India’s Most Critical Trade & Regulatory Compliance Digest

Ameet Datta, Suvarna Mandal | June 2023

Lex Witness in association with The Trade & Regulatory Compliance Practice Desk at Saikrishna & Associates brings to you a detailed analysis on select updates and notifications.

The Ministry Of Electronics And Information Technology Notifies The Information Technology (intermediary Guidelines And Digital Media Ethics Code) Amendment Rules, 2023 To Regulate Online Gaming

Earlier this year, on 2nd January 2023, the Ministry of Electronics & Information Technology (“MeitY”) released the draft amendments, in relation to online gaming (“Draft Rules”), to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”) for public consultation and stakeholder comments. Later, while extending the date for stakeholders’ comments to the Draft Rules, MeitY also proposed an amendment to Rule 3(1)(b) (v) of the IT Rules with respect to due diligence obligations of social media and other intermediaries in relation to fact checking misinformation by Government to prevent sharing false, untrue or misleading information. Thereafter, on 6th April 2023, the MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (“Notified Rules”) to regulate online gaming and to establish a fact checking unit which will be notified by the Central Government in the Official Gazette.

The key features of the Notified Rules are as follows:

Key Definitions: The Notified Rules introduce the following definitions:

Online game is defined as “a game that is offered on the Internet and is accessible by a user through a computer resource or an intermediary”.
Online gaming intermediary (“OGI”) includes “any intermediary that enables the users of its computer resource to access one or more online games”.
Online gaming self-regulatory body (“SRB”) are defined as entities that are designated under Rule 4A of the Notified Rules.
Online real money game (“online RMG”) is referred to as “an online game where a user makes a deposit in cash or kind with the expectation of earning winnings on that deposit”. Additionally, the Explanation further defines “winning” as “any prize, in cash or kind, which is distributed or intended to be distributed to a user of an online game based on the performance of the user and in accordan
Permissible online game is defined as “a permissible online real money game or any other online game that is not an online real money game”.
Permissible online real money game (“permissible online RMG”) refers to “a permissible online real money game or any other online game that is not a real money online game”.

Amendments to the duediligence requirements: The duediligence requirements post the Notified Rules are as follows:

The Notified Rules amend Rule 3(1)(b) to require all intermediaries (including OGIs) to make ‘reasonable efforts’ by itself and cause their users to not host, display, upload, modify, publish, transmit, store, update or share any information. The list of information has been further amended to include information that:

causes user harm (i.e any effect which is detrimental to a user or child),
is an online game that is not verified as a permissible online game,
is an advertisement or surrogate advertisement or promotion of an online game that is not a permissible online game, or of any online gaming intermediary offering such an online game,
violates any law for the time being in force,
in relation of any business of the Central Government, is identified as fake or false or misleading by such fact check unit of the Central Government that the Ministry will notify in the Official Gazette.

Further, the OGI will be required to inform users of any change to rules, privacy policy, or user agreement to the users as soon as possible and within 24 hours, in English or any language specified in the Eighth Schedule to the Constitution, in the language of the users’ choice.
Additionally, users can make complaint to its Grievance Officer (“GO”) against violation of due diligence obligations under Rule 3. Users can also file a complaint with the GO if the OGI fails to provide information which inter alia include (in respect of every such permissible online RMG) withdrawal/ refund policy pertaining to the deposit made, policy pertaining to the manner of determination and distribution of winnings, etc. and if the OGIs undertake (by way of credit)/enable (by way of third parties) financing for the purposes of playing online RMGs.
Further, the IT Rules mandated intermediaries to prominently publish the contact details of the GO on the intermediary’s website/mobile-based application. The Notified Rules clarify that “prominently publish” refers to “publishing in a clearly visible manner on the home page of the website or the home screen of the mobile based application, or both, as the case may be, or on a web page or an app screen directly accessible from the home page or home screen”.
The Notified Rules provide users who are aggrieved by the decision of the GO, the right to prefer an appeal to the Grievance Appellate Committee (“GAC”) if, inter alia, a complaint against violation of the provisions of the IT Rules is not acknowledged by the GO within 24 hours and resolved within 15 days of the receipt of the complaint, an intermediary fails to take reasonable and practicable measures to remove or disable access to any content which is prima facie in the nature of any material which exposes the private area of such individual, shows individual in partial or full nudity, or depicts individuals in a sexual act, or is in the nature of impersonation, within 24 hours of receipt of the complaint, etc.

