×

or

Explore
Editor's Picks

India’s Most Critical Trade & Regulatory Compliance Digest

Lex Witness Bureau | October 2023
India’s Most Critical Trade & Regulatory Compliance Digest
The Digital Personal Data Protection Act, 2023 – India’s Data Protection Law

On 11th August 2023, the Draft Digital Personal Data Protection Bill, 2023 received President of India’s assent after passage in both the Houses of the Parliament and became a law i.e. Digital Personal Data Protection Act, 2023 (“DPDP Act”). The DPDP Act has been notified by the Government. This Act provides a framework for processing of digital personal data in a manner that recognises the right of individuals to protect their personal data and the need to process personal data for lawful purposes.

By way of brief background, in 2017, a Committee of Experts headed by Justice B.N. Srikrishna (Retd.) (“Srikrishna Committee”) was constituted to identify key data protection issues and provide a legislative framework for data protection in the country. The Srikrishna Committee submitted its report in 2018 along with a draft of the Personal Data Protection Bill, 2018. Thereafter, the Personal Data Protection Bill, 2019 (“2019 PDP Bill”) was tabled before the Parliament and later referred to the Joint Parliamentary Committee (“JPC”) which published its report in 2021 along with a draft Data Protection Bill, 2021. However, on 3rd August 2022, the Government of India withdrew the 2019 PDP Bill from the Parliament. Later that year, on 18th November 2022, the Ministry of Electronics and Information Technology (“MeitY”) released the Digital Personal Data Protection Bill 2022 (“Draft DPDP Bill 2022”) for stakeholder consultations. Finally, in the 2023 Monsoon Session of the Parliament, the Draft Digital Personal Data Protection Bill, 2023 was tabled before the Parliament which, after going through the Parliamentary procedure, has now become the law in India. The DPDP Act is the first consolidated legislation governing personal data protection and privacy in India.

