The year 2018 witnessed some significant developments for the TMT sector in India with some key changes to the personal data regime, e-commerce guidelines, drone regulations, commercial communications framework etc. This update summarizes some of the major developments in the past year and gives a brief overview of what can be expected in 2019.


The year 2018 saw monumental changes in the regulation of personal data of Indian citizens.  The Supreme Court's ruling in Justice K.S. Puttaswamy v. Union of India (Aadhaar Judgement), substantially curtailed the involvement of the private sector in the Aadhaar ecosystem and the first draft of the long-awaited Personal Data Protection Bill, 2018, promises to overhaul our personal data protection regime.  Data localisation requirements were introduced by the Reserve Bank of India with respect to payment systems.

2018 also witnessed the introduction of much-needed regulations for drones, in alignment with the Government of India's stated aim of putting the country on the path to becoming a leader in this sector.  In the e-commerce space, the year closed out with the introduction of new requirements with respect to FDI in e-commerce entities.

Several new developments in the telecommunications space, such as the Telecom Commercial Communications Customer Preference Regulations, 2018, and the National Digital Communications Policy along with the amendments to telecom licenses pursuant to it, will enable consumers to take advantage of a modern telecommunications infrastructure that puts them front and centre as a priority.  2018 also saw the implementation of the regime for Mandatory Testing and Certification of Telecom Equipment, with a view to unify testing and certification processes that were required by different regulators.


1.  Payments

(a)  Storage of Payment Data

The Reserve Bank of India (RBI) issued a notification in April 2018, directing payment system providers to ensure that the entire data relating to payment systems operated by them is stored in a system only in India.  The payment system providers were directed to ensure that all their service providers, intermediaries, vendors and all other entities in the payment ecosystem comply with this requirement to localise data.  This was done with the view to ensure unfettered supervisory access and monitoring of payments data.

(b)  Guidelines for Interoperability of Prepaid Payment Instruments (PPIs)

In its Master Directions on Issuance and Operation of Prepaid Payment Instruments (Master Directions), the RBI put in place a three-phase road-map to enable interoperability of all KYC- compliant PPIs.  To this end, on 16 October 2018 the RBI came out with Guidelines for Interoperability of PPIs (InteroperabilityGuidelines).  Interoperability allows a payment system to be used in conjunction with others.  PPI issuers who wish to participate in such an environment are required to comply with these guidelines, in addition to the requirements in the Master Directions.

2.  Technology

(a)  The Draft Personal Data Protection Bill, 2018

On 27 July 2018, the committee of experts set up by the Ministry of Electronics and Information Technology (Meity) and headed by the Justice BN Srikrishna submitted its recommendations to the Meity along with a Personal Data Protection Bill (Draft Bill).  The Draft Bill establishes a fiduciary relationship between the users (Data Fiduciaries) and providers of personal data (Data Principals) based on fair and reasonable processing and accountability.  It creates various categories of personal data and lays down the lawful grounds for processing it.

The Draft Bill provides for the rights of Data Principals in the processing of their personal data and introduces data localisation.  Further, the Draft Bill sets up the Data Protection Authority as the regulator charged with adjudication, enforcement and the power to make regulations.  The Daft Bill also creates criminal offences relating to the use of personal data and prescribes hefty fines for Data Fiduciaries violating its provisions.  (b)  Requirements for Operation of Civil Remotely Piloted Aircraft Systems (Drone Regulations)

The Ministry of Civil Aviation has, through the Directorate General of Civil Aviation (DGCA), released the Requirements for Operation of Civil Remotely Piloted Aircraft Systems (Drone Regulations 1.0).  Under these Regulations, the Government of India aims to permit, with appropriate safeguards, the commercial application of various civil Remotely Piloted Aircraft Systems (RPAS).  The Drone Regulations 1.0 create categories of civil RPAs and regulate those categories differently.  The Drone Regulations 1.0 also put in place a no-permit-no-take off regime where the RPAS must obtain specific clearances prior to take off. (c)  The DIPP's Press Note 2 of 2018 (FDI in E-Commerce)

Amid significant backlash from various trader associations and allegations of illegal business models in the e-commerce sector, the Department of Industrial Policy and Promotion (DIPP) issued Press Note 2 on 26 December 2018, seeking to plug certain loopholes in the existing FDI policy for e-commerce.  This was closely followed by a clarification on 3 January 2019, outlining some of its policy objectives and responding to media criticism.  Key requirements of Press Note 2 include:

-  Equity participation: Marketplace entities are prohibited from selling products of sellers in which such marketplace entities or their group companies have an equity interest.

-  Inventory ownership and control: In addition to the existing restriction preventing marketplace entities from owning inventory, the policy now also prevents such marketplace entities from having any control over such inventory.  If more than 25% of a seller's inventory is purchased from a marketplace entity or its group companies then such marketplace entity will be deemed to have control over the inventory sold by such seller.

-  Level playing field for all sellers: Services provided by marketplace entities (such as warehousing, logistics, order fulfilment, advertising, marketing, payments, financing, etc.) are now to be provided on an arm's length basis and in a fair and non-discriminatory manner to all sellers.