Additional due-diligence requirement by OGI: The Notified Rules require OGIs to comply with additional compliance requirements which include:

Appointment of Chief Compliance Officer, Nodal contact person, and Resident Grievance Officer who are resident in India.
Enabling access to any permissible online RMG “by mandating it” to have a physical contact address in India published on its website, mobile applications, or both for the purposes of receiving communications addressed to it.
Implementation of an appropriate mechanism for the receipt of complaints and grievances, enabling the complainant to track the status of the complaint or grievance.
Enabling users registering for their services from India/using services in India, to voluntarily verify their accounts and provide such users with a demonstrable and visible mark of verification, which shall be visible to all users of the service
Displaying a demonstrable and visible mark of verification on permissible online RMGs by SRBs.
Providing users with the following information while informing them of its rules and regulations, privacy policy and user agreements which inter alia include (in respect of every such permissible online RMG) withdrawal/ refund policy pertaining to the deposit made, policy pertaining to the manner of determination and distribution of winnings, fees and other charges payable by a user, the KYC policy followed for verifying the identity of users of such online game, etc.
Identify users and verify their identity in line with the procedure required to be followed by an RBI regulated entity for undertaking similar identification and verification of its customers.
The OGIs are prohibited from undertaking (by way of credit)/enabling (by way of third parties) of financing for the purposes of playing online RMGs.

Verification of online RMG: As per the Notified Rules, MeitY has the power to designate as many SelfRegulatory Bodies (“SRB”) as considered necessary for the purposes of verifying an online RMG as a permissible online RMG. Online RMG to verify themselves as permissible online RMG are required to make an application to the SRB. Upon receiving such an application and after conducting such inquiry, the SRB shall verify an online RMG as a permissible online RMG if it is satisfied that:

the online RMG does not involve wagering on any outcome; and
the OGI and such online game are in compliance with Rules 3 and 4 (as discussed above), the provisions of any law relating to the age at which an individual is competent to enter into a contract, and the framework made by an online SRB under Rule 4A (8) [as discussed below].

Obligations of SRBs: The SRBs are required to publish and maintain on their website, mobile based application, or both, certain information which inter alia include an updated list of verified permissible online RMGs, details of such online games which includes the details of the applicant, the date and period of validity, etc. Additionally, a verified online RMG and the OGI that enables access to such online games are required to display a demonstrable and visible mark of verification. Further, Rule 4A (8) mandates SRBs to prominently publish the following on their website, mobile based application or both, as the case may be:

a framework for verifying an online RMG, including inter alia, measures to ensure that such online RMG is not against the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States and public order, safeguards against user harm, measures to safeguard children and users,
the framework for redressal of grievances and the contact details of the Grievance Officer.

Obligations in relation to online game other than online real money game: The Notified Rules empower the Central Government to direct an intermediary to observe the specific obligations in respect of an online game which is not an online RMG and specify the period within which these obligations will have to be observed. These obligations inter alia include:

make reasonable efforts by itself, and to cause the users of its computer resource to, inter alia, not host, upload, share any information that:

is in the nature of an online game and is not verified as a permissible online game; and
in the nature of advertisement or surrogate advertisement or promotion of an online game that is not a permissible online game, or of any online gaming intermediary offering such an online game.

appoint Chief Compliance Officer, a nodal contact person, Resident Grievance Officer and publish periodic compliance reports every month.
have a physical contact address in India published on its website, mobile applications, or both, for receiving communications addressed to it.
implement appropriate mechanisms to receive complaints and enable complaints to track the status of such grievances by providing a unique ticket number for each complaint in respect of such notified online games.
allow users registering for/using services in India of the online game to voluntarily verify themselves by using any appropriate mechanism including active mobile phone numbers of such users.
display a demonstrable and visible mark of verification by an SRB on the online game.
inform users of the framework referred to in Rule 4A (as discussed above) in relation to the online game.

Where an online game is notified under this sub-rule, the provisions of Rule 4A vis-à-vis verification of online RMG shall apply as they apply to a permissible online real money game.

Applicability of certain obligations after notification of the SRBs: The Notified Rules state that the due diligence obligations as specified under Rules 3 & 4 will apply to online gaming intermediaries after the expiry of three months from the date of designating at least three SRBs by MeitY. However, it also clarified that the Central Government has the power to issue a notification directing an online game to implement the above-mentioned obligations before this above-stated period.

