<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="http://editors.cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>http://editors.cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 21 to 27.
        
  </description>
  
  
  
  
  <image rdf:resource="http://editors.cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/comments-by-the-centre-for-internet-and-society-on-the-report-of-the-committee-on-medium-term-path-on-financial-inclusion"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/bitcoin-legal-regulation-india"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech"/>
        
        
            <rdf:li rdf:resource="http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention">
    <title>Comments on the Draft Second Protocol to the Convention on Cybercrime (Budapest Convention) </title>
    <link>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-february-25-2019-comments-on-draft-second-protocol-to-convention-on-cybercrime-budapest-convention</link>
    <description>
        &lt;b&gt;Following consultations with data protection, civil society, industry and others, during the Cybercrime Convention Committee (T-CY) meeting from 29 November 2018 onwards, the Cybercrime Convention Committee has sought additional contributions regarding the provisional draft text for a Second Additional Protocol to the Budapest Convention on Cybercrime (“Budapest Convention”).&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The Centre for Internet and Society (“CIS”) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, artificial intelligence, freedom of expression, and cyber-security. This submission is consistent with CIS’ commitment to safeguarding the general public interest and the rights of stakeholders. CIS is thankful to the Cybercrime Convention Committee for this opportunity to provide feedback on the Draft.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The draft text addresses three issues viz. language of requests, emergency multilateral cooperation and taking statements through video conferencing. Click to download the &lt;a href="http://editors.cis-india.org/internet-governance/comments-on-the-draft-second-protocol-to-the-convention-on-cybercrime-budapest-convention" class="internal-link"&gt;entire submission here&lt;/a&gt;.&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2019-02-25T16:48:18Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/comments-by-the-centre-for-internet-and-society-on-the-report-of-the-committee-on-medium-term-path-on-financial-inclusion">
    <title>Comments by the Centre for Internet and Society on the Report of the Committee on Medium Term Path on Financial Inclusion </title>
    <link>http://editors.cis-india.org/internet-governance/blog/comments-by-the-centre-for-internet-and-society-on-the-report-of-the-committee-on-medium-term-path-on-financial-inclusion</link>
    <description>
        &lt;b&gt;Apart from item-specific suggestions, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.&lt;/b&gt;
        
&lt;p style="text-align: justify;"&gt;The Centre for Internet and Society (CIS) is a non-governmental organization which undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;In the course of its work CIS has also extensively researched and written about the Aadhaar Scheme of the Government of India, especially from a privacy and technical point of view. CIS was part of the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee and was instrumental in drafting a major part of the report of the Group. In this background CIS would like to mention that it is neither an expert on banking policy in general nor wishes to comment upon the purely banking related recommendations of the Committee. We would like to limit our recommendations to the areas in which we have some expertise and would therefore be commenting only on certain Recommendations of the Committee.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Before giving our individual comments on the relevant recommendations, CIS would like to make one broad comment with regard to the suggestions dealing with linking of Aadhaar numbers with bank accounts. Aadhaar is increasingly being used by the government in various departments as a means to prevent fraud, however there is a serious dearth of evidence to suggest that Aadhaar linkage actually prevents leakages in government schemes. The same argument would be applicable when Aadhaar numbers are sought to be utilized to prevent leakages in the banking sector.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Another problem with linking bank accounts with Aadhaar numbers, even if it is not mandatory, is that when the RBI issues an advisory to (optionally) link Aadhaar numbers with bank accounts, a number of banks may implement the advisory too strictly and refuse service to customers (especially marginal customers) whose bank accounts are not linked to their Aadhaar numbers, perhaps due to technical problems in the registration procedure, thereby denying those individuals access to the banking sector, which is contrary to the aims and objectives of the Committee and the stated policy of the RBI to improve access to banking.&lt;/p&gt;
&lt;h3 style="text-align: justify;"&gt;Individual Comments&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 1.4 - Given the predominance of individual account holdings, the Committee recommends that a unique biometric identifier such as Aadhaar should be linked to each individual credit account and the information shared with credit information companies. This will not only be useful in identifying multiple accounts, but will also help in mitigating the overall indebtedness of individuals who are often lured into multiple borrowings without being aware of its consequences.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: The discussion of the committee before making this recommendation revolves around the total incidence of indebtedness in rural areas and their Debt-to-Asset ratio representing payment capacity. However, the committee has not discussed any evidence which indicates that borrowing from multiple banks leads to greater indebtedness for individual account holders in the rural sector. Without identifying the problem through evidence the Committee has suggested linking bank accounts with Aadhaar numbers as a solution.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 2.2 - On the basis of cross-country evidence and our own experience, the Committee is of the view that to translate financial access into enhanced convenience and usage, there is a need for better utilization of the mobile banking facility and the maximum possible G2P payments, which would necessitate greater engagement by the government in the financial inclusion drive.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: The drafting of the recommendation suggests that RBI is batting for the DBT rather than the subsidy model. However, an examination of the discussion in the report suggests that the Committee has not discussed or examined the subsidy model vis-à-vis the direct benefit transfer (DBT) model here (though it does recommend DBT in the chapter on G-2-P payments); all that it is trying to say is that where government to people money transfer has to take place, it should take place using mobile banking, payment wallets or other such technologies, which have been known to be successful in various countries across the world.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 3.1 - The Committee recommends that in order to increase formal credit supply to all agrarian segments, the digitization of land records should be taken up by the states on a priority basis.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 3.2 - In order to ensure actual credit supply to the agricultural sector, the Committee recommends the introduction of Aadhaar-linked mechanism for Credit Eligibility Certificates. For example, in Andhra Pradesh, the revenue authorities issue Credit Eligibility Certificates to Tenant Farmers (under ‘Andhra Pradesh Land Licensed Cultivators Act No 18 of 2011'). Such tenancy /lease certificates, while protecting the owner’s rights, would enable landless cultivators to obtain loans. The Reserve Bank may accordingly modify its regulatory guidelines to banks to directly lend to tenants / lessees against such credit eligibility certificates.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: The Committee in its discussion before the recommendation 3.2 has discussed the problems faced by landless farmers, however there is no discussion or evidence which suggests that an Aadhaar linked Credit Eligibility Certificate is the best solution, or even a solution to the problem. The concern being expressed here is not with the system of a Credit Eligibility Certificate, but with the insistence on linking it to an Aadhaar number, and whether the system can be put in place without linking the same to an Aadhaar number.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 6.11 - Keeping in view the indebtedness and rising delinquency, the Committee is of the view that the credit history of all SHG members would need to be created, linking it to individual Aadhaar numbers. This will ensure credit discipline and will also provide comfort to banks.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: There is no discussion in the Report on the reasons for increase in indebtedness of SHGs. While the recommendation of creating credit histories for SHGs is laudable and very welcome, there is no logical reason that has been brought out in the Report as to why the same needs to be linked to individual Aadhaar numbers and how such linkage will solve any problems.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 6.13 - The Committee recommends that bank credit to MFIs should be encouraged. The MFIs must provide credit information on their borrowers to credit bureaus through Aadhaar-linked unique identification of individual borrowers.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: Since the discussion before this recommendation clearly indicates multiple lending practices as one of the problems in the Microfinance sector and also suggests better credit information of borrowers as a possible solution, this recommendation per se seems sound. However, we would still like to point out that the RBI may think of alternative means to get borrower credit history rather than relying upon just the Aadhaar numbers.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 7.3 - Considering the widespread availability of mobile phones across the country, the Committee recommends the use of application-based mobiles as PoS for creating necessary infrastructure to support the large number of new accounts and cards issued under the PMJDY. Initially, the FIF can be used to subsidize the associated costs. This will also help to address the issue of low availability of PoS compared to the number of merchant outlets in the country. Banks should encourage merchants across geographies to adopt such application-based mobile as a PoS through some focused education and PoS deployment drives.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 7.5 - The Committee recommends that the National Payments Corporation of India (NPCI) should ensure faster development of a multi-lingual mobile application for customers who use non-smart phones, especially for users of NUUP; this will address the issue of linguistic diversity and thereby promote its popularization and quick adoption.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 7.8 - The Committee recommends that pre-paid payment instrument (PPI) interoperability may be allowed for non-banks to facilitate ease of access to customers and promote wider spread of PPIs across the country. It should however require non-bank PPI operators to enhance their customer grievance redressal mechanism to deal with any issues thereof.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 7.9 - The Committee is of the view that for non-bank PPIs, a small-value cashout may be permitted to incentivize usage with the necessary safeguards including adequate KYC and velocity checks.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comments&lt;/strong&gt;: While CIS supports the effort to use technology and mobile phones to increase banking penetration and improve access to the formal financial sector for rural and semi-rural areas, sufficient security mechanisms should be put in place while rolling out these services keeping in mind the low levels of education and technical sophistication that are prevalent in rural and semi-rural areas.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 8.1 - The Committee recommends that the deposit accounts of beneficiaries of government social payments, preferably all deposits accounts across banks, including the ‘in-principle’ licensed payments banks and small finance banks, be seeded with Aadhaar in a time-bound manner so as to create the necessary eco-system for cash transfer. This could be complemented with the necessary changes in the business correspondent (BC) system (see Chapter 6 for details) and increased adoption of mobile wallets to bridge the ‘last mile’ of service delivery in a cost-efficient manner at the convenience of the common person. This would also result in significant cost reductions for the government besides promoting financial inclusion.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: While the report of the Committee has already given several examples of how cash transfer directly into the bank accounts (rather than requiring the beneficiaries to be at a particular place at a particular time) could be more efficient as well as economical, the Committee is making the same point again here under the chapter that deals specifically with government to person payments. However even before this recommendation, there has been no discussion as to the need for linking or “seeding” the deposit accounts of the beneficiaries with Aadhaar numbers, let alone a discussion of how it would solve any problems.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Recommendation 10.6 - Given the focus on technology and the increasing number of customer complaints relating to debit/credit cards, the National Payments Corporation of India (NPCI) may be invited to SLBC meetings. They may particularly take up issues of Aadhaar-linkage in bank and payment accounts.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;strong&gt;CIS Comment&lt;/strong&gt;: There is no discussion on why this recommendation has been made; more particularly, there is no discussion at all on why issues of Aadhaar linkage in bank and payment accounts need to be taken up at all.&lt;/p&gt;

