India: Technology Law – Legal and Regulatory Developments in 2023
Authors: Rahul Goel and Anu Monga
A. After stalling for half a decade, India gets its own Data Protection Laws
The Digital Personal Data Protection Act, 2023 (“Data Protection Act”) was notified by the Government of India (“GoI”) in August 2023.
The Data Protection Act applies to processing of all personal data which is in digital form or non-digital form and digitized subsequently, within the territory of India or outside the territory of India, if it is in connection with activities related to goods and services within the territory of India.
In terms of the Data Protection Act, ‘personal data’ means any data about an individual who is identifiable by or in relation to such data.
The Data Protection Act covers notice and consent to protect ‘personal data’. It also provides for obligations of fiduciaries, processing of data of children, and obligations of significant data fiduciaries. In terms of the Data Protection Act, fines and penalties are imposed for breach of the provisions of the Data Protection Act and the rules made thereunder.
Like enforcement of data protection laws in other countries, the Data Protection Act also has an extra-territorial jurisdiction, in cases where the processing of Indian data subjects occurs outside India or if the processing is in connection with any activity related to the offering of goods or services to individuals within India. Further, the Data Protection Act also has requirements relating to data transfers, data protection officer appointment and lawful basis for processing.
Prior to notification of the Data Protection Act, protection of personal data and privacy concerns were dealt under the Information Technology Act, 2000 (“IT Act”) and relevant rules framed under the IT Act, i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, and the Intermediaries Guidelines. After the introduction of the Data Protection Act, the SPDI Rules were repealed on 11 August 2023.
B. CERT-In’s Cybersecurity Guidelines for Government Entities
The Indian Computer Emergency Response Team (“CERT-In”), which is the government’s nodal agency for cybersecurity-related matters, released the guidelines on Information Security Practices for Government Entities (“Cybersecurity Guidelines for Government Entities”).
The Cybersecurity Guidelines for Government Entities shall be applicable to all Ministries, Departments, Secretariats and Offices specified in the First Schedule to the Government of India (Allocation of Business) Rules, 1961, their attached and subordinate offices, and all government institutions, public sector enterprises and other government agencies under their administrative purview (“Government Entities”).
The purpose of the Cybersecurity Guidelines for Government Entities is to establish and implement prioritized cyber security measures and controls within government organisations and their associated organizations, and to protect their cyber infrastructure from prominent threats.
These Cybersecurity Guidelines for Government Entities shall act as a baseline document for administration and audit teams (internal, external/ third-party auditors) to evaluate an organization’s readiness against security threats and evaluate its requirements.
The Cybersecurity Guidelines for Government Entities cover best practices segregated in different security domains such as Network Security, Application Security, Data Security, Auditing, Third Party Outsourcing. Due to the ever-evolving threat landscape, Cybersecurity Guidelines for Government Entities is envisaged to be an organic document and would be updated as per changing threat landscape.
The Cybersecurity Guidelines for Government Entities require the senior management of organisations to:
- nominate a Chief Information Security Officer (“CISO”) for IT Security and provide the details of this CISO (Point of Contact) to CERT-In;
- formulate a cyber security policy and assign roles and responsibilities for the CISO and a dedicated cyber security functional team;
- ensure that the CISO has a dedicated cybersecurity team, separate from the IT operations and infrastructure team;
- conduct an internal and external audit of the entire ICT infrastructure and deploy appropriate security controls based on the audit outcome;
- maintain an inventory of authorised hardware and software, along with a mechanism for automated scanning to detect the presence of unauthorized devices and software; and
- maintain situational awareness of the latest cyber security threats by following the website of CERT-In and its alerts and advisories.
C. TRAI issued recommendations on establishment of independent authority for AI
The Telecom Regulatory Authority of India (“TRAI”) published its recommendation on ‘Leveraging Artificial Intelligence and Big Data in Telecommunication Sector’ in August 2023, in which TRAI recommended establishment of an independent statutory authority, Artificial Intelligence and Data Authority of India (“AIDAI”), for development of responsible AI and regulation of use cases in the country.
As per TRAI, the regulatory framework should comprise an independent statutory authority; a multi-stakeholder body that will act as an advisory body to the proposed statutory authority; and categorisation of AI use cases based on their risk, regulating them according to broad principles of responsible AI.
As per TRAI’s recommendations, AIDAI’s functions could include defining principles of responsible AI and their applicability to AI use cases based on risk assessment, etc.
Further, as per TRAI, the proposed multi-stakeholder body is to be constituted to act as an advisory body to AIDAI, drawing members from different Ministries/ Departments, industry, legal experts, cyber experts, academia and research institutes. The multi-stakeholder body may invite representatives of the relevant Ministry/ Department of the Centre/ State government on a need basis as special invitees.
D. Digital India Programme extended till 2026
GoI had launched the Digital India Programme in July 2015 (“Digital India Programme”) with three key vision areas, namely:
- digital infrastructure as a core utility to every citizen (i.e. high speed internet as a core utility and mobile phone and bank account enabling participation in digital and financial space),
- governance and services on demand (i.e. numerous services available from online and mobile platforms in real time, making cashless transactions, services digitally transformed for improving Ease of Doing Business), and
- digital empowerment of citizens (i.e. universal digital literacy, availability of digital resources / services in Indian languages, and portability of all entitlements through cloud).
Digital India Programme helped in the delivery of several welfare benefits/services directly to beneficiaries in a transparent manner.
The overall goal is to ensure that digital technologies improve the life of every citizen, expand India’s digital economy, and create investment and employment opportunities.
On 16 August 2023, the government approved the extension of the Digital India Programme till 31 March 2026. Under the extended Digital India Programme, nine more supercomputers will be added under the National Super Computer Mission, in addition to the eighteen supercomputers already deployed; Bhashini, the AI-enabled multi-language translation tool, which is currently available in 10 languages, will be rolled out in all 22 languages; and the digital document verification facility under DigiLocker will now be available to MSMEs and other organisations; along with many other enhancements in the sector.
E. UIDAI rolls out new security mechanism using AI and ML for robust fingerprint based Aadhaar authentication
Unique Identification Authority of India (“UIDAI”) under Ministry of Electronics and Information Technology (“MeitY”) rolled out a new security mechanism for Aadhaar-based fingerprint authentication, and faster detection of spoofing attempts in February 2023.
The artificial intelligence and machine learning based security mechanism developed by UIDAI uses a combination of both finger minutia and finger image to check the liveness of the fingerprint captured. The new two-factor/ layer authentication creates an add-on check to validate the genuineness/ liveness of the fingerprint so as to further cut down the chances of spoofing attempts.
The move will be of immense use in segments including banking and financials, telecom and government sectors. It shall also benefit the bottom of the pyramid as it will further strengthen the Aadhaar enabled payment system and curb malicious attempts by unscrupulous elements.
F. Virtual Digital Assets covered under Prevention of Money Laundering Act giving Enforcement Directorate a clear way to investigate illegal online transactions
In March 2023, the Ministry of Finance issued a notification to bring all transactions involving virtual digital assets (“VDA”) within the purview of the Prevention of Money Laundering Act, 2002 (“PMLA”). After the said notification, the Enforcement Directorate (“ED”) uncovered a trail of financial transactions of the entities showing that they remitted ‘proceeds of crime’ from India to China and other foreign nations via payment aggregators/ enablers and crypto exchanges.
In April 2023, it was revealed in the Parliament of India that the ED is investigating several cases related to cryptocurrency/ virtual digital currency frauds wherein a few crypto exchanges have also been found involved in money laundering.
G. Draft regulations for Payment System Operators to enhance cyber security
With the objective of promoting safety and security of digital payments, the Reserve Bank of India (“RBI”) on 02 June 2023, announced draft regulations for Payment System Operators (“PSO”).
As proposed under the draft regulations, the RBI has entrusted PSOs with the responsibility of defining appropriate ‘key risks indicators’, to effectively identify potential risk events and ‘key performance indicators’ for assessing the effectiveness of security controls.
The RBI plans to enforce the proposed master directions in a phased manner. Large non-bank PSO, Payment Aggregators (PAs), card payment networks, large PPI issuers, non-bank ATM networks, White Label ATM Operators, Clearing Corporation of India Limited (CCIL), National Payments Corporation of India (NPCI), NPCI Bharat Bill Pay Limited, Trade Receivable discounting System (TReDS), and Bharat Bill Payment Operating Units have a timeline till 01 April 2024, to ensure compliance, whereas Medium non-bank PSO (Cross-border (in-bound) money transfer operators under Money Transfer Service Scheme (MTSS) and Medium PPI Issuers) may take until 01 April 2026 to comply with the proposed master directions.
Small non-bank PSO (Small PPI Issuers and Instant Money Transfer Operators) have been allotted until 01 April 2028 to ensure compliance with the draft master directions upon enforcement.
H. Proposed Digital India Act to replace the 23-year-old IT Act
In March 2023, the Press Information Bureau (“PIB”) announced the introduction of the proposed Digital India Act, 2023 (“Digital India Act”).
On 9 March 2023 a short PowerPoint presentation highlighting a few elements of the proposed Digital India Act was made available on the website of MeitY. As per the said presentation, the proposed Digital India Act should address the tenets of Digital India, which are: Open Internet, Online Safety and Trust, Accountability and Quality of Service, Adjudicatory mechanism, and New Technologies. Further, the said presentation mentioned the existence of a specialized and dedicated adjudicatory mechanism for online civil and criminal offences which would be easily accessible, deliver timely remedies to citizens, resolve cyber disputes, develop a unified cyber jurisprudence, and enforce the rule of law online.
Apart from these provisions, provisions for accountability for upholding the fundamental rights of citizens under Articles 14, 19 & 21 of the Constitution of India, ethical use of AI based tools to protect the rights or choices of users, provision of deterrent, effective, proportionate and dissuasive penalties, etc. are also discussed as salient features of the proposed Digital India Act under the said presentation.
The presentation also mentioned the different types of intermediaries as: ecommerce, digital media, search engines, gaming, AI, over-the-top platforms, telecom service providers, ad-tech, significant social media intermediaries; and the need for separate rules for each class of intermediaries.