Lex Witness in association with The Trade & Regulatory Compliance Practice Desk at Saikrishna &
Associates brings to you a detailed analysis on select updates and notifications.
On 28th April 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued ‘Directions under Section 70B (6) of the Information Technology Act, 2000 (“IT Act”) enlarging reporting obligations of several categories of corporate organizations in relation to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ (“Directions”).
The Directions will come into effect after 60 days from the date of issue i.e., on 27th June, 2022 and are applicable to all service providers [such as Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network Service (“VPN Service”) providers], intermediaries, data centres, body corporate (“relevant entities”) and Government organisations.
The purpose of introducing the Directions is to streamline tracking and reporting of cyber security incidents and taking required action, which according to the CERT-In becomes a challenge, since the requisite information is not found available/not readily available with the relevant entities to carry out the analysis and investigation as per the process of law.
The Directions have brought about a significant enlargement in the scope of obligations and reporting requirements for relevant entities as can be seen from the differences between the Directions, and the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (“CERT-In Rules 2013”). For instance, the categories of entities have been specifically identified and expanded; a specific mandatory reporting requirement within the 6 hours timeline has been prescribed (which wasn’t the case previously); the types of cyber security incidents that require mandatory reporting have been expanded in Annexure I of the Directions including contemporary technology related concerns like “Ransomware and Cryptominers”, “Fake Mobile Apps”, “Data leaks”, “Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers” etc.
Offshore entities and servers will also be impacted given that there is a mandatory requirement to enable ICT system logs for a 180-day period (on a rolling basis) within the Indian jurisdiction.
Additionally, maintaining and reporting obligations to CERT-In, relating to KYC Data, Transaction data etc. may have potential privacy related implications given that the Data Protection Bill 2021 is still on the anvil and hasn’t been introduced yet. Therefore, there is a vacuum, from a statutory protection of personal data/ sensitive personal data perspective.
Dr. Jacob Puliyel (“Petitioner”), a former member of the National Technical Advisory Group on Immunization (“NTAGI”) had filed a public interest litigation challenging the constitutional validity of vaccine mandates imposed by States, particularly Delhi, Tamil Nadu, Madhya Pradesh, and Maharashtra.
In light of the Supreme Court’s judgement all authorities including private organisations, cannot mandate vaccinations for its employees given that the Apex Court has upheld that “Nobody can be forcefully vaccinated as it would result in bodily intrusion and violation of the individual’s right to privacy, protected under Article 21 of the Constitution of India”.
In view of the same, any policy imposing restrictions (in terms of access to public places, services, and resources) on unvaccinated employees will have to be revised, which will likely include refusing access to unvaccinated employees in an office space. Accordingly, revisions to the company policy for the health and safety of the employees could include the following:
In exercise of its powers under Sections 35A and Section 56 of the Banking Regulation Act, 1949 and Chapter IIIB of the Reserve Bank of India Act, 1934, the Reserve Bank of India (“RBI”) issued the Credit Card and Debit Card – Issuance and Conduct Directions, 2022 (“Directions”) on April 21, 2022. The Directions shall become effective from July 01, 2022.
The Directions formalise, compile and regulate processes that form practices generally undertaken by banks. Not only do the Directions provide clarity on the demarcation of liabilities between card-issuers, holders and co-branding entities but also inculcate the application of guidelines such as the Telecom Commercial Communications Customer Preference Regulations 2018 (“TCCCPR”).
The Directions also make card-issuers liable for providing compensation to the complainant for the loss of their time, expenses, financial loss as well as for the harassment and mental anguish suffered by them. While this step is indeed in consumer interest, specifics pertaining to its implementation remain unclear.
The Ministry of Information and Broadcasting (“MIB”) on 23 April 2022, issued an advisory to private TV news channels, for coverage of events and incidents in a manner violative of the Programme Code framed under the Cable Television Networks (Regulation) Act, 1995 (“the Act”) and advised them to refrain from airing such content.
The advisory specifically highlighted the reporting on the Russia-Ukraine conflict, certain incidents in North-West Delhi and content in some news debates as violative of the Programme Code.
The advisory invited attention to the specific provision of the Programme Code that prohibits the airing of content which:
With respect to reporting on the RussiaUkraine conflict, the advisory noted that certain TV news channels have made false claims, used scandalous headlines and fabricated statements to incite audiences
Similarly, the coverage by some TV news channels of certain incidents in North-West Delhi was cited for having used provocative or fabricated headlines, aggravating communal tensions and disrupting investigations by playing scandalous and unverified video footage.