    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Financial Inclusion</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Homepage</dc:subject>
    

   <dc:date>2016-03-01T13:53:38Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/bitcoin-legal-regulation-india">
    <title>Can Bitcoin Be Banned by the Indian Government?</title>
    <link>http://editors.cis-india.org/internet-governance/bitcoin-legal-regulation-india</link>
    <description>
        &lt;b&gt;The paper analyses the laws and regulations that apply to Bitcoin in India, and comes to the conclusion that the government has wide powers that it can exercise, if it wishes, to regulate Bitcoin.  Given the lack of existing legal and regulatory analysis on this issue in India, we greatly welcome comments on this issue.&lt;/b&gt;
        &lt;h1&gt;Bitcoin: Legal Treatment under the Current Indian Legal and Regulatory Regime&lt;/h1&gt;
&lt;p&gt;This paper is an effort to examine the legal basis and treatment of Bitcoin under the current legal and regulatory regime in India. It seeks to explore whether Indian laws and regulations as they stand today would even consider Bitcoin as ‘currency’ and which regulations would govern different kinds of Bitcoin transactions. In this paper we shall first give a brief description of Bitcoin and then move on to what its legal treatment would most likely be which would then lead us to examine which regulations would most likely apply to various Bitcoin transactions.&lt;/p&gt;
&lt;h2&gt;What is Bitcoin?&lt;/h2&gt;
&lt;p&gt;Bitcoin is a cryptography based digital currency first described in a 2008 paper by a single or group of pseudonymous developer(s) by the name of Satoshi Nakamoto, who called it a “peer-to-peer, electronic cash system”. Bitcoin creation and transfer is based on an open source cryptographic protocol and is not managed by any central authority. Each Bitcoin is subdivided down to eight decimal places, forming 100,000,000 smaller units called satoshis. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution. The processing of Bitcoin transactions is secured by servers called Bitcoin “miners”. These servers communicate over an internet-based network and confirm transactions by adding them to a ledger which is updated and archived periodically using peer-to-peer filesharing technology, also known as the “blockchain”. The integrity and chronological order of the blockchain is enforced with cryptography. In addition to archiving transactions, each new ledger update creates some newly-minted Bitcoins. The number of new Bitcoins created in each update is halved every 4 years until the year 2140 when this number will round down to zero. At that time no more Bitcoins will be added into circulation and the total number of Bitcoins will have &lt;a href="http://en.wikipedia.org/wiki/Bitcoin"&gt;reached a maximum of 21 million Bitcoins&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Each user of Bitcoin gets a digital wallet and a Bitcoin address, which is the address from and to which Bitcoins can be transferred once this address is given to another party for the transfer. A transaction or transfer of Bitcoins is simply a transfer of value between Bitcoin addresses that gets included in the blockchain or the system log, which ensures that each transaction is valid and that nobody can use his or her Bitcoins more than once, i.e. it avoids double spending. Bitcoin wallets keep a secret piece of data called a “private key” for each Bitcoin address. Private keys are used to sign transactions, providing a mathematical proof that they have come from the owner of the addresses. The “signature” also &lt;a href="http://bitcoin.org/en/how-it-works"&gt;prevents the transaction from being altered by anybody once it has been issued&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;With this very basic and brief understanding of Bitcoin, we shall now try to examine whether Bitcoins should be treated under Indian law as (i) currency, (ii) security, (iii) derivative, (iv) negotiable instrument, (v) prepaid payment instrument, or (vi) movable property. &lt;/p&gt;
&lt;h2&gt;Can Bitcoins be Treated as Currency?&lt;/h2&gt;
&lt;p&gt;Indian laws do not define digital currency or virtual currency, so we will have to look at the traditional definition of currency to see if Bitcoin falls in that definition. The term currency is defined in section 2(h) of the Foreign Exchange Management Act, 1999 (“FEMA”) in the following words: &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;“currency” includes all currency notes, postal notes, postal orders, money orders, cheques, drafts, travellers cheques, letters of credit, bills of exchange and promissory notes, credit cards or such other similar instruments, as may be notified by the Reserve Bank;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It is notable here that this is an inclusive definition which means that it has a large scope for expansion. The legislature has consciously made the definition capable of further expansion by making it inclusive and also by giving the Reserve Bank of India (“RBI”) the authority to notify other similar instruments. This means that if any instrument which is being used as a currency is not covered by the definition as it stands, then the RBI is free to notify it and include it in the definition of currency. All “currency” other than Indian currency is considered by the FEMA as “foreign currency” which would have to then comply with various rules and regulations under FEMA. This means that if Bitcoin is classified as a “currency”, it would have to come under the definition of “foreign currency” and Bitcoin transactions would therefore have to comply with the entire foreign exchange regime under FEMA.&lt;/p&gt;
&lt;p&gt;It is clear that Bitcoin is not really similar to any of the instruments mentioned in the definition, not least because none of them are digital or virtual in nature. On May 3, 2000 the RBI notified “debit cards, ATM cards or any other instrument that can be used to create a financial liability” as “currency” under the FEMA (by Notification No. FEMA 15/2000/RB dated May 3, 2001). Since Bitcoin is not backed by any central bank or other institution, and because most of the transactions involving acceptance of Bitcoin are voluntary in nature, it does not seem that Bitcoin is an instrument that can be used to create a financial liability. This can be explained further with the help of two examples: &lt;/p&gt;
&lt;p&gt;(i) If a person owns Indian rupee notes worth Rs. 500 and everyone stops accepting the currency, he can always go to the Governor of the RBI and claim Rs. 500 from him; however, if I own Bitcoins then whether my Bitcoins can be used to buy any goods or services is entirely dependent upon the willingness of third parties to accept Bitcoin as a valuable item.&lt;/p&gt;
&lt;p&gt;(ii) If I order a pair of shoes worth Rs. 500 from flipkart.com and pay for those shoes using Indian currency, then it does not matter if flipkart decides to not accept Indian currency (whether by means of cash, credit card, cheque, etc.) and accepts payment only in Bitcoins. As soon as I give flipkart currency notes or coins worth Rs. 500, my legal obligation to pay for the shoes is fulfilled. On the other hand if I pay for those shoes with Bitcoins then unless flipkart voluntarily accepts payment in Bitcoin, my liability to pay for the shoes will still legally exist till I pay flipkart Rs. 500 in Indian currency. &lt;/p&gt;
&lt;p&gt;Therefore it is clear that Bitcoins do not fit into the plain vanilla definition of currency under Indian law. However this does not mean that the RBI cannot regulate Bitcoins or transactions involving Bitcoins. The RBI can very well notify Bitcoins as “currency” and then come out with rules and regulations for Bitcoin transactions. Cynics may argue that this is not possible due to the peer to peer nature of Bitcoins and the Bitcoin network and they would be right to the extent that it may not be physically feasible for the RBI to regulate every Bitcoin transaction, but it would be possible for them to target Bitcoin exchanges which is the entry point for most users of Bitcoin. To sum up, although Bitcoins may not be classified as a currency at present, this does not preclude the RBI from regulating them in the future. &lt;/p&gt;
&lt;h2&gt;Can Bitcoins be considered as Securities?&lt;/h2&gt;
&lt;p&gt;The term “securities” is defined in section 2 (h) of the Securities Contracts (Regulation) Act, 1955 in the following manner:
“securities” include — &lt;/p&gt;
&lt;p&gt;(i) shares, scrips, stocks, bonds, debentures, debenture stock or other marketable securities of a like nature in or of any incorporated company or other body corporate; &lt;/p&gt;
&lt;p&gt;(ia)    derivative; &lt;/p&gt;
&lt;p&gt;(ib)    units or any other instrument issued by any collective investment scheme to the investors in such schemes;&lt;/p&gt;
&lt;p&gt;(ic)    security receipt as defined in clause (zg) of section 2 of the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002;&lt;/p&gt;
&lt;p&gt;(id)    units or any other such instrument issued to the investors under any mutual fund scheme;&lt;/p&gt;
&lt;p&gt;(ii)    Government securities;&lt;/p&gt;
&lt;p&gt;(iia)   such other instruments as may be declared by the Central Government to be securities; and&lt;/p&gt;
&lt;p&gt;(iii)   rights or interest in securities;”&lt;/p&gt;
&lt;p&gt;It is clear from a bare reading of this definition that Bitcoin does not come within any of the parts of the definition of securities, other than possibly ‘derivative’ (which is something we shall examine in the next part of this paper). Apart from the term derivative, the only other way in which Bitcoins can be brought under the definition of ‘securities’ is if the Central Government notifies Bitcoins as such, since the Central Government has the power to declare any instrument as a ‘security’. In such a scenario Bitcoins will be subject to the entire gamut of regulations governing securities, including the various rules and regulations prescribed by the Securities and Exchange Board of India (SEBI).
Another argument is that Bitcoin may fall under the definition of a “derivative”. &lt;/p&gt;
&lt;h2&gt;Can Bitcoins be considered as Derivatives or Negotiable Instruments?&lt;/h2&gt;
&lt;p&gt;The definition of “derivative” under the SCRA is &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;(ac) “derivative” includes— 
(A) a security derived from a debt instrument, share, loan, whether secured or unsecured, risk instrument or contract for differences or any other form of security; 
(B) a contract which derives its value from the prices, or index of prices, of underlying securities;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;As discussed above, Bitcoin is not a security and therefore would not satisfy the first part of the definition of “derivative” within the SCRA. Further since Bitcoin is only a voluntary currency based on two parties deciding that the code itself has some value, therefore Bitcoin can also not be described as a contract which derives its value from the prices or index of prices of underlying securities. Therefore it is clear that Bitcoin would not satisfy the requirements of being a derivative under the SCRA. 