Brief Overview of the DPDP Act
  • Key Definitions:
    1. Personal Data – Any data about an individual who is identifiable by or in relation to such data.
    2. Processing – Wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction
    3. Data Fiduciary – Entity/person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
    4. Data Principal – The individual to whom the personal data relates and includes the parent of a child and lawful guardian of a person with disability.
    5. Consent Managers – Entity/person registered with the Data Protection Board of India, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform
    6. Data Processor – Entity/person who processes personal data on behalf of a Data Fiduciary.
    7. Appellate Tribunal – Telecom Disputes Settlement and Appellate Tribunal
  • Applicability: The DPDP Act applies to the processing of digital personal data within India when the data is collected in digital form or non-digital form but digitised subsequently. It also applies to processing of digital personal data outside India if such processing is in connection with any activity related to offering of goods or services to Data Principals within India. However, the DPDP Act does not apply to digital personal data processed for personal/ domestic purpose and digital personal data that is made or caused to be made publicly available by the Data Principal or any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
  • Grounds for processing: The personal data of a Data Principal can only be processed for lawful purpose for which consent has been provided or for “certain legitimate uses”.
  • Notice: Data Fiduciaries are required to provide a notice, providing the description of the personal data collected, the purpose of processing of such data, manner of exercising right to withdraw consent and the manner of exercising the right to grievance redressal, prior to or at the time of obtaining consent from Data Principals. In cases where the consent had been obtained prior to the commencement of the DPDP Act, a fresh notice will have to be given to the Data Principal as soon as it is reasonably practicable. Data Fiduciaries are also required to provide notice in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India at the option of the Data Principal. As per the DPDP Act, Data Fiduciaries can process personal data until consent is withdrawn by the Data Principal.
  • Consent: Consent must be freely given, specific, informed, unconditional and should be an unambiguous indication of the Data Principal’s wishes, through a clear affirmative action signifying agreement to the processing of her personal data for the specified purposes and that the processing be limited to such personal data necessary for such specified purpose. Every request for obtaining consent must be in clear and plain language and the Data Principal should be given the option to access such request in English or in any of the 22 languages specified in the Eighth Schedule of the Constitution of India. While consent may be withdrawn at any point, the consequences of such consent withdrawal will have to be borne by the Data Principal and once consent has been withdrawn, the Data Fiduciary will be required, within a reasonable time, to cease processing of personal data of the Data Principal unless such processing is required or authorised under law.
  • Consent Managers: Data Principals can give, manage, review or withdraw their consent through a Consent Manager. A Consent Manager is required to be registered with the Board and would be accountable to Data Principals.
  • Certain Legitimate Uses: The Data Fiduciary can process personal data without providing a notice and request for consent for, inter alia, the following purposes –
    1. Specified purpose for which the Data Principal voluntarily provides their personal data to the Data Fiduciary and does not indicate that she does not consent to the use of her personal data
    2. Performance of any function under any law by the State or any instrumentality of the State, or in the interest of sovereignty and integrity of India or security of the State
    3. Compliance with any judgment or order
    4. Purposes related to employment or those related to safeguarding the employer from loss or liability including prevention of corporate espionage, maintenance of trade secrets and intellectual property, etc.
  • Obligations of the Data Fiduciary: A Data Fiduciary has certain obligations under the DPDP Act, including, inter alia, the following:
    1. Ensure completeness, accuracy and consistency of the personal data if it is to be used to make a decision that affects a Data Principal or if it is to be disclosed to another Data Fiduciary
    2. Implement technical safeguards and reasonable security measures for complying with the provisions of the DPDP Act
    3. Notify the Board and each affected Data Fiduciary about a personal data breach
    4. Publish details of a Data Protection Officer (in case of a Significant Data Fiduciary or “SDF”) or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data
    5. Erase the data of a Data Principal upon withdrawal of consent
    6. Establish a grievance redressal mechanism
    7. May engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf under a valid contract
  • Additional Obligations of SDF: Any Data Fiduciary or a class of Data Fiduciaries can be notified by the Central Government as SDF, based on the assessment of factors including, inter alia, the volume and sensitivity of personal data processed, risk of harm to Data Principals, risk to electoral democracy, public order. Further, SDF is required to appoint a Data Protection Officer (“DPO”), to represent the SDF and act as the point of contact for grievance redressal mechanism. SDF is also required to undertake periodic Data Protection Impact Assessment (“DPIA”), periodic audit and such other measures as may be prescribed.
  • Processing of Personal Data of Children: Data Fiduciaries will have to obtain “verifiable consent” of a parent/ lawful guardian before processing any personal data of a child or a person with disability who has a lawful guardian. The Data Fiduciary can neither process any personal data that is likely to cause detrimental effect on the well-being of a child nor undertake tracking or behavioural monitoring of children or targeted advertisement directed at children. Further, the Central Government can, if it is satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations in respect of processing by that Data Fiduciary as the notification may specify.
  • Rights of Data Principals: The DPDP Act confers the following rights on Data Principals:
    1. Right to seek a summary of personal data which is being processed and processing activities undertaken by a Data Fiduciary, identities of all Data Fiduciaries and Data Processors with whom personal data has been shared with description of personal data so shared, any other information related to personal data as prescribed
    2. Right to correction, completion, updating and erasure of personal data
    3. Right of grievance redressal (a Data Principal is required to exhaust the opportunity of grievance redressal before approaching the Board)
    4. Right to nominate another individual to exercise rights of the Data Principal, in the event of death or incapacity of the Data Principal
  • Duties of Data Principals: The DPDP Act also imposes duties on Data Principals requiring them to, inter alia, comply with the provisions of all applicable laws, not to impersonate another person, not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities, not to register a false/ frivolous grievance.
  • Processing of Personal Data outside India: The Central Government can notify countries to which the transfer of personal data by a Data Fiduciary for processing would be restricted. However, the DPDP Act does not restrict the applicability of any law in India that provides for a higher degree of protection/restriction on the transfer of personal data outside India.
  • Exemptions for Data Fiduciaries including startups: Under the DPDP Act, the requirements of providing notice and obtaining consent need not be met with where, inter alia,:
    1. the processing of personal data is necessary for enforcing any legal right or claim
    2. where processing of personal data by any court/tribunal/any other body is necessary for performing any judicial/ quasi-judicial function
    3. personal data is processed for prevention, detection, investigation or prosecution of any offence/ contravention of any law
    4. personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India.
    5. personal data to be processed by the State/any instrumentality of the State, in the interest of inter alia, sovereignty and integrity of India, security of the State, maintenance of public order etc.
    6. processing of personal data by the State/any instrumentality of the State where the processing is for a purpose that does not include the making of a decision affecting a Data Principal
  • Data Protection Board (“Board”): A Board will be established to inter alia, determine non-compliance, impose penalties, conduct inquiry in respect of a complaint, and perform any other function as may be assigned by the Central Government
  • Appeal to Appellate Tribunal: Any person aggrieved by an order/direction made by the Board can prefer an appeal before the Appellate Tribunal.
  • Voluntary Undertaking: At any stage of proceeding before the Board, the Board can accept a voluntary undertaking in respect of any matter related to observance of the DPDP Act from any person. The voluntary undertaking may state the specific action that the person seeks to take within a specified time or an action they shall refrain from pursuing. After accepting the voluntary undertaking, the Board may with the agreement of the person, vary the terms included in such undertaking. The acceptance of the undertaking shall lead to a bar on the proceedings before the Board.
  • Penalties: Financial penalties have been introduced for non-compliance with the provisions of the DPDP Act. The DPDP Act also imposes a penalty on a Data Principal for non-compliance with its duties.
  • Power to Call for Information: The Central Government can require the Board and any Data Fiduciary or intermediary to furnish information called for by the Central Government.
  • Power of Central Government to Issue Directions: Upon receipt of a reference in writing from the Board regarding imposition of penalty by the Board on Data Fiduciaries in 2 or more instances and in the “interest of general public”, the DPDP Act allows
S.no. Topic GDPR DPDP Act
1. Cross border data transfer Codifies cross-border transfer of data and allows for transfer of personal data to a third country basis the adequacy test or the specified safeguards (i.e., Standard Contractual Clauses). Cross-border transfer of data will be based on a negative list. No provision of any principles for assessing adequacy of countries that may be barred/restricted by the Central Government. Further, if there is a higher degree of restriction on transfer of personal data outside India in any other law, then the same must be followed. This would mean that sectoral laws like RBI’s localisation mandate for payment system data will continue to be applicable.
2. Notice The GDPR requires providing information in the notice relating to the recipients or categories of recipients of the personal data, the period of retention of such data, and transfer of data. The Notice requirements have been stripped down significantly in the DPDP Act and corresponding requirements of notice are not present. Information relating to processing activities and recipients can be accessed by the Data Principal upon request.
3. Personal Data Breach Notification Data Controllers required to notify affected individuals without undue delay only if it is likely to result in a “high risk” to individuals. Data Fiduciaries are required to notify affected Data Principals for any breach of personal data without any guidance on scale or severity of such breach.
4. Public Authority Each Member State is required to establish an ‘independent’ public authority responsible for monitoring the application of the GDPR. While the Board is required to be an independent body, in practise it may not enjoy ‘independence’ from the Central Government as the appointment of employees in the Board will be subject to Government approval and also their conditions of service, etc. will be prescribed by such Government.
5. Right to be forgotten The GDPR specifically caters to the Right to be Forgotten when personal data has been published and requires that a Controller, in response to a request for the deletion of data that was previously made public, would need to “take reasonable steps” to inform any third parties that may be processing the data of the Data Subject who has requested deletion. There is also an obligation under the GDPR to communicate the deletion request directly to any known recipients of the data unless it would be impossible or would require disproportionate effort. While the DPDP Act provides a right to erasure and a Data Fiduciary on receipt of such a request must erase the personal data of the Data Principal, it does not have any obligation to erase personal data that has been published by the Data Fiduciary or by its Data Processors that have been provided this data by the Data Fiduciary.
6. Age of consent The GDPR imposes additional obligations when collecting consent from children under the age of 16 (or, at an age set between 13 and 16 by Member State law). The DPDP Act defines a child as an individual under 18 years of age. The Central Government can notify a lower age for processing of children’s data if it is satisfied that the Data Fiduciary has ensured that processing of personal data of children is in a “verifiably safe” manner. Such Data Fiduciaries would be exempt from the applicability of all or any of the special obligations relating to child’s data.

