India’s Most Critical Trade & Regulatory Compliance Digest

Lex Witness in association with The Trade & Regulatory Compliance Practice Desk at Saikrishna & Associates brings to you a detailed analysis on select updates and notifications.

MEITY PUBLISHES AMENDMENTS TO THE INFORMATION TECHNOLOGY (INTERMEDIARY GUIDELINES AND DIGITAL MEDIA ETHICS CODE) RULES, 2021 FOR PUBLIC CONSULTATION

The Ministry of Electronics and Information Technology (“MeitY”), on 6th June, 2022, published proposed amendments to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”), which were notified on 25th February, 2021, for public consultation and stakeholder comments.

As per MeitY’s Press Note, the amendments have been proposed to provide additional avenues for grievance redressal, apart from courts, and new accountability standards for Intermediaries to ensure that Constitutional rights of Indian citizens are not contravened by any “Big-tech platform”.

Applicability: The proposed amendments are directly applicable to all Intermediaries, specifically Big-Tech Platforms and Significant Social Media Intermediaries (“SSMI”).

KEY AMENDMENTS
  • The proposed amendments to Rule 3(1)(a) and Rule 3(1)(b) require Intermediaries to (i) ensure that users comply with rules and regulations, privacy policy and user agreement for access or usage of their computer resource, and (ii) cause the users not to host, display, upload, modify, publish, transmit, store, update or share any information that contravenes the factors mentioned in the IT Rules, 2021.
  • Additional sub-rules, namely, Rule 3(1)(m) and Rule 3(1)(n), have been introduced for the purposes of requiring Intermediaries to respect the rights guaranteed to users under the Constitution of India, as well as to ensure their reasonable expectation of due diligence, privacy and transparency.
  • The timeline for grievance redressal by the Intermediaries has been reduced for complaints received in the nature of request for removal of information or communication link from 15 days to 72 hours of the receipt of the user’s complaint. Other complaints can be addressed within 15 days.
  • Intermediaries have been allowed to implement any safeguards to prevent any misuse of the grievance redressal mechanism by users.
  • Lastly, creation of a Grievance Appellate Committee has been suggested. This committee will consist of a chairperson and other members, as may be appointed by the Central Government, and will deal with appeals by users against the decision of the Grievance Officer appointed by the Intermediary. Intermediaries will be required to comply with all the orders of this committee.
  • The Press Note and a footnote appended to amended IT Rules, 2021 clarify that the Grievance Appellate Committee will be set up to provide alternative redressal mechanism. However, a user has the right to approach the courts at any time.
THE FIRM’S TAKE

The proposed amendments go beyond the scope of Section 79 of the Information Technology Act, 2000 (“IT Act”), and introduce high standards of compliance for all Intermediaries, not just SSMIs. The draft amendments effectively require all Intermediaries to put in place an active content monitoring/filtration process to ensure that their users do not host, display, upload, modify, publish, transmit, store, update or share any offending information as prohibited under Rule 3(1)(b). This requirement goes against the principle enshrined in the IT Act that as long as Intermediaries ensure necessary due diligence requirements, they will be protected under the safe harbour as they are deemed to not have ‘actual knowledge’ of legal violations within their resources. Further, in order to avoid any liability under the amended IT Rules, 2021, Intermediaries may end up over-censoring and over-moderating the content on their platform. Furthermore, an action taken by an Intermediary as part of its filtration process, such as blocking of a user account, may be construed to be a violation of the constitutional right of freedom of speech and expression, thus violating the mandate under the proposed Rule 3(1)(n) of upholding the constitutional rights of all citizens. Reduction of timelines for redressal of complaints places unnecessary regulatory burden on Intermediaries.

In our opinion, the Government’s attempt to provide the Grievance Redressal Committee with “adjudicatory powers” of a court/tribunal without any enabling law is an exercise of excessive delegation, contrary to and in violation of the provisions of the IT Act and the principle of separation of powers enshrined in the Constitution of India.

Interestingly, the IT Rules, 2021 have been challenged before multiple High Courts and clubbed together for consideration by the Supreme Court. Accordingly, amendment of IT Rules, 2021 should, at the very least, be avoided during pendency of the petitions.