Under Indian law, another definition of the term derivative is provided under the Reserve Bank of India Act, 1934 which defines “derivative” in section 17(6A) to mean: &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;an instrument, to be settled at a future date, whose value is derived from change in one or a combination of more than one of the following underlyings, namely:--&lt;/p&gt;
&lt;p&gt;(a) interest rate,&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;(b) price of securities of the Central Government or a State Government or of such securities of a local authority as may be specified in this behalf by the Central Government, &lt;/p&gt;
&lt;p&gt;(c) price of foreign securities, &lt;/p&gt;
&lt;p&gt;(d) foreign exchange rate, &lt;/p&gt;
&lt;p&gt;(e) index of rates or prices, &lt;/p&gt;
&lt;p&gt;(f) credit rating or credit index, &lt;/p&gt;
&lt;p&gt;(g) price of gold or silver coins, or gold or silver bullion, or &lt;/p&gt;
&lt;p&gt;(h) any other variable of similar nature.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Since Bitcoins are used as currency because Bitcoin users think it has inherent value and not because its value is derived from any other underlying thing or object, Bitcoin cannot be said to fall under the definition of “derivative” under the Reserve Bank of India Act, 1934 either.&lt;/p&gt;
&lt;p&gt;The term negotiable instrument on the other hand is defined in the Negotiable Instruments Act, 1881, which defines a negotiable instrument as a “promissory note, bill of exchange or cheque payable either to order or to bearer”. Since the terms promissory note, bill of exchange or cheque are easily understood in trading parlance, there is no need to go into the definitions of these instruments as provided under the Negotiable Instruments Act, 1881; suffice it to say that Bitcoins do not fall under the definitions of any of these terms under the Act. &lt;/p&gt;
&lt;h2&gt;Can Bitcoin be Classified as a Prepaid Payment Instrument?&lt;/h2&gt;
&lt;p&gt;The enactment of the Payment and Settlement Systems Act, 2007 has brought the payment systems involved in the issuance of prepaid payment instruments under the regulatory jurisdiction of the RBI. In exercise of its powers under Section 18 of the Payment and Settlement Systems Act, 2007 the RBI on April 27, 2009 issued policy guidelines governing institutions issuing prepaid payment instruments such as mobile wallets, Paypal, etc. In these guidelines the term Prepaid Payment Instrument is defined in the following words:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Pre-paid payment instruments are payment instruments that facilitate purchase of goods and services against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holders by cash, by debit to a bank account, or by credit card…&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Since Prepaid Payment Instruments have a definite value stored on them which is equal to the amount paid by the holders in cash or by debit or credit card, it seems that Bitcoins cannot be classified as Prepaid Payment Instruments since there is no static value stored in Bitcoins, rather they have an inherent value. In other words the amount of money that a person pays to buy Bitcoin does not represent the value of the Bitcoins that the person is buying, rather the value (or exchange rate) of Bitcoins keeps changing on a daily basis. Therefore Bitcoins cannot be classified as prepaid payment instruments because the value stored on prepaid instruments such as Paypal is always constant and is equal to the amount of money paid to the system to get a Paypal balance, but this is not the case with Bitcoins. &lt;/p&gt;
&lt;h2&gt;What can Bitcoins be Classified As?&lt;/h2&gt;
&lt;p&gt;As discussed above, Bitcoins cannot be classified as regular financial instruments such as ‘currency’, ‘security’, ‘derivative’ or ‘negotiable instruments’ as these instruments are currently defined under Indian law. What therefore, should be the legal treatment of Bitcoins under Indian law? Bitcoins are essentially lines of code which create the system of transfer of Bitcoin currency from one account to another. The Indian Copyright Act defines the term “computer programme” as “a set of instructions expressed in words, codes, schemes or in any other form, including a machine readable medium, capable of causing a computer to perform a particular task or achieve a particular result”. Based on this definition as well as the generally understood meaning of computer programme it would be fairly safe to say that Bitcoins would fall under the definition of the term “computer programme”. Now the General Clauses Act, 1897 defines the term movable property as property of every description, except immovable property. Immovable property has been defined to include land, benefits arising out of land or things attached to the earth or permanently fastened to anything attached to the earth. Clearly a computer programme would not fit into the definition of immovable property and relying upon the broad definition of movable property in the General Clauses Act, 1897 it can be said that a computer programme and by logical extension Bitcoins should be considered as movable property. Further the Forward Contracts (Regulation) Act, 1952 also defines goods to mean “every kind of movable property other than actionable claims, money and securities”. It would seem that on a bare reading, Bitcoins would also fulfill this condition and be generally defined as goods under Indian law.&lt;/p&gt;
&lt;p&gt;Now that we have determined that Bitcoins would in all likelihood be treated as goods or movable property under the current legal regime in India, it would be beneficial to discuss what laws would regulate the various Bitcoin transactions that occur in general practice. For the purposes of this paper we shall limit our discussion to the following transactions:&lt;/p&gt;
&lt;p&gt;i) Mining of Bitcoins;&lt;br /&gt;
ii) Transfer of Bitcoins from one person to another within the territory of India;&lt;br /&gt;
iii) Exchange of Bitcoins for Indian Rupees, provided the entire transaction is based in India;&lt;br /&gt;
iv) Transfer of Bitcoins from one person to another where the person sending the Bitcoins is not resident in India;&lt;br /&gt;
v) Exchange of Bitcoins for Indian Rupees, where the exchange is based outside India.&lt;/p&gt;
&lt;h2&gt;Mining of Bitcoins&lt;/h2&gt;
&lt;p&gt;Since Bitcoins are essentially lines of code and therefore would fall within the definition of “computer programme”, the mining of Bitcoins is essentially the utilization of one’s own computing power and electricity to generate more computer programmes or an extension of an existing computer programme. Thus Bitcoin ‘mining’ would be like making your own computer programme and there is no law which prevents or prohibits a person from doing so, therefore it seems that mining Bitcoins in India would be a perfectly permissible and legal activity.&lt;/p&gt;
&lt;h2&gt;Transfer of Bitcoins from one person to another within the territory of India&lt;/h2&gt;
&lt;p&gt;Although we have determined above that Bitcoins would in all probability be treated as goods and therefore any sale of Bitcoins would be governed by the Sale of Goods Act, 1930, it must be noted that the Sale of Goods Act does not regulate barter transactions. This is so because the sale of goods means a contract whereby the property in the goods is actually transferred by the seller to the buyer and according to section 4 of the Sale of Goods Act the transfer of the property in the goods is for a price, i.e., for money consideration. As price is an essential element of a contract of sale, &lt;a href="http://www.indiankanoon.org/doc/1093168/"&gt;barter is ruled out from a transaction of sale of goods&lt;/a&gt;. This means that any transaction whereby payment is made in Bitcoins would come within the category of a barter transaction. For example, if flipkart.com starts accepting payment in Bitcoin then the transaction of paying for a pair of shoes through Bitcoin would in fact be a barter transaction and would not be governed by the Sale of Goods Act. &lt;/p&gt;
&lt;h2&gt;Exchange of Bitcoins for Indian Rupees, provided the entire transaction is based in India&lt;/h2&gt;
&lt;p&gt;In case there is an online Bitcoin exchange where one can buy or sell Bitcoins using real currency (such as Mt.Gox) based in India which deals only with Indian residents and buys or sells Bitcoins for Indian Rupees, then as per our discussion above all the transactions of this online exchange would be governed by the Sale of Goods Act and all relevant laws regarding sale of goods on an exchange platform with regard to goods such as computer programmes would be applicable to such an online exchange including the Forward Contracts (Regulation) Act, 1952.  (As noted above, Bitcoins would satisfy the definition of ‘goods’ within the Forward Contracts (Regulation) Act, 1952.) This would imply that as long as the online exchange does plain vanilla buying and selling of Bitcoins it would not be amenable to regulatory oversight but if it wants to offer Bitcoin derivatives such as Bitcoin futures then it would have to get itself registered as per the provisions of the Forward Contracts (Regulation) Act and also follow all the rules and regulations prescribed thereunder.&lt;/p&gt;
&lt;h2&gt;Transfer of Bitcoins from one person to another where the person sending the Bitcoins is not resident in India&lt;/h2&gt;
&lt;p&gt;If Bitcoins are transferred from a person residing outside India to a person resident within India then that would amount to import of computer programmes within India. If this transfer is done in return for the Indian party sending an item or rendering a service to the foreign party then this would be a barter transaction. It is useful to note that although the Indian import and customs regulations do not mention barter transactions, the guidance on the website of the Directorate General of Valuation, Central Board of Excise and Customs, Government of India seems to suggest that barter transactions for import of goods, although not prohibited, &lt;a href="http://www.dov.gov.in/newsite3/section7.asp"&gt;do present unique problems of valuation of the goods&lt;/a&gt;. However, since software imported online does not attract any duty under Indian law, it would be immaterial to discuss exactly how a barter transaction involving Bitcoins should be valued under the Indian customs regime. For the purposes of this discussion it is sufficient to note that a Bitcoin transaction entered into by an Indian with a party outside India is not prohibited as long as the item or service being exported out of India is itself legal and above board. For example, a transaction involving an Indian designing a website for a person sitting in Australia and being paid in Bitcoin would be legal whereas sending contraband substances to the same person while getting paid in Bitcoin would not be allowed. This would be the legal analysis for a general citizen but this analysis is subject to regulations governing specific instances, for example exchange of goods or items from certain countries may be declared illegal or the receipt of foreign articles by certain classes of entities may be banned or otherwise regulated, such as political parties or Non Governmental Organisations (“NGOs”).&lt;/p&gt;
&lt;h2&gt;Can an NGO based in India receive donations in Bitcoin?&lt;/h2&gt;
&lt;p&gt;This is an interesting question because it would be perfectly legal for a regular citizen to receive Bitcoins from abroad as a gift or donation, etc. However if the entity receiving such Bitcoins is an NGO then there would be the added layer of regulation from the Foreign Contributions Regulation Act, 2010 (“FCRA”) which regulates all foreign contributions received by NGOs. Section 2(1)(h) of the FCRA defines foreign contribution to include the receipt of any article from a foreign source. This means that even if an NGO based in India receives contribution from a foreign source in Bitcoins, such a transaction would fall within the regulatory ambit of the FCRA and any such transaction would have to be reported to the Ministry of Home Affairs in Form FC – 7 under Rule 17(3) of the Rules under the FCRA. &lt;/p&gt;
&lt;h2&gt;Exchange of Bitcoins for Indian Rupees, where the exchange is based outside India&lt;/h2&gt;
&lt;p&gt;If a person imports a computer programme into India he would have to pay the customs duty at the prevalent rates; however, if this import of software is done via the internet and does not involve any physical shipments (e.g. downloading paid software from the internet) then &lt;a href="http://web.ita.doc.gov/ITI/itiHome.nsf/9b2cb14bda00318585256cc40068ca69/a35aabb5287ccc6985256d070060939e"&gt;no import duty is levied on the import of computer software in India&lt;/a&gt;. This would mean that any person buying a computer programme or software from a vendor abroad would not be liable to pay any customs duty or file any documentation with the customs authorities in India. This situation would also be applicable to any person buying Bitcoins from an online exchange based outside India. The only documentation that would be required for buying Bitcoins from an online exchange abroad would be that which the bank may insist upon for exchanging Indian rupees into a foreign currency and then transferring it to an overseas account. This documentation would involve filing of Form A-1 if the total value of the money being exchanged is greater than USD 5,000; however, if the amount of money being exchanged is less than USD 5,000 then the person is only required to give a simple letter containing basic information viz. the name and the address of the applicant, name and address of the beneficiary, amount to be remitted and the purpose of remittance. If the transaction is done using a credit card then in most instances, banks would not insist upon this letter since these transactions usually go through their automated channels. &lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Although Bitcoins can currently be classified only as movable property and more specifically as computer software, this position is not tested in a Court of law. Further it appears from the analysis of the definitions of ‘currency’ and ‘prepaid payment instrument’ that the government has the power to bring Bitcoins into the definition of either currency or prepaid payment instrument by just amending the regulations, which is not a very cumbersome process since financial regulations, by their very nature, are quite fluid and prone to changes. Even so it is worth noting that even as the legal regime stands now offering of derivative products in Bitcoins might require registration and approval under the Forward Contracts Regulation Act.&lt;/p&gt;