the Central Government, to direct any agency of the Central Government or an intermediary to block access to information, where it is satisfied that it is necessary or expedient to do so after giving an opportunity of being heard to the Data Fiduciary. Every intermediary who receives such direction is bound to comply with such direction.

  • Overriding Effect: Once enacted, the DPDP Act will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) that provides the right to seek compensation from a body corporate that is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain while possessing, dealing or handling any sensitive personal data or information. Consequently, the DPDP Act will also replace the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Additionally, the DPDP Act also seeks to amend the Right to Information Act, 2005 and as per the amendment, there is no requirement to disclose any “information which relates to personal information”

    The operationalization of the DPDP Act would be contingent on various rules/notifications issued by the Government of India and the DPDP Act will be implemented in phases through separate notifications.

THE FIRM’S TAKE

By notifying the DPDP Act, the Government has taken a significant step towards introducing a comprehensive stand-alone legislation governing data protection and privacy in India. While the DPDP Act is largely based on the GDPR, there are significant departures from the GDPR. For instance, GDPR codifies cross-border transfer of data provisions and allows for transfer of personal data to a third country basis the adequacy test or specified safeguards. However, the DPDP Act does not provide any such threshold for crossborder transfer of personal data. Further, while the GDPR provides for the right to be forgotten, the DPDP Act does not specifically provide such right.

There are many concerns with the provisions of the DPDP Act. Notably, many terms used in the DPDP Act, such as “verifiable consent”, “detrimental effect on the well-being” of a child, “as soon as reasonably practicable” (for providing notice to Data Principals who had provided consent before commencement of the Act), have not been defined, leaving such terms open to interpretation. Further, the Central Government has broad powers, under the DPDP Act, to prescribe rules, regulations, and notifications in various areas, such as notice, data breach reporting, children’s digital personal data, list of countries for cross-border transfer etc. thereby giving excessive power to the government to notify the nuances of such provisions which would be critical in the effective implementation and compliance of the DPDP Act.

The DPDP Act also confers excessive powers to the Central Government allowing it to call for any information from a Data Fiduciary/Intermediary. The DPDP Act does not provide any guidance or safeguards in respect of the information that can be called for by the Government. Moreover, in addition to the Section 69A of the IT Act, the Central Government is also empowered under the DPDP Act to issue directions to an intermediary (albeit upon satisfaction of certain conditions) to block access, if it is in the ‘interest of the general public’, to information identified by the government.

Moreover, unlike the IT Act, the DPDP Act does not provide the right to seek compensation to the affected person in the event of any negligence on the part of the Data Fiduciary in implementing and maintaining reasonable security practices and procedures leading to a wrongful loss or wrongful gain while possessing, dealing or handling any sensitive personal data or information. To seek compensation from the erring Data Fiduciary, a Data Principal who suffers a civil wrong can invoke legal liability as a claimant against the person committing such wrongful act for compensatory damages, under tort law.

Furthermore, the compliance costs are likely to increase in light of the requirements, inter alia, to provide the option to access the contents of the notice and request for consent in English or any of 22 languages mentioned in the Eighth Schedule of the Indian Constitution. Further, the DPDP Act imposes a mandate of reporting data breaches to the Board and affected Data Principals. This would be in addition to the mandate of reporting cyber incidents to the Indian Computer Emergency Response Team as per the IT Act and rules and directions issued therein.

The DPDP Act prescribes hefty penalties (upto INR 250 crores, depending on the nature of the breach) for any non-compliance with its provisions on not only the Data Fiduciary but also the Data Principal.

While the DPDP Act codifies the rights and duties of Data Fiduciaries and Data Principals, Government’s approach in notifying various provisions of the DPDP Act and the timelines it seeks to provide to entities for transitioning and making appropriate administrative changes in a way that do not disrupt ongoing operations of businesses would be pivotal in the compliance and implementation of the DPDP Act.

This area of law in India is now an evolving landscape, and complete clarity will be available once the phased implementation of the DPDP Act is complete, and the corresponding delegated legislation is passed by Parliament and notified.

NATIONAL COMMISSION FOR PROTECTION OF CHILD RIGHTS ISSUES THE GUIDELINES FOR CHILD AND ADOLESCENT PARTICIPATION IN THE ENTERTAINMENT INDUSTRY

In May 2023, the National Commission for Protection of Child Rights (“NCPCR”) issued Guidelines for Child and Adolescent Participation in the Entertainment Industry (“Guidelines”)

The Guidelines supersede its previous iteration of 2011 and have been revised to ensure the welfare of children who are working in the entertainment industry and have taken into consideration the nature of issues that were brought before the NCPCR as well as the growing use of social media platforms and OTT platforms for creating entertainment content.