The above requirements come into effect from 1 February 2019.  E-commerce marketplaces are required to submit to the Reserve Bank of India a compliance certificate, together with a report of its statutory auditor, by 30 September of each year evidencing compliance with these requirements for the preceding financial year.

(d)  Aadhaar Judgement

On 26 September 2018, a five-judge bench of the Supreme Court issued their verdict in respect of the challenge on the Aadhaar project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act).  The bench, by a 4:1 margin, upheld the constitutional validity of the Aadhaar Act and the requirement to link the Aadhaar Number with the national tax identity number - the PAN.  While upholding the constitutional validity of the Aadhaar Act in the judgement, the Supreme Court has read down provisions of the Aadhaar Act to place limitation on the use of Aadhaar authentication by private parties under a contract.  It has also struck down the mandatory requirement of linking the Aadhaar Number with bank accounts and mobile numbers. 

3.  Telecommunications

(a) The Telecom Commercial Communications Customer Preference Regulations, 2018

The Telecom Commercial Communications Customer Preference Regulations, 2018 (2018 Regulations) issued by the Telecom Regulatory Authority of India (TRAI) provide a revised regulatory framework aimed at regulating 'unsolicited commercial communication' (UCC) in India.  The 2018 Regulations are intended to take effect in a phased manner over a period of 150 days from 19 July 2018 and will replace the Telecom Commercial Communications Customer Preference Regulations, 2010 (2010 Regulations).

The 2018 Regulations provide for a wide range of customer preferences which are to be implemented in near real time using Distributed Ledger Technology (DLT) to make communications traceable and capable of being controlled effectively.  They also provide for the use of cloud-based solutions for handling complaints, the registration of headers and preferences, and use of smart contracts for automated allocation of roles between entities in the commercial communication ecosystem.

(b)  National Digital Communications Policy (NDCP)

The Union Cabinet approved the new digital communications policy (NDCP) on 26 September 2018.  The NDCP will replace the National Telecom Policy 2012 and will be implemented over the next one year.  While the earlier National Telecom Policies focused largely on providing affordable and quality telecommunication services in rural and remote areas, the NDCP aims to ensure greater access to digital services.  It has re-affirmed the government's goal to move towards convergence by proposing to de-link the network layer from the service layer for the purpose of licenses, providing a conducive regulatory framework for over-the-top services and simplifying spectrum availability and management.  The NDCP also aims to promote business and emerging technologies like artificial intelligence, internet of things and smart networks.

(c)  Internet Telephony Amendment and Guidelines for Grant of Unified License (VNO)

With a view to facilitate convergence of digital and telecommunication networks as outlined under the NDCP, the Department of Telecommunications (DoT) has introduced internet telephony as a service under the unified license.  The internet telephony amendments allow telecom service providers (TSPs) to provide internet telephony services to their subscribers.  These services are de-linked from the network of the TSP and can be provided over the network of any other TSP.

The DoT has also issued revised guidelines for the grant of Unified License in the Virtual Network Operator category (UL (VNO) Guidelines).  The UL(VNO) Guidelines provide for resale of telecom services by virtual network operators provided over the network infrastructure owned by TSPs or network service operators.  These guidelines also prescribe the licensing and financial terms associated with the UL (VNO) license. 

(d)  Net Neutrality Amendment

The DoT amended the Unified Access Service License and Cellular Mobile Telephone Service Licenses to incorporate TRAI's recommendations on net neutrality in the license terms.  Under these amendments, a TSP providing internet access services cannot engage in discriminatory treatment of any content that is traversing its network.

(e)  Mandatory Testing and Certification of Telecom Equipment (MTCTE)

The Indian Telegraph Rules, 1951 (Telegraph Rules) through a recent amendment provided that any telecom equipment which is used or capable of being used with any licensed telecommunication network must undergo prior mandatory testing and certification in respect of parameters as determined by the DoT.  This process is the newly notified MTCTE, administered by the Telecommunications Engineering Centre (TEC) under the Ministry of Communications.  The final MTCTE Procedure is undergoing revisions considering clarifications that have been sought from the TEC.


The Central Government has introduced the Personal Data Protection Bill in the Parliament.  The government has also introduced an amendment to the Aadhaar Bill to rationalise the legislative framework pursuant to the Aadhaar Judgment.  The new draft Information Technology (Intermediaries Guidelines) (Amendment) Rules, 2018 propose new restrictions and obligations for intermediaries with respect to unlawful content and law enforcement.

The Central Government is also expected to issue updated Drone Regulations (Drone Regulations 2.0) in 2019.  These are expected to introduce drone corridors and ports and permit 100% FDI under the automatic route, establishment of a directorate for drones and automatic air traffic management.

On 28 August 2018, the Central Government came out with draft amendments to the Drugs and Cosmetics Rules 1945, to enable and regulate e-pharmacies in India.  They propose to put in place a regime whereby persons who wish to sell drugs through an e-pharmacy portal may do so only after obtaining a registration and fulfilling certain compliances.