&lt;p&gt;It is worth noting that unlike other digital currencies such as e-gold, liberty reserve, etc. Bitcoin is a peer to peer network based currency which does not have one centralized agency or institution regulating the entire system and therefore an argument is made that even if the agencies want to regulate or shut it down they will not physically be able to do so as there is no nodal institution that the authorities can go after. However this argument is fallacious to a certain extent in that the authorities can go after online exchanges which are websites or portals run by individuals or entities which have a physical manifestation. They would have names, addresses, bank accounts, etc. and the authorities could easily go after the major exchanges to cut off the supply of cash into the Bitcoin system by attacking the source where cash or ‘real currency’ enters or leaves the system thereby severely reducing the efficacy of Bitcoins.&lt;/p&gt;
&lt;p&gt;Looking at the relatively small number of people who use Paypal or other e-wallets in India, it would not be entirely unlikely that the regulations to govern Bitcoin, whenever they come, would be a reaction to a particular event and whether these regulations are enabling or disabling in nature would probably depend upon the nature of the event to which they are reacting.&lt;br /&gt;
&lt;/p&gt;
&lt;p&gt;Note: Although not referred to here because of the limited context of this paper, a similar and much more thorough examination of the legality of Bitcoins has been done by Nikolei M. Kaplanov in the article titled &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2115203"&gt;Nerdy Money: Bitcoin, the Private Digital Currency, and the Case Against Its Regulation&lt;/a&gt; in the Temple Law Review.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/bitcoin-legal-regulation-india'&gt;http://editors.cis-india.org/internet-governance/bitcoin-legal-regulation-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2017-04-07T12:56:21Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act">
    <title>Budapest Convention and the Information Technology Act</title>
    <link>http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act</link>
    <description>
        &lt;b&gt;The Convention on Cybercrime adopted in Budapest (“Convention”) is the first and one of the most important multilateral treaties addressing the issue of internet and computer crimes.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;&lt;b&gt;Introduction&lt;/b&gt;&lt;br /&gt;It was drafted by the Council of Europe along with Canada, Japan, South Africa and the United States of America.&lt;a href="#_ftn1" name="_ftnref1"&gt;[1]&lt;/a&gt; The importance of the Convention is also indicated by the fact that adherence to it (whether by outright adoption or by otherwise making domestic laws in compliance with it) is one of the conditions mentioned in the Clarifying Lawful Overseas Use of Data Act passed in the USA (CLOUD Act) whereby a process has been established to enable security agencies of India and the United States to directly access data stored in each other’s territories. Our analysis of the CLOUD Act vis-à-vis India can be found &lt;a href="https://cis-india.org/internet-governance/blog/an-analysis-of-the-cloud-act-and-implications-for-india"&gt;here&lt;/a&gt;. It is in continuation of that analysis that we have undertaken here a detailed comparison of the Information Technology Act, 2000 (“&lt;b&gt;IT Act&lt;/b&gt;”) and how it stacks up against the provisions of Chapter I and Chapter II of the Convention.&lt;a href="#_ftn2" name="_ftnref2"&gt;&lt;sup&gt;&lt;sup&gt;[2]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Before we get into a comparison of the Convention with the IT Act, we must point out the distinction between the two legal instruments, for the benefit of readers from a non legal background. An international instrument such as the Convention on Cybercrime (generally speaking) is essentially a promise made by the States which are a party to that instrument, that they will change or modify their local laws to get them in line with the requirements or principles laid out in said instrument. In case the signatory State does not make such amendments to its local laws, (usually) the citizens of that State cannot enforce any rights that they may have been granted under such an international instrument. The situation is the same with the Convention on Cybercrime, unless the signatory State amends its local laws to bring them in line with the provisions of the Convention, there cannot be any enforcement of the provisions of the Convention within that State.&lt;a href="#_ftn3" name="_ftnref3"&gt;[3]&lt;/a&gt; This however is not the case for India and the IT Act since India is not a signatory to the Convention on Cybercrime and therefore is not obligated to amend its local laws to bring them in line with the Convention.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Although India and the Council of Europe cooperated to amend the IT Act through major amendments brought about vide the Information Technology (Amendment) Act, 2008, India still has not become a signatory to the Convention on Cybercrime. The reasons for this appear to be unclear and it has been suggested that these reasons may range from the fact that India was not involved in the original drafting, to issues of sovereignty regarding the provisions for international cooperation and extradition.&lt;a href="#_ftn4" name="_ftnref4"&gt;[4]&lt;/a&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 2 – Illegal access&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Section 43&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) accesses or secures access to such computer, computer system or computer network or computer resource&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 66&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to &lt;b&gt;three &lt;/b&gt;years or with fine which may extend to five lakh rupees or with both.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Convention gives States the right to further qualify the offence of “illegal access” or “hacking” by adding elements such as infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system.&lt;a href="#_ftn5" name="_ftnref5"&gt;&lt;sup&gt;&lt;sup&gt;[5]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt; However, Indian law deals with the distinction by making the act of unauthorised access without dishonest or fraudulent intent a civil offence, where the offender is liable to pay compensation. If the same act is done with dishonest and fraudulent intent, it is treated as a criminal offence punishable with fine and imprisonment which may extend to 3 years.&lt;/p&gt;
&lt;p&gt;It must be noted that this provision was included in the Act only through the Amendment of 2008 and was not present in the Information Technology Act, 2000 in its original iteration.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 3 – Illegal Interception&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;Although the Information Technology Act, 2000 does not specifically criminalise the interception of communications by a private person, it is possible that under the provisions of Rule 43(a) the act of accessing a “computer network” could be interpreted as including unauthorised interception within its ambit.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The other way in which illegal interception may be considered to be illegal is through a combined reading of Sections 69 (Interception) and 45 (Residuary Penalty) with Rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which prohibits interception, monitoring and decryption of information under section 69(2) of the IT Act except in a manner as provided by the Rules. However, it must be noted that section 69(2) only talks about interception by the government and Rule 3 only provides for procedural safeguards for such an interception. It could therefore be argued that the prohibition under Rule 3 is only applicable to the government and not to private individuals since section 62, the provision under which Rule 3 has been issued, itself is not applicable to private individuals.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 4 – Data interference&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.&lt;/p&gt;
&lt;p&gt;2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Section 43&lt;/p&gt;
&lt;p&gt;If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -&lt;/p&gt;
&lt;p&gt;(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;&lt;/p&gt;
&lt;p&gt;(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;&lt;/p&gt;
&lt;p&gt;(j) Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,&lt;/p&gt;
&lt;p&gt;he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected. (change vide ITAA 2008)&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 66&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to &lt;b&gt;three &lt;/b&gt;years or with fine which may extend to five lakh rupees or with both.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Damage, deletion, diminishing in value and alteration of data is considered a crime as per Section 66 read with section 43 of the IT Act if done with fraudulent or dishonest intention. &lt;b&gt;While the Convention only requires such acts to be crimes if committed intentionally, the Information Technology Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It must be noted that the optional requirement of such an act causing serious harm has not been adopted by Indian law, i.e. the act of such damage, deletion, etc. by itself is enough to constitute the offence, and there is no requirement of such an act causing serious harm.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As per the Explanatory Report to the Convention on Cybercrime, “&lt;b&gt;Suppressing&lt;/b&gt; of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored.” Strictly speaking the act of suppression of data in another system is not covered by the language of section 43, but looking at the tenor of the section it is likely that if a court is faced with a situation of intentional/malicious denial of access to data, the court could expand the scope of the term “damage” as contained in sub-section (d) to include such malicious acts.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 5 – System interference&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, &lt;b&gt;when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data&lt;/b&gt;.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p style="text-align: justify; "&gt;Section 43&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network -&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(e) disrupts or causes disruption of any computer, computer system or computer network;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Explanation &lt;/b&gt;- for the purposes of this section -&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) "Computer Contaminant" means any set of computer instructions that are designed -&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) by any means to usurp the normal operation of the computer, computer system, or computer network;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt; &lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 66&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to &lt;b&gt;three &lt;/b&gt;years or with fine which may extend to five lakh rupees or with both.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The offence of causing hindrance to the functioning of a computer system with fraudulent or dishonest intention is an offence under the IT Act. &lt;b&gt;While the Convention only requires such acts to be crimes if committed intentionally, the IT Act requires that such intention be either dishonest or fraudulent; only then will such an act be a criminal offence, otherwise it will only incur civil consequences requiring the perpetrator to pay damages by way of compensation.&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The IT Act does not require such disruption to be caused in any particular manner as is required under the Convention, although the acts of introducing computer viruses as well as damaging or deleting data themselves have been classified as offences under the IT Act.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 6 – Misuse of devices&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;a the production, sale, procurement for use, import, distribution or otherwise making available of:&lt;/p&gt;
&lt;p&gt;i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and&lt;/p&gt;
&lt;p&gt;b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing offences against the confidentiality, the integrity and availability of computer systems or data. While the IT Act does not by itself makes the production, sale, procurement for use, import, distribution of devices designed to be adopted for such purposes, sub-section (g) of section 43 along with section 120A of the Indian Penal Code, 1860 which deals with “conspiracy” could perhaps be used to bring such acts within the scope of the penal statutes.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 7 – Computer related forgery&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The acts of deletion, alteration and suppression of data by itself is a crime as discussed above, there is no specific offence for doing such acts for the purpose of forgery. However this does not mean that the crime of online forgery is not punishable in India at all, such crimes would be dealt with under the relevant provisions of the Indian Penal Code, 1860 (Chapter 18) read with section 4 of the IT Act.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 8 – Computer-related fraud&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:&lt;/p&gt;
&lt;p&gt;a any input, alteration, deletion or suppression of computer data,&lt;/p&gt;
&lt;p&gt;b any interference with the functioning of a computer system,&lt;/p&gt;
&lt;p&gt;with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;Just as in the case of forgery, there is no specific provision in the IT Act whereby online fraud would be considered as a crime, however specific acts such as charging services availed of by one person to another (section 43(h), identity theft (section 66C), cheating by impersonation (section 66D) have been listed as criminal offences. Further, as with forgery, fraudulent acts to procure economic benefits would also get covered by the provisions of the Indian Penal Code that deal with cheating.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 9 – Offences related to child pornography&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:&lt;/p&gt;
&lt;p&gt;a producing child pornography &lt;b&gt;for the purpose of its distribution &lt;/b&gt;through a computer system;&lt;/p&gt;
&lt;p&gt;b offering or making available child pornography through a computer system;&lt;/p&gt;
&lt;p&gt;c distributing or transmitting child pornography through a computer system;&lt;/p&gt;
&lt;p&gt;d procuring child pornography through a computer system for oneself or for another person;&lt;/p&gt;
&lt;p&gt;e possessing child pornography in a computer system or on a computer-data storage medium.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:&lt;/p&gt;
&lt;p&gt;a a minor engaged in sexually explicit conduct;&lt;/p&gt;
&lt;p&gt;b a person appearing to be a minor engaged in sexually explicit conduct;&lt;/p&gt;