The advisory further noted that some channels broadcast debates having unparliamentary, provocative and socially unacceptable language, communal remarks and derogatory references. This has the potential to incite communal disharmony and disturb the peace at large.
The advisory expressed serious concern about the manner in which the TV news channels have gone about transmitting content and strongly advised them to immediately refrain from publishing and transmitting any content which is violative of the Act and the rules framed thereunder. Effectively, TV news channels were warned not to air content which may be deemed to be, among other things, scandalous, provocative, fabricated or contain unparliamentary language.
The Central Government is empowered under the Act to regulate or prohibit transmission/retransmission of a programme where such programme is not found to be in conformity with the prescribed Programme Code.
The Government is empowered to regulate or even prohibit content for violation of the Programme Code. Further, there exist sufficient penal provisions under various laws, to punish hate speech, incitement of communal disharmony and fake news. The Constitution of India also provides for reasonable restrictions on free speech, on grounds of, inter-alia, security, public order and morality. Given this legislative backing, the Government’s step to warn TV news channels against airing of provocative, fabricated and communally sensitive content is a welcome one in the interest of societal harmony as well as friendly relations with foreign countries.
In a significant development for the film industry, the Kerala High Court has ruled that each film production unit would have to constitute an Internal Complaints Committee (“ICC”), to deal with complaints of harassment against women. The Court, in Women in Cinema Collective v. State of Kerala, (2022) SCC OnLine Ker 1436, was dealing with public interest litigations filed by various organizations seeking to constitute a grievance redressal mechanism against sexual harassment as per the Supreme Court directions in Vishakha v. State of Rajasthan, (1997) 6 SCC 241, and in accordance with the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.
The Court’s direction is a step in the right direction and is likely to strengthen confidence of women Actor Artists and other women workers employed in the film industry, by providing an accessible forum for registering complaints of harassment. This is a significant development for women’s safety and access to justice.
Introduction
The Ministry of Information and Broadcasting (“MIB”), on 4th April 2022, launched the revamped Broadcast Seva Portal as a single point facility for various stakeholders of the broadcasting sector.
Key Aspects
The portal will help facilitate the stakeholders in seeking permissions, applying for registration, tracking applications, calculating fees, and executing payments. The Ministry of Information and Broadcasting portal will provide its services under the wider umbrella efforts of Digital India to all stakeholders – to private satellite TV channels, teleport operators, MSOs, community, and private radio channels etc. Additionally, the Broadcast Seva Portal is also planned to be linked to the National Single Window System operated by the Department for Promotion of Industry and Internal Trade for end-to-end facilitation.
Some of the stated features of the portal includes;
This is a positive initiative by the MIB for streamlining the approval processes on its erstwhile Broadcast Seva Portal by extending it to the DTH sector. While the new portal promises to streamline existing approval processes, the MIB should also consider undertaking an exercise to reengineer the existing processes instead of digitizing the same onto the portal. Additionally, for increasing transparency, there should have been a clear stipulation on the timelines involved for processing and approval by each ministry/department (Ministry of Home Affairs, Department of Telecom, Department of Space, etc.) involved in the approving/rejecting of applications uploaded on the portal. All applications breaching the stipulated timelines should ideally be granted “deemed approval” lest they are specifically rejected on account of objections raised by the different departments.
The Ministry of Corporate Affairs has introduced a new form for Corporate Social Responsibility (“CSR”) reporting, i.e. the CSR-2 form. The new form, CSR-2, was notified by the Ministry of Corporate Affairs on 11th February, 2022 vide the Companies (Accounts) Amendment Rules, 2022.
The details required to be reported through the 11 page form would present a comprehensive picture of the CSR activities as well as CSR spending by companies. It appears that the form has been introduced to assist the Government in monitoring the discharge of CSR obligations by companies, as well as to provide data to inform future policymaking in the CSR sphere.
Key Aspects
The new form CSR-2 would require the reporting company to state, inter alia, details relating to the company’s CSR Committee, CSR spending, amount of CSR money unspent/carried forward, details of ongoing CSR projects and confirmation whether an impact assessment of CSR projects has been carried out. The form would need to be furnished to the Registrar of Companies for the preceding financial year (i.e, 2020-2021) and onwards, as an addendum to existing Form AOC-4 or AOC-4 XBRL or AOC-4 NBFC (Ind AS), as the case may be. These forms are available in the Companies (Accounts) Rules, 2014.