The Firm’s Take

Given the lack of regulations at the central level, the notification of the Notified Rules has been welcomed by industry stakeholders. However, confusion pertaining to several issues continue to persist. It was reported that the industry players met with Hon’ble Minister of State of MeitY, Mr. Rajeev Chandrasekhar, and sought clarifications/guidance on the Notified Rules a few days after its notification. Therefore, the issuance of guidance with respect to the “Notified Rules” will provide clarity on its implementation.

Some concerns regarding the Notified Rules are below:

The Notified Rules do not distinguish between games of chance and games of skills. Additionally, gambling and betting (which requires analysis of whether such games are game of chance/ game of skill) are State subjects as per the Constitution which gives States the power to regulate online gaming to that extent within their territorial boundary. Recently, the Tamil Nadu government passed the Tamil Nadu Prohibition of Online Gambling and Regulation of Online Games Act which bans online gambling in the state. Therefore, it is likely that in light of the broad definition of online RMG, there may be potential jurisdictional overlaps between state legislation and the Notified Rules. Although the Hon’ble Minister of State of MeitY, Mr. Rajeev Chandrasekhar made a statement that indicated that the Notified Rules do not deal with games of skill and games of chance, the confusion will probably continue to persist. This is because while verifying permissible online RMG, SRBs are required to assess whether such online games pertain to gambling or not. Hence, it is likely that permissible online RMGs which are duly assessed by SRBs are challenged before Courts due to the continued legislative ambiguity regarding the contours of whether a specific online game will be considered as a game of chance or a game of skill.
Additionally, like the Draft Rules, the definition of OGI continues to include within its scope intermediaries that only offer a platform to host such online games despite such intermediaries not being actual publishers/developers/ owners of such online games, thereby, imposing excessive compliances on such intermediaries.
Further, except for a few exclusions, the Notified Rules retain most compliance requirements (as proposed under the Draft Rules) to be adhered to by OGIs. For instance, unlike the Draft Rules, the Notified Rules do not require OGIs to obtain “No Bot” and “Random Number Generator” certificates. However, other compliance requirements as proposed under the Draft Rules have been retained which inter alia include appointment of Chief Compliance Officer, Resident Grievance Officers, Nodal contact person, displaying a demonstrable & visible mark of verification on permissible online RMGs by SRBs, etc.
Additionally, the Notified Rules require OGIs to inform users of any change in privacy policy, user agreement, etc., as soon as possible and not later than 24 hours, in English or any language specified in the Eighth Schedule to the Constitution, in the language of the user’s choice which considerably increases the compliance burden on such OGIs.
Furthermore, the due-diligence mandate that requires intermediaries (including OGIs) to make reasonable efforts by itself to not host, upload, etc., prohibited content contravenes intermediary safe harbour principle as envisaged under Section 79 of the IT Act which does not require this level of content moderation by its very nature. It is settled law [as has been upheld in multiple case laws such as Indian Young Lawyers’ Association v Union of India (2019) 11 SCC 1] that executive notification/rules cannot contradict statutory provisions enacted by the Parliament.
Additionally, the Notified Rules retain the provision which provides the Central Government the power to set up a fact check unit by way of notification in the Official Gazette. The notified fact check unit will be responsible for identifying fake, false, or misleading information in respect of any business of the Central Government. However, this provision has been challenged before the Bombay High Court.

Union Cabinet Approves National Medical Device Policy 2023

The National Medical Device Policy 2023 (“Policy”) was approved by the Union Cabinet on 26th April 2023, and was thereafter published on 2nd May 2023.

The salient features of the Policy are highlighted below:

Aims and Objectives: The Policy aims to ensure access to patent-centric, innovative and affordable healthcare products of excellent quality for better healthcare outcomes, consequently achieving 10-12% share in the expanding global market over the next 25 years and lays down the following missions for achieving accelerated growth of the medical devices sector:

Access to and universality of good quality medical devices and healthcare across all ages.
Affordability through enhancement of domestic manufacturing capacity and capability for newer technologies.
Giving importance to the quality of products manufactured in the country to enhance global positioning, acceptability and competitiveness.
Improvement through patient centered & quality care through improvement of clinical outcomes and convenience of the patients (such as early diagnosis of diseases and increased accuracy in treatment).
Giving importance to preventive and promotive health enabling individuals to lead a healthier lifestyle by achieving extensive application of medical devices in early screening and diagnosis for early detection/prevention and management of diseases.
Ensuring medical devices security (on par with drug and food security of the country), through development of strong local manufacturing capabilities and a resilient supply chain for inputs or raw materials.
Encourage and sustain innovation and research in the sector to enable technology driven medical devices with IoTs & AI, nanotechnology, etc.
Facilitate future-ready skilled manpower aligned to the multidisciplinary nature of medical device technologies.