Some of the key features of the Guidelines are as follows:

  1. Scope: The Guidelines cover television programmes including, inter alia, reality shows, news and informative media, movies, OTT platforms, content on social media platforms, as well as “any other kind of involvement of children in commercial entertainment activities”. The Guidelines are applicable to any company, organisation, individual, and Central and State Government authorities that are involved in the production and broadcasting of such material/content.
  2. General Principles: The Guidelines provide a set of 11 principles, that are to be followed while employing children/ adolescents in the entertainment industry, pertaining to, inter alia, treatment with equal dignity, right to be heard and participate in all processes affecting the interests of the child, consideration of best interests of the child, safety, privacy, confidentiality, and natural justice.
  3. Key Definitions: Some of the definitions introduced in the Guidelines are as follows:
    • Adolescent is a person who has completed 14th year of age but not the 18th year of age.
    • Child is a person below the age of 14 years of age or age specified in the Right of Children to Free and Compulsory Education Act, 2009, whichever is more.
    • Child Artist is a child who performs/ practices any work as a hobby/profession directly involving him as an actor, singer, sports person or in such other activity as may be prescribed relating to the entertainment or sports activities
    • OTT Platforms are over the top media services that are offered directly to viewers via the Internet.
    • The definitions of Online Curated Content (“OCC”) and Publisher of OCC are the same as those notified in the Cigarettes and other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Amendment Rules, 2023.
    • Further, terms such as “best interests” and “child in need of care and protection” have also been introduced in the Guidelines.
  4. Registration of Child Artist with the District Magistrate: A producer of any audio-visual media production or commercial event, must obtain the permission from the District Magistrate of the district where the activity is to be performed and must furnish an undertaking, list of child participants, consent of parent or guardian, along with the details of the person from the production/event responsible for the safety and security of a child before starting the activity. Further, such producers must also ensure that screening of films and television programmes carry a disclaimer at the beginning of film or each episode, specifying that measures were taken to ensure that there has been no abuse, neglect or exploitation of a child during the production and shooting process. The permit obtained in accordance with this guideline will only be valid for a period of 6 months.
  5. Content: A child/adolescent should not be cast in an inappropriate or distressful or embarrassing situations or a situation that is likely to cause unnecessary mental or physical suffering. The age, maturity, emotional or psychological development and sensitivity of the child/adolescent must also be taken into consideration. Further, children/adolescents shall not be portrayed in a scene where the child is shown under the influence of alcohol or any other substance. A child/adolescent shall not be made to participate in a programme against their will/consent.
  6. Presence of Parent/Guardian: As per the Guidelines, at least one parent or legal guardian must be present if the child is below the age of 6 years. For a child above the age of 6 years, a person known to the child can also be present at all times of the process. A registered nurse/midwife must be present to take care of a child that is an infant. Further, travel arrangements will have to be made for the child.
  7. Categories of Content Created on Social Media Platforms: The content created for social media applications/ short video platforms involving children/ adolescents must be bifurcated into production house/organisation created content and content created by child/ adolescent or their parent/guardian/ family.
  8. Duties of Social Media Intermediaries for content uploaded on their platforms: The Guidelines specify the provisions of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules”) that social media intermediaries are required to follow. The Guidelines also stipulate that, in the event of any violation of child rights under any law in force including the IT Rules, the social media intermediaries must take swift and prompt action.
  9. Children in News and Media: The Guidelines also state that media and production houses must be sensitive towards child victims of offences and should refrain from sensationalizing issues of/ relating to children.
  10. Advertisements: The Guidelines prescribe following Guidelines for Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022 in respect of use of child/adolescent in advertisements and children/adolescents targeted advertisements.
  11. Conditions of work: The Guidelines also stipulate the physical conditions of work, the working hours, education as well as the conditions of safety of a child/adolescent.
THE FIRM’S TAKE

The Guidelines issued by the NCPCR are a much needed upgrade to the 2011 Guidelines, given the popularity, ubiquitous use and exposure to Internet based entertainment sector and its impact on children who participate and consume this content.

However, the Guidelines appear to be a consolidation of all the prevailing laws, governing children/adolescents and their participation in the entertainment sector, mostly reproducing the provisions under various laws and not providing any clarity on the overlapping nature of the powers conferred under these laws to various authorities. Further, the Guidelines require production houses to register all child artists with the District Magistrate, however, the registration will be valid only for 6 months at a time. While this provision is important to ensure safety and security of children, it is pertinent to note that the Guidelines are not mandatory under law thereby frustrating the very rationale of introducing a registration mechanism. Moreover, the 6 months’ term for validity of registration places onerous obligations on media and production houses which would likely deter such media/ production houses from following the Guidelines.

Accordingly, while the intention behind introducing the Guidelines is vested in the interest of children and child artists, the execution of these Guidelines and its impact on ease of doing business will become clear in fulness of time.

MINISTRY OF ENVIRONMENT AND CLIMATE CHANGE HAS ISSUED THE DRAFT GREEN CREDIT IMPLEMENTATION RULES, 2023 FOR PUBLIC CONSULTATION.

On 27th June, The Ministry of Environment, Forest and Climate Change (“MoEFCC”) issued a notification containing the Draft of the Green Credit Programme Implementation Rules, 2023 (“Green Credit Rules”) for public consultation. The Green Credit Programme aims to leverage a competitive market-based approach for Green Credits thereby incentivising voluntary environmental actions of various stakeholders such as private sector industries and companies as well as other entities. The Green Credit Programme will enable such entities to meet their existing obligations, stemming from other legal frameworks, by taking actions which are able to converge with activities relevant for generating or buying Green Credits. The key highlights of the Green Credit Rules are:

  1. Objective: The Green Credit Programme (“Programme”) has been drafted for promoting the Government of India’s ‘LiFE’– ‘Lifestyle for Environment’ movement for “combating climate change, enhancing environment actions to propagate a healthy and sustainable way of living based on traditions and values of conservation and moderation, and for sustainable and environmentfriendly development”.