The requirement to fill in and furnish the form would be applicable to all companies covered under Section 135(1) of the Companies Act, 2013. This includes every company having net worth of Rs. 500 Crore or more, or turnover of Rs. 1000 Crore or more, or a net profit of Rs. 5 Crore more during any financial year.
Given that certain details to be disclosed through the new form CSR-2, such as composition of the CSR Committee and spending on CSR are already required to be disclosed by companies as part of the main directors’ report, which forms a part of the annual report, the new form CSR-2 may cause a duplication of CSR reporting, therefore increasing compliance obligations on companies.
The Department of Pharmaceuticals has released Draft Uniform Code for Medical Device Marketing Practices 2022 (“Draft Code”).
The Draft Code aims to regulate on a voluntary basis, marketing practices in the medical device industry which is currently being voluntarily regulated by the Uniform Code for Pharmaceuticals Marketing Practices, 2014 (“UCPMP”). The Draft Code is intended to be a voluntary code and its implementation is proposed to be reviewed after a period of six months from the date of its issue. The Draft Code states that if it is found that it has not been implemented effectively by the Medical Device Associations / Companies, the Government may consider making it a statutory code.
The Draft Code was open for stakeholder comments until 15th April 2022.
A voluntary code for marketing practices in the medical device industry is likely to serve as a guiding force to the medical device industry, particularly in light of certain notified medical devices being regulated as Drugs under the Drugs and Cosmetics Act, 1940.
Unlike the UCPMP which is a voluntary code for the “Indian Pharmaceutical Industry”, the Draft Code has been stated to be a voluntary code for the “Medical Device Industry”, recognizing that the types of entities involved in Medical Device marketing are not restricted to those in the pharmaceutical industry. Further, for guidelines pertaining to Gifts, the Draft Code departs from the UCPMP to the extent that unlike the UCPMP, the Draft Code permits companies to occasionally provide modest, appropriate educational items to Health Care Professionals that benefit patients or serve a genuine educational function for Health Care Professionals. Companies may also occasionally provide modest, appropriate brand recall items/ brand reminders, which are customary business courtesies and are reasonable in value (not exceeding Rs. 1000) and frequency.
However, in the light of the fact that the Ministry of Health and Family Welfare has specifically included certain types of software as medical devices, the Draft Code still appears primarily worded in respect of “hardware” medical devices. Further clarity on marketing practices for “software” medical devices, particularly where they may be marketed in combination with generic (i.e., non-medical device) hardware may be needed.
The Department of Consumer Affairs recently notified the Consumer Protection (Direct Selling) Rules, 2021 (“Direct Selling Rules”) on December 28, 2021, in accordance with Section 101 (2) (zg) read with Section 94 of the Consumer Protection Act, 2019 with the intent to regulate the Direct selling industry (engaged in activities involving multi-level marketing, pyramid schemes etc.) which was largely unregulated. A Direct Selling Entity (“DSE”) is a principal entity, which sells or offers to sell goods or services through direct sellers who undertake direct selling business on a principal-to-principal basis.
Under the Direct Selling Rules, DSEs are required to ensure that consumer grievances are appropriately redressed and all possible recourse mechanisms are adequately highlighted in a prominent and evident manner by the DSE on its platform.
Application – these rules shall apply to;
The Direct Selling Rules are a welcome step in safeguarding consumer interest as the sector was previously largely unmonitored without a system of checks and balances in place. Resultantly, both the DSE’s and the consumers were at risk of hosting and purchasing products respectively from unverified Direct Sellers. The Rules have not only ensured that a consumer is fortified with all the relevant information about a product but has placed a requirement on DSEs to facilitate an appropriate and effective grievance redressal process alongside verifying identities of the Direct Sellers selling on their platforms. Additionally, the Rules have also mandated requirements for DSEs to accept returns of defective goods and provide refunds for the consideration amount paid by the consumer.
Furthermore, as provided in the Direct Selling Rules, the contravention provisions as envisaged within the Consumer Protection Act, 2019 (“CPA”) shall apply to the DSE and Direct Sellers. Since the CPA provides consumers with the right to approach dispute redressal commissions set up under the Act and file complaints for any harm caused, DSEs and Direct Sellers have now been explicitly brought under the ambit of the CPA providing more clarity and recourse options for consumers.