Strategies to Promote Medical Device Sector: The Policy provides a set of strategies covering six areas which have been identified based on the “current challenges facing the sector as well as the opportunities that lie ahead for fulfilling the potential of the sector”. These are as follows:

Regulatory streamlining through inter alia the setting up of a Single Window Clearance System for licensing of medical devices, gradual expansion of the standards developed by Bureau of Indian Standards (BIS) and sectoral standards development organisations in terms of processes, products, wireless technologies and performances; development of framework for a coherent pricing regulation, facilitation of research and development of marketready products; etc.
Setting up of enabling infrastructure such as the strengthening of large medical device parks and medium sized medical devices clusters and testing laboratories for medical devices and the phased manufacturing of critical components to allow for uninterrupted supply of such components.
Facilitating R&D and innovation by acknowledging the role new technologies such as 5G, 6G, IoTs and AI can play in innovation, and establishing Centers of Excellence, Innovation hubs, start-ups, clinical settings, funding agencies, plug and play infrastructures etc. to create a health technology ecosystem.
Attracting investments in the sector through private route and public procurement policies (such as Make In India) to promote indigenous manufacturing, competitiveness and creating a manufacturing friendly ecosystem.
Human Resources Development through a skilled workforce, across the value chain such as scientists, regulators, health experts, managers, technicians.
Brand positioning and awareness creation through a dedicated Export Promotion Council for the sector to manage issues pertaining to market access and building global competitiveness. Further, the Policy envisages extensive engagement with industry stakeholders to foster innovation.

Monitoring and Evaluation of Strategies: The Policy recognises the Sustainable Development Goals outlined in the National Health Policy, 2017 and states that quantitative output/outcome metrics will be developed to measure the impact of the strategies proposed under the Policy in due consultation with NITI Aayog, in addition to the regular monitoring of economic indicators such as market size, exports and Foreign Direct Investments.

The Firm’s Take

The Policy is a much-needed step to streamline the medical devices sector and provides broad principles for strengthening the same. However, since the specifics pertaining to the practical implementation of this Policy is unknown at this point of time, stakeholders in the med-tech industry have sought clarity on the granular details of the Policy, which is the need of the hour given the extensive stakeholder consultation has already taken place on the subject. Additionally, while the Policy broadly addresses “regulatory streamlining” it does not include any specific details on how streamlining this sector will reduce regulatory approvals and compliances to enhance ease of doing business. Also, the Policy does not expressly deal with the position of wearables technology in the healthcare sector, unlike the erstwhile National Health Policy, 2017 which expressly recognized the integral role of wearables technology.

Reportedly, the Government has already started implementing its associated PLI schemes with the establishment of medical device parks and the domestic manufacturing of highend medical devices. A National Medical Device Policy with granular details on implementation and crystallized frameworks is much needed since it will provide the desired momentum and impetus to India’s vision of becoming a global manufacturing hub.

The Ministry of Commerce And Industry Notifies The Foreign Trade Policy 2023

The Ministry of Commerce and Industry (“Ministry”) notified the Foreign Trade Policy 2023 (“FTP 2023”) on 31st March 2023 which came into effect on 1st April 2023. FTP 2023 seeks to promote ease of doing business for exporters and improve the business environment in the country. Unlike its predecessors, the FTP 2023 is a dynamic policy with a long-term focus that will be revised as and when required. The 2023 policy is based on four pillars:

Incentive to Remission,
Export Promotion through Collaboration – Exporters, States, Districts, and Indian Missions,
Ease of Doing Business, reduction in transaction cost, and e-initiatives,
Emerging Areas – E-commerce Developing Districts as Export Hubs.