&lt;p&gt;c realistic images representing a minor engaged in sexually explicit conduct.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;3 For the purpose of paragraph 2 above, the term "minor" shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;4 Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, subparagraphs d and e, and 2, sub-paragraphs b and c.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;67 B Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form. &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Whoever,-&lt;/p&gt;
&lt;p&gt;(a) publishes or transmits or causes to be published or transmitted material in any electronic form which depicts children engaged in sexually explicit act or conduct or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes, exchanges or distributes material in any electronic form depicting children in obscene or indecent or sexually explicit manner or&lt;/p&gt;
&lt;p&gt;(c) cultivates, entices or induces children to online relationship with one or more children for and on sexually explicit act or in a manner that may offend a reasonable adult on the computer resource or&lt;/p&gt;
&lt;p&gt;(d) facilitates abusing children online or&lt;/p&gt;
&lt;p&gt;(e) records in any electronic form own abuse or that of others pertaining to sexually explicit act with children,&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with a fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(i) The publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or&lt;/p&gt;
&lt;p&gt;(ii) which is kept or used for bonafide heritage or religious purposes&lt;/p&gt;
&lt;p&gt;Explanation: For the purposes of this section, "children" means a person who has not completed the age of 18 years.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The publishing, transmission, creation, collection, seeking, browsing, etc. of child pornography is an offence under Indian law punishable with imprisonment for upto 5 years for a first offence and upto 7 years for a subsequent offence, along with fine.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It is important to note that bona fide depictions for the public good, such as for publication in pamphlets, reading or educational material are specifically excluded from the rigours of the section, Similarly material kept for heritage or religious purposes is also exempted under this section. Such exceptions are in line with the intent of the Convention, since the Explanatory statement itself states that “The term "pornographic material" in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 10 – Offences related to infringements of copyright and related rights&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as define under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;81 Act to have Overriding effect &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The use of the term "pursuant to the obligations it has undertaken" in both paragraphs makes it clear that a Contracting Party to the Convention is not bound to apply agreements cited (TRIPS, WIPO, etc.) to which it is not a Party; moreover, if a Party has made a reservation or declaration permitted under one of the agreements, that reservation may limit the extent of its obligation under the present Convention.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The IT Act does not try to intervene in the existing copyright regime of India and creates a special exemption for the Copyright Act and the Patents Act in the clause which provides this Act overriding effect. India’s obligations under the various treaties and conventions on intellectual property rights are enshrined in these legislations.&lt;a href="#_ftn6" name="_ftnref6"&gt;&lt;sup&gt;&lt;sup&gt;[6]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 11 – Attempt and aiding or abetting&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, aiding or abetting the commission of any of the offences established in accordance with Articles 2 through 10 of the present Convention with intent that such offence be committed.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, an attempt to commit any of the offences established in accordance with Articles 3 through 5, 7, 8, and 9.1.a and c of this Convention.&lt;/p&gt;
&lt;p&gt;3 Each Party may reserve the right not to apply, in whole or in part, paragraph 2 of this article.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;84 B Punishment for abetment of offences &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Explanation: An Act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;b&gt;84 C Punishment for attempt to commit offences &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence or with both.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;As can be seen, both attempts to commit and abetment of criminal offences under the IT Act have also been criminalised.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 12 – Corporate liability&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for a criminal offence established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on:&lt;/p&gt;
&lt;p&gt;a a power of representation of the legal person;&lt;/p&gt;
&lt;p&gt;b an authority to take decisions on behalf of the legal person;&lt;/p&gt;
&lt;p&gt;c an authority to exercise control within the legal person.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 In addition to the cases already provided for in paragraph 1 of this article, each Party shall take the measures necessary to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of a criminal offence established in accordance with this Convention for the benefit of that legal person by a natural person acting under its authority.&lt;/p&gt;
&lt;p&gt;3 Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative.&lt;/p&gt;
&lt;p&gt;4 Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;85 Offences by Companies. &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Provided &lt;/b&gt;that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Explanation&lt;/b&gt;-&lt;/p&gt;
&lt;p&gt;For the purposes of this section&lt;/p&gt;
&lt;p&gt;(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and&lt;/p&gt;
&lt;p&gt;(ii) "Director", in relation to a firm, means a partner in the firm.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The liability of a company or other body corporate has been laid out in the IT Act in a manner similar to the Budapest Convention. While, the test to determine the relationship between the legal entity and the natural person who has committed the act on behalf of the legal entity is a little more detailed&lt;a href="#_ftn7" name="_ftnref7"&gt;[7]&lt;/a&gt; in the Convention, the substance of the test is laid out in the IT Act as “a person who is in charge of, and was responsible to, the company”.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 14&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;a the criminal offences established in accordance with Articles 2 through 11 of this Convention;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;b other criminal offences committed by means of a computer system; and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;c the collection of evidence in electronic form of a criminal offence.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;3 a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;i is being operated for the benefit of a closed group of users, and&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;ii does not employ public communications networks and is not connected with another computer system, whether public or private, that Party may reserve the right not to apply these measures to such communications.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;This is a provision of a general nature that need not have any equivalence in domestic law. The provision clarifies that all the powers and procedures provided for in this section (Articles 14 to 21) are for the purpose of “specific criminal investigations or proceedings”.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 15 – Conditions and safeguards&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, &lt;i&gt;inter alia&lt;/i&gt;, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;NA&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;This again is a provision of a general nature which need not have a corresponding clause in the domestic law. India is a signatory to a number of international human rights conventions and treaties, it has acceded to the International Covenant on Civil and Political Rights (ICCPR), 1966, International Covenant on Economic, Social and Cultural Rights (ICESCR), 1966, ratified the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD), 1965, with certain reservations, signed the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW), 1979 with certain reservations, Convention on the Rights of the Child (CRC), 1989 and signed the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (CAT), 1984. Further the right to life guaranteed under Article 21 of the Constitution takes within its fold a number of human rights such as the right to privacy. Freedom of expression, right to fair trial, freedom of assembly, right against arbitrary arrest and detention are all fundamental rights guaranteed under the Constitution of India, 1950.&lt;a href="#_ftn8" name="_ftnref8"&gt;&lt;sup&gt;&lt;sup&gt;[8]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In addition, India has enacted the Protection of Human Rights Act, 1993 for the constitution of a National Human Rights Commission, State Human Rights Commission in States and Human Rights Courts for better protection of “human rights” and for matters connected therewith or incidental thereto. Thus, there does exist a statutory mechanism for the enforcement of human rights&lt;a href="#_ftn9" name="_ftnref9"&gt;&lt;sup&gt;&lt;sup&gt;[9]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt; under Indian law. It must be noted that the definition of human rights also incorporates rights embodied in International Covenants and are enforceable by Courts in India.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 16 – Expedited preservation of stored computer data&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.&lt;/p&gt;
&lt;p&gt;2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.&lt;/p&gt;
&lt;p&gt;3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.&lt;/p&gt;
&lt;p&gt;4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Article 17 – Expedited preservation and partial disclosure of traffic data&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:&lt;/p&gt;
&lt;p&gt;a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and&lt;/p&gt;
&lt;p&gt;b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.&lt;/p&gt;
&lt;p&gt;2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;29 Access to computers and data. &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (Amended vide ITAA 2008)&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;(2) For the purposes of sub-section (1), the Controller or any person authorized by him may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;b&gt;67 C&lt;/b&gt; &lt;b&gt;Preservation and Retention of information by intermediaries &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;b&gt;Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;3(7) - When required by lawful order, the intermediary shall provide information &lt;b&gt;or any such assistance&lt;/b&gt; to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;It must be noted that Article 16 and Article 17 refer only to data preservation and not data retention. “Data preservation” means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to change or deteriorate. Data retention means to keep data, which is currently being generated, in one’s possession into the future.&lt;a href="#_ftn10" name="_ftnref10"&gt;&lt;sup&gt;&lt;sup&gt;[10]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt; In short, the article provides only for preservation of existing stored data, pending subsequent disclosure of the data, in relation to specific criminal investigations or proceedings.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Convention uses the term "order or similarly obtain", which is intended to allow the use of other legal methods of achieving preservation than merely by means of a judicial or administrative order or directive (e.g. from police or prosecutor). In some States, preservation orders do not exist in the procedural law, and data can only be preserved and obtained through search and seizure or production order. Flexibility was therefore intended by the use of the phrase "or otherwise obtain" to permit the implementation of this article by the use of these means.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While Indian law does not have a specific provision for issuing an order for preservation of data, the provisions of section 29 as well as sections 99 to 101 of the Code of Criminal Procedure, 1973 may be utilized to achieve the result intended by Articles 16 and 17. Although section 67C of the IT Act uses the term “preserve and retain such information”, this provision is intended primarily for the purpose of data retention and not data preservation.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another provision which may conceivably be used for issuing preservation orders is Rule 3(7) of the Information Technology (Intermediary Guidelines) Rules, 2011 which requires intermediaries to provide “any such assistance” to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. However, in the absence of a power of preservation in the main statute (IT Act) it remains to be seen whether such an order would be enforced if challenged in a court of law.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 18 – Production order&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:&lt;/p&gt;
&lt;p&gt;a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and&lt;/p&gt;
&lt;p&gt;b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.&lt;/p&gt;
&lt;p&gt;2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;p&gt;3 For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:&lt;/p&gt;
&lt;p&gt;a the type of communication service used, the technical provisions taken thereto and the period of service;&lt;/p&gt;
&lt;p&gt;b the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;&lt;/p&gt;
&lt;p&gt;c any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Section 28(2)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;(2) The Controller or any officer authorized by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-Tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Section 58(2)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;(2) The Cyber Appellate Tribunal shall have, for the purposes of discharging their functions under this Act, the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, while trying a suit, in respect of the following matters, namely -&lt;/p&gt;