The Rules came into effect upon their publication in the official gazette on 28th December 2021 and DSEs were given a ninety-day window to comply with the provisions of the said Rules.
The Ministry of Environment, Forest and Climate Change (“MoEFCC”) inserted Schedule II, Guidelines on Extended Producer Responsibility for Plastic Packaging (“EPR Guidelines”) as an Amendment to the Plastic Waste Management Rules, 2016 (“PWM Rules”). This is in furtherance to the responsibility of Producers, Importers and Brand Owners (“PIBOs”) demarcated under Rule 9 (1) of the PWM Rules. Extended Producer Responsibility is a regulatory approach as per which PIBOs are required to ensure responsible collection, channelisation, treatment and/or disposal of plastic waste.
The intent behind the introduction of Schedule II is definitely a step in the right direction as an initiative to strengthen the circular economy with greater accountability and incentivisation at stake for PIBOs. The materialisation of the polluter pays principle and the instatement of EC would likely push businesses to be mindful of achieving their EPR Targets with aid from EPR certificates which may be sold or purchased to offset and meet respective business and environmental goals.
It is, however, imperative to note that there does exist the possibility of a regulatory overlap whereby the same entity may play more than one role as a Producer, Importer and Brand Owner. This multiplicity may not only weigh heavily on a business entity from a compliance and regulatory standpoint but may also leave room for the surplus EPR Certificates generated to be relayed amongst entities in a manner that may impact the efficaciousness of these Guidelines.
The EPR Guidelines came into force with immediate effect vide notification dated 16th February 2022.
In a significant step, the Government has clarified in Parliament that there is no proposal at present to bring in a separate law to ensure and authenticate all social media accounts or for linking a government identity with social media accounts of individuals.
This was stated by the Minister of Electronics and Information Technology in the Lok Sabha on 30th March 2022, by way of a statement laid on the Table of the House in response to a starred question. This in effect means that the Government does not intend to make verification of social media accounts mandatory as of now. At present, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”), notified in February 2021, provides that a significant social media intermediary (“SSMI”) shall enable users who register for their services from India, or use their services in India, to voluntarily verify their accounts by using any appropriate mechanism, including the active Indian mobile number of such users.
This issue of authentication / verification of social media accounts assumes importance from the perspective of addressing misinformation and fake news which is known to be spread online by social media accounts, often under the cloak of anonymity afforded by social media.
The anonymity offered by social media is a double-edged sword. While on one hand, it may safeguard the privacy of individuals and help in the free and open exchange of ideas, on the other hand, it can lead to spread of misinformation, rumours and even hate by entities hiding behind false identities. The adequacy and effectiveness of the steps taken to address issues of fake news and hate speech may be a matter of further debate. However, in the absence of a data protection legislation at present, the decision to not mandate linking of government identification with social media accounts or otherwise impose a mandatory verification requirement on social media accounts, appears unobjectionable.
The Department of Telecommunications (“DoT”) has, vide an Amendment Notification dated 31 January 2022 (“Amendment Notification”), modified certain important compliance requirements pertaining to Phase III and Phase IV of the Mandatory Testing and Certification of Telecommunication Equipment (“MTCTE”) regime. These modifications amend certain requirements previously notified by the DoT on 22 September 2021.
Significant modifications include the following:
These modifications are expected to ease compliance obligations while at the same time addressing potential security concerns.
The Department of Consumer Affairs, Legal Metrology Division had invited stakeholder consultations on the proposal for decriminalization of the Legal Metrology Act, 2009 (“LM Act”) on 13 July 2020. The LM Act is the primary instrument which establishes, enforces, and regulates the standards of weights and measures in the country. Revisions have been suggested for penalties between Sections 25 and 53 of the LM Act governing the manufacture or sale of nonstandard weights, selling of non-standard packaging with incorrect mandatory declarations, etc.
The decriminalization initiative was motivated by the understanding that a criminal offence often requires a much higher standard of proof i.e., to be beyond reasonable doubt, as compared to the threshold adopted for civil wrongs.
Accordingly, the Centre is of the view that offences which can be decriminalized should meet the following criteria:
While the decriminalization attempt is a welcome step for the ease of doing business in India, the move is said to have received considerable opposition from certain States and Consumer Organisations.
This Draft policy will be applicable to all non-personal data and information created, generated, collected, or archived by the Government of India directly or indirectly through authorised agencies and autonomous bodies. State Governments will also be free to adopt the provisions of this policy and the protocols as applicable.