The key features of the FTP 2023 are discussed below:

Facilitation of E-commerce Exports: The FTP 2023 extends several benefits and seeks to promote e-commerce exports in India through various schemes such as the Niryat Bandhu Scheme (“NBS”) under which the DGFT shall conduct outreach activities/ workshops in partnership with Custom Authorities, Department Post, Industry Partners, Knowledge Partners for the promotion of exports. Capacity-building and skill-development activities may also be undertaken by the NBS. Additionally, the FTP creates E-commerce Export Hubs (“ECEHs”) which would offer favorable business infrastructure and facilities for e-commerce export activities. Furthermore, Dak Niryat Kendras will be operationalized across the country to aid cross-border e-commerce to help artisans, weavers, and craftsmen MSMEs in the land-locked regions to reach international markets.
Process Re-Engineering and Automation: To promote ease of doing business, the FTP 2023 has implemented a common digital platform for issuance, renewal, amendment, and related processes pertaining to Registration Cum Membership Certificate (“RCMC”)/ Registration Certificate. Additionally, the DGFT has created a platform for the issuance of Preferential and NonPreferential Certificates of Origin (“e-CoO”). Furthermore, Unique Document Identification (“UDIN”) and a QR Code will be placed on each e-CoO for validation and authentication by agencies. The FTP 2023 also introduces various IT initiatives to create a paperless and contactless environment for availing benefits under the export promotion scheme which inter alia include DGFT Trade Facilitation mobile application, facility to verify the documents/certificates issued through the DGFT portal, automated processing in online environments, etc.
Facilitation under Export Promotion of Capital Goods (“EPCG”) Scheme: The EPCG Scheme which allows the import of capital goods at zero customs duty for export production has been further rationalized to include within its scope all types of Battery Electric Vehicles (“BEV”). Therefore, BEVs will qualify for lower export obligations. Furthermore, Prime Minister Mega Integrated Textile Region and Apparel Parks (PM MITRA) scheme has been included as an additional scheme that allows benefits to be claimed under the Common Service Provider (“CSP”) Scheme.
Merchanting Trade: According to the press release related to the FTP 2023, ‘Merchanting Trade’ of prohibited as well as restricted items under FTP 2023 will now be possible. Merchanting Trade refers to the shipment of goods from one foreign country to another foreign country without such goods touching Indian ports, but it involves an Indian intermediary. However, merchanting trade will be subject to the intermediary’s adherence to the RBI Guidelines and will not apply to items under the CITEs and Special Chemicals, Organisms, Materials, Equipment and Technologies (“SCOMET”).
Streamlining SCOMET Policy: The SCOMET policy highlights India’s commitment to export control in line with its international obligations under various export control regimes. These regimes aim to regulate trade in sensitive and dual-use items, including software and technology, to prevent their proliferation and ensure their responsible use. Recent policy changes have been introduced to streamline the licensing of certain SCOMET items, such as general authorizations for their export. This move aims to make the export of SCOMET items globally competitive while still adhering to India’s international commitments. Such changes also seek to simplify policies to facilitate the export of high-end goods and technologies, such as UAV/drones, cryogenic tanks, and certain chemicals.
Export from Districts: The objective of the FTP 2023 is to collaborate with state governments and advance the Export Hubs initiative at the district level. The goal is to promote exports and enhance the growth of local trade. To achieve this, there will be a State Export Promotion Committee and a District Export Promotion Committee at the state and district levels, respectively, which will work to identify products and services that are suitable for export and address concerns at the district level. Each district will have its own export action plan, outlining its unique approach to promoting the export of identified products and services. Furthermore, Faridabad, Mirzapur, Moradabad, and Varanasi have been designated as Towns of Export Excellence in addition to the already existing thirty-nine towns. These towns will be able to avail Common Service Provider benefits under the EPCG Scheme.

The Firm’s Take

The FTP 2023 adopts strategies that are imperative for the growth of a country in the 21st century. It is a dynamic document that seeks to promote India’s export and boost its expansion. The perpetual validity of the FTP 2023 provides scope for policy advocacy which will allow amendment of the policy as and when required. The focus of the FTP 2023 is on promoting ease of doing business which is sought to be implemented through various schemes and building an infrastructure that will allow for promotion of exports in India.

