India: Technology

The In-House Lawyer Logo

This country-specific Q&A provides an overview to technology laws and regulations that may occur in the India.

It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.

This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology

  1. Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?

    Communications networks and services are regulated in India. The Indian Telegraph Act, 1885 (the “Telegraph Act”) and the Indian Wireless Telegraphy Act, 1933 (the “Wireless Telegraphy Act”), provide a framework for the Government to issue licenses to telecommunication service providers. The Telegraph Act defines “telegraph” in so broad a manner as to include most modern communication devices, irrespective of the underlying technology. Accordingly, the Ministry of Communications, which forms part of the Central Government, is empowered to manage, license and regulate all matters relating to telecommunications and networks. There are several Departments, which are either a part of or under the control of, the said Ministry, each responsible for carrying out a given function, as follows:

    a. Telecommunications Commission: This is a high-level body represented by various Union Ministers and high-ranking bureaucrats. This body is responsible for policy formulation, implementation of Government's policy in all matters concerning telecommunication, and working with foreign governments towards better cooperation.

    b. Department of Telecommunications (“DoT”): This body is empowered under the Telegraph Act and the Wireless Telegraphy Act to grant licenses for telecommunications services and telecommunications infrastructure. The DoT also oversees 2 specialised departments, namely; (i) Wireless Planning and Coordination Wing (responsible for planning, regulating, and managing the limited resources of radio frequency spectrum and associated satellite orbits, licensing of wireless stations in the country under the Telegraph Act and the Wireless Telegraphy Act); and (ii) Telecommunication Engineering Centre (responsible for driving telecom standards, manufacturing support and network building skill sets). The types of licenses/ registration granted by the DoT in relation to telecommunication services are:

    • Unified license – an umbrella license for all forms of telecommunications services (including basic telephony, carrier service, national long distance service, international long distance service, access service, cellular telephony, internet service, and satellite phones, among others).
    • License for voice mail/audiotex/ unified messaging services.
    • Other service provider (“OSP”) registration (including for call centre services).

    c. Telecom Regulatory Authority of India (“TRAI”): This is a body created by the Telecom Regulatory Authority of India, 1997 (“TRAI Act”), and performs 2 primary functions: (i) make recommendations to the DoT relating to licensing policy and terms; and (ii) regulatory functions. In its regulatory capacity, the TRAI is empowered to monitor and ensure compliance with the terms and conditions of license, fix telecommunications tariffs (including minimum and maximum consumer charges, as well as interconnecting charges between service providers) and terms of interconnectivity between service providers, and ensure technical compatibility and effective interconnection between service providers. In exercising such powers, the TRAI is empowered to initiate inquiries, as and when necessary, against any service provider.

    d. Telecom Dispute Settlement Appellate Tribunal (“TDSAT”): The TDSAT is a quasi-judicial body created under the TRAI Act, and is the authority responsible for adjudicating upon telecommunications-related disputes.

    In addition to the above, the Ministry of Electronics and Information Technology, is the primary governing and regulatory body under the Information Technology Act, 2000 (the “IT Act”). Since the passing of the Information Technology (Amendment) Act, 2008, the scope of the IT Act has been expanded to telecommunication service providers. Pursuant to the said Amendment, telecommunications devices, such as mobile phones, are classified as “communications devices” and telecommunication services, such as services provided through the use of satellite, wire, wireless, terrestrial line or other communication media, are classified as “computer network”, which are subject to the provisions of the IT Act. Further, telecom service providers are classified as “intermediaries”, and the IT Act, along with the Information Technology (Intermediary Guidelines) Rules, 2011, specifies conditions that need to be fulfilled in order for an intermediary to claim immunity from offences defined under the IT Act.

    Further, the Cable Television Networks (Regulation) Act, 1995 regulates the operation of cable television networks in the country and to operate a cable television network as a cable operator, necessary registration is required under the said Act. Broadcasting services fall under the purview of Ministry of Information and Broadcasting and are mainly controlled under the following regulations and legislations: (i) Prasar Bharti (Broadcasting Corporation of India) Act, 1990; (ii) Sports Broadcasting Signal Act (Mandatory Sharing with Prasar Bharati), 2007; (iii) Policy Guidelines for Uplinking of Television (“TV”) channels; and (iv) Guidelines for Downlinking of TV channels. Specifically, in relation to direct to home (“DTH”) services, Ministry of Information and Broadcasting has issued the “Guidelines for obtaining license for providing DTH broadcasting service in India”. These guidelines, inter alia, prescribe the eligibility criteria, the procedure for obtaining the license to set up and operate DTH services in the country, and the basic terms and conditions/obligations reposed in the operators. It is pertinent to note here that the Ministry of Information and Broadcasting is a separate ministry altogether. However, the TRAI has formulated numerous regulations with regard to broadcasting services, mainly under the broad heads of “interconnection”, “quality of service” and “tariff orders”.

  2. Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?

    As stated in the response to Question 1 above, there are 2 regulatory bodies responsible for telecommunications licensing and regulation, namely the DoT and the TRAI, respectively. It is pertinent to note that private telecommunications service providers operate solely on the basis of a license granted by the Government. The DoT is a government department under the Ministry of Communications, and it cannot be considered independent of government control to any extent. The DoT may solicit the views of the TRAI before making any changes to telecom policy or the standard terms of telecommunications licenses, but is not bound by any such recommendations. The regulation of telecommunication licenses is undertaken by the TRAI, as stated in the response to Question 1 above. It is pertinent to note here that the Supreme Court, the highest court in the country, while deciding on the constitutionality of the National Telecom Policy, 1994, suggested that the TRAI should be an independent body. The aforementioned policy, which allowed for private participation in the telecommunication sector, was held to be valid by the Supreme Court and it further emphasised on the necessity of the independent statutory authority in a deregulated and competitive telecom market that is in place today. Although the TRAI has the independence to appoint senior subject-matter experts in the field, several key officers of the TRAI are appointed by the Government of India, and further, some senior executives of the DoT hold ex officio positions at the TRAI. Further, the Central Government i.e. the DoT has the power to issue directions and formulate rules on various subjects which the TRAI has to abide by. Given that, the TRAI is not a wholly independent regulator.

  3. Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?

    Any entity that seeks to obtain a license / seek registration from DoT must be a company registered under the (Indian) Companies Act, 1956 or Companies Act, 2013. The license agreement executed between the Government of India (DoT) and a service provider in relation to licenses/registrations clearly provides that the licensee must be an entity incorporated in India. The Foreign Direct Investment (“FDI”) policy of India published by the Department of Industrial Policy and Promotion under the Ministry of Commerce and Industry, stipulates the maximum permissible foreign investment in Indian companies in various sectors. As per the currently applicable FDI policy, Indian companies with 100% foreign investment can provide telecommunication or telecom infrastructure service, provided that only the first 49% of foreign investment is under the automatic route (i.e., without the prior approval of Government of India), whereas any additional foreign investment would need prior permission of the concerned administrative department/Ministry. Teleports, DTH, cable networks, mobile TV and Headend-in-the Sky broadcasting services have all been opened up to 100% FDI under the automatic route. However, where there is infusion of fresh foreign investment beyond 49% resulting in a change of ownership or transfer of stake in favour of a new foreign investor, and the Indian company not seeking any license or permission from the Government, such investment will be under the Government approval route. Companies that provide call centre services and require OSP registration are permitted to receive 100% FDI under the automatic route. Companies that publish newspapers and periodicals dealing with news and current affairs can receive up to 26% foreign investment, only with prior Government approval. Companies that are in the business of terrestrial broadcasting network and up-linking of ‘News & Current Affairs’ TV Channels, may have only up to 49% foreign investment, which can be made only with prior Government approval. Further, the license agreement executed between the Government of India and a service provider may contain additional conditions in relation to foreign ownership, investment and control, which the Indian company will need to adhere to.

  4. Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?

    As part of its regulatory functions, the TRAI is tasked with regulating interconnection between telecommunications services providers, including provision of a basic framework for interconnection and ensuring fair charges are imposed on service providers for interconnection. Service providers for telephony, internet and related services, as well as service providers for broadcasting/television related services are required to enter into interconnection agreements with other providers for the same services, and such agreements must be based on a standard model contract published by the TRAI. Further, all such interconnection agreements are required to be registered with the TRAI. The TRAI has issued the Telecommunication Interconnection (Reference Interconnect Offer) Regulations, 2002, along with the Model Reference Interconnect Offer which forms the basis of a Reference Interconnect Offer (RIO) to be published by all telecommunication service providers with “significant market presence”. Further, the Telecommunications Interconnection Usage Charges Regulations, 2003 stipulates a framework for interconnection charges that may be levied by one service provider on another service provider. These Regulations, and various directives issued thereto, specify minimum and maximum charges that may be levied by a service provider. These Regulations also define a service provider as having a ‘significant market presence’ as one who has at least 30% of market share measured by any parameter among subscriber base, revenue, switching capacity and volume of traffic. The Consumer Protection Act, 1986 provides for redressal of complaints by individual consumers of various services, including telecom services, before local, state-level and national-level Consumer Disputes Redressal tribunals. Any complaints relating to service quality and delivery of telecom services may be filed before such tribunals. In addition, the TRAI has issued several Regulations to address specific forms of consumer complaints such as call quality, quality of internet bandwidth, telemarketing, and charges for telecommunications services. Such consumer complaints will be addressed specifically by the “Call Centres” set up by the various service providers. Further, the TDSAT has also been empowered to handle complaints against licensors of telecom resources and telecom service providers relating to quality, metering, interconnection and telecom services. Additionally, every “telemarketer” registered with the TRAI has to adhere to: (i) Telecom Commercial Communications Customer Preference Regulations, 2010; and (ii) the standard agreement entered into telemarketer and access provider. For the sake of clarity, “telemarketer” means a person or legal entity engaged in the activity of transmission of commercial communications and “access providers” include basic telephone service providers, cellular mobile telephone service providers and unified access service providers. Telemarketers have an obligation to not send: (i) any unsolicited commercial communications to a subscriber (consumer) whose telephone number has been registered under the “fully blocked category” (earlier called the “National Do Not Call Register”) of the National Customer Preference Register; and (ii) unsolicited commercial communication relating to categories/topics specifically blocked by a subscriber (consumer) under the “partially blocked” category of the National Customer Preference Register. Under the said Regulations, an “access provider” is required to set up a facility for registration of consumer complaints regarding receipt of unsolicited commercial communications, and such facility can be accessed by the consumer via voice call or SMS.

  5. What legal protections are offered in relation to the creators of computer software?

    Computer software is recognised as a ‘literary work’ under the Copyright Act, 1957. In this manner, any ‘computer programme’ is protected as the copyright of the creator of the software. Under the Patents Act, 1970, as amended by the Patents (Amendment) Act, 2002, a computer programme per se is not patentable. However, any patent application that reveals novelty, inventive step, and industrial applicability in the process associated with development of software applications or the functionality of software applications may be patentable in India. Under the Trade Marks Act, 1999, the name of a software company, its products and taglines can be protected, thus preventing competitors from using similar names. Trademarks protect software brands, but not the software or underlying code itself. While there is no statutory protection for trade secrets in India, the courts have recognised that key business secrets and information can be protected through contracts. Typically, contractual provisions that seek to protect confidentiality and trade secrets, which may include computer software and design, are enforceable during and after the term of the contract.

  6. Are specific intellectual property rights in respect of data/databases recognised?

    The Copyright Act, 1957 defines a ‘literary work’ to include a computer database, which means that a computer database is offered copyright protection under Indian law. In addition to civil and criminal remedies specified under the said Act for infringement of copyright, the said Act provides specific protection to infringement of rights contained in computer programmes and stipulates imprisonment ranging between 7 days to 3 years and monetary penalties ranging between INR 50,000 (approximately US$ 777) to INR 200,000 (approximately US$ 3106) for such infringement. The IT Act provides for civil and criminal remedies against any person who, without due authorisation from the owner of a computer or computer system, downloads copies or extracts any data stored in such computer or computer system. While the IT Act does not create any intellectual property rights in computer data or databases, the owner of such data or databases has an additional remedy in the event of unauthorised access or copying of data.

  7. What key protections exist for personal data?

    Protection of personal data is primarily addressed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). As per the Privacy Rules, the following types of data or information are defined as ‘sensitive personal data or information’: (a) Password; (b) Financial information, including information relating to bank accounts and payment cards (credit and debit cards); (c) Physical, physiological and mental health condition; (d) Sexual orientation; (e) Medical records and history; and (f) Biometric information. “Personal Information” is also defined under the Privacy Rules and means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available, is capable of identifying such person.

    The Privacy Rules state that a body corporate that obtains personal information including sensitive personal data or information has the following obligations:

    1. Publish a privacy policy on its website for handling such information, explaining the types of information collected, means and purpose of collection, usage and disclosure of such information, and the security practices adopted by it;
    2. On request, to review the information provided and ensure that any information found to be inaccurate or deficient is corrected or amended as feasible;
    3. Provide an option to the provider of the information to not to provide the data or information sought to be collected and withdrawal of consent;
    4. Designate a grievance officer;
    5. Ensure that information is used for the purpose for which it was collected; and
    6. Maintain the specified standards of information security to ensure the safety and confidentiality of such information.

    The Privacy Rules state that a body corporate that obtains sensitive personal data or information has the following additional obligations:

    1. Obtain written consent from the provider of such information regarding the purpose of usage prior to collection of information;
    2. Ensure that the collection of information is for a lawful purpose connected with the activity of the body corporate collecting the information and is considered necessary for that purpose;
    3. Retention of information for no longer than is required for the purposes for which such information may lawfully be used or is otherwise required under law;
    4. Disclose of information to third parties only upon obtaining prior consent of the provider of information, unless such disclosure has been agreed to under contract or is in compliance with a legal obligation, and ensure that the third party to whom such information is disclosed shall not disclose it further; and
    5. In the case of transfer of information, require the transferee to maintain the requisite security standards to protect such information.

    Therefore, the Privacy rules impose more stringent obligations while dealing with sensitive personal data or information.

    Apart from the above, personal data can be protected by way of contracts such as nondisclosure agreements. Indian courts have extended protection created by confidentiality contracts or provisions both during and after the term of such contracts.

  8. Are there restrictions on the transfer of personal data overseas?

    As per the Privacy Rules, transfer of sensitive personal data or information is permitted to an entity subject to the following: (a) it is necessary for the performance of the lawful contract between the transferor and the provider of information or where the provider has consented to such data transfer; and (b) the transferee should adhere to the same level of data protection as the transferor.

  9. What is the maximum fine that can be applied for breach of data protection laws?

    The IT Act provides for monetary penalties, to the extent of any actual wrongful loss or wrongful gain incurred, against a person who fails to follow the practices and procedures specified in Question 7 above, in relation to personal information including sensitive personal data or information. Further, if a service provider including an “intermediary”, in the course of performing a contract, discloses an individual’s personal information including sensitive personal data or information without such individual’s consent and in breach of contract, then such service provider may be liable for monetary penalties of up to INR 500,000 (approximately US$ 7,700) and/or imprisonment of up to 3 years. “Intermediary”, as per the IT Act includes a telecom service provider, network service provider, internet service provider, web-hosting service provider, search engine, online payment site, online-auction site, online-market place and cyber cafe. Further, the IT Act lays down penalty for breach of confidentiality and privacy, whereby a service provider is liable for imprisonment for a term extending up to 2 years, and/or with a fine extending to INR 100,000 (approximately US$ 1,500) or with both.

  10. Are there any restrictions applicable to cloud-based services?

    Cloud-based services are covered under the definition of “application services” as part of the terms and conditions issued by DoT for the registration of OSPs. Any entity that seeks to obtain registration as an OSP from the DoT must be a company registered under the (Indian) Companies Act, 1956 or Companies Act, 2013. Further, an OSP does not have the option to switch to telecom services. Since one of the purposes of cloud-based services is storage of information and provision of services thereto, cloud-based services would fall under the purview of the IT Act. Contracts between a cloud services provider and the client/user of such services form the primary basis for providing cloud-based services. The IT Act provides for penalties for beach of data protection laws as specified in the response to Question 9 above. Further, if a service provider of cloud-based services, in the course of performing a contract, discloses an individual’s sensitive personal data or information without such individual’s consent, then such service provider may be liable for penalties as specified in the response to Question 9 above. Further, specified in the response to Question 8 above, transfer of sensitive personal data or information is permitted only to an entity which ensures the same level of protection for such information, as has been discussed in the response to Question 7 above.

  11. Are there specific requirements for the validity of an electronic signature?

    An electronic signature as per the IT Act authenticates an electronic record of a subscriber by following the procedure specified in IT Act. The 2008 Amendment to the IT Act replaced the word “digital” with the word “electronic” in several provisions of the IT Act. The scope of electronic signature is wider in nature; since a digital signature is one of the types of electronic signature. The IT Act also specifies the conditions to be satisfied for an electronic signature to be accepted as authentic and reliable, which are as follows: (i) the signature creation data or the authentication data are linked to the signatory and to no other person; (ii) the signature creation data was, at the time of signing, under the control of the signatory and of no other person; (iii) any alteration to the electronic signature made after affixing such signature is detectable; and (iv) any alteration to the information made after its authentication by electronic signature is detectable. Another proof of authentication of electronic and digital signatures, respectively, is obtaining of Electronic Signature Certificate and Digital Signature Certificate from the relevant authority under the IT Act. The Ministry of Electronics and Information Technology has also prescribed additional procedure for authentication of electronic records by electronic signature under the Electronic Signature or Electronic Authentication of Technique and Procedure Rules, 2015 (specifically relating to Aadhaar e-KYC services) and Digital Signature (End Entity) Rules, 2015 (for digital and xml signatures). The Indian Evidence Act, 1872 recognises electronic documents signed with a secured electronic signature, but where the electronic signature is not secure, the authenticity of the signature needs to be proved.

  12. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    When a company enters into a contract to outsource certain functions or processes to a service provider, there will not be any automatic transfer of the company’s employees, assets or third-party contracts to such service provider. This follows from the concept of “privity of contract” under Indian contract law. The transferred employees, assets and/or third-party contracts of the company to the service provider would be possible only by entering into a specific contract with the service provider to that effect.

  13. If a software program which purports to be an early form of A.I. malfunctions, who is liable?

    It may be understood that any liability arising out of software programmes, whether such programmes appear to be in the form of artificial intelligence (“AI”) or not, may be addressed under tort law, criminal law, intellectual property law and the IT Act. Under the IT Act, if a software programme is designed in such a manner or is intended to be used for “hacking” or “identity theft” or for other computer related offences as prescribed in the IT Act, then the creators of the software programmes shall be held liable and accordingly, be punished with imprisonment and/or fine. Further, if a service provider using computer programmes, in the course of performing a contract, as a result of the programme malfunction, discloses an individual’s personal information including sensitive personal data or information without such individual’s consent, then such service provider may be liable for penalties under the IT Act as specified in the response to Question 9 above. Again, the creators of the software programmes shall be held responsible under tort law for any nuisance caused or for any negligence by engineers of such software programmes. Further, any software programme which is premeditated to be used for commission of criminal offences, the creators of the software programme would be held liable under criminal laws. As far as intellectual property laws are concerned, the Copyright Act, 1957 as specified in the response to Question 5 above includes software programmes under the definition of “literary work”. Further as specified in the response to Question 5, under the Patents Act, 1970, if the processes associated with the creation of computer programmes or their functionality make them novel, inventive and capable of industrial application, such processes are patentable. If a software programme infringes or misappropriates a third party’s intellectual property, the owners of the software programmes will be held liable.

  14. What key laws exist in terms of obligations as to the maintenance of cybersecurity?

    Protection of information, equipment, devices, computer, and computer resource, communication device from unauthorised access, use, disclosure, disruption, modification or destruction comprises “cybersecurity” under the IT Act. The IT Act also requires companies to report incidents of breach of cybersecurity to the designated authority, and this obligation also extends to intermediaries under the IT Act.

  15. What key laws exist in terms of the criminality of hacking/DDOS attacks?

    Although IT Act does not define “hacking”, it lists out the actions which may qualify as hacking. If a person without the permission of the owner/person in charge of a computer, computer system or computer network (systems): (i) accesses or secures access to such systems; (ii) downloads, copies or extracts data or information from any system; (iii) introduces any computer contaminant or computer virus into a system; (iv) damages a system or database or any programmes in such systems; (v) disrupts the use of any systems; (vi) acts that lead to the denial of access to the owner of the systems; (vii) facilitates or provides assistance to others to access systems; (viii) tampers with or manipulates systems by charging services of one person to the account of another; or (ix) destructs, alters, deletes or conceals a computer resource or computer code, it qualifies as hacking. Further, DDOS, short for Distributed Denial of Service, is a type of attack where multiple compromised systems, which are often inflected with a Trojan, are used to target a single system causing a “Denial of Service”. DDOS attacks which are virus attacks are also covered under the aforementioned actions and are a means of “hacking” a system. Thus, if any person, dishonestly or fraudulently, does any of the aforementioned actions, he shall be punished with imprisonment for a term which may extend to 3 years and/or fine which may extend to INR 500,000 (approximately US$ 7,700). Further, the IT Act prescribes punishment for identity theft and dishonestly receiving stolen computer resource or communication devices. The punishment for both offences are imprisonment for a term which may extend to 3 years and/or fine which may extend to INR 100,000 (approximately US$ 1,500). Hacking/DDOS attacks may meeting the requirements of “theft” and “criminal trespass” under Indian Penal Code, 1860 and hence, any person responsible for causing such actions is punishable with imprisonment and/or fine.

  16. What technology development will create the most legal change in the jurisdiction?

    Over the last few years, the Indian Government has sought to create a Unique Identification Number (“Aadhaar”) card, which includes personal information about each citizen in India, such as name, address, contact number, photograph and biometric information (fingerprints and retinal scan), and store the data of all citizens in a central repository. Though, under law, proof of Aadhaar is necessary for receipt of certain subsidies, benefits and services, it does not make enrolment to Aadhaar compulsory. Some of these services/benefits include payment of taxes, application for telephone connections, opening and operating bank accounts, and application for gas connections. However, citizens who have not yet been assigned the Aadhaar card by the Government are offered alternate and viable means of identification for receipt of certain subsidies, benefits and services. Through Aadhaar, the Government intends to use technology, including electronic storage of massive amounts of personal data, to deliver citizen services. This has raised fundamental questions relating to data security as well as individual privacy. Various petitions have been filed in the Supreme Court questioning the constitutional validity of this massive scale of change brought about by use of technology. Although the Supreme Court is yet to decide on the constitutional validity of the Aadhaar Act, 2016, it has upheld the linking of Aadhaar for the purpose of filing income tax returns. Further, the Court has observed that right to privacy is not an absolute right, and the Government is free to impose reasonable restrictions on the same. The introduction of Aadhaar is also expected to bring about changes to existing technology laws, especially those relating to data security and online privacy.

  17. Which current legal provision/regime creates the greatest impediment to economic development/ commerce?

    Sadly, the inefficient judicial system in India has failed to keep up with the technological or economic developments that have been taking place at such a rapid pace. Indian courts are inundated with backlog and unlimited adjournments are the order of the day. Thus, the failure of court system as an effective dispute resolution mechanism, has been the greatest impediment to economic development. Among various legislations and legal procedures that are considered as “archaic” in India, perhaps the labour laws of India are often cited as being the most unfriendly to modern business and economic development. Most labour laws in India were drafted over half a century ago, and had been passed in the context of a socialistic model that India had adopted during the time. The fragmented nature of Indian labour legislations has led not only to complex and cumbersome procedures for the opening and operation of businesses in the country, but also to several conflicting obligations and requirements to be observed by companies. However, the current Government has shown intent to simplify, consolidate and modernise these laws, and reduce the financial and compliance burden on various establishments by adopting the Ease of Compliance to maintain Registers under various Labour Laws Rules, 2017, that replaces 56 registers/forms under 9 different labour laws with 5 common registers/forms. Today, there is an unprecedented amount of data collected and stored in the course of providing services. However, there is no specific comprehensive legislation in India that covers all aspects of data protection. Few principles of data protection are stipulated under the IT Act, TRAI, guidelines issued by Reserve Bank of India (RBI), among others. With data being so valuable for the opening and operation of businesses, the Government will soon have to come up with a comprehensive law in relation to data protection. Further, land-use administration and land acquisition procedures in India are complex. Conversion of land-use rights from agricultural to commercial or industrial use is bogged down by laws that are more than a century old, and these vary greatly from State to State. Allocation of tracts of land to companies requires several levels of approvals within the bureaucracy, and these are often delayed and made hard to obtain.

  18. Do you believe the legal system specifically encourages or hinders digital services?

    The legal structures that exist in relation to digital services consists primarily of the IT Act along with several legislations that govern the fundamental, structural and operational aspects of any business in the country. The Government has, in most cases, taken a balanced approach between the interests of businesses and consumers, in the case of laws relating to digital business. For instance, the Government, to keep up with the changing times, has introduced amendments to the IT Act in 2008 whereby: (i) clarity in relation to the definition of “intermediary” was provided; (ii) electronic signatures were recognised; (iii) corporate responsibility for data protection was incorporated; (iv) legal validity of electronic documents was re-emphasised, among others. The Indian judiciary has also held that if the intermediaries have specific knowledge of unlawful content on their website, even in the absence of a court order, they cannot escape liability under the IT Act. This may have a substantial impact on the obligation of intermediaries to delete or take down any content on knowledge of infringement. Recently, service of summons by the court through WhatsApp was considered as an acceptable mode of service in order to reduce the delay in serving summons in the absence of proper address. The Supreme Court has recently struck down a section of the IT Act, as unconstitutional, which gave the Central Government/police, in the name of “national security” unqualified power to arrest a person who posted any content on social media against the Government. While the IT Act is broad enough in its scope to address various aspects of doing business through electronic channels, the pace of development in technology and business models in the digital industry has meant that the legal system fails to address several issues. At the same time, the Government is itself becoming one of the largest consumers of digital services, since it has planned huge investments in areas such as e-governance, smart cities, and the use of technology to improve security. The Government has recently issued guidelines to encourage procurement of cloud-based services by various government departments.

  19. To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?

    There are presently no specific laws dealing with AI. Existing legislations, such as the IT Act, tort laws, intellectual property laws and criminal laws, provide a broad framework to address liabilities arising from the use of technology. AI systems are designed in such a manner that many times the acts are not foreseeable by the engineers and may attract the concept of negligence under the tort law. The Copyright Act, 1957 as specified in the response to Question 6 above includes computer database under the definition of “literary work”. As any literary work is protected under the Copyright Act, 1957 in India and AI functioning mainly on the basis of database, it may be concluded that AI systems are copyright protected. Further, the same rules which are applicable in regard to “computer programmes” under Patents Act, 1970 may be applicable to the AI systems. If the processes associated with the creation or functionality of AI systems make them novel, inventive and capable of industrial application such processes are patentable. However since AI systems have limited human action, control or intervention, there is the added challenge of establishing ownership of intellectual property rights generated through the use of AI systems. Further, if a service provider using AI as part of the software, in the course of performing a contract, discloses an individual’s personal information including sensitive personal data or information without such individual’s consent, then such service provider may be liable for penalties under the IT Act as specified in the response to Question 9 above. Criminal law, specifically, the Indian Penal Code, 1860, may be applicable to numerous crimes committed by the creators of AI systems under the disguise of machines or algorithms. Having said the above, the real challenge lies in attributing liabilities under any of the aforementioned laws to AI systems operating with limited human intervention, since a machine or algorithm cannot be held liable for committing intellectual property infringement, for negligence, for committing crimes or for disclosing confidential or personal information.