    2. The Programme accordingly will further the LiFE movement by seeking to establish market-based mechanisms for providing Green Credits. Such a Programme would incentivise adoption of environmentally friendly practices by various entities like the private sector, industries, etc.

    The Green Credits will be made available to individual and entities, engaged in selected activities and who undertake environmental interventions and the same will made available for trading on a domestic market platform. Additionally, in case an environmental activity generating Green Credits also reduces/removes carbon emissions, the same shall be eligible to claim carbon credits as well.

  2. Relevant Definitions:
    1. ‘Accredited Green Credit Verifier’ means an entity accredited and authorized by the Green Credit Programme Administrator (i.e. Indian Council of Forestry Research and Education) to carry out verification activities in respect of the Programme.
    2. ‘Green Credit’ means a singular unit of an incentive provided for a specified activity, delivering a positive impact on the environment.
    3. ‘Registered Entity’ means any entity, registered for generation of Green Credits.
    4. ‘Registry’ means an electronic database system maintained by Green Credit Programme Administrator or its accredited agency to record issuance and exchange of Green Credits.
    5. ‘Third-party certifiers’ means an entity that certifies an activity for its registration.
    6. Verification’ means an independent evaluation of the green credit activity by the accredited Green Credits Verifier for acquiring Green Credits.
    7. ‘Empanelled Auditors’ means an entity empanelled by the Central Government for auditing the entire system of the Programme.
  3. Implementation Mechanism

    4. A phase wise approach for implementation of the Programme will be adopted. In the first phase, two to three activities from the sectors indicated below will be considered for designing and piloting the Programme:

    1. Tree Plantation-based Green Credit: To promote activities for increasing the green cover across the country through tree plantation and related activities.
    2. Water-based Green Credit: To promote water conservation, water harvesting and water use efficiency/ savings, including treatment and reuse of wastewater
    3. Sustainable Agriculture based Green Credit: To promote natural and regenerative agricultural practices and land restoration to improve productivity, soil health and nutritional value of food produced.
    4. Waste Management based Green Credit: To promote sustainable and improved practices for waste management, including collection, segregation and treatment.
    5. Air Pollution Reduction based Green Credit: To promote measures for reducing air pollution and other pollution abatement activities.
    6. Mangrove Conservation and Restoration based Green Credit: To promote measures for conservation and restoration of mangroves.
    7. Ecomark based Green Credit: To encourage manufacturers to obtain Ecomark label for their goods and services.
    8. Sustainable building and infrastructure based Green Credit: To encourage the construction of buildings and other infrastructure using sustainable technologies and materials.
  4. Methodology of generating Green Credits:

    5. Thresholds and benchmarks will be developed for each Green Credit activity for generating and issuance of Green Credits. In case of any obligation under any law, the thresholds and benchmarks will be aligned with that obligation. The environmental outcome, achievable by any Green Credit activity, will be based on equivalence of resource requirement, parity of scale, scope, size and other relevant parameters, and will be considered for allocation of one unit of Green Credit in respect of each activity.

  5. Steering Committee:

    6. A Steering Committee, comprising of representatives from the concerned Ministries/Departments, domain experts will be setup to oversee the implementation of the Programme. Specifically, the Steering Committee will have to carry out the following functions:

    1. Grant approvals in respect of procedures, guidelines, etc. for implementation of the programme.
    2. Make recommendations to the Central Government on measures to create demand for the programme, activities and sectors to be covered under the programme and in respect of matters referred to it by the Central Government.
    3. Review and monitoring the implementation of the programme.
  6. Green Credit Programme Administrator and its functions:

    7. Indian Council of Forestry Research and Education shall be the Administrator of the Programme which shall discharge, inter alia, the following functions:

    1. Develop guidelines, processes and procedures for implementation of the Programme;
    2. Constitute Technical or Sectoral committees for each activity to facilitate in developing methodologies and processes for registration of Green Credit activities and issuance of Green Credit.
    3. Develop methodologies, standards, registration process and associated Measurement, Reporting and Verification mechanism
    4. Establish methodologies and processes for equivalence of Green Credits generated from each identified activity;
    5. Develop guidelines for establishment and operation of Green Credit Registry and trading platform, for issuance of digital Green Credits for each activity, for self-certification of Green Credits, and for accreditation of Green Credit Registry, third-party certifiers, Green Credit Verifiers, for grant of Green Credits, and for auditing of the Programme.
    6. Accreditation and registration of the Green Credit Registry, third-party certifiers, Green Credit Verifiers and Trading Service Providers.
    7. Collect fees from Registered Entity as per the approved guidelines.
  7. Technical Committee and its functions: The Administrator may constitute technical or sectoral committees, comprising of Government officials and experts, for each activity for developing methodologies, standards and processes for registration of Green Credit activities and grant of Green Credits
  8. Green Credit Registry and its functions: The Green Credit Registry will be in the form of a standardized electronic database which contains inter-alia common data elements relevant to the issuance, holding, transfer and acquisition of Green Credits. This registry’s mandate, inter alia, also extends to register entities, grant & record green credits, indemnify registered entities in case of any loss caused to such entity due to security breach in the database, not attributable to such registered entity, establish linkages with other national and international registries, etc.
  9. Trading Platform: The guidelines for the establishment and operation of the Trading Platform shall be issued by the Administrator with the approval of Steering Committee. The Trading Platform for the exchange of Green Credits shall be established by the Trading Service Provider accredited by the Administrator. Furthermore, Trading Service Provider shall perform functions regarding the trading of Green Credits, in accordance with the approved guidelines.
  10. Knowledge and Data Platform: A Knowledge and Data Platform will be established as an online platform developed for providing transparency on the various types of activities being undertaken and for reporting sectoral progress under the Programme.