The Reserve Bank Of India Issues Master Directions On Outsourcing Of Information Technology Services

The Reserve Bank of India (“RBI”), on 10th April 2023, issued the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 (“Master Directions on IT Outsourcing”). The Master Directions on IT Outsourcing have been issued in furtherance of the relevant proposal made in the Statement on Development and Regulatory Policies dated 10th February 2022 (“2022 Statement”). As per the 2022 Statement, the RBI noted that, in order to improve efficiencies, Regulated Entities (“REs”) have been “leveraging and outsourcing critical IT services” to access latest technologies through fin-tech players which makes them vulnerable to financial, operational and reputational risks. Accordingly, the RBI proposed regulatory guidelines to address aspects such as risk management framework for IT outsourcing, managing concentration risk, periodic risk assessment and outsourcing to foreign service providers. Thereafter, in June 2022, the RBI released the draft Master Directions on IT Outsourcing for public comments. Based on the proposal and public consultation the Master Directions on IT Outsourcing have been issued which will come into effect from 1st October 2023 to provide adequate time to REs to comply with the requirements.

Some of the key features of the Master Directions on IT Outsourcing are as follows:

Applicability: The Master Directions on IT Outsourcing apply to entities regulated by the RBI, including, inter alia, all banking companies, corresponding new banks, the State Bank of India, Primary Co-operative Banks, Non-Banking Financial Companies, Credit Information Companies and Material Outsourcing of Information Technology (“IT”) Services arrangement.
Key Definitions: Some of the key definitions provided in the Master Directions on IT Outsourcing are as follows:

Material Outsourcing of IT Services: Services which, if disrupted or compromised, have the potential to significantly impact the REs’ business operations or may have material impact on REs’ customers in the event of any unauthorised access, loss or theft of customer information.
Outsourcing: This term has been defined in Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks to mean “bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that would normally be undertaken by the bank itself, now or in the future.”
Outsourcing of IT Services: Outsourcing of activities such as IT infrastructure management, maintenance and support, services and operations related to Data Centres, Cloud Computing Services, etc.
Service Providers: These are providers of IT or IT enabled services and include entities related to RE or those belonging to the same as group/ conglomerate to which the RE belongs

Role of REs: The REs must comply with certain obligations, some of which are listed below:

The Board and Senior Management of REs will be responsible for the outsourced activity. The REs have to ensure that outsourcing does not diminish the REs’ obligations.
Irrespective of whether the service provider is based in India, it would be the duty of REs to ensure that the outsourcing neither impedes nor interferes with the ability of the REs to oversee and manage its activities.
REs must evaluate the need for Outsourcing of IT Services based on a comprehensive assessment of the benefits, risks and availability of commensurate processes to manage those risks.
REs must have a grievance redressal mechanism for addressing the grievances related to outsourced services. Outsourcing arrangements will not affect the rights of the customer against the REs.
Further, REs are also required to create an inventory of services provided by the service providers, map their dependency on third parties, and periodically evaluate information received from the service providers.
REs must also perform appropriate due diligence while considering or renewing the Outsourcing of IT Services arrangements. The Master Directions on IT Outsourcing provide a non-exhaustive list of aspects that must be considered while undertaking such due diligence.
REs are also required to ensure that their rights and obligations and of their service providers are clearly defined on a legally binding agreement clearly defining the nature of the legal relationship between the parties as well as the terms and conditions governing the contract. As was the case with due diligence requirement, the Master Directions on IT Outsourcing also provide a list of aspects that must be included in the legally binding agreement. These Master Directions on IT Outsourcing mandate storage of data in India as per the extant regulatory requirements. Moreover, REs are also required to ensure that the agreement contains clauses pertaining to removal/destruction of data, hardware and all records (digital and physical). Through this agreement, it would also be ensured that the service providers are prohibited from erasing, purging, revoking, altering or changing any data during the transition period, unless specifically advised by the RE or the regulator.

