Introduction
New data protection law
Intermediary platform regulations to be tested
Recurring themes of data sovereignty
More curbs on payment data storage
In 2021, there were a number of regulatory developments, some expected and some surprising, that will shape the Indian digital business ecosystem in interesting ways. The covid-19 pandemic continued to spur digitalisation of businesses, which in turn spurred regulators into taking a keener interest in the technology, media and communications space. Some major regulatory changes are expected in 2022 – this article offers a roundup of which ones to look out for.
On 16 December 2021, a Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill 2019 presented its report on the draft bill before both houses of the Indian Parliament. The report comprises the JPC's recommendations and changes to be made to the draft bill and general data protection framework in India. The JPC's report will lead to a number of consequential changes in the data privacy law, not least adding to it elements of "non-personal" data protection. The new draft data protection law was expected to be passed – with these changes – in early 2022 (for further details please see "Indian data protection law – one step closer with new Parliament committee report").(1)
While the draft law has not been placed before Parliament for debate yet, the situation may progress during the course of 2022.
Intermediary platform regulations to be tested
Amendments to Indian intermediary protection regulations were notified in May 2021. These amendments brought about significant changes, such as requiring:
- on-soil presence in India for large social media intermediaries;
- proactive monitoring of content; and
- the regulation of online content curators and online news providers by specifying "codes of conduct".
The new rules have been controversial, and Indian courts have put certain aspects of it on hold. 2022 will bring more instances where the government and the online content industry will test the enforcement of these rules.
In 2022, the medium- to long-term on-the-ground impact of new IT rules will be tested. Indian courts will finally rule on the legality of certain measures. The year will also show how strictly the Indian government intends to enforce these rules, particularly with politically sensitive state elections, which are scheduled for early 2022.
Recurring themes of data sovereignty
A common thread in the Indian government's new and proposed rules on data protection, blockchain and intermediary liability (among other things) is the assertion of India's sovereignty over Indian data. On the one hand, this will lead (and has led) to data localisation rules that prevent non-Indian players from collecting, storing or monetising people's data. This regulatory outlook also translates into giving the Indian government wide powers to access data present in India for law enforcement purposes. A tricky issue arises when the data in question is not of Indian data subjects. In such cases, these data access rights have to be calibrated to deal with, for example, EU subjects' data. Since the July 2020 Schrems II ruling, European and other overseas players have had to conduct data protection impact assessments to determine if the rights of EU data subjects are adequately protected under Indian regulations.
During 2022, the need to reconcile the government's data access powers will again become relevant when the final version of the data privacy law is notified, and/or when the courts rule on the rights accorded to EU data subjects.
More curbs on payment data storage
With India's payment ecosystem growing exponentially in the past decade, concerns about payment-related frauds and data theft have come to the forefront. The Reserve Bank of India (RBI) has, in the past, introduced several new measures – such as payment data localisation measures since 2018 – in an effort to protect end-users.
In 2021, the RBI also mandated the purging of credit card data by entities in the payment transaction chain. The intention was to have payment system participants transition to tokenisation of card details from 1 January 2022 (for further details please see "RBI introduces new data protection requirements"). After an industry-wide pushback, the RBI relented and the deadline for purging card-on-file data was extended by six months, until 30 June 2022. While this provides some respite, it remains to be seen if tokenisation is a viable solution for the Indian payments ecosystem
In July 2022, the ban on storing credit card data on file will come into force, which has left players scrambling to put in place alternate solutions.
For further information on this topic please contact Vikram Jeet Singh or Kalindhi Bhatia at BTG Legal by telephone (+91 22 6177 2900) or email ([email protected] or [email protected]). The BTG Legal website can be accessed at www.btg-legal.com.
Endnote
(1) Further information on the key recommendations made by the JPC and their consequent impact is available here.