    11. Accredited Green Credit Verifiers: Accredited Green Credit Verifiers shall conduct verification and submit reports to the Administrator for grant of Green Credits in accordance with provisions of the guidelines.

  11. Demand Generation for Green Credits: The Programme shall be based on voluntary participation of all stakeholders. Furthermore, all entities registered for Accredited Compensatory Afforestation shall register with the Green Credit Registry under the Programme as the same will be eligible for consideration under these guidelines for allocation of Green Credits.
  12. Empanelled Auditors: The Central Government may empanel auditors for audit of the entire system of the Programme functioning and administration from time to time.
THE FIRM’S TAKE

The Programme is a laudatory initiative by the MoEFCC as it seeks to use a market-based mechanism to incentivise multiple stakeholders to use environmentally friendly practices. Additionally, the Programme, in line with principles of good governance, seeks to converge existing schemes/activities like compensatory afforestation, extended producer responsibility, etc. and providing green credits for the same. Another aspect of the Programme that merits attention is the convergence with carbon credit and such an activity generating Green Credits may also get Carbon Credits from the same activity under carbon market. The MoEFCC has, in compliance with the pre-legislative consultative policy, sought comments from the public on the Programme before notifying the same. The same approach should be adopted whilst notifying various operational guidelines under the Programme such as issuance of digital green credits, trading of green credits, etc.

TRAI ISSUES DIRECTION FOR IMPLEMENTING AI/ML BASED UCC DETECT SYSTEM UNDER TELECOM COMMERCIAL COMMUNICATIONS CUSTOMER PREFERENCE REGULATIONS, 2018

On 13th June 2023, TRAI issued a direction requiring all Access Providers to deploy Artificial Intelligence and Machine Learning (“AI/ML”) based Unsolicited Commercial Communication (“UCC”) Detect System to detect, identify and act against senders of Commercial Communication who are not registered in accordance with the provisions of Telecom Commercial Communication Customer Preference Regulations, 2018 (“TCCCPR”).

Salient features:
  1. As a part of its Direction, TRAI noted the following:
    1. There has been an increase in UCC calls and SMS from Unregistered Telemarketers (“UTMs”) using ten-digit mobile numbers.
    2. Use of fraudulent links and misuse of telephone numbers for trapping customers into sharing of their critical information often leading to financial loss to the customers.
    3. The inability of the current UCC detect systems to detect senders of such unsolicited communications.
    4. Constant evolution of SMS phishing (smishing) patterns, CTAs (call to action) and other frequently changing techniques by UTMs which due to their low activity span, are difficult to contain.
    5. In light of such evolving cases of misuse, the TRAI has recognised a need to use Al/ML techniques to deploy and constantly evolve the UCC Detect system capable of dealing with new signatures, new patterns and new techniques used by UTMs. Accordingly, there is a need to establish a UCC Detect System to detect, identify, and act against senders of Commercial Communication who are not registered in accordance with the provisions of the TCCCPR.
  2. TRAI has directed all Access Providers to:
    1. Deploy AI/ML based UCC Detect system capable of evolving constantly to deal with new signatures, new patterns and new techniques used.
    2. Ensure that UCC Detect System detect bulk UCC that is non-compliant with the TCCCPR.
    3. Ensure that UCC Detect System can –
    • Undertake reputation-based analysis of the message sender, and is helpful in avoiding false positives, taking into account various factors like age of subscription, authentication at the time of subscription, address verification method, and SMS sending/ calling pattern;
    • Share intelligence with other Access Providers using DLT platform.
    1. Ensure that action is taken by the Originating Access Provider (“OAP”) as per provisions of the regulations.
    2. Share information with concerned Law Enforcement Agencies, Ministry of Home Affairs, and Department of Telecommunications.
THE FIRM’S TAKE

The introduction of AI/ML measures to combat UCC is a welcome step for the effective implementation of the TCCCPR. Over the past few years, the TRAI has been actively engaged in combating UCC, specifically through the strict implementation of registration requirements for telemarketers. The growing menace of bulk UCC, despite strict regulations for content and principal entity registration, is quickly escalating on a global scale. The Direction is extremely pertinent in light of the recent steps taken by the Singapore Infocomm Media Development Authority (“IMDA”). The IMDA requires entities sending SMS with alphanumeric Sender IDs to be registerd with the Singapore SMS Sender ID Registry (“SSIR”). Further, unregistered entities sending such SMS shall be labelled as “Likely-SCAM” in an attempt to preserve cyber health and protect consumers from online scams. Considering that previous attempts by TRAI utilising DLT/ blockchain have not been able to keep up with the rise in UCC, incorporating AI/ML solutions to detect such communications could be extremely beneficial for consumers at large.

THE MINISTRY OF HEALTH AND FAMILY WELFARE NOTIFIED THE CIGARETTES AND OTHER TOBACCO PRODUCTS (PROHIBITION OF ADVERTISEMENT AND REGULATION OF TRADE AND COMMERCE, PRODUCTION, SUPPLY AND DISTRIBUTION) AMENDMENT RULES, 2023

On 31st May 2023, the Ministry of Health and Family Welfare (“MoHFW”) notified the Cigarettes and other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Amendment Rules, 2023 (“COTPA 2023”). These rules amend the Cigarettes and Other Tobacco Products (Prohibition of Advertisement and Regulation of Trade and Commerce, Production, Supply and Distribution) Rules, 2004.

COTPA 2023 mandates publishers of online curated content to display antitobacco health spots, warning messages, and audio-visual disclaimers while displaying any tobacco products or their use.