&lt;p&gt;(b) requiring the discovery and production of documents or other electronic records;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;While the Cyber Appellate Tribunal and the Controller of Certifying Authorities both have the power to call for information under the IT Act, these powers can be exercised only for limited purposes since the jurisdiction of both authorities is limited to the procedural provisions of the IT Act and they do not have the jurisdiction to investigate penal provisions. In practice, the penal provisions of the IT Act are investigated by the regular law enforcement apparatus of India, which uses statutory provisions for production orders applicable in the offline world to computer systems as well. It is a very common practice amongst law enforcement authorities to issue orders under the Code of Criminal Procedure, 1973 (section 91) or the relevant provisions of the Income Tax Act, 1961 to compel production of information contained in a computer system. The power to order production of a “document or other thing” under section 91 of the Criminal Procedure Code is wide enough to cover all types of information which may be residing in a computer system and can even include the entire computer system itself.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 19 – Search and seizure of stored computer data&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:&lt;/p&gt;
&lt;p&gt;a a computer system or part of it and computer data stored therein; and&lt;/p&gt;
&lt;p&gt;b a computer-data storage medium in which computer data may be stored in its territory.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.&lt;/p&gt;
&lt;p&gt;3 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:&lt;/p&gt;
&lt;p&gt;a seize or similarly secure a computer system or part of it or a computer-data storage medium;&lt;/p&gt;
&lt;p&gt;b make and retain a copy of those computer data;&lt;/p&gt;
&lt;p&gt;c maintain the integrity of the relevant stored computer data;&lt;/p&gt;
&lt;p&gt;d render inaccessible or remove those computer data in the accessed computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;4 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.&lt;/p&gt;
&lt;p&gt;5 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;76 Confiscation &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, in respect of which any provision of this Act, rules, orders or regulations made thereunder has been or is being contravened, shall be liable to confiscation:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Provided &lt;/b&gt;that where it is established to the satisfaction of the court adjudicating the confiscation that the person in whose possession, power or control of any such computer, computer system, floppies, compact disks, tape drives or any other accessories relating thereto is found is not responsible for the contravention of the provisions of this Act, rules, orders or regulations made there under, the court may, instead of making an order for confiscation of such computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto, make such other order authorized by this Act against the person contravening of the provisions of this Act, rules, orders or regulations made there under as it may think fit.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;While Article 19 provides for the power to search and seize computer systems for the investigation into criminal offences of any type or kind, section 76 of the IT Act is limited only to contraventions of the provisions of the Act, rules, orders or regulations made thereunder. However, this does not mean that Indian law enforcement authorities do not have the power to search and seize a computer system for crimes other than those contained in the IT Act; just as in the case of Article 18, the authorities in India are free to use the provisions contained in the Criminal Procedure Code and other sectoral legislations which allow for seizure of property to seize computer systems when investigating criminal offences.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 20 – Real-time collection of traffic data&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:&lt;/p&gt;
&lt;p&gt;a collect or record through the application of technical means on the territory of that Party, and&lt;/p&gt;
&lt;p&gt;b compel a service provider, within its existing technical capability:&lt;/p&gt;
&lt;p&gt;i to collect or record through the application of technical means on the territory of that Party; or&lt;/p&gt;
&lt;p&gt;ii to co-operate and assist the competent authorities in the collection or recording of,&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.&lt;/p&gt;
&lt;p&gt;2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.&lt;/p&gt;
&lt;p&gt;3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.&lt;/p&gt;
&lt;p&gt;4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;69B Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.&lt;/p&gt;
&lt;p&gt;(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information.&lt;/p&gt;
&lt;p&gt;(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.&lt;/p&gt;
&lt;p&gt;(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.&lt;/p&gt;
&lt;p&gt;Explanation: For the purposes of this section, (i) "Computer Contaminant" shall have the meaning assigned to it in section 43.&lt;/p&gt;
&lt;p&gt;(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;Section 69B in the IT Act enables the government to authorise the monitoring and collection of traffic data through any computer system. Under the Convention, orders for collection and recording of traffic data can be given for the purposes mentioned in Articles 14 and 15. On the other hand, as per the Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, an order for monitoring may be issued for any of the following purposes relating to cyber security:&lt;/p&gt;
&lt;p&gt;(a) forecasting of imminent cyber incidents;&lt;/p&gt;
&lt;p&gt;(b) monitoring network application with traffic data or information on computer resource;&lt;/p&gt;
&lt;p&gt;(c) identification and determination of viruses or computer contaminant;&lt;/p&gt;
&lt;p&gt;(d) tracking cyber security breaches or cyber security incidents;&lt;/p&gt;
&lt;p&gt;(e) tracking computer resource breaching cyber security or spreading virus or computer contaminants;&lt;/p&gt;
&lt;p&gt;(f) identifying or tracking of any person who has breached, or is suspected of having breached or being likely to breach cyber security;&lt;/p&gt;
&lt;p&gt;(g) undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;&lt;/p&gt;
&lt;p&gt;(h) accessing a stored information for enforcement of any provisions of the laws relating to cyber security for the time being in force;&lt;/p&gt;
&lt;p&gt;(i) any other matter relating to cyber security.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As can be seen from the above, the reasons for which an order for monitoring traffic data can be issued are extremely wide; this is in stark contrast to the reasons for which an order for interception of content data may be issued under section 69. The Rules also provide that the intermediary shall not disclose the existence of a monitoring order to any third party and shall take all steps necessary to ensure extreme secrecy in the matter of monitoring of traffic data.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 21 – Interception of content data&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:&lt;/p&gt;
&lt;p&gt;a collect or record through the application of technical means on the territory of that Party, and&lt;/p&gt;
&lt;p&gt;b compel a service provider, within its existing technical capability:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;i to collect or record through the application of technical means on the territory of that Party, or&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;ii to co-operate and assist the competent authorities in the collection or recording of,&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;content data, in real-time, of specified communications in its territory transmitted by means of a computer system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;2 Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.&lt;/p&gt;
&lt;p&gt;3 Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;69 Powers to issue directions for interception or monitoring or decryption of any information through any computer resource &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if is satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed&lt;/p&gt;
&lt;p&gt;(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(a) provide access to &lt;b&gt;or secure access to &lt;/b&gt;the computer resource containing such information; generating, transmitting, receiving or storing such information; or&lt;/p&gt;
&lt;p&gt;(b) intercept or monitor or decrypt the information, as the case may be&lt;b&gt;; &lt;/b&gt;or&lt;/p&gt;
&lt;p&gt;(c) provide information stored in computer resource.&lt;/p&gt;
&lt;p&gt;(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;There has been a lot of academic research and debate around the exercise of powers under section 69 of the IT Act, but the current piece is not the place for a standalone critique of section 69.&lt;a href="#_ftn11" name="_ftnref11"&gt;[11]&lt;/a&gt; The analysis here is limited to a comparison of the provisions of Article 20 vis-à-vis section 69 of the IT Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In that background, it needs to be pointed out that two important issues mentioned in Article 20 of the Convention are not specifically mentioned in section 69B, viz. (i) that the order should be only for specific computer data, and (ii) that the intermediary should keep such an order confidential; these requirements are covered by Rules 9 and 20 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, respectively.&lt;/p&gt;
&lt;table&gt;
&lt;tbody&gt;
&lt;tr style="text-align: justify; "&gt;
&lt;td&gt;
&lt;p&gt;Convention on Cybercrime&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;Information Technology Act, 2000&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;Article 22 – Jurisdiction&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:&lt;/p&gt;
&lt;p&gt;a in its territory; or&lt;/p&gt;
&lt;p&gt;b on board a ship flying the flag of that Party; or&lt;/p&gt;
&lt;p&gt;c on board an aircraft registered under the laws of that Party; or&lt;/p&gt;
&lt;p&gt;d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.&lt;/p&gt;
&lt;p&gt;2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.&lt;/p&gt;
&lt;p&gt;3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.&lt;/p&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;p&gt;&lt;b&gt;1. Short Title, Extent, Commencement and Application &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) It shall extend to the whole of India and, save as otherwise provided in this Act, it applies also to any offence or contravention hereunder committed outside India by any person.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;75 Act to apply for offence or contraventions committed outside India &lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(1) Subject to the provisions of sub-section (2), the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;(2) For the purposes of sub-section (1), this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.&lt;/p&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The Convention provides for extra territorial jurisdiction only for crimes committed outside the State by nationals of that State. However, the IT Act applies even to offences under the Act committed by foreign nationals outside India, as long as the act involves a computer system or computer network located in India.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unlike para 3 of Article 22 of the Convention, the IT Act does not touch upon the issue of extradition. Cases involving extradition would therefore be dealt with by the general law of the land in respect of extradition requests contained in the Extradition Act, 1962. The Convention requires that in cases where the state refuses to extradite an alleged offender, it should establish jurisdiction over the offences referred to in Article 21(1) so that it can proceed against that offender itself. In this regard, it must be pointed out that Section 34A of the Extradition Act, 1962 provides that “Where the Central Government is of the opinion that a fugitive criminal cannot be surrendered or returned pursuant to a request for extradition from a foreign State, it may, as it thinks fit, take steps to prosecute such fugitive criminal in India.” Thus the Extradition Act gives the Indian government the power to prosecute an individual in the event that such individual cannot be extradited.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;International Cooperation&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Chapter III of the Convention deals specifically with international cooperation between the signatory parties. Such co-operation is to be carried out both "in accordance with the provisions of this Chapter" and "through application of relevant international agreements on international cooperation in criminal matters, arrangements agreed to on the basis of uniform or reciprocal legislation, and domestic laws." The latter clause establishes the general principle that the provisions of Chapter III do not supersede the provisions of international agreements on mutual legal assistance and extradition or the relevant provisions of domestic law pertaining to international co-operation.&lt;a href="#_ftn12" name="_ftnref12"&gt;&lt;sup&gt;&lt;sup&gt;[12]&lt;/sup&gt;&lt;/sup&gt;&lt;/a&gt; Although the Convention grants primacy to mutual treaties and agreements between member States, in certain specific circumstances it also provides for an alternative if such treaties do not exist between the member states (Article 27 and 28). The Convention also provides for international cooperation on certain issues which may not have been specifically provided for in mutual assistance treaties entered into between the parties and need to be spelt out due to the unique challenges posed by cyber crimes, such as expedited preservation of stored computer data (Article 29) and expedited disclosure of preserved traffic data (Article 30). Contentious issues such as access to stored computer data, real time collection of traffic data and interception of content data have been specifically left by the Convention to be dealt with as per existing international instruments or arrangements between the parties.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The broad language and wide terminology used in the IT Act seem to cover a number of the cyber crimes mentioned in the Budapest Convention, even though India has not signed and ratified the same. Penal provisions such as illegal access (Article 2), data interference (Article 4), system interference (Article 5), offence related to child pornography (Article 9), attempt and aiding or abetting (Article 11), corporate liability (Article 12) are substantially covered and reflected in the IT Act in a manner very similar to the requirements of the Convention. Similarly, procedural provisions such as search and seizure of stored computer data (Article 19), real-time collection of traffic data (Article 20), interception of content data (Article 21) and Jurisdiction (Article 22) are also substantially reflected in the IT Act.