Finance Minister Nirmala Sitharaman had indicated in her budget speech that technology and digitisation will play a crucial role in achieving the $5 trillion milestone by 2024. According to a new report by the Internet and Mobile Association of India (IAMAI), data governance, cybersecurity, encryption and surveillance, cloud computing, AI, and the Internet of Things should be the policy focus areas.
Reconsidering data localisation norms, encouraging a free flow of data across borders, and simplifying KYC norms for digital payments are among the IAMAI’s 70 recommendations for a policy on digital technology. These recommendations will serve as guiding principles for the government, regulators and other stakeholders while developing the digital technology policy in India, the IAMAI said. Ikigai Law authored the report.
The key recommendations have been summarised below:
1. On digital connectivity infrastructure
Recommendation 1: Prioritise the implementation of National Digital Communication Policy’s (NDCP) goals and key recommendations. It recommends development of “regulatory frameworks and incentives for promoting the establishment of international data centres, content delivery networks and independent interconnect exchanges in India”. It also emphasises the creation of enabling infrastructure for the convergence of IT, telecommunications and broadcasting services.
Recommendation 2: Ease licensing and regulatory requirements for telecommunication services: The government should focus on boosting foreign investment and should facilitate the development of next-generation technologies. These reforms should allow companies that are not traditionally licensed telecom players to participate in the provision of telecom services.
Recommendation 3: Improve the efficiency of implementing agencies such as Bharat Broadband Network Limited as this could potentially act as a decisive factor in realising the vision for universal broadband coverage and other similar goals.
2. On the mobile device ecosystem
Recommendation 4: Align various regulations governing the mobile device ecosystem. The government should institute a single-window compliance mechanism for the registration and testing of mobile devices to be sold in India as this will facilitate the ease of doing business for both sellers and manufacturers.
Recommendation 5: Simplify product testing and certification requirements for imported products, as India’s current process is expensive and time-consuming for importers and manufacturers. These processes are also redundant for devices being imported from countries such as the US, that already have strict standards for exported products.
Recommendation 6: Create an export-focused electronics manufacturing hub in India. The government must implement the National Electronics Policy’s recommendations for the creation of a globally competitive domestic electronics manufacturing hub in India on a priority basis.
3. On digital literacy and consumer awareness
Recommendation 7: Implement a national digital literacy strategy that integrates the needs of various stakeholders, covers multiple skill clusters and disseminates information at various levels. This strategy must also include a focus on the value to the users and encourage them to go digital. The digital literacy program, if implemented effectively, will ensure that there is awareness and protection of consumer rights.
Recommendation 8: Approach digital literacy in a holistic manner: The requirements of different demographic groups, the urban-rural divide, the end use of the digital medium, and the impact on employability are factors that should be considered.
Recommendation 9: Address lack of awareness regarding grievance redressal procedures. Also, government and regulatory bodies should encourage public-private partnerships to create more awareness on the routes for grievance redressal to address this problem.
4. On data governance
Recommendation 10: Harmonise the data governance frameworks under different instruments. All government policies on data governance should be harmonised in keeping with the frameworks suggested by the Srikrishna committee and the Personal Data Protection Bill, as these will serve as the basis for the national law on data protection.
Recommendation 11: Reconsider the imposition of data localisation, as there are a number of concerns for operationalising it. The storage of the country’s critical data within India is vulnerable to cyber-attacks, foreign surveillance, and other threats. Alternatively, an incentive framework should be created to incentivise a voluntary shift to storage on local data servers in India in the long term, without disrupting ease of doing business in the country.
- What other countries are doing: A study by the Leviathan Security Group has found that for many countries that are considering or have considered mandatory data localisation laws, local companies would be required to pay 30-60% more for their computing needs than if they could go outside the country’s borders.
Recommendation 12: Redesign notice and consent frameworks for the digital age as such frameworks lead to consent fatigue and a lack of informed consent, impair the development of new technologies, and do not safeguard data principals’ rights. Therefore, accountability-based models should be adopted. Such frameworks should also ensure that the control over data remains with the data principal and is not passed on to the data processor.
Recommendation 13: Encourage free flow of data across borders to ensure that Indian companies have access to the best cloud service platforms, big data analysis tools, and other emerging technologies from around the world. Focus on strengthening inter-governmental cooperation arrangements and Mutual Legal Assistance Treaties to facilitate cross-border flows of data. Additionally, focus on alternate measures (including bilateral agreements and adequacy arrangements) to address concerns relating to the transfer of data.
