IMA India session highlights recent tech regulations and their business implications

India’s technology regulatory environment has undergone a profound shift in the past year with the enactment of the Digital Personal Data Protection Act (DPDP Act) in August 2023, marking a watershed moment. This sweeping legislation, along with the draft Digital India Bill and potential regulations in the AI space, is reshaping how businesses operate in the digital realm.

Key regulatory developments

• Telecommunications Act: The Act aims to modernise outdated laws like the Telegraph and Wireless Telegraph Acts, and license agreements. It offers a dual regime for up to ten years, letting businesses choose between old and new rules while the government incentivises licensees to switch to the new system.
• Digital Competition Act: New rules are in the works to regulate the practices of big tech companies, emphasizing fair competition. The Competition Commission of India (CCI) is actively investigating and penalizing firms, especially major tech players. These rules will align with existing CCI enforcement measures, underlining the emphasis on fair competition in the digital market.
• Ecommerce Rules: Upcoming ecommerce regulations will enforce strict requirements on B2C businesses, spanning data usage, cross-selling, flash sales, and data transfers between platforms. These rules will add layers of compliance for e-commerce operators and intersect with the digital competition rules and FDI regulations.
• Cybersecurity Directions and CERT-In: The Indian Computer Emergency Response Team (CERT-In) has transitioned from advisory to enforcement, imposing strict breach reporting deadlines. Companies must report cybersecurity incidents within six hours, with penalties for non-compliance.
• DPDP Act: This landmark legislation broadens the scope of data protection, strengthens data subject rights, and establishes a dedicated Data Protection Board for enforcement. Organisations must now adhere to stringent data handling practices and comply with breach notification requirements. Non-compliance with the Act can result in substantial penalties of up to Rs 250 crores, creating a strong deterrent for data misuse.
• Digital India Act: This Act aims to overhaul the existing Information Technology Act, 2000, and addresses a wide range of issues, including digital competition, AI regulation, cybersecurity, and cybercrime.
• AI regulation: India’s approach to AI regulation reflects a laissez-faire stance towards a structured governance framework, emphasizing responsible and human-centric AI deployment. Regulations will likely address concerns related to deepfakes, bias, privacy, and intellectual property rights.

Enforcement landscape

The enforcement landscape has transformed from a siloed approach to an interconnected system, with regulators collaborating across domains. Businesses must now contend with proactive, onsite enforcement actions, truncated timelines for response, and stricter penalties for non-compliance. Entire industries may face systemic scrutiny, leading to potential disruptions in operations.

 Platform regulation

Marketplaces, brand usage, and consumer manipulation tactics are under increased scrutiny. Platforms are expected to adhere to constitutional principles of non-discrimination and bias-free operations. There is a growing emphasis on the costs of compliance, impacting the ease of doing business for some entities.

Cybersecurity landscape

Incident response and breach notification have become paramount. Regulatory requirements are becoming more stringent, with increased penalties for non-compliance. Boards are under scrutiny regarding their handling of cybersecurity incidents. Sectoral regulators are also establishing detailed regimes, raising the cost of doing business.

Emerging best practices for CFOs

CFOs, as the ultimate owners of risk and compliance, must adapt to this evolving landscape. Key recommendations include:

• Conducting thorough data audits and mapping to understand data collection, storage, and processing practices.
• Implementing robust security measures and breach notification mechanisms.
• Ensuring compliance with sectoral regulations and staying updated on emerging legal standards.
• Developing incident response plans and establishing clear roles and responsibilities.
• Seeking expert guidance on legal and regulatory matters.

The way forward

India’s emerging tech-regulation landscape presents both challenges and opportunities for businesses. By understanding the evolving regulatory framework, CFOs can proactively manage risks, ensure compliance, and leverage technology to drive innovation and growth. The path ahead requires vigilance, adaptability, and a commitment to responsible and ethical data practices.

The contents of this paper are based on discussions with Arun Prabhu, Partner and Head – Technology & Telecommunications, Cyril Amarchand Mangaldas (CAM). The views expressed may not be those of IMA India.