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, certain penal provisions mentioned in the Convention such as computer related forgery (Article 7), computer related fraud (Article 8) are not provided for specifically in the IT Act but such offences are covered when provisions of the Indian Penal Code, 1860 are read in conjunction with provisions of the IT Act. Similarly, procedural provisions such as expedited preservation of stored computer data (Article 16) and production order (Article 18) are not specifically provided for in the IT Act but are covered under Indian law through the provisions of the Code of Criminal Procedure, 1973.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Apart from the above two categories there are certain provisions such as misuse of devices (Article 6) and Illegal interception (Article 3) which may not be specifically covered at all under Indian law, but may conceivably be said to be covered through an expansive reading of provisions of the Indian Penal Code and the IT Act. It may therefore be said that even though India has not signed or ratified the Budapest Convention, the legal regime in India is substantially in compliance with the provisions and requirements contained therein.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Thus, the Convention on Cybercrime is perhaps the most important international multi-state instrument that may be used to combat cybercrime, not merely because the provisions thereunder may be used as a model to bolster national/local laws by any State, be it a signatory or not (as in the case of India), but also because of the mechanism it lays down for international cooperation in the field of cyber terrorism. In an increasingly interconnected world where more and more information of individuals is finding its way to the cloud or other networked infrastructure, the international community is making great efforts to generate norms for increased international cooperation to combat cybercrime and cyber terrorism. While the Convention is one such multilateral effort, States are also proposing to use bilateral treaties to enable them to better fight cybercrime, the United States CLOUD Act being one such effort. In the backdrop of these novel efforts, the role to be played by older instruments such as the Convention on Cybercrime as well as by important States such as India is extremely crucial.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;a href="#_ftnref1" name="_ftn1"&gt;[1]&lt;/a&gt; Explanatory Report to the Convention on Cybercrime, Para 304, https://rm.coe.int/16800cce5b.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref2" name="_ftn2"&gt;[2]&lt;/a&gt; The analysis here has been limited to only Chapter I and Chapter II of the Convention, as it is only adherence to these two chapters that is required under the CLOUD Act.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref3" name="_ftn3"&gt;[3]&lt;/a&gt; The only possible enforcement that may be done with regard to the Convention on Cybercrime is that the Council of Europe may put pressure on the signatory State to amend its local laws (if it is refusing to do so) otherwise it would be in violation of its obligations as a member of the European Union.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref4" name="_ftn4"&gt;[4]&lt;/a&gt; Alexander Seger, “India and the Budapest Convention: Why Not?”, &lt;a href="https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/"&gt;https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref5" name="_ftn5"&gt;[5]&lt;/a&gt; Explanatory Report to the Convention on Cybercrime, Para 50, https://rm.coe.int/16800cce5b.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref6" name="_ftn6"&gt;[6]&lt;/a&gt; India is a party to the Berne Convention on Literary and Artistic Works, the Agreement on Trade Related Intellectual Property Rights and the Rome Convention. India has also recently (July 4, 2018) announced that it will accede to the WIPO Copyright Treaty as well as the WIPO Performances and Phonographs Treaty.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref7" name="_ftn7"&gt;[7]&lt;/a&gt; The test under the Convention is that the relevant person would be the one who has a leading position within the company, based on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;a power of representation of the legal person;&lt;/li&gt;
&lt;li&gt;an authority to take decisions on behalf of the legal person;&lt;/li&gt;
&lt;li&gt;an authority to exercise control within the legal person.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="#_ftnref8" name="_ftn8"&gt;[8]&lt;/a&gt; Vipul Kharbanda and Elonnai Hickock, “MLATs and the proposed Amendments to the US Electronic Communications Privacy Act”, &lt;a href="https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act"&gt;https://cis-india.org/internet-governance/blog/mlats-and-the-proposed-amendments-to-the-us-electronic-communications-privacy-act&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref9" name="_ftn9"&gt;[9]&lt;/a&gt; The term “human rights” has been defined in the Act as “rights relating to life, liberty, equality and dignity of the individual guaranteed by the Constitution or embodied in the International Covenants and enforceable by courts in India”.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref10" name="_ftn10"&gt;[10]&lt;/a&gt; Explanatory Report to the Convention on Cybercrime, Para 151, &lt;a href="https://rm.coe.int/16800cce5b"&gt;https://rm.coe.int/16800cce5b&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref11" name="_ftn11"&gt;[11]&lt;/a&gt; A similar power of interception is available under section 5 of the Telegraph Act, 1885, but that extends only to interception of telegraphic communication and does not extend to communications exchanged through computer networks.&lt;/p&gt;
&lt;p&gt;&lt;a href="#_ftnref12" name="_ftn12"&gt;[12]&lt;/a&gt; Explanatory Report to the Convention on Cybercrime, Para 244, &lt;a href="https://rm.coe.int/16800cce5b"&gt;https://rm.coe.int/16800cce5b&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act'&gt;http://editors.cis-india.org/internet-governance/blog/budapest-convention-and-the-information-technology-act&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2018-11-20T16:18:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age">
    <title>Are Indian Consumer Laws Ready for the Digital Age?</title>
    <link>http://editors.cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age</link>
    <description>
        &lt;b&gt;The Economic and Social Council of the United Nations, recognizing the need for protection of the rights of consumers, drafted a set of model guidelines on consumer protection which were adopted by the General Assembly in 1985. The United Nations Guidelines for Consumer Protection (UNGCP) act as an international reference point of the consumer movement, however since it has been over a quarter of a century since they were first drafted, there is a strong argument for revising them to bring them in line with new developments in technology and business practices.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;It is for this reason that the &lt;a class="external-link" href="http://unctad.org/en/Pages/Home.aspx"&gt;United Nations Conference on Trade and Development&lt;/a&gt; has undertaken a revision of the UNGCP. &lt;a class="external-link" href="http://www.consumersinternational.org/"&gt;Consumers International&lt;/a&gt;, an international consumer rights organization, has along with CIS and other groups been trying to represent the voice of consumers at the negotiations for this revision. As part of this effort, Consumers International has produced a book titled "&lt;a class="external-link" href="http://www.consumersinternational.org/news-and-media/resource-zone/jeremy_digital_ungcp#.UgM5UaxWygg"&gt;Updating the UN Guidelines for Consumer Protection for Consumers in the Digital Age&lt;/a&gt;". This blog post distils the essence of some of the arguments and issues addressed in that book.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In December 2012 there was a news report that pegged the market for online commerce in India at roughly USD 14 billion,&lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt; which is why some of the poster children of online retail in India are getting stratospheric valuations even though they are yet to show any major profits. A case in point: &lt;a class="external-link" href="http://www.flipkart.com/"&gt;Flipkart&lt;/a&gt; had a valuation of around USD 800 million&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt; in 2012 and is looking for an IPO in around three to four years. Such huge numbers give a sneak peek into the size and scope of the Indian e-commerce marketplace, which raises the question: if there are so many transactions occurring in the online marketplace, and since a large number of those transactions are between retailers and domestic consumers, are there any specific laws out there protecting the interests of consumers in the online world?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Apart from the &lt;a class="external-link" href="http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf"&gt;Information Technology Act, 2000&lt;/a&gt; and various&lt;a class="external-link" href="http://www.rbi.org.in/scripts/bs_circularindexdisplay.aspx"&gt; circulars by the Reserve Bank of India&lt;/a&gt; regarding online banking and money transfer activities which are more generic in nature trying to secure the online space as a whole, there are no specific laws that seek to protect consumers in the online space. However, that does not necessarily mean that the consumers are left without any recourse and in this post we shall examine whether it is possible to use the &lt;a class="external-link" href="http://www.ncdrc.nic.in/1_1.html"&gt;Consumer Protection Act, 1986&lt;/a&gt; to protect consumer rights in the online environment as well.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Consumer Protection Act, 1986 (“&lt;b&gt;COPRA&lt;/b&gt;”) was enacted with the purpose of empowering consumers to take on the might of large corporations and preventing unscrupulous businessmen from taking undue advantage of the weak position in which consumers are inherently placed under the archaic Indian judicial system. It set up special tribunals, simpler procedures and enacted special provisions to help consumers get a better bargaining position vis-à-vis manufacturers and retailers, etc. However, since this law was enacted more than a quarter of a century ago, it is not entirely geared towards protecting consumer rights in the digital era. That does not mean it is entirely toothless in the online environment, although it certainly needs some major provisions to come to grips with the special circumstances and practices of the online marketplace, as the rest of the discussion will demonstrate.&lt;/p&gt;
&lt;p&gt;For any transaction to come under the purview of COPRA, it should have the following three essential requirements:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;There should be a ‘good’ or ‘service’ sold or provided to a consumer;&lt;/li&gt;
&lt;li&gt;Such good or service must be ‘sold’ i.e. there must be a ‘sale’;&lt;/li&gt;
&lt;li&gt;There should be a ‘defect’ in the good or ‘deficiency’ in the service;&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;We will now examine different types of e-commerce transactions and discuss whether they fulfill the requirements given above and therefore are amenable to the jurisdiction of COPRA.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;There should be a ‘good’ or ‘service’&lt;/b&gt;&lt;br /&gt;This issue is not very complicated so far as digital purchases of physical items are concerned. Since a book or a mobile phone is considered as a ‘good’, it will always be considered as a ‘good’ irrespective of whether it has been bought from a physical shop or an online retailer. However, the question does take on an air of some complexity when dealing with digital items such as mp3 files and software programmes. The &lt;a class="external-link" href="http://trivandrum.gov.in/~trivandrum/images/pdfs/generalclausesact.pdf"&gt;General Clauses Act, 1897&lt;/a&gt; states that all property which is not immovable property is considered as movable property. Since immovable property is defined as land and things attached to the land, it is pretty clear that ‘computer software’ would in all likelihood be considered as movable property. Whether such movable property can be considered as a ‘good’ or not is a question which is yet to be tested in the courts of law in India; however, it must be mentioned that in the context of the Sales Tax Act, the Supreme Court of India has held canned software to be a ‘good’. For determining whether a property is a ‘good’ or not, the Supreme Court in that case laid down the following test:&lt;/p&gt;
&lt;p class="callout" style="text-align: justify; "&gt;“A 'goods' may be a tangible property or an intangible one. It would become goods provided it has the attributes thereof having regard to (a) its utility; (b) capable of being bought and sold; and (c) capable of transmitted, transferred, delivered, stored and possessed. &lt;span&gt;If a software whether customized or non-customized satisfies these attributes, the same would be goods.&lt;/span&gt;”&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It must be emphasized again that the Supreme Court’s ruling was given in the context of the Sales Tax Act and it may not be accepted by a court deciding a case on COPRA. This is one issue which could and should be addressed under Indian laws to ensure that the large numbers of Indian consumers who buy items in the online marketplace are not left in a lurch and without the protection of the COPRA.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;There must be a “Sale” of the good or service&lt;br /&gt;&lt;/b&gt;Just as with the previous issue, this question can be simple when asked in relation to sale of physical goods using the internet but may not be so when talking about digital goods. When a physical item is purchased using the internet, a sale may be said to have occurred when the ownership of the good passes from the seller (online retailer) to the buyer (consumer) and the payment and delivery are complete. However, the question whether sale of software (here we are using this generic term for all sorts of computer programmes and data because the reasoning and legal analysis can be applied to both types of data) in an online environment would actually constitute a ‘sale’ requires a little more analysis. A huge problem in labeling online software purchases as a ‘sale’ is that most of these ‘sales’ are made in the form of a license. The manufacturers or retailers would argue that such an online purchase is not really a sale since the consumer usually only gets a license to use the product under strict conditions and does not buy the product as an owner; further, this is really the industry standard when it comes to software purchases. The argument on the other side is that most websites advertise these products as an outright sale. For example, if you go to the &lt;a class="external-link" href="http://www.quickheal.com/"&gt;Quick Heal&lt;/a&gt; antivirus website today and go to the page for “Home Users”&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; the page clearly shows a “Buy Now” tab and indicates the price at Rs. 1549/-. In fact in a number of cases you can actually buy the file containing the software without ever being shown the contractual terms of the agreement. These terms usually specify that you are only getting a license to use the product and may not have the right to resell or lend the product to others, rights which a traditional buyer of a product enjoys under law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This issue was also discussed by a Full Bench of the Supreme Court of India in the case of &lt;i&gt;Tata Consultancy Services&lt;/i&gt; v. &lt;i&gt;State of Andhra Pradesh&lt;/i&gt;,&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt; which ultimately held that the ‘sale’ of canned software (the term the court used for non customized software which is sold off the shelf) would be a sale of goods and therefore liable to be taxed under the Sales Tax Act. As is evident, this decision was given in the context of the Sales Tax Act, but it could be argued that since tax statutes are supposed to be interpreted strictly and beneficial statutes such as the COPRA are required to be interpreted broadly, as per the accepted rules of legal interpretation, it is possible that such a ‘license’ for computer software bought by an ordinary consumer could be considered as a ‘sale’ so as to bring the item within the ambit of the COPRA.&lt;/p&gt;
