Information technology law in india
In a modern and global business world, technological advancement is both an essential factor and driving force. Emerging technologies such as cryptocurrency, blockchain and artificial intelligence have transformed traditional mindsets and ideals and led to the development of new and innovative business models.
The changing face of technology makes it necessary for technology law and policy to be equally adaptive and transformative. This is particularly important in a jurisdiction such as India, where information technology and relative services make up a major part of the economy. The Indian government in particular has risen to this challenge and the legislative changes brought about by the government in recent years, in the technology law space, clearly showcase the same.
By way of brief background, the principal statute governing the technology law space in India is the the Information Technology Act, 2000 (‘IT Act’). While the IT Act itself was brought in force at the time of the advent of the internet in India (with the aim of facilitating governance in the technology law and policy space in the country), the Indian Ministry of Electronics and Information Technology (‘MeitY’) has since rolled out subordinate legislation (under the ambit of the IT Act) for regulating the latest emerging technologies seen in the technology law and policy space. Such legislation includes the following technology laws and regulations:
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Intermediary Rules’): The Intermediary Rules are applicable to all intermediaries functioning in India. For reference, an intermediary (per the IT Act) can be understood as ‘person who receives, stores or transmits any electronic record and provides any service relating to such record on the behalf of another person.’. The Intermediary Rules classify intermediaries into various different categories (including publishers of news and current affairs, OTT platforms and social media intermediaries) and prescribe various compliances for each category of intermediary. Notably, there has been a recent major amendment to the Intermediary Rules, which provide for regulation of online gaming and recognize a new category of intermediary (viz. ‘online gaming intermediary).
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’): The Indian Computer Emergency Response Team or ‘CERT-In’ (set up under the ambit of these rules) is the national nodal agency for responding to computer security incidents as and when they occur and preforms various functions in area of cyber security, cyber incidents, information security practices, etc. CERT-In is also authorized for issuing various directions, guidelines, whitepapers and advisories. Notably, in a series of guidelines issued in 2022 concerning the reporting of cyber security incidents, Cert-In has imposed various compliances in this regard upon intermediaries, body corporates, governmental entities and various categories of service providers (including VPN service providers, among others). Among other things, the Directions impose a stringent 6-hour timeline for reporting a cybersecurity incident and broaden the ambit of the kinds of cybersecurity issues that must be reported by the relevant entities.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘RSP Rules’): The RSP Rules are presently the predominant legislation in India that governs the collection, storage, transfer, disclosure, and other processing of the ‘personal information’ as well as ‘sensitive personal data and information’ of ‘providers of information’ (being Indian individuals) by a body corporate via its online platform.
As mentioned, the principal statute governing the technology law space in India is the IT Act (and the subordinate technology laws and regulations thereunder). Stakeholders operating in specific industry and business sectors are also subject to observe technology regulations of regulatory bodies such as the Reserve Bank of India (‘RBI’), Securities and Exchange Board of India (‘SEBI’) and Insurance Regulatory and Development Authority of India (‘IRDAI’).
To highlight a few, the RBI (Outsourcing of Information Technology Services) Directions, 2023 have been issued this year (as of April 10, 2023) with the aim of reducing the degree of risks associated with outsourcing information technology services. These are applicable to RBI regulated entities (such as the commercial banks, urban co-operative banks, non-banking financial companies, credit information companies). Similarly, the IRDAI (Insurance Web Aggregators) Regulations, 2017 regulate ‘insurance web aggregators’ or insurance intermediaries, who ‘maintain a website for providing interface to the insurance prospects for price comparison and information of products of different insurers and other related matters.’. In furtherance, the IRDAI has recently issued the IRDAI Information and Cyber Security Guidelines, 2023 (as of April 24, 2023) for insurance intermediaries.
In light of the above, it is clear that the Indian government is particularly active in recent years, in rolling out amendments and creating technology laws and regulations to cater to the changing requirements in the technology law and policy space. In fact, MeitY is currently working on the finalising the ambitious Digital India Act (not currently in the public domain), which is proposed to repeal and replace existing technology laws and regulations in the country.
If you are seeking legal assistance or advice on technology laws, the team at A&A is well equipped to provide you with end-to-end services for achieving your business objectives, beginning from briefings and advisory on compliances under the latest technology laws and regulations, negotiation and drafting of the requisite agreements and other documentation and policies to be put in place subject to such technology laws and regulations, procuring license and certifications incompliance with such technology laws and regulations and handling and closing complex disputes and transactions in this regard. An outline of the nature of services offered at A&A is provided below:
- Technology Laws and Business Advisory
The technology laws team at A&A prides itself in providing end-to-end legal and regulatory advisory relating to development and use of various information and emerging technology business ventures, assets, products, and services. We regularly advise a diverse range of clientele – including intermediaries, fintech, gaming and crypto entities, financial institutions, e-commerce, and other digital businesses, etc. – concerning website and other software products and services development, software licensing and transfer of rights arrangement, data, know-how and trade secret protection etc.
We also offer holistic advisory to clients on leveraging technological innovation, protecting proprietary technology, data and trade secrets and undertaking efficient compliance with relevant technology laws and regulations.
In this regard, we further advise and assist client structure and set up their business operations in and outside the country through liaison with our vast network of partner firms and entities in other jurisdictions.
- Negotiation, Vetting, Drafting of Contract and Documentation
We regularly assist clients in negotiating, vetting and drafting and closing requisite documentation and contracts and complex transactions. The nature of arrangements and contracts we’ve worked on include include strategic business and technology collaborations, technology products and services agreements, master agreements, manufacturing and supply agreements, sub-contracting and supply chain agreements, ownership and licensing agreements, technology services outsourcing agreements amongst others.
- Statutory and Regulatory Compliance
We regularly advise and assist international and domestic clients with observing compliances under the IT Act, including compliances as prescribed under the Intermediary Rules for various intermediaries including online gaming intermediaries, social media intermediaries, significant social media intermediaries, publishers of news content and OTT platforms. In this regard, we assist intermediaries draft and put in place requisite policies and terms of service and handle any issues with publication of content, user grievances as well as co-ordinate with and issue responses to government agencies.
We further assist clients – including various intermediaries, body corporates, service providers – in meeting the cyber security obligations and reporting requirements imposed by CERT-In, to co-ordinate with and issue responses to CERT-In, and to deal with incidents of data breaches and data leaks, and other cyber security incidents.
We also assist clients in meeting data compliances under the RSP Rules in respect of data collected and processed by them through digital means. In addition, A&A maintains a full-fledged data protection practice which complements its technology laws and regulations practice. The technological laws team, along with the data team at the firm, regularly advise intermediaries and body corporates (engaged in maintaining online businesses and platforms) regarding privacy and data protection compliance management.
The team offers client’s working with high level sensitive data and dealing in cross border data follows, advisory regarding structuring security frameworks and certification, agreements for transfer, storage, disclosure, licensing, etc. of data and advisory on cyber security incidents and data breaches and leaks.
- Sector Specific Advisory Services
We further advise clients operating in specific sectors (including in the finance, insurance, banking and securities) on sectoral regulations and rules, licenses, permits and other requirements in keeping with the latest technology laws and regulations of sectoral regulators such as the RBI, SEBI and IRDAI.
We assist clients working in business sectors subject to regulation of regulators such as the RBI, SEBI and IRDAI customized legal solutions in compliance with the rules and regulations of such bodies as well as the latest advisories and guidelines issued by the bodies in these sectors.
We assist client’s in engaging with the regulatory bodies. We act as a liaison on behalf of our clients with banks, financial institution and other third-party professional agencies to procure requisite licenses and permits required for their business to function in India.
We further assist in preparation and drafting of the requisite documentation as required by the regulatory and other bodies and also assist clients in undertaking filings as prescribed under extant technology laws and regulations.
A&A is among the leading technology law firms in India with a well-established practice in technology laws and regulations. The technology laws and regulations practice of our firm is handled by a dedicated team led by Mr. Gaurav Bhalla, Partner at A&A, who has considerable expertise and knowledge in the field. The members of our team possess a unique combination of both technical insight and insight regarding the latest technology laws and regulations insight.
Our technology team regularly advises domestic and international clients from multiple jurisdictions around the world ranging from Fortune 500 companies, multinational companies, partnership firms, start-ups, and individuals. The team has worked with and assisted distinguished clientele of the firm in traversing the complex and rapidly evolving technology law and policy landscape in India.
To particularize, a few recent key assignments handled by the A&A tech team include:
- Assisting and advising neo-banking entity in setting up operations in India, including advisory about how to structure such operations under the extant technology laws and regulations, including but not limited to compliances to be observed under SEBI guidelines concerning KYC compliances, RBI guidelines on digital lending platforms and applications, the RSP Rules and Intermediary Rules.
- Assisting and advising various crypto entities concerning the legality of their proposed business operations in India in light of the technology laws and policy ecosystem in the country.
- Assisting various fintech entities in offering online payment services in a legally appropriate manner subject to the RBI’s Payment and Settlement Systems Act, 2007
- Assisting and advising various intermediaries, including OTT platforms, news publications and social media intermediaries and significant social media intermediaries with compliances under the Intermediary Rules and RSP Rules.
- Assisting insurance intermediaries in structuring of business subject to technology laws and regulations, including under the Insurance Regulatory and Development Authority of India (Payment of commission or remuneration or reward to insurance agents and insurance intermediaries) Regulations, 2016, IRDAI Guidelines on insurance e-commerce (dated March 9, 2017), IRDAI Guidelines on Information and Cyber Security for Insurers and other technology rules and regulations of the IRDAI and RBI.
Our teams’ immense knowledge and experience in the technology law and policy space ,and in representing and advising a diverse variety of clientele as regards technology laws and regulations allows A&A to offer highly efficient and customized advice and opinions on technology laws within India.
A&A is the leading technology law firm in India for stakeholders looking to achieve their business objectives in an efficient manner. A&A is part of an extensive network of partner firms in multiple jurisdictions across the world, allowing clients to structure and set up multinational business operations through an exclusive engagement with A&A.
Further, A&A is also a recognized and well-established member of various international legal organizations including Interlegal, ILN (International Lawyers Network), Global Law etc. A&A is an active member in the functioning of these organizations through the publishing of content, attending events and participating in the management of these organizations.
A&A’s reputation as a leading technology law firm in India is also, in no small part, a result of our client-focused and commitment to excellence approach. A&A not only prides itself on providing high quality services (as detailed above), it also provides an efficient and transparent legal cost methodology for our clients.
1. Which are the primary legislations governing technology laws in India?
The primary legislations governing the broad ambit of technology law includes the Information Technology Act, 2000 along with the rules framed thereunder including the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; the directions prescribed by the Indian Computer Emergency Response Team; various directions framed by the Reserve Bank of India (RBI); etc.
2. Are there any compliances for social media intermediaries in India?
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 lists our various compliances to be followed by intermediaries as well as further compliances by social media intermediaries. In case the social media intermediary has more than 50 lakh subscribers, it will qualify as a significant social media intermediary (in respect of which additional compliances have been prescribed under the statute).
3. What are the laws governing data privacy and instances of data breaches in India?
The primary legislation governing data privacy aspects in India is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (which is framed under the Information Technology Act, 2000). This statute governs compliances associated with collection, processing, transfer, sharing and ensuring that the personal data of users is adequately protected. As regards breaches, the Indian Computer Emergency Response Team (CERT-In) has framed directions pertaining to ‘information security practices, procedure prevention, response and reporting of cyber incidents for Safe & Trusted Internet’, which needs to be complied by every intermediary.
4. Are there any compliances for OTT platforms in India?
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 contains a separate chapter containing compliances for publishers of online curated content. These include appointment of a grievance officer, establishment of a grievance redressal mechanism, usage of appropriate mechanisms to ensure that age-appropriate content is displayed to users, obtaining membership of self-regulatory bodies, etc.
5. What are the compliances for online news platforms in India?
The compliances for online news publishers (as well as news aggregators) have also been prescribed under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 which were published by the Ministry of Electronics and Information Technology (MeitY).
Get in touch with us today
We can be reached at