HORIZON SCAN: JANUARY TO OCTOBER, 2023
India has witnessed a flurry of new laws, judgements, and developments in the TMT space since the start of the year. These have the potential to add a new layer of complexity to India's already convoluted regulatory landscape, especially in evolving sectors such as health-tech and gaming. Businesses may need to reorganise their workflows to achieve compliance in the upcoming months. This article provide an update on key legal developments this year.
KEY LEGISLATIONS ON THE HORIZON
- A New Data Protection Regime in India
India has recently enacted a new data protection law. The Digital Personal Data Protection Act, 2023 ("DPDPA") rehauls existing data protection practices in the country. While comparable to the GDPR, the DPDPA diverges from many international data protection laws by focusing on a consent-centric framework. This will require businesses to restructure their global privacy framework for India-related data processing. Penalties may extend up to INR 250 crores (~ 30 million USD). While the law is not yet in effect, companies have already commenced their compliance operations. Read our detailed summary of the new law here.
- A New Framework for Regulation of Information Technology
The Indian government proposes to revamp its decades-old IT law under its 'Digital India' initiative. A proposed "Digital India Act" will regulate the open internet, online safety, accountability and quality of services, and emerging technologies, while establishing a new adjudicatory mechanism. Through the regulation of internet intermediaries, developers of emerging technologies, and internet users, the Digital India Act aims to establish non-discriminatory internet access through sanctions on digital harms such as impersonation, privacy violations, misinformation, doxing, and cyber-attacks. Fines for non-compliance are expected to extend up to INR 500 crores (~60 million USD) and will include criminal penalties as well. A draft version of this law has not yet been officially published.
- Increased Penalties for Non-Compliance with Cybersecurity Requirements
In 2022, India's nodal cybersecurity regulator issued a set of directions that, among other cybersecurity obligations, requires businesses to report cybersecurity incidents to the regulator within six hours of knowledge of occurrence. Penalties for non-compliance include both, fines of up to INR 1 lakh (~1,200 USD) and imprisonment of up to one year. While there have been no public instances of penalties being imposed since these directions went into effect, the Indian government has recently enacted an amendment to increase the fine to a maximum of INR 1 crore (~120,000 USD), which significantly increases risks associated with non-compliance with the stringent directions. This amendment is not yet in effect.
- New Guidelines on Use of AI in Biomedical Research and Healthcare
The Indian Council for Medical Research ("ICMR"), the apex body for the conduct of biomedical research in the country, has issued a new set of guidelines for organisations that seek to utilise artificial intelligence in connection with the use of health data for biomedical research. Under the Ethical Guidelines for Application of Artificial Intelligence in Biomedical Research and Healthcare, organisations are required to undertake risk-based assessments to determine harm that may arise out of the use of artificial intelligence, create transparency frameworks, seek explicit consent for the use of predictive algorithms, and undertake impact assessments. Developers targeting the Indian market should account for these guidelines while creating artificial intelligence/machine learning models.
- New Cloud Services Framework and Enhanced Cybersecurity Framework for the Securities Sector
The Securities and Exchange Board of India ("SEBI"), India's securities and commodities regulator, issued an enhanced cybersecurity framework for regulated entities that include stockbrokers, asset management companies, and mutual funds. SEBI also issued a framework aimed specifically at the adoption of cloud services, which requires regulated entities to introduce security measures in connection with their cloud services. Non-regulated businesses that offer cloud solutions to these organisations will be required to restructure their security protocols to meet these new standards.
- A New Cybersecurity Framework for the Insurance Sector
The Insurance Regulatory and Development Authority of India, India's insurance regulator, has directed insurers and insurance intermediaries to strengthen their cybersecurity compliances by introducing a new set of guidelines for this purpose. Regulated entities are expected to comply with the new guidelines by the start of the upcoming financial year of 2024-2025.
- A New Framework for Regulation of Outsourcing Activities in the Banking Sector
The Reserve Bank of India, India's central bank and banking regulator, has issued detailed guidelines on the outsourcing of IT services for regulated entities, such as commercial banks. Fintech companies that collaborate with regulated entities as outsourcing partners will be expected to introduce new measures within their partnerships, especially in the areas of risk management, monitoring and control over outsourced activities, cross-border outsourcing, and cybersecurity.
- A Proposed Framework for Regulation of OTT Services
Concerned that internet-based communication tools sidestep compliance with traditional telecom laws, India's nodal telecom authority, the Telecom Regulatory Authority of India ("TRAI") has been exploring mechanisms to examine regulatory frameworks and licensing structures for internet-based communication tools, including VoIP tools. A public consultation process was undertaken by the TRAI, and we expect further guidance soon. Read our comments in connection with the consultation process here.
- Telecom Service Providers to Use AI/ML to Curb Smishing Attacks undertaken through Telecom Networks
The TRAI has directed telecom service providers to utilise artificial intelligence tools to detect new patterns, techniques, calls to action, and signatures in phone calls and text messages used by smishing attackers. These tools must analyse the reputation of senders based on a variety of factors such as the duration of use of a telecom service provider's network, verification mechanisms, and calling patterns. Telecom service providers are required to share information from detection systems with other telecom service providers, law enforcement authorities, and government bodies.
- A Proposed Framework to Leverage Artificial Intelligence and Big Data in Telecom
The TRAI has recommended the use of artificial intelligence and big data in the telecom sector. The suggested regulatory framework includes the establishment of an independent statutory authority called the 'Artificial Intelligence and Data Authority of India' to ensure the responsible use of artificial intelligence, creation of a regulatory sandbox for testing artificial intelligence solutions to curb spam, and adopting artificial intelligence tools in the telecom sector to verify mobile subscribers, detect security threats, and redress customer grievances, among other use cases.
- A Proposed Framework to Bolster Digital Transformation through 5G Inclusion
TRAI has recently set its sights on identifying policy challenges to the effective utilisation of 5G technology. The regulator acknowledged the potential of emerging technologies such as IOT, AI, AR/VR/MR, and the metaverse to boost India's digital economy, and to this end, has sought stakeholder views on the development and deployment of 5G technologies, 5G use cases, infrastructure requirements, regulatory model, security and privacy issues, and international best practices.
- Telecom Tribunal holds the Regulation of OTTs to be Outside Telecom Law
The Indian telecom tribunal has held that OTT platforms do not, prima facie, fall under the purview of the TRAI, and therefore, telecom law. Telecom laws empower the TRAI to regulate telecommunication services including broadcasting and cable services. However, the definition does not explicitly extend to OTT platforms. This ruling lends credence to concerns raised by industry players, who have argued that the Ministry of Electronics and Information Technology, and not TRAI, is the only Indian regulator that has the authority to regulate OTTs by virtue of the powers granted to it under India's information technology law.
- New Anti-Tobacco Disclaimer Mandate for OTT Platforms
OTT platforms that depict the use of tobacco products in their content are now required to display anti-tobacco health warnings at the beginning and middle of programmes. This requirement, issued by the Health Ministry, has been met with pushback from industry stakeholders who have voiced concerns regarding the large-scale efforts required to modify existing library content, jurisdictional boundaries of the Health Ministry's ability to regulate OTT content, and the overall impact on user experience while viewing such modified content.
- OTT Platforms required to Display Age-Based Classifications in Ads
In furtherance of the laws regulating intermediaries that require OTT platforms to display age-based content classifiers for their programming, the Indian government now similarly requires OTT platforms to display age-based classifiers in promotional and marketing material of their content published on media platforms.
- Indian Government amends Film Laws
The Indian government recently amended the Cinematograph Act, 1952 which now requires theatrical film releases to be classified into 'U/A 7+', 'U/A 13+' and 'U/A 16+' in addition to the existing categories of 'U', 'U/A' and 'A'. This brings theatrical releases in line with the age-based content classifiers imposed on OTT platforms. The amendments also impose harsher penalties on those who engage in or abet to engage in unauthorised recording and exhibition of films, including imprisonment.
- New Guidelines to Enhance Film Accessibility
In a recent court order, the Indian government and other film, theatre, and OTT platform stakeholders have been instructed to discuss ways to make films disability-friendly for visually- and hearing-impaired individuals. These guidelines stem from the protection afforded under the Rights of Persons with Disabilities Act, 2016.
- Indian Courts upheld Rights of Lyricists and Composers
An Indian court has ordered FM radio broadcasters to pay royalties to lyricists and composers for broadcast of their underlying composition in a sound recording. This is in addition to paying music labels who own the overall sound recording. The court clarified that broadcasting a sound recording to the public includes the utilisation of the underlying literary and musical copyright, thereby warranting payment to the authors of such underlying works.
- Landmark Case upholds Celebrity's Personality Rights against A.I Misuse
A recent ex-parte injunction issued by an Indian court granted a popular Bollywood celebrity the right against the unauthorised use of his name, image, and likeness through technological tools such as artificial intelligence, deepfake technology, and voice and face morphing applications, for financial or commercial gains. This decision reaffirms an individual's personality rights in the digital era.
- Streaming Platforms not subject to Statutory Licensing Regime
Indian copyright laws allow for a statutory licensing regime wherein public broadcasters are allowed to broadcast certain copyrighted works by notifying copyright holders and paying royalty rates set by the Copyright Appellate Board. A recent court order limits this definition of public broadcasters to traditional, non-internet-based broadcasters, thereby excluding all internet streaming platforms, requiring them to engage in negotiations with the copyright holders prior to broadcasting their works.
- Private TV Channels required to Broadcast Public Service Programming
The Indian government now requires private TV channel broadcasters to undertake public service broadcasting for at least 30 minutes per day on themes ranging national importance and social relevance such as education, agricultural development, and health and family welfare.
- New Guidelines for Health and Wellness Celebrities
The Indian government has issued guidelines to celebrities and influencers endorsing health and wellness products and services to curb misleading advertisements and unsubstantiated claims. These new guidelines require disclaimers on endorsed content to ensure viewers do not misconstrue it as professional medical advice or diagnosis. Endorsers are also required to engage in due diligence activities prior to making such endorsements and must disclose if they are certified medical practitioners and health experts. Read our detailed summary of the new guidelines here.
- Indian Government Imposes Higher Taxes on Online Gaming Companies
The Indian government has levied a 28% goods and services tax on online gaming companies, casinos, and betting on horse racing. Online 'games of skill', which are considered legal in India, face a relatively lower tax of 18% on gross gaming revenue, but 'games of chance' face the higher tax of 28% on total bet value. However, the line between what constitutes a 'game of chance' versus 'game of skill' is relatively blurred with conflicting judicial and legislative decisions. This new taxation regime has been met with large-scale criticism from industry stakeholders, primarily the online gaming companies, who are incurring losses and even engaging in layoffs to meet these tax requirements.
- New advisory against Use of Trading Data for Virtual Trading and Online Gaming
The National Stock Exchange ("NSE") has advised its trading members against using stock market data for virtual trading and online games, which involve rewards for predicting stock market moves. The NSE has emphasized that such data should be used solely for legitimate trading purposes.
- Indian Government issues Advisory against Online Gaming Advertisements:
The Indian government, in consultation with various advertising industry stakeholders, has advised all media platforms, including print, TV, and social media, to refrain from publishing advertisements of online real-money gaming platforms, which may constitute direct or surrogate advertising for betting or gambling. This advisory arises in light of ongoing debate on qualifying real-money online games as 'games of skill' versus 'games of chance', with 'games of chance' amounting to gambling or betting under various state laws.
It is imperative that companies analyse their business models from the lens of each sectoral development. Businesses must identify the risks and opportunities and restructure their processes to stay ahead of the curve.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.