THE DEPARTMENT OF TELECOM EXEMPTS CERTAIN PRODUCTS FROM MANDATORY TESTING REQUIREMENTS

The Department of Telecom (“DoT”) in consultation with Ministry of Electronics and Information Technology (“MeitY”), vide notification dated May 24, 2022, decided to exempt the following products (“exempted products”) from the ambit of Mandatory Testing and Certification of Telecommunication Equipment (“MTCTE”) regime: –

  • Mobile User Equipment/Mobile handset
  • Server
  • Smart watch
  • Smart camera and
  • Point of Sale Devices

As per the existing legal framework the above stated exempted products fall within the below regulatory regimes –

MTCTE

The DoT had introduced the MTCTE Procedure for all telecom equipment, connected or capable of being connected to the Indian telecom network, to undergo mandatory testing and certification prior to sale, import and use in India.

The MTCTE Procedure also states that “the effective dates for certification becoming mandatory for different products are notified by the Government separately.” Accordingly, the exempted products were due to undergo certification under Phase III and IV of the MTCTE regime from 1st July 2022 onwards.

Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order 2021 (“CRO 2021”)

The MeitY mandates certification of the exempted goods under the CRO 2021, and these goods also have to conform to Scheme-II of Schedule-II of the Bureau of Indian Standards (Conformity Assessment) Regulations, 2018.

REGULATORY OVERLAP

Due to the regulatory overlap which required the same set of products (exempted products) to seek the necessary certifications from both entities i.e. MTCTE and BIS CRO mandated by the DoT and MeitY respectively, the DoT sought to exempt the products as overregulation was seen to be delaying product launches and increasing the compliance cost for the industry.

THE FIRM’S TAKE

The decision of the DoT to exempt certain products from being certified under the MTCTE is laudable and showcases prudent regulatory forbearance. This is in line with other reforms undertaken by the DoT such as relaxation of acceptance of test results/reports from labs accredited by ILAC signatories up to 2 years, increasing the validity of test reports by designated Indian labs up to 5 years, extension of timeline for enforcement of Phase IV, MTCTE, exemption pertaining to various parameters/interfaces of essential requirements under MTCTE, etc. Although the DoT has taken wide ranging reforms in equipment certification, businesses still face onerous compliance related problems like few testing labs, multiple overlapping regulations for testing of same equipment by different agencies like WPC regulations, trusted telecom products under the national security directive on telecommunication sector, and multiple product labelling guidelines under BIS regulations, MTCTE and Legal Metrology (Packaged Commodities) Rules, 2011.

Multiplicity of regulations forces enterprises to shift their focus to compliance rather than operating their businesses. Hence, DoT should consider leading an inter-governmental exercise to rationalize the information required from enterprises for the same/similar equipment under different regulations and regulators. This will help achieve a streamlined ecosystem and also enable expeditious launches of latest technological products available in the market.

MOEFCC PUBLISHES DRAFT E-WASTE (MANAGEMENT) RULES FOR PUBLIC CONSULTATION
The Ministry of Environment, Forest and Climate Change (“MoEFCC”) published the Draft E-Waste (Management) Rules (“Draft Rules”) for public consultation. The Draft Rules will be taken into consideration by the Central Government on/after 18th July, 2022, and if notified, shall supersede the E-Waste (Management) Rules, 2016 (“2016 Rules”).
  • Applicability: The Draft Rules are applicable to every manufacturer and producer of electrical and electronic equipment, refurbisher and recycler involved in manufacture, sale, transfer, purchase, and processing of e-waste or electrical and electronic equipment listed in Schedule I of the Draft Rules.
  • Registration: Under the Extended Producer Responsibility (“EPR”) framework of the Draft Rules, Manufacturers and Producers, among others, are required to mandatorily register on the centralised portal created by the Central Pollution Control Board (“CPCB”). An entity that is both the Manufacturer as well as the Producer is required to register under the two categories separately. In case any registered entity furnishes false information or wilfully conceals information, or in case of any irregularity, the registration of such entity may be revoked by CPCB for a period up to three years after giving an opportunity to be heard.
  • Producer responsibilities: A Producer of electrical and electronic equipment (listed in Schedule I of the Draft Rules) is required to register itself on the CPCB centralised portal. It shall obtain and implement EPR target as per Schedule III through the CPCB online portal. The Producer is also required to file annual and quarterly returns on the CPCB portal (the 2016 Rules only mandated filing of annual returns with the CPCB/SPCB). The EPR obligations for each product will be decided on the basis of the information provided by Producers on the online portal and the individual product’s life period.
  • EPR Targets: Producers are required to fulfil EPR obligations as per Schedule III of the Draft Rules which appear to be consistent with the figures in the existing regulations:
    • For 2022-23, the E-Waste Recycling Target shall be 60% of the quantity of waste generation as indicated in EPR Plan
    • For 2023-2024, the E-Waste Recycling Target shall be 70% of the quantity of waste generation as indicated in EPR Plan
    • 2024-2025 onwards, the E-Waste Recycling Target shall be 80% of the quantity of waste generation as indicated in EPR Plan
  • EPR Certificates: EPR certificates may be purchased by Producers from registered Refurbishers. On production of the refurbishing certificates purchased from the registered Refurbishers, the EPR obligation of the Producers would be deferred by the duration as prescribed by the CPCB for the corresponding quantity of e-waste.
  • Recyclability of End Product and Compatibility of Components/Parts: Two new requirements have been inserted as an attempt to reduce the use of hazardous substances in the manufacture of electronic equipment and their components –
    • Obligation has been placed on Manufacturers to use technology/ methods to make the end product recyclable as far as possible; and
    • Ensure that component(s)/part(s) made by different Manufacturers are compatible with each other “as far as possible” so as to reduce the quantity of e-waste.
  • Environment Compensation (“EC”): Under the Draft Rules, EC shall be levied for violation of any provision of the Draft Rules and subsequent guidelines issued by the CPCB. The unfulfilled EPR obligation for a particular year will be carried forward to the next year and so on, up to 3 years. Payment of EC shall not absolve the Producers of the EPR obligation set out in these regulations.
  • Prosecution: Entities may be prosecuted, for EPR certificate related or audit related requirements, under Section 15 of the Environment (Protection) Act, 1986 (“EPA”) (which deals with the contravention of the Rules made under the EPA). This prosecution will be in addition to the EC levied under this regulation.
  • Verification and Audit: CPCB by itself or through a designated agency shall verify compliance of the Draft Rules through random inspection and periodic audit.
  • Steering Committee: A Steering Committee (“Committee”) shall be created under the Chairman, CPCB to oversee the overall implementation, monitoring and supervision of the Draft Rules. The Committee shall include representatives from the following organisations and sectors:
    • Representatives from MoEFCC
    • Representatives of Electrical and Electronic Equipment Producers and Manufacturer Association
    • Representatives of SPCB/PCC as co-opted by the Chairman of the Steering Committee
    • Head of the Concerned Division of CPCB – Member Convener

