Calendar year 2021 saw a number of regulatory developments, some expected and some surprising, that will shape the Indian digital business ecosystem in interesting ways. The global pandemic continued to spur digitalization of businesses, which in turn spurred regulators into taking a keener interest in the TMC space. Some major regulatory changes are expected in Calendar 2022.
In this update, we give you a roundup of TMC regulatory highlights to look out for in 2022.
A New Data Protection Law
On December 16, 2021, a Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019 presented its report on the Draft Bill before both houses of the Indian Parliament. The report comprises the JPC's recommendations and changes to be made to the Draft Bill and general data protection framework in India.
The JPC's report will lead to a number of consequential changes in the data privacy law, not least adding to it elements of 'non personal' data protection. The new draft data protection law is now expected to be passed, with these changes, sometime in early 2022.
In February 2022: The Indian Government will present its annual budget to Parliament, and it is likely that the new draft data privacy law will be presented and debated before the Parliament at that time.
Intermediary Platform Regulations Will Be Tested
Amendments to Indian intermediary protection regulations were notified in May 2021. These brought about significant changes, including requiring on-soil presence in India for large social media intermediaries, requiring proactive monitoring of content, and also regulated online content curators and online news providers by specifying 'codes of conduct'.
There new rules have not been without controversy, and certain portions have been put on hold by Indian courts. The new year will bring more instances where the Government and the online content industry will test the enforcement of these rules.
During Calendar Year 2022: The medium to long term on-the-ground impact of new IT rules will be tested. For one, Indian courts will finally rule on the legality of certain measures. 2022 will also show how strictly the Indian Government intends to enforce these rules, particularly with politically sensitive state elections scheduled for early 2022.
Recurring Themes of Data Sovereignty
A common thread in the Indian Government's new, and proposed, rules about data protection, blockchain, intermediary liability, etc., is the assertion of India's 'sovereignty' over Indian data. On one hand, this will lead (and has led) to data localization rules that prevent non-Indian players from collecting, storing, or monetizing Indians' data. This regulatory outlook also translates to allowing the Indian Government wide powers to access data present in India for law enforcement purposes.
A tricky issue arises when the data in question is not of Indian data subjects. In such cases these data access rights have to be calibrated to deal with, say, EU subjects' data. Post the July 2020 Schrems II ruling, European and other overseas players have had to conduct DPIAs to determine if EU data subject's rights are adequately protected under Indian regulations.
During Calendar Year 2022: The need to reconcile the Indian Government's data access powers will again become relevant when the final version of the data privacy law is notified, and/or when Indian courts rule on the rights accorded to EU data subjects.
(More) Curbs on Payment Data Storage
With India's payment ecosystem growing exponentially in the past decade, concerns about paymentrelated frauds and data theft have come to the forefront. The Reserve Bank of India has, in the past, introduced several new measures in an effort protect end-users, such as payment data localisation measures since 2018, etc.
In 2021, the RBI also mandated the purging of credit card data by entities in the payment transaction chain. The intention was to have payment system participants transition to tokenisation of card details with effect from January 1, 2022. After an industry-wide pushback, the RBI relented and the deadline for purging Card on File data was extended by six months, until June 30, 2022. While this provides some respite, it remains to be seen if tokenization is a viable solution for Indian payments ecosystem.
In July 2022: The ban on storing credit card data on file will come into force; with players scrambling to put in place alternate solutions before then.
Cryptocurrency: Ban or Regulate?
Despite cryptocurrencies growing manifold in valuation in 2021, their legal status and regulation in India is as unclear as ever. Cryptocurrency is currently not regulated; while not explicitly prohibited, it has no regulatory foundation or recognition under Indian laws. Since 2018, also, the RBI has warned against cryptocurrencies, and had effectively shut them out of availing traditional banking services. While this order of the RBI was countermanded by the Indian Supreme Court, there is little clarity on how non-fiat currencies will be viewed in the long term.
Some clarity may be forthcoming in 2022. A "Cryptocurrency and Regulation of Official Digital Currency Bill, 2021″ was listed before the Indian Parliament, but could not be taken up. No draft law has been released as yet. This matter is likely to come to a head in 2022, again, in the next session of the Indian Parliament.
In February 2022: The Government may put up a draft crypto regulation bill before the Parliament; it remains to be seen if this bill will seek to regulate private cryptocurrencies, or regulate them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.