Governance Framework: REs intending to outsource IT services must place a comprehensive Board approved IT outsourcing policy incorporating, inter alia, the roles and responsibilities of the Board, senior management, IT functions, and business functions, criteria for selection of such activities as well as service providers, delegation of authority depending on risk and materiality, disaster recovery and business continuity plans, etc.
Risk Management Framework: In addition to the above, REs are also required to place a risk management framework for Outsourcing IT Services to comprehensively deal with the processes and responsibilities for identification, measurement, mitigation, management, and reporting of risks associated with Outsourcing of IT Services arrangements. As per the Master Directions on IT Outsourcing, confidentiality and integrity of data and information pertaining to the customers that is available to the service provider will be the responsibility of the REs. Among other obligations, RE(s) are also required to ensure that cyber incidents are reported to them by the service provider without undue delay, so that the incident is reported by the RE to the RBI within 6 hours of detection by the Third Party Service Provider.
Cross-Border Outsourcing: In the event a service provider is based abroad, then REs are required to monitor, on a continuous basis, government policies as well as the political, social, economic and legal conditions of jurisdiction in which the service provider is based. Further, REs must also establish procedures for mitigating the country risks by having, inter alia, appropriate contingency and exit strategies. It must also be ensured that availability of records to the RE and the RBI will not be affected under any circumstances including in case of liquidation of the service provider. Such an arrangement shall only be entered into with parties operating in jurisdictions that uphold confidentiality clauses and agreements and the governing law of the arrangement shall be clearly specified. Moreover, REs must ensure the right of the RE and the RBI to direct and conduct audit or inspection of the Service Provider who is based in a foreign jurisdiction is not affected.
Exit Strategy: An exit strategy for different scenarios, while ensuring business continuity during and after exit must be included in the Outsourcing of IT Services policy. Such a strategy must also identify alternative arrangements including regarding performance of an activity by a different service provider or RE itself.

In addition to the Outsourcing of IT Services, the Master Directions on IT Outsourcing also provide guidance on usage of cloud computing services and outsourcing of security operations centers.

The Firm’s Take

The ubiquitous use of technology has allowed various types of entities, including entities that are critical in the banking and finance sector, to leverage IT and IT enabled services for their businesses. Given this development and the associated risks, the RBI has issued this Master Directions on IT Outsourcing to safeguard the interests of the stakeholders involved to provide a streamlined risk management framework in relation to services that can materially impact the REs and their customers. These Master Directions on IT Outsourcing are a step in the right direction as they extensively lay down the expectations of the RBI from REs such that the outsourcing arrangements do not impede the ability of the REs to operate responsibly and for ensuring consumer confidence.

Having said that, the Master Directions on IT Outsourcing could potentially lead to operational challenges. The Master Directions on IT Outsourcing have placed significant obligations on the REs thereby increasing their compliance burden. Further, REs will probably be expected to revaluate existing agreements and, if required, enter into fresh agreements with service providers in order to address the aspects to be mentioned in the legally binding agreement as required under the Master Directions on IT Outsourcing.

While the intention behind introducing the Master Directions on IT Outsourcing is vested in the interest of the regulated entities and consumers, the effectiveness of the Master Directions on IT Outsourcing will only become clear in the fullness of time.

Dot Notifies The Indian Wireless Telegraphy (cell Broadcasting Service For Disaster Alerts) Rules, 2023

On 10th April, 2023 the Department of Telecommunications (“DoT”) notified the Indian Wireless Telegraphy (Cell Broadcasting Service for Disaster Alerts) Rules, 2023 (“Disaster Alert Rules”) introducing mandatory “cell broadcast” of messages on smartphones and feature phones for providing alerts during disasters/emergencies.

The salient features of the Disaster Alert Rules are as follows:

Important definitions: The Disaster Alert Rules define the following relevant terms:

The term “smart phone” has been defined under the Disaster Alert Rules to mean “a mobile phone handset with a mobile operating system, which combines features similar to those of a personal computer operating system with other features useful for mobile or handheld use”.
The term “feature phone” has been defined under the Disaster Alert Rules to mean “a mobile phone handset that may incorporate features such as the ability to access internet and store and play music but does not have the operating system feature of a personal computer”.
The term “cell broadcast” has been defined under the Disaster Alert Rules to mean “a method of sending messages to multiple mobile telephone users in a defined area at the same time in a broadcast manner”.

Prohibition on manufacture/ sale of new smartphones/feature phones without specified facilities: The Disaster Alert Rules specify timelines for the prohibition on the manufacture/ sale of specified devices without certain mandated features:

Six (6) months after commencement of the Disaster Alert Rules: New smartphones/feature phones will have to provide the following mandated facilities:

Mandatory support to receive cell broadcast messages in English & Hindi languages;
Storing of received cell broadcast messages for at least twenty-four hours;
Maintaining cell broadcast messages on the screen until acknowledged by the user; • Alert sound, vibration and light duration for at least thirty seconds; and
Mandatory mentioning of cell broadcast capability in feature list and user manuals to increase customer awareness.