The Committee will decide upon disputes arising from time to time and on representations received, refer substantial issues pertaining to the Draft Rules to the MoEFCC, review and revise guidelines/EPR targets/addition of Equipment under Schedule I of the Draft Rules, and will have the power to approve other processes and requirements prescribed under the Draft Rules.

THE FIRM’S TAKE

The applicability under the Draft Rules largely focuses on relevant entities playing a key role in dealing with e-waste. From a compliance standpoint, stakeholders would have to ensure that they are filing both annual and quarterly returns under the revised responsibilities on the CPCB portal.

Furthermore, stakeholders would also have to ensure that they are not engaged with any unregistered Manufacturer, Producer, Recycler, and Refurbisher. For these purposes, they may consider adding terms to contracts with such entities to ensure compliance with registration requirements on the end of the entities as well.

Additionally, the requirement under the Draft Rules for Manufacturers to ensure that component(s)/part(s) made by different Manufacturers are compatible with each other as far as possible seems to be an overreach and practically difficult to comply with.

It is unlikely that compatibility and interoperability can be ensured in the absence of legislative standards set out by the Government and contractual agreements with other manufacturers where such compatibility can be uniformly tested.

It is worth noting that as a penalty under the Draft Rules, registration may be revoked “in case of any irregularity”. Such a penalty is excessive and should be reconsidered by the Ministry with inputs from the Committee.

The creation of the Steering Committee is definitely an attempt at ensuring greater representation while formulating guidelines and standards. In that regard, representation by the Electrical and Electronic Equipment Producers and Manufacturer Association will be helpful in communicating and representing the interests of Industry players.

CERT-IN ISSUES DIRECTIONS FOR INFORMATION SECURITY PRACTICES, PROCEDURE, PREVENTION, RESPONSE AND REPORTING OF CYBER INCIDENTS

On 28th April 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued ‘Directions under Section 70B (6) of the Information Technology Act, 2000 (“IT Act”) enlarging reporting obligations of several categories of corporate organizations in relation to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ (“Directions”).

The Directions will come into effect after 60 days from the date of issue i.e., on 27th June, 2022 and are applicable to all service providers such as [Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network Service (“VPN Service”) providers], intermediaries, data centres, body corporate (“relevant entities”) and Government organisations.

The purpose of introducing the Directions is to streamline tracking and reporting of cyber security incidents and taking required action, which according to the CERT-In becomes a challenge, since the requisite information is not found available/not readily available with the relevant entities to carry out the analysis and investigation as per the process of law.

