Subscribe to regular updates:
A close-up of India’s regulatory approach to data governance, content moderation, competition and more
This is the first issue of the new “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Johannes Fritz, Tommaso Giardini
06 Mar 2023
This could be India’s moment: The G20 presidency, a sought geopolitical ally and a resourceful domestic ecosystem to establish itself as a leading digital economy. A December 2022 report by the Reserve Bank of India (RBI) estimates that India’s core digital economy’s Gross Value Addition increased from 5.4% in 2014 to 8.5% in 2019, growing 2.4 times faster than its analogue counterpart. India’s digital economy boasts a growing user base of over 800 million internet users, over 107 unicorns and over 1.3 billion digital identities. India thus has a significant stake in the global digital economy that is subject to the risk of digital fragmentation.
But what digital policies does India stand for? This DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments for major policy areas as well as India-specific focal points.
Discover the details of India’s approach below and stay informed on our dedicated page:
Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription
Data protection policy developments
Legislators currently deliberate India’s first comprehensive data protection law at the federal level. The current draft, the Digital Personal Data Protection Bill 2022, was opened for consultation in November 2022, after the rejection of the previous proposal in the summer. In a liberalising step, the new data protection bill replaced a broad data localisation requirement contained in its failed predecessor with a yet undefined adequacy mechanism. In terms of data subject rights and business obligations, the current draft is also narrower than its predecessors. For instance, the new draft does not foresee a right to data deletion, nor one to data portability and thus removes the need for data traceability in the covered applications. A distinguishing feature of the proposal is the right to post-mortem privacy whereby a data subject may nominate a rightsholder to inherit its place.
Data localisation developmentsIn August 2022, India expanded its Companies (Accounts) Rules of 2014 to require that electronic accounting information be stored on servers located in India. The expanded rules are the most recent of several data localisation requirements implemented by sectoral regulators exist. The Indian Computer Emergency Response Team’s Cybersecurity Directive requires all private and public organisations to store their ICT systems logs locally for at least 180 days. The Department of Science & Technology stipulates that geospatial data must be stored and processed on servers or cloud services physically located in India. Financial sector data is treated most restrictively. The Security and Exchange Board of India advises financial service providers generally to store critical financial activity data and client personal information locally. The Reserve Bank of India requires digital lenders and payment providers to store the entire data relating to payment systems and their transactions in India. Likewise, all information about insurance policies issued and claims made in India must be stored in local data centres.
Enforcement developmentsThe enforcement of data governance rules is under the purview of the Ministry of Electronics and Information Technology (MEITY). MEITY has repeatedly banned foreign apps due to unauthorised data collection and cross-border transfers “to ensure the safety, security and sovereignty of the Indian cyberspace”. Under the objective of cyberspace safety, India was the first major economy to ban a series of Chinese apps including TikTok in the wake of a border dispute between the two countries.
Content moderation developments
Under the stated objective of upholding public morals and national security, India is actively moderating online content. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules impose a broad range of obligations on information intermediaries. The Rules explicitly target (large) social media platforms and messaging services. They also cover news publishing services and OTT providers of any size. All information intermediaries must observe a series of due diligence requirements to avoid liability for user-generated content. Similarly, all intermediaries must appoint grievance redressal officers to acknowledge and resolve complaints swiftly. For “significant” social media intermediaries, grievance officer teams must reside in India and the Chief Compliance Officer is personally liable for violations of the Rules. Special first-originator and traceability rules for messaging services are currently contested by Whatsapp for their apparent inconsistency with end-to-end encryption.
Since March 2023, three governmental Grievance Appellate Committees have appellate jurisdiction over social media platforms’ content moderation decisions. Recently proposed amendments to the Rules would grow the role of the Indian government in content moderation. If the proposed amendments were to take effect, a governmental Fact Check Unit could flag content it finds “false", "untrue" or "misleading" and consequently require intermediaries to hinder its distribution. The unit has already been established and recently begun flagging channels. Finally, the Information Technology Act of 2000 will reportedly be modernised by the Digital India Act, which is yet to be published.
Enforcement developmentsThe Ministry of Information and Broadcasting (MIB) enforces Indian content moderation rules. In January 2023, attempts to block the digital dissemination of a BBC Documentary on Prime Minister Narendra Modi caused controversy, though this action was not officially confirmed beyond a tweet by a Senior Adviser of MIB. The MIB uses its enforcement powers to block content on various social media platforms, especially YouTube, regarding “anti-India” information in different contexts, including the Ukraine invasion. Blocking orders during the 2021 Indian farmers’ protest have been contested in a lawsuit by Twitter. Starting 1 March 2023, Grievance Appellate Commissions (GACs) will offer users recourse against content moderation decisions of significant social media intermediaries.
Competition policy developments
In August 2022, the Competition (Amendment) Bill was introduced into the Indian parliament. The draft bill would amend the Competition Act of 2002 to account for the digital economy. If enacted, it would expand rules regarding both mergers and anti-competitive agreements. Mergers exceeding a value threshold of INR 20 billion (ca. USD 250 million) would require approval by the Competition Commission of India (CCI), provided that one of the parties has "substantial business operations in India". The definition of what business counts as “substantial” is left to subsequent regulation. Furthermore, any agreement amongst enterprises or persons that “causes or is likely to cause an appreciable adverse effect on competition in India” would be deemed anti-competitive. Investigations into potential violations may be initiated by the CCI and are subject to a maximum fine of 10 percent of average income over the three preceding financial years.