Nine (9) months after commencement of the Disaster Alert Rules: New smartphones/feature phones will have to provide the following mandated facilities:

Mandatory receipt of extreme cell broadcast alert messages and the mandatory receipt of severe cell broadcast alert messages may be explored; and
Automatic read out of the cell broadcast messages in Indian accent, in English & Hindi languages.

Twelve (12) months after commencement of the Disaster Alert Rules: Manufacturers can only manufacture/sell smartphones that provide mandatory support to receive cell broadcast messages and automatic read out of such messages in Indian accent, in all Indian languages as per Eighth Schedule to the Constitution of India.

Cell broadcast in smartphones already sold within a four year period: Within six months of the commencement of the Disaster Alert Rules, the manufacturer of mobile phone handset and the mobile handset operating system developer are required to explore that the smartphones which have been sold in India within four years prior to commencement of the Disaster Alert Rules (i.e. 10th April, 2019 onwards), have the facility to receive cell broadcast messages and auto read out feature, in all Indian languages as per Eighth Schedule to the Constitution of India.

The Firm’s Take

The Disaster Alert Rules appear to be in line with the National Digital Communication Policy 2018 (“NDCP”), published by the DoT, which envisages, inter-alia the strategy under the ‘Secure India’ mission for:

Development of a comprehensive plan for network preparedness, disaster response relief, restoration and reconstruction; and
Establishment of an institutional framework to promote monitoring of activities, rapid dissemination of early warning disaster notifications and better coordination and collaboration between relevant Ministries/Departments, including the National Disaster Management Authority of India

Further to the NDCP strategies stated above, in December 2022, the TRAI had issued the Telecom Tariff (69th amendment) Order 2022 on “Tariff for SMS and Cell Broadcast alerts disseminated through Common Alerting Protocol (CAP) platform during disasters/ non-disasters” (“Tarrif Order”), that require TSPs to broadcast messages to all the subscribers through Cell Broadcast free of cost during disaster and nondisaster period.

While the introduction of these rules is a commendable initiative by the DoT to give prompt disaster emergency related alerts, there are several implementation related aspects which will have to be taken into consideration before the strict realisation of the timelines under the rules. For instance, there are several hardware and software constraints which may impact the narrow timelines provided under the Disaster Alert Rules.

In order to ensure that only those “new” smartphones/feature phones are made available in the market that meet the mandated requirements, more clarity will be needed from the DoT on what is considered a “new” smartphone/feature phone under these rules. This clarification would be specifically necessary to shed light on the position of those smartphones/feature phones which are either already placed in the market (as on the date of the prohibition mandate coming into force under the respective timelines) or are already a part of the production process for entering the market in the coming few months.

Further, the DoT will also have to provide more clarity on what it means (in terms of compliance) under the rules to “explore” whether smartphones already sold in India (in the preceding four years) have the facilities to receive cell broadcast messages and the auto read out feature. Such a clarification would assist in doing away with any vagueness under the Disaster Alert Rules, especially from a non-compliance and implication standpoint. This is pertinent as it may be difficult in the case of some smartphones to switch to a more advanced software (that allows for such facilities) owing to their make, model and hardware/software specifications. At this stage, it remains unclear what the consequence would be in case previously sold phones are not aligned with this requirement under the rules.

About Author

Ameet Datta

Ameet Datta is a Partner at Saikrishna & Associates. He is an IP litigator and TMT lawyer with over 22 years of experience and wide ranging expertise across IP Law, Technology law, privacy and data protection law, white collar crime cases around data breaches, and, media & entertainment law specifically in relation to licensing, content aggregation & acquisition, film & music production, distribution/ licensing, format rights, defamation and right of publicity. Ameet has extensive experience with the creative sector in terms of multiple litigations including licensing disputes before the Courts & the Copyright Board. Ameet is closely involved with Copyright laws, Technology regulations and policy matters. In 2010, Ameet appeared as an expert witness before the Indian Parliamentary Standing Committee overseeing amendments to the Copyright Act, 1957. Ameet has been highly ranked as a recommended lawyer for IP Litigation, and, telecoms, media & entertainment by Chambers & Partners (Asia Pacific), WTR1000; as a recommended lawyer for IP litigation by Legal 500, and recommended as an IP Star by MIP

Suvarna Mandal

Suvarna Mandal is a Partner at Saikrishna & Associates. She has nearly a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.