Recommendation 14: Remove criminal penalties from the PDP bill, because such penalties are harsh and disproportionate, particularly since the civil penalties themselves function as effective deterrents against data breaches and other violations of the PDP Bill. These criminal penalties would also disincentivise small and medium-sized enterprises from participating in the digital economy.
Recommendation 15: The definition of the term ‘child’ under the PDP Bill should be amended, such that the parental consent requirements for children are equivalent to laws such as the European Union’s General Data Protection Regulation (GDPR), where parental consent is only required for children below the age of 16 years.
Recommendation 16: Revise the classification of data under the Personal Data Protection Bill, 2018 to exclude indirectly identifiable data from the ambit of ‘personal data’. Moreover, ‘indirectly identifiable data’ may also be read to include pseudonymised data, which would then qualify as personal data; this should be rectified.
Recommendation 17: Remove financial data (such as bank numbers or UPI handles) from the ambit of Sensitive Personal Data (SPD), since they cannot be abused to the detriment of the data principal. On the contrary, only data related to second-factor authentication may be made SPD.
5. On Cybersecurity
Recommendation 18: Formulate implementation strategies for the National Cyber Security Policy 2013, which will boost the development of India’s cybersecurity framework.
Recommendation 19: Encourage private sector participation in the formulation of cybersecurity policies. Given the dynamic nature of cyber threats that create vulnerabilities and opportunities for disruption from a variety of sources, the lack of private sector participation in formulating policies thwarts the adoption of innovative and nimble solutions to combat cyber threats.
Recommendation 20: Strengthen regulatory accountability frameworks applicable to the CERT-In, by mandating and enforcing standard response procedures in response to cybersecurity incidents. The government can also limit the discretion granted to intelligence agencies for accessing personal data by permitting such access requests only if they are required for a specific purpose under statutory authority, as is practiced in the UK.
Recommendation 21: Arrest the rise in cybersecurity breaches and enact a robust cybersecurity law that will help address these breaches and ensure the better implementation of cybersecurity protocols.
Recommendation 22: Reconsider data localisation requirements under the PDP Bill as storing data across several jurisdictions keeps it more secure and helps in data recovery in case of disasters. Also, the data localisation framework must consider unintended consequences such as the exacerbation of cybersecurity threats.
Recommendation 23: Promote more resilient authentication processes such as risk-based authentication (“RBA”) or multi-factor authentication (“MFA”) over two-factor authentication (“2FA”). Under RBA, additional factors of authentication are solicited if the risk score is deemed to be high; RBA is therefore more flexible, contextualised and robust compared to 2FA or MFA.
6. On encryption and surveillance:
Recommendation 24: Align the various laws governing cybersecurity, encryption, and surveillance to address overlaps and conflicts. It will also balance individual privacy, business interests, and law enforcement objectives.
Recommendation 25: Adopt leading industry standards for encryption in place of the standards currently prescribed under Indian law, as they do not adequately secure information.
Recommendation 26: Prescribe narrow and tailored grounds for decryption that balance law enforcement imperatives with individual privacy. The Telegraph Act, the PDP Bill, and the IT Act have broad grounds for issuing interception and surveillance orders. Terms such as ‘to enhance cybersecurity’, ‘interest of public safety’, and ‘detrimental to interests of data principals’ under the IT Act, Telegraph Act, and PDP Bill respectively, are broad. It is unclear whether decryption keys fall under the definition of passwords under the PDP Bill or not.
Recommendation 27: Introduce legislative or judicial oversight over government surveillance to safeguard privacy and align Indian law with global best practices.
Recommendation 28: Disclose law enforcement requests to impacted persons in the interests of government transparency and individual privacy.
Recommendation 29: Retain end-to-end encryption and do not institute encryption backdoors. While end-to-end encryption enables the freedom of expression and privacy of individuals, backdoors create cybersecurity vulnerabilities that may be exploited by hackers and attackers.
Recommendation 30: Permit bulk encryption as it provides a high degree of data and cybersecurity, and a ban on bulk encryption increases business costs.
Recommendation 31: Promote more resilient authentication processes such as risk-based or multi-factor authentication to enhance transactional security.
7. On regulating cloud service providers:
Recommendation 32: Allow cross border data flows as these are integral to the business models of global cloud service providers, ensuring data security, and access to innovative cloud computing services for Indian businesses.
Recommendation 33: Ease the regulatory burden on Cloud Service Providers (CSPs) and implement light-touch regulation.
Recommendation 34: Govern CSPs under the ambit of MeitY and ensure regulatory consistency by ensuring that they are regulated only under India’s IT laws, and not as a telecommunications service.
Recommendation 35: Allow CSPs to build and light their own fibre and establish captive fibre networks. This will enable CSPs to improve their service offerings in India, which in turn will benefit Indian consumers.
8. On emerging technologies: IoT & AI
Recommendation 36: Design data governance frameworks that are well-suited for emerging technologies, re-visit traditional notice and consent models, purpose limitation mandates, and data localisation, while also addressing privacy concerns.
8.1 Internet of Things (IoT):
Recommendation 37: Introduce device-specific certification standards for IoT devices depending on their functionality, security concerns, and data collection capabilities. For technologies that use facial recognition to track management and attendance of a group, obtaining the consent of hundreds of individuals simultaneously will be impracticable. Therefore, some degree of flexibility in the standards of notice and consent imposed on IoT service providers is needed. IoT developers and service providers may have to coordinate with the Data Protection Authority proposed to be established under the PDP Bill to develop practical guidelines to work around these issues.
Recommendation 38: Revise purpose limitation requirements for IoT devices as it is difficult to limit the purpose for which personal data may be used in the future in the case of IoT ecosystems. These purposes continue to evolve with the evolving functionality of IoT devices.
Recommendation 39: Introduce device-specific certification standards because this will also allow devices such as IoT enabled smartphones to have different certification requirements compared to IoT enabled smart-bulbs, which have entirely different functionalities.
Recommendation 40: Encourage adoption of IoT within the government. A standardised module of training for government officials should be prepared and tested on a pilot basis and be rolled out on a large scale if it is successful.
Recommendation 41: Promote consumer awareness and make them aware of the various benefits that IoT devices can bring to their lives in terms of convenience, energy conservation, and lower costs.
Recommendation 42: Recognise global best practices for IoT devices.
8.2 Artificial Intelligence:
Recommendation 43: Develop an implementation roadmap that tailors the broad-based recommendations of the AI National Strategy for different sectors to ensure their practical applicability.
Recommendation 44: Revise purpose limitation requirements for AI. The revisions to the purpose limitation requirements for IoT service providers should be made applicable to AI service providers as well.
Recommendation 45: Discuss patent frameworks for AI algorithms, which are exempted from patentability under current Indian law. Reforming this position will enable AI development and prevent intellectual property theft related to AI.
Recommendation 46: Address privacy concerns associated with AI. However, this may conflict with existing privacy laws, the proposals of the PDP Bill, and individual privacy and freedoms including speech and assembly.
Recommendation 47: Introduce AI in government offices to ensure that there is a sense of ownership and accountability in the use of AI technology in these departments and instill a sense of trust and comfort with this technology. It would also help overcome resource constraints.
9. On Digital Payments
Recommendation 48: Lower regulatory barriers to entry for new businesses by narrowly defining payment systems and regulating technology service providers differently from payment systems.
Recommendation 49: Adopt industry-led standards for non-systemically important payment systems that do not pose a threat to the financial market infrastructure to ease costs and increase flexibility in operations for new businesses.
Recommendation 50: Ease eligibility criteria for the Reserve Bank of India’s regulatory sandbox framework. This will allow more mature start-ups and licensed payment systems to participate in the sandbox environment.
Recommendation 51: Relax additional factor authentication requirements for recurring transactions, in order to promote subscription-based businesses.
Recommendation 52: Simplify KYC norms for pre-paid instruments, which currently require the same level of KYC as banks. The RBI must allow simpler and digital KYC processes to incentivise PPI issuers to promote PPI as a viable payment option. It must also reduce the level of KYC required to issue semi-closed PPIs. Simplifying KYC norms will also drive interoperability between PPIs.
Recommendation 53: Implement security by design principles that adhere to global norms for information and network security protocols to ensure robust cybersecurity in critical national financial infrastructure.
Recommendation 54: Encourage the adoption of digital payments by introducing tangible benefits including tax incentives and dis-incentivise cash transactions to reduce India’s dependence on cash.
Recommendation 55: Create better customer protection frameworks that will lead to better customer trust in innovative finance products by promoting multi-lingual financial literacy and a robust grievance redressal machinery.
Recommendation 56: Create an independent and transparent supervisory board for regulating payment systems to foster competition, consumer trust, and stability in the payments sector. Also, in order to avoid overlapping regulatory oversight, RBI must nominate a certain percentage of the board members to the payment regulatory board (PRB).
Recommendation 57: Promote interoperability between digital payments’ interfaces by giving impetus to the RBI’s Prepaid Payment Instruments (PPIs) – Guidelines for Interoperability.
Recommendation 58: Reform the National Payments Corporation of India (NPCI) to resolve the conflict of interest it faces as a participant in the digital payments’ space as well as a rule-making body for UPI in India. Further, the government may explore regulatory checks on NPCI or introduce measures to enhance the transparency in the working of the NPCI to address any concerns around NPCI’s neutrality.
Recommendation 59: Enhance industry participation to realise the RBI’s vision for digital payments for the period 2019-2021.
10. On platform regulation: Intermediary Liability
Recommendation 60: Preserve safe harbour protection for internet intermediaries, as they are crucial for innovation and entrepreneurship, and the freedom of expression of Indian citizens. Therefore, the existing safe harbour protection under Section 79 of the IT Act must be strengthened. Additionally, the Draft Intermediary Guidelines should not be implemented in their present form as they impose a number of onerous obligations on intermediaries.
Recommendation 61: Do not introduce pro-active content monitoring requirements for internet intermediaries as they contravene the directions of the Supreme Court, and may lead to intermediaries censoring legal content and deploying opaque, automated content filters, all of which harms free speech. Also, the Draft Intermediary Guidelines must be revisited.
Recommendation 62: Do not mandate intermediaries to set up registered offices in India as these are strategic business decisions best left to market forces. The Draft Intermediary Guidelines require certain intermediaries to have a registered office in India; however, this will increase operational cost. Moreover, while facing increased compliance costs, companies may altogether cease to offer their services in India, harming Indian consumers and businesses.
Recommendation 63: Do not regulate content on online platforms as the Information Technology Act, 2000 and rules framed under it are sufficiently equipped to deal with the regulation of online content. The online platforms should be allowed to function within the bounds of the IT Act and its frameworks, as well as supplementary self-regulatory/co-regulatory models.
11. On evolving issues such as Competition Law and digital taxation
11.1 Competition law:
Recommendation 64: Incentivise participation of experts in the think tank and invest in capacity building. The Competition Commission of India (CCI) should also encourage internal capacity building in collaboration with industry stakeholders so that persons remain up to date with the developments on the technology landscape.
Recommendation 65: Increase transparency in internal processes of the CCI, the think tank and other committees constituted. In addition, the CCI should ensure that stakeholder consultations on key issues take place.
Recommendation 66: Update the Competition Act, 2002 to address issues of a growing digital economy and innovative business models, such as virtual market places. The Act still pegs the definition of a ‘market’ to its geographical or product market, which may not be suited to the e-commerce market space where physical presence is not a pre-requisite for doing business. The CCI instituted the Review Committee (RC) to propose amendments to the Act, but no recommendations have been given yet. Therefore, it is recommended that the RC be directed to submit its report at the earliest.
Recommendation 67: Consider the introduction of settlement proceedings in line with global best practices to ensure the swifter resolution of disputes, and customised remedies for each case. The government should consider introducing settlement proceedings within the framework of the Competition Act.
11.2 Digital Taxation:
Recommendation 68: Apply new rules affecting taxation prospectively and clarify that they have no bearing on ongoing assessments or appellate proceedings.
Recommendation 69: Adopt a balanced approach to amending India’s tax framework based on in-depth consultation with all stakeholders, as these amendments will replace long-settled international norms, and have ripple effects throughout the Indian economy.
Recommendation 70: Honour existing Advance Pricing Agreements (APA) that the Central Board of Direct Taxes (CBDT) has entered into with numerous taxpayers. These APAs relating to marketing activities performed by Indian entities have addressed the attribution risks for non-residents. Therefore, an exception should be carved out for non-residents already covered by the APA program.
Please find the link to IAMAI’s website: https://www.iamai.in/