The key amendments introduced in COTPA 2023 are as follows:
  1. Key Definitions: The definitions for the terms “online curated content” and “publisher” of such content have been introduced to the regulations and are as follows:
    1. Online Curated Content(“OCC”) – OCC is a curated catalogue of audiovisual content, other than news and current affairs content, which is owned by, licensed to, or contracted to be transmitted by a publisher of OCC and is made available on demand over the internet or computer network, including through subscription. This term includes, inter alia, films, audio visual programmes, documentaries, podcasts or any other such content.
    2. Publisher of OCC– A publisher has been defined to mean a publisher who, plays a “significant role” in determining the OCC being made available, and makes available to users a computer resource that enables users to access OCC over the Internet. This definition includes within its ambit any entity that performs a similar function but excludes an individual/user who is not transmitting OCC in the course of business/commercial activity
  2. Anti-tobacco health spots and audio visual disclaimer: Every publisher of OCC that displays tobacco products or its use is required to display anti-tobacco health spots for a minimum duration of 30 seconds each at the beginning and middle of a programme and an audio visual disclaimer pertaining to the ill-effects of tobacco for a minimum duration of 20 seconds each at the beginning and middle of a programme.
  3. Anti-tobacco health warning: Additionally, a publisher of OCC is also required to display an anti-tobacco health warning message as a “prominent static message” at the bottom of the screen while displaying the tobacco products or their use. This message must be displayed on a white background, in black font, in a legible and readable manner, and along with the following warnings, “Tobacco causes cancer” or “Tobacco kills.
  4. Language requirements: The antitobacco health spot, warning message and audio visual disclaimer have to be provided in the same language as used in the OCC. Further, the health spot, warning message, and the disclaimer will be provided to the OCC publisher on the official websites of the MoHFW, namely “mohfw.gov.in” and “ntcp.mohfw.gov.in”
  5. Limitation: OCC publishers should not display brands of cigarettes, other tobacco products or any form of tobacco product placement, or their use in promotional material.
  6. Non-compliance: In the event of non-compliance, an inter-ministerial committee can take action either suo moto or on complaint and issue a notice to the publisher of the OCC to explain the non-compliance and make corrections.

    7. COTPA 2023 came into force after expiration of 3 months from the date of notification, i.e. on 31st August 2023.

THE FIRM’S TAKE

The amendments introduced under COTPA 2023 appear to have been introduced with the intent of discouraging tobacco consumption considering the growing popularity of over-the-top (“OTT”) platforms and their impact on viewers. Notably, the definition of the term “online curated content” has been harmonised with the definition provided in Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and cover original content as well as any third party content hosted/made available on OTT platforms. Interestingly, the MoHFW will be providing the language for the anti-tobacco health spots, warning message and the audio visual disclaimers, informing the stakeholders about the language that would be acceptable for such health spots, warning messages, and disclaimers.

Having said this, at this time, it is unclear whether these rules would be applicable to existing programmes or new content made available after 3 months, potentially leading to administrative issues for OTT platforms. Further, while COTPA 2023 provides for an action from an inter-ministerial committee in the event of non-compliance of these rules, the basis of forming such a committee and the scope of its powers have not been provided. COTPA 2023 also does not shed light on the consequences of non-compliance with the notice of the inter-ministerial committee.

Moreover, since the language for the health spots, warning messages, and disclaimers will be provided by the MoHFW, which has to be displayed in the manner specified in COTPA 2023, such manner of display could potentially affect the consumer experience of watching the programme on OTT platforms. Additionally, in the absence of any definitions, the difference between a health spot, warning message and a disclaimer is unclear at this time, which may become clear when the MoHFW provides the language for the same on its websites.

TRAI ISSUES DIRECTIVE FOR DEVELOPMENT OF DIGITAL CONSENT ACQUISITION FACILITY

On 2nd June, 2023, TRAI issued a Direction under the Telecom Commercial Communication Customer Preference Regulations, 2018 (“TCCCPR”) to all the Access Providers (“APs”) to develop and deploy the Digital Consent Acquisition (“DCA”) facility. The DCA facility is a unified platform and process to register customers’ consent digitally across all service providers and Principal Entities (“PEs”) to curb spams through Unsolicited Commercial Communication (“UCC”) . A period of two months has been allocated for the development of the DCA facility and will be implementing the same in a phased manner.

Salient features of the Directive:
  1. Issues with Status-Quo: Under the Direction, the TRAI has made the following observations pertaining to UCC and compliance with the TCCCPR within the status-quo:
    1. promotional messages are being sent without scrubbing (verification) of the consents of the customers registered, and further, these messages are being sent under the Service Message category;
    2. APs have not developed uniform process for registering the consent of the subscribers, as envisaged in the regulations;
    3. the consents acquired by the PEs are being used by the APs without reverification and updation as provided for in the regulations;
    4. DCA and Revocation facilities are yet to be developed and to be deployed by the APs;
  2. Direction to APs: Under the Direction, APs have been instructed to:
    • Ensure that no promotional messages are sent without scrubbing of the consent and preference of the customers;
    • Ensure that no promotional messages are sent under the Service Message category;
    • Develop and deploy DCA facility to –
      • Enable subscribers to record their consents and revoke the same as provided in the regulations.
      • Ensure that short code 127xxx (or any other code as prescribed by the TRAI) are used by all the APs for sending consent seeking message.
      • Develop a SMS/IVR/Online facility to register unwillingness of the customers to receive any consent seeking message initiated by any PE. APs will also be required to whitelist the telephone numbers of such customers and ensure that no consent seeking messages are delivered to them.
      • Ensure that the scope and PE/Brand name is mentioned clearly in the consent seeking message sent through the short code.
      • Ensure that PEs whitelist existing URLs/APKs/OTT links/Call Back number within one month after development of DCA facility and after that only whitelisted URLs/APKs/OTT links/ Call Back number and others as may be specified by the TRAI from time to time are used in the consent seeking messages.
      • Ensure that the consent acquisition confirmation message sent to the customers also has information related to revocation of the consent.
      • Ensure that if a customer has rejected or not responded to the consent seeking requests, no such messages to the customer are initiated by the same PE for next ninety days for the same consent. However, customers will have the right to initiate the consent registration request on their own.
      • Ensure that PE initiated consent acquisition process should begin only one month after the DCA Facility is fully functional and advertised or thirty days after successful implementation of DCA, whichever is earlier, and until then, only customer-initiated consent acquisition process is followed.
      • Ensure that in the first month after the commencement of the PE initiated Consent Acquisition process, PEs belonging to the Banking, Insurance, Finance and Trading related sectors are on-boarded to initiate Consent Acquisition process and the remaining sectors will be onboarded within the two month timeline.
      • Educate the PEs about the process of taking consent and its verification through APs and facilitate the onboarding of PEs.
      • Give wide publicity through various media including print media to the Digital Consent Acquisition/Revocation/ whitelisting process for user awareness.
      • No other mode of consent acquisition process can be adopted after successful implementation of the DCA platform.
THE FIRM’S TAKE