The Draft Policy envisages a negative list to be published by departments and ministries, which would enumerate confidential data sets which are not to be shared at all. There would also be a restricted access list, of datasets accessible only through a prescribed process of registrations and authorization by respective departments or organizations.
In addition to the MeitY, the Policy provides for the creation of the two new executing bodies – The India Data Office (IDO) and the India Data Council (IDC). The IDO would facilitate data access to stakeholders including researchers, start-ups, enterprises, individuals and government departments. It would also notify protocols for sharing of nonpersonal datasets. The IDC shall comprise of the India Data Officer and Chief Data Officers of state and central government departments. Broadly they shall devise frameworks for defining important datasets, finalize data and metadata standards and review the implementation of the policy.
It is felt that this exercise of framing a data accessibility and use policy before enacting a data protection legislation amounts to putting the cart before the horse (with the horse being the enactment of the Data Protection Bill 2021). The Data Protection Bill 2021 (“DP Bill”) must be enacted first, particularly in light of the Supreme Court judgment in KS Puttaswamy and Another v. Union of India and Others[(2017) 10 SCC 1], holding that any intrusion into the privacy of an individual by access to personal information (or anonymised non-personal data with the possibility of re-identification), will have to necessarily be subject to legislative sanction and legitimate state interest, both required to be valid from a constitutional validity perspective.
Additionally, there should be legislative safeguards for limited use of interdepartmental data sharing to prevent any potential surveillance related overreaches.
The last date for submission of stakeholder inputs was 18 March 2022.
The Department of Telecommunications (“DoT”) on 18th February 2022 released ‘Guidelines for registration process of ‘Machine to Machine’ (“M2M”) service providers & WPAN/WLAN Connectivity Provider for M2M Services’ (“Guidelines”). These guidelines seek to address industry concerns by regulating and operationalizing M2M services in India through registration under the Guidelines.
The guidelines were first recommended by the Telecom Regulatory Authority of India (“TRAI”) on 5th September 2017 with respect to “Spectrum, Roaming and QoS related requirements in Machineto-Machine (M2M) Communications”. Subsequently, the DoT had issued the draft guidelines to seek views of relevant stakeholders including the M2M industry before notifying the same.
The DoT has been continuously issuing regulatory guidance to operationalize the entire M2M ecosystem consisting of users, application service providers, Machine to Machine Service Providers (“M2MSPs”) and network operators (TSPs). Earlier, the DoT had issued notification prescribing KYC norms for issuing SIM cards for enabling M2M communications. Additionally, the DoT had amended the Unified License and Unified License (Virtual Network Operator) agreements enabling TSPs to provide M2M connectivity within the area of their existing authorizations. These guidelines seek to provide regulatory clarity to M2MSPs and WPAN/WLAN connectivity providers for providing M2M connectivity for commercial purposes, operating in unlicensed spectrum.
The Advertising Standards Council of India (“ASCI”) on 27 May 2021 released the ‘Guidelines for Influencer Advertising in Digital Media’ (“Guidelines”). The objective of the Guidelines is to enable the consumers to differentiate between the content created by influencers in the general scheme of things to that from content created with a promotional/profit-making intent. Contextually, the Guidelines have been created to prevent the circulation of promotional posts and campaigns that may exploit the lack of knowledge of the consumer, mislead the consumer and abuse their trust.
Through these Guidelines, a responsibility of applying a disclosure has been placed upon the advertisers as well as the influencers. The content created should be in consonance with the ASCI Code for Self-Regulation of Advertising Content in India (ASCI Code) and the Influencer Guidelines. If an influencer/ advertiser disputes a complaint from the ASCI, that the content in question is not an advertisement by virtue of there being no ‘material connection’, a declaration from the advertiser will have to be submitted to the ASCI confirming that there is no ‘material connection’ between them and the influencer as on the date of the post. If the advertiser of the brand featured is difficult to trace or if the piece of communication features brands of multiple advertisers, then proof of purchase of featured products and brands, provided by the influencer, would be considered adequate evidence to refute material connection.
Tags: Saikrishna & Associates
www.grandmasters.in | 8 Years & Counting
www.rcls.in | 8 Years & Counting
www.itlegalsummit.com | 8 Years & Counting
www.bfls.in | 8 Years & Counting
www.maels.in | 8 Years & Counting
www.plcs.co.in | 8 Years & Counting
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved
