of safeguarding digital personal data.
Digital businesses in India can thrive by tailoring their strategies to the unique characteristics of the Indian market. Understanding local preferences is crucial, as offering content in regional languages and being culturally sensitive can significantly enhance user engagement. As mobile internet usage is high, a mobile-first approach is essential and the development of user-friendly apps can be advantageous. The effective use of social media platforms such as WhatsApp and Instagram, along with partnerships with local influencers, can boost visibility and customer interaction. Compliance with local regulations, including data privacy and tax laws, is necessary to avoid legal issues. Forming local partnerships and investing in regional networks can help to streamline operations and expand reach.
However, businesses should be aware of potential challenges. Connectivity issues in some areas may affect user experience, and navigating India’s relatively bureaucratic regulatory environment can be challenging. The diverse payment ecosystem requires offering various options while staying vigilant against fraud. It is best to engage legal counsel experienced in handling the legal requirements of digital businesses to navigate this rapidly evolving space in India.