The Direction is a much needed development in light of the significant rise in UCC spam over the past few years. TRAI has been continuously engaged in developing measures aimed at curbing UCC, including the development of a Do Not Disturb application, as well as, constant efforts aimed at ensuring compliance with header and content registration requirements. It is pertinent to note that the TCCCPR has preexisting obligations for APs to develop/cause to develop an ecosystem to regulate the delivery of the commercial communications, including the facility to record consents of the subscribers acquired by the senders for sending commercial communication, maintenance of complete and accurate records of the consents and revocation of consent by its subscribers, in furtherance of which the consent records will be updated. Further, it is also the obligation of APs to ensure that no commercial communication is made to any recipient, except as per the preferences or digitally registered consents registered in accordance with the TCCCPR. Accordingly, this Direction will be a step further in providing APs with the ability to verify such consents and will be extremely beneficial for subscribers at large.

The Direction will be implemented phasewise, with the first phase pertaining to only subscriber-initiated consent acquisition and subsequent steps will include PE initiated consent acquisition as well.

PRACTICE CONTACTS

Ameet Datta is a Partner at Saikrishna & Associates. He is an IP litigator and TMT lawyer with over 22 years of experience and wide ranging expertise across IP Law, Technology law, privacy and data protection law, white collar crime cases around data breaches, and, media & entertainment law specifically in relation to licensing, content aggregation & acquisition, film & music production, distribution/ licensing, format rights, defamation and right of publicity. Ameet has extensive experience with the creative sector in terms of multiple litigations including licensing disputes before the Courts & the Copyright Board. Ameet is closely involved with Copyright laws, Technology regulations and policy matters. In 2010, Ameet appeared as an expert WITNESS before the Indian Parliamentary Standing Committee overseeing amendments to the Copyright Act, 1957. Ameet has been highly ranked as a recommended lawyer for IP Litigation, and, telecoms, media & entertainment by Chambers & Partners (Asia Pacific), WTR- 1000; as a recommended lawyer for IP litigation by Legal 500, and recommended as an IP Star by MIP

Suvarna Mandal is a Partner at Saikrishna & Associates. She has nearly a decade of experience in providing trade & regulatory compliance advice to domestic and international clients for understanding and complying with a wide range of national, state as well as sector-specific legislations and regulations in the spheres of telecommunications, technology law, consumer law, environmental law, product compliance and safety regulations (including packaging standards, labels and safety standards), data protection and privacy, media law, advertising regulations, etc. She provides end-to-end compliance counselling to clients across various industries and sectors such as software services, consumer electronics, technology, telecom, media, intermediaries, e-commerce, online value-added services sectors, consumer goods and medical devices. Suvarna also works closely with clients’ Government Affairs team to prepare strategic policy documents, representations and formal communications towards policy development and policy reform efforts with the Government.

About Lex Witness

Lex Witness Bureau

The LW Bureau is a seasoned mix of legal correspondents, authors and analysts who bring together a very well researched set of articles for your mighty readership. These articles are not necessarily the views of the Bureau itself but prove to be thought provoking and lead to discussions amongst all of us. Have an interesting read through.

Related Articles

The Legal Luminary and Visionary Leader Who Shaped Andhra Pradesh’s Future

The Legal Luminary and Visionary Leader Who Shaped Andhra Pradesh’s Future

Lex Witness Bureau

Readers’ Feedback – May 2025

Readers’ Feedback – May 2025

Lex Witness Bureau

GC’s are often involved in Shaping Corporate Culture, Ethics, and Governance, Aligning Legal Objectives with Broader Business Goals

GC’s are often involved in Shaping Corporate Culture, Ethics, and Governance, Aligning Legal Objectives with Broader Business Goals

Lex Witness Bureau

Latest Edition

May 2025

Subscribe Us

Advertisement

About Witness

For over 10 years, since its inception in 2009 as a monthly, Lex Witness has become India’s most credible platform for the legal luminaries to opine, comment and share their views. more...

The Lex Witness Summits Legacy

The Grand Masters - A Corporate Counsel Legal Best Practices Summit Series

www.grandmasters.in | 8 Years & Counting

The Real Estate & Construction Legal Summit

www.rcls.in | 8 Years & Counting

The Information Technology Legal Summit

www.itlegalsummit.com | 8 Years & Counting

The Banking & Finance Legal Summit

www.bfls.in | 8 Years & Counting

The Media, Advertising and Entertainment Legal Summit

www.maels.in | 8 Years & Counting

The Pharma Legal & Compliance Summit

www.plcs.co.in | 8 Years & Counting

Explore Further!

We at Lex Witness strategically assist firms in reaching out to the relevant audience sets through various knowledge sharing initiatives. Here are some more info decks for you to know us better.

Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved