Technology Laws – 369 enterprises

In a modern and global business world, technological advancement is both an essential factor and driving force. Emerging technologies such as cryptocurrency, blockchain and artificial intelligence have transformed traditional mindsets and ideals and led to the development of new and innovative business models.

The changing face of technology makes it necessary for technology law and policy to be equally adaptive and transformative. This is particularly important in a jurisdiction such as India, where information technology and relative services make up a major part of the economy. The Indian government in particular has risen to this challenge and the legislative changes brought about by the government in recent years, in the technology law space, clearly showcase the same.

By way of brief background, the principal statute governing the technology law space in India is the the Information Technology Act, 2000 (‘IT Act’). While the IT Act itself was brought in force at the time of the advent of the internet in India (with the aim of facilitating governance in the technology law and policy space in the country), the Indian Ministry of Electronics and Information Technology (‘MeitY’) has since rolled out subordinate legislation (under the ambit of the IT Act) for regulating the latest emerging technologies seen in the technology law and policy space. Such legislation includes the following technology laws and regulations:

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Rules’): The Intermediary Rules are applicable to all intermediaries functioning in India. For reference, an intermediary (per the IT Act) can be understood as ‘person who receives, stores or transmits any electronic record and provides any service relating to such record on the behalf of another person.’. The Intermediary Rules classify intermediaries into various different categories (including publishers of news and current affairs, OTT platforms and social media intermediaries) and prescribe various compliances for each category of intermediary. Notably, there has been a recent major amendment to the Intermediary Rules, which provide for regulation of online gaming and recognize a new category of intermediary (viz. ‘online gaming intermediary).

Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’): The Indian Computer Emergency Response Team or ‘CERT-In’ (set up under the ambit of these rules) is the national nodal agency for responding to computer security incidents as and when they occur and preforms various functions in area of cyber security, cyber incidents, information security practices, etc.

CERT-In is also authorized for issuing various directions, guidelines, whitepapers and advisories. Notably, in a series of guidelines issued in 2022 concerning the reporting of cyber security incidents, Cert-In has imposed various compliances in this regard upon intermediaries, body corporates, governmental entities and various categories of service providers (including VPN service providers, among others). Among other things, the Directions impose a stringent 6-hour timeline for reporting a cybersecurity incident and broaden the ambit of the kinds of cybersecurity issues that must be reported by the relevant entities.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘RSP Rules’): The RSP Rules are presently the predominant legislation in India that governs the collection, storage, transfer, disclosure, and other processing of the ‘personal information’ as well as ‘sensitive personal data and information’ of ‘providers of information’ (being Indian individuals) by a body corporate via its online platform.

As mentioned, the principal statute governing the technology law space in India is the IT Act (and the subordinate technology laws and regulations thereunder). Stakeholders operating in specific industry and business sectors are also subject to observe technology regulations of regulatory bodies such as the Reserve Bank of India (‘RBI’), Securities and Exchange Board of India (‘SEBI’) and Insurance Regulatory and Development Authority of India (‘IRDAI’).highlight a few, the RBI (Outsourcing of Information Technology Services) Directions, 2023 have been issued this year (as of April 10, 2023) with the aim of reducing the degree of risks associated with outsourcing information technology services. These are applicable to RBI regulated entities (such as the commercial banks, urban co-operative banks, non-banking financial companies, credit information companies).

Similarly, the IRDAI (Insurance Web Aggregators) Regulations, 2017 regulate ‘insurance web aggregators’ or insurance intermediaries, who ‘maintain a website for providing interface to the insurance prospects for price comparison and information of products of different insurers and other related matters.’. In furtherance, the IRDAI has recently issued the IRDAI Information and Cyber Security Guidelines, 2023 (as of April 24, 2023) for insurance intermediaries.

To highlight a few, the RBI (Outsourcing of Information Technology Services) Directions, 2023 have been issued this year (as of April 10, 2023) with the aim of reducing the degree of risks associated with outsourcing information technology services. These are applicable to RBI regulated entities (such as the commercial banks, urban co-operative banks, non-banking financial companies, credit information companies).

In light of the above, it is clear that the Indian government is particularly active in recent years, in rolling out amendments and creating technology laws and regulations to cater to the changing requirements in the technology law and policy space.

In fact, MeitY is currently working on the finalising the ambitious Digital India Act (not currently in the public domain), which is proposed to repeal and replace existing technology laws and regulations in the country.