SALIENT FEATURES
  • Short 6 Hour Reporting Requirement: The Directions have made it mandatory for relevant entities to report cyber security incidents to the CERT-In within 6 hours of noticing any cyber security incidents or the same being brought to notice.
  • Expansion of types of cyber security incidents requiring mandatory reporting: Recognising the spread of technology, Annexure-I of the Directions has added new categories/types of cyber security incidents that are mandatorily required to be reported, including contemporary technology related concerns like “malicious code attacks such as Ransomware/Cryptominers”, “Data Breach”, “Data Leak”, “Fake Mobile Apps”, “Unauthorised access to social media accounts”, “Attacks or incident affecting Digital Payment systems”, “Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers” etc.
  • Registration Obligations on VPN Service providers, VPS providers, Cloud Service providers and Data Centres: Such entities are required to mandatorily register accurate information (such as validated names of subscribers, email addresses and IPs allotted to members, validated address & contact numbers) which must be maintained by them for a period of 5 years or a longer duration as mandated by the law after any cancellation or withdrawal of the registration.
  • Log Retention Requirement: Relevant entities have to mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. This localization requirement will impact offshore servers and businesses.
  • Record Maintenance by Virtual Asset Service Providers (“VASP”), Virtual Asset Exchange Providers (“VAEP”) and Custodian Wallet Providers (“CWP”):
    • The VASP, VAEP and CWP (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (“KYC”) and records of financial transactions for a period of five years to ensure cyber security in areas related to payments and financial markets for citizens. The KYC Requirements are detailed in Annexure III.
    • With respect to transaction records, entities will be required to maintain accurate information in such manner that individual transaction can be reconstructed with information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
  • Synchronisation and alignment of clocks: Relevant entities have been directed to connect to the Network Time Protocol (“NTP”) Server of National Informatics Centre (“NIC”) or National Physical Laboratory (“NPL”) for synchronisation of systems clocks. Entities having infrastructure spanning multiple geographies may also use accurate and standard time source other than NPL and NIC, however it is to be ensured that their time source does not deviate from NPL and NIC.
  • Penalisation: In the instance of a cyber security incident, the relevant entities under the Directions must furnish details as mandated by CERT-In. Failure to furnish the information or non-compliance with the Directions (and CERT-In orders issued under these Directions) is likely to invite punitive action under Section 70B (7) of the IT Act i.e. imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both. Entities may also be penalised under other corresponding laws as applicable.
THE FIRM’S TAKE

The Directions have brought about a significant enlargement in the scope of obligations and reporting requirements for relevant entities as can be seen from the differences between the Directions, and the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (“CERT-In Rules 2013”). For instance, the categories of entities have been specifically identified and expanded; a specific mandatory reporting requirement within the 6 hours timeline has been prescribed (which wasn’t the case previously); the types of cyber security incidents that require mandatory reporting have been expanded in Annexure I of the Directions including contemporary technology related concerns like “Ransomware and Cryptominers”, “Fake Mobile Apps”, “Data leaks”, “Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers” etc.

Offshore entities and servers will also be impacted given that there is a mandatory requirement to enable ICT system logs for a 180-day period (on a rolling basis) within the Indian jurisdiction.

Additionally, maintaining and reporting obligations to CERT-In, relating to KYC Data, Transaction data etc. may have potential privacy related implications given that the Data Protection Bill, 2021 is still on the anvil and hasn’t been introduced yet. Therefore, there is a vacuum from the perspective of statutory protection of personal data/sensitive personal data.

About Author

Ameet Datta

Ameet Datta is a Partner at Saikrishna & Associates. He is an IP litigator and TMT lawyer with over 22 years of experience and wide ranging expertise across IP Law, Technology law, privacy and data protection law, white collar crime cases around data breaches, and media & entertainment law specifically in relation to licensing, content aggregation & acquisition, film & music production, distribution/licensing, format rights, defamation and right of publicity. Ameet has extensive experience with the creative sector in terms of multiple litigations including licensing disputes before the Courts & the Copyright Board. Ameet is closely involved with Copyright laws, Technology regulations and policy matters. In 2010, Ameet appeared as an expert witness before the Indian Parliamentary Standing Committee overseeing amendments to the Copyright Act, 1957. Ameet has been highly ranked as a recommended lawyer for IP Litigation, and telecoms, media & entertainment by Chambers & Partners (Asia Pacific), WTR1000; as a recommended lawyer for IP litigation by Legal 500, and recommended as an IP Star by MIP.

Suvarna Mandal

Suvarna Mandal is a Partner at Saikrishna & Associates. She has nearly a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.