Enforcement developmentsOn 19 January 2023, the Indian Supreme Court denied Google’s stay request in the Competition Commission’s case against the Android Mobile Operating System. In October 2022, the CCI issued a fine of INR 14 billion (ca. USD 160 million) for the mandatory pre-installation of Google Mobile Suite, among other practices. The Ruling also included a cease and desist order prohibiting Google to disallow Indian Android users to uninstall Google apps. The Ruling further mandates that the licences for Google’s Play Store cannot be linked with the requirement of pre-installing Google applications.
Beyond this recent example, the Competition Commission of India currently pursues various cases involving tech companies. On 25 October 2022, the CCI issued a fine of INR 9.4 billion (ca. USD 113 million) for self-preferencing in the Google Play Store through the in-app billing system and restriction of external payment methods. On 10 October 2022, the Indian Supreme Court allowed the CCI to go ahead with its investigation against the alleged mandatory data sharing of WhatsApp users with Facebook (Meta) as well as its exclusionary effects on the display advertising market. Two further investigations could come to a preliminary ruling soon. In December 2022, an investigation began into Apple’s App store payment mechanism. Earlier in 2022, the CCI began an investigation on bargaining power and related issues against Google’s news aggregation service.
Further Indian digital policy focal points
Digital public infrastructure
The Indian government emphasises the role of digital public infrastructure and made it an explicit priority for its G20 presidency. Recently, India has presented its proposal on the role of digital public infrastructure in promoting e-commerce to WTO members and invited countries to integrate into the “India Stack”. The “India Stack” is a set of policy initiatives for digital identity, payments and data protection combined with a suite of public services that aim to decentralise the digital economy and foster competition, among other goals.
The most recent initiative is the Open Network for Digital Commerce (ONDC) initiative launched in April 2022. The ONDC seeks to interconnect buyers and sellers across different e-commerce, mobility or delivery platforms and thus make them less dependent on any one platform provider. It is currently rolled out in 85 Indian cities. Further elements (referred to as “layers”) of the India Stack include Aadhar, an online identification and authentication service. Referred to as the base layer of the India Stack, Aadhar currently manages more than 1.3 billion profiles for residents in India. The second layer is the Unified Payment Interface (UPI), a real-time digital payments system that facilitates peer-to-peer and peer-to-merchant payments. By the end of 2022, the UPI grew to over 200 million daily transactions with a total daily volume approaching half a trillion Indian Rupees (ca. USD 6 billion).
Digital taxationOn 1 April 2022, the new definition of “significant economic presence” went into effect. The definition, adopted in the Finance Act of 2018 and clarified through implementing regulation, deems companies with a revenue of over INR 20 million (ca. USD 267’000) stemming from sales to Indian persons or companies with over 300'000 Indian users as having a "significant economic presence" (SEP). Therefore, the revenue which can be attributed to these transactions or activities is taxable in India.
Another notable element of India’s digital taxation environment is the Equalisation Levy on digital services. The E-Levy was established in the Finance Act 2016, imposing a tax of 6% on specified foreign service providers engaging in online advertisement. Effective 1 February 2021, the scope of the Levy expanded to include foreign e-commerce providers. The United States Trade Representative conducted a Section 301 investigation into the E-Levy, concluding that it discriminates against US firms, and raising retaliatory trade measures (additional duties on Indian goods). On 24 November 2021, the US and India reached an agreement for a transitional approach of the E-Levy to the OECD/G20 Inclusive Framework on BEPS, meaning the E-Levy will be removed when the Framework’s Pillar One is implemented.
Online consumer protectionInternationally, India is at the forefront in consumer protection online. The Consumer Protection Act 2019 created the Central Consumer Protection Authority and paved the way for subsequent regulations that focused on electronic commerce. The Consumer Protection (E-Commerce) Rules, 2020 imposed conduct rules and operating conditions, introducing requirements regarding transparency, accuracy, take-backs and grievance mechanisms as well as prohibitions regarding cancellation fees, price manipulation, consumer discrimination and fake reviews. Going further, the Consumer Protection (Direct Selling) Rules, 2021 require the maintenance of an updated website and proper relations between platforms and direct sellers. Furthermore, the recently adopted Standard for Online Consumer Review introduces requirements for the collection, moderation and publication of reviews. Currently, the proposed Telecommunication Bill, 2022 would require user consent for receiving business or advertising messages.
On the international stage, India is calling for advances on consumer protection. In a recent representation to the General Council of the World Trade Organisation, India called for a discussion on consumer protection in electronic commerce to reinvigorate the ongoing WTO work programme on electronic commerce. Consequently, in January 2023, a discussion on consumer protection kicked off a WTO-internal discussion series on the work programme.
Cryptocurrency regulationCryptocurrencies are a final focal point of Indian digital policy. The Finance Act 2022 subjected virtual digital asset income to a 30% income tax, leading to an outflow of approximately 3.8 billion USD in domestic crypto trading volume. The proposed Cryptocurrency and Regulation of Official Digital Currency Bill would prohibit private cryptocurrencies altogether, allowing only certain exceptions to promote the technology. The aim is to establish an official digital currency issued by the Indian Reserve Bank. Since November 2022, a pilot for the wholesale version of this Central Bank Digital Currency is underway.
 There is no formally independent data protection authority in India. Instead, the new draft bill proposes a data protection board appointed by the central government rather than an independent statutory body.