&lt;p&gt;Here again we see that although there might be arguments which could be made to justify such licences for computer software as a ‘sale’, however it is still an untested issue and the COPRA certainly needs to take these issues into account if we want to protect the rights of the ever growing number of online consumers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;There should be a “defect” in the goods&lt;/b&gt;&lt;br /&gt;If I order a pair of shoes from &lt;a class="external-link" href="http://flpikart.com/"&gt;flpikart.com&lt;/a&gt; and the shoes arrive with one of the soles torn off, it’s a pretty straightforward case of there being a defect. In such a scenario, unless the retailer has a specified return policy (which incidentally Flipkart has), the consumer would have a right to approach the consumer forum to lodge a complaint. Similarly, if I buy software from a manufacturer for my personal use and the file has a bug in it, it can fairly easily be considered as a defect since any fault, imperfection or shortcoming in the quality, quantity, potency, purity or standard of the good can be considered as a defect.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This is where things get a little interesting. What if we argue that stringent Digital Rights Management techniques by some online retailers are actually a defect in the goods since they do not give the consumer all the rights that a buyer of goods would traditionally have? For example, if I buy an e-book with DRMs which restrict lending and on-selling, then two of my rights as a traditional book buyer are straightaway rescinded. Let us now examine the issue in the traditional context of the term ‘defect’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;If an article bought has any fault, imperfection or shortcoming in the quality, etc., then it would be considered as a defective good. For example, if a person buys a generator which is creating excessive noise, then it can be said that there is a shortcoming in the quality or the standard which is required to be maintained. A generator may supply electricity perfectly well and there may not be any fault at the time of running the machine but while operating the machine if it is creating more noise than the prescribed level, it can be said that there is a defect in the manufacture. An e-book with DRMs may also let a consumer read its contents but that may not be the only criterion to determine whether an item is defective or not. Using the traditional definition of a ‘buyer’, we can argue that a traditional buyer commonly has rights such as the right to resale, the right to make copies for personal use, the right to lend, the right to gift, etc., which may not exist in an e-book with DRMs. Thus, an argument could be made that such measures constitute a ‘defect’ in the goods under the COPRA.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Again, this is only an argument and it is entirely possible that a court of law may reject such an argument, especially in light of the fact that the consumer has entered into a license agreement while completing the transaction which specifically grants the consumer only specific and limited rights in regard to the item being purchased. A possible counter to this argument could be that the agreement is generally long and verbose and is only presented to the consumer towards the end of the transaction when the consumer generally does not have the time to read it. Further, there is hardly ever a situation where the consumer can negotiate the terms of the contract, it is usually a standard form of contract which is heavily tilted in favour of the seller and the consumer is given no real choice in this regard. This is why in common law jurisdictions the courts have laid down certain principles or extra conditions which a standard form of contract has to abide by for it to be enforceable viz.,:&lt;/p&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;Sufficient notice&lt;/span&gt;: This principle requires that the major and especially the unusual terms in a contract should be displayed in a sufficiently highlighted manner so that a reasonable consumer is not likely to miss these unusual terms.&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;Fundamental breach of contract&lt;/span&gt;: If the contract is so drafted that it would impose additional obligations on the consumer or restrict the liability and obligations of the seller in such a way that it would result in breaching any of the fundamental or main terms or obligations that one expects in such a contract, then such a contract may not be enforceable.&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;span&gt;Exclusion of unreasonable terms&lt;/span&gt;: Another type of protection that is available to consumers is the principle which seeks to exclude unreasonable terms from a contract i.e. a term which would defeat the very purpose of the contract or if it is repugnant to the public policy.&lt;a href="#fn8" name="fr8"&gt;[8]&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;Relying on the above principles of standard form contracts, it is possible to at least argue that highly strict and limiting terms which are put into a long verbose standard form contract which backs the Technology Protection Measures on a protected software may not be entirely enforceable, in which case the alleged consent of the consumer for such DRMs gets negated and the software with all its DRM limitations could be considered as ‘defective’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;From the discussion above it is clear that the nature of online transactions and digital goods presents certain unique problems for the legal regime which seeks to protect consumer rights. The law needs to be amended to take into account the unique circumstances of this fledgling marketplace that exists online and ensure that the legal regime is fully capable of facing the challenges thrown up by e-commerce. One of the initiatives in this regard is the effort by Consumers International to include amendments in the Model &lt;a class="external-link" href="http://www.consumersinternational.org/who-we-are/un-guidelines-on-consumer-protection#.UgNj_6xWygg"&gt;United Nations Guidelines for Consumer Protection&lt;/a&gt; to include various provisions which deal with the online marketplace and its unique challenges as well as issues relating to access to knowledge (A2K). Perhaps it is time for the establishment in India to also take this into account and bring our quarter of a century old consumer protection legislation in line with the digital age.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. &lt;a class="external-link" href="http://goo.gl/Mh74vB"&gt;http://goo.gl/Mh74vB&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. &lt;a class="external-link" href="http://goo.gl/By5x3i"&gt;http://goo.gl/By5x3i&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. &lt;i&gt;Tata Consultancy Services&lt;/i&gt; v. &lt;i&gt;State of Andhra Pradesh&lt;/i&gt;, 5 November, 2004, available at &lt;a class="external-link" href="http://goo.gl/Bn7KRp"&gt;http://goo.gl/Bn7KRp&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. &lt;a class="external-link" href="http://goo.gl/lMdoI"&gt;http://goo.gl/lMdoI&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. &lt;a class="external-link" href="http://goo.gl/Bn7KRp"&gt;http://goo.gl/Bn7KRp&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. &lt;i&gt;Henderson&lt;/i&gt; &amp;amp; others v.&lt;i&gt; Stevenson&lt;/i&gt;, 1875 2 R (HL) 71, &lt;i&gt;Interfoto Picture Library&lt;/i&gt; Ltd v&lt;i&gt;. Stiletto Visual&lt;/i&gt; Programmes Ltd. [1988] 1 All ER 348.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. &lt;i&gt;Harbutt's&lt;/i&gt; "&lt;i&gt;Plasticine&lt;/i&gt;" &lt;i&gt;Ltd. &lt;/i&gt;v&lt;i&gt;. Wayne Tank and Pump Co Ltd&lt;/i&gt; [1970] 1 QB 447.&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. &lt;i&gt;Lily White&lt;/i&gt; v. &lt;i&gt;R. Mannuswami&lt;/i&gt;, AIR 1966 Mad.13.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age'&gt;http://editors.cis-india.org/a2k/blogs/are-indian-consumers-laws-ready-for-digital-age&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Consumer Rights</dc:subject>
    
    
        <dc:subject>Featured</dc:subject>
    
    
        <dc:subject>Access to Knowledge</dc:subject>
    

   <dc:date>2013-08-08T11:52:40Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech">
    <title>Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech</title>
    <link>http://editors.cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech</link>
    <description>
        &lt;b&gt;&lt;/b&gt;
        
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech'&gt;http://editors.cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>


   <dc:date>2019-05-08T13:56:18Z</dc:date>
   <dc:type>File</dc:type>
   </item>


    <item rdf:about="http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech">
    <title>An Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech</title>
    <link>http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech</link>
    <description>
        &lt;b&gt;The term Fintech is generally used to describe innovative technology and technological processes being used in the financial services sector.&lt;/b&gt;
        &lt;p&gt;&lt;a class="external-link" href="http://cis-india.org/internet-governance/files/analysis-of-the-rbi2019s-draft-framework-on-regulatory-sandbox-for-fintech"&gt;&lt;b&gt;Click here&lt;/b&gt;&lt;/a&gt; to download the file.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;It originated as a term referring to the back-end technology used by large financial institutions, but has expanded to include technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investments, etc.&lt;/span&gt;&lt;a name="_ftnref1"&gt;&lt;/a&gt;&lt;span&gt; Entities engaged in FinTech offer an array of services ranging from peer-to-peer lending platforms and mobile payment solutions to online portfolio management tools and international money transfers.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Regulation and supervision of the Fintech industry raises some unique challenges for regulatory authorities as they have to strike a balance between financial inclusion, stability, integrity, consumer protection, and competition.&lt;a name="_ftnref2"&gt;&lt;/a&gt; One of the methods that have been adopted by regulators in certain jurisdictions to tackle the complexities of this sector is to establish a “regulatory sandbox” which could nurture innovative fintech enterprises while at the same time ensuring that the risk associated with any regulatory relaxations is contained within specified boundaries. It was precisely for this reason that establishment of a regulatory sandbox was one of the options put forward by the Working Group on Fintech and Digital Banking established by the Reserve Bank of India in its report of November, 2017 which was released for public comments on February 8, 2018. Acting on this recommendation the Reserve Bank has proposed a Draft Enabling Framework for Regulatory Sandbox, dated April 18, 2019, (“&lt;strong&gt;RBI Framework&lt;/strong&gt;”) which is analysed and discussed below.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Regulatory Sandbox and its benefits&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While the basic concept of a regulatory sandbox is to ensure that there is regulatory encouragement and incentive for fledgling Fintech enterprises in a contained environment to mitigate risks, different regulatory authorities have adopted varied methods of achieving this objective. While the Australian Securities and Exchange Commission (ASIC) uses a method where the eligible enterprises notify the ASIC and commence testing without an individual application process, the Financial Conduct Authority, UK (FCA) uses a cohort approach wherein eligible enterprises have to apply to the FCA which then selects the best options based on criteria laid down in the policy.&lt;a name="_ftnref3"&gt;&lt;/a&gt; The RBI has, not surprisingly, adopted an approach similar to the FCA wherein applicants will be selected by the RBI based on pre-defined eligibility criteria and start the regulatory sandbox in cohorts containing a few entities at a time.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A regulatory sandbox offers the users the opportunity to test the product’s viability without a larger and more expensive roll out involving heavy investment and regulatory authorizations. If the product appears to have the potential to be successful, it might then be authorized and brought to the broader market more quickly.&lt;a name="_ftnref4"&gt;&lt;/a&gt; If there are any problems with the product the limited nature of the sandbox ensures that the consequences of the problems are contained and do not affect the broader market. It also allows regulators to obtain first-hand empirical evidence on the benefits and risks of emerging technologies and business models, and their implications, which allows them to take a considered (and perhaps more nuanced) view on the regulatory requirements that may be needed to support useful innovation, while mitigating the attendant risks. A regulatory sandbox initiative also sends a clear signal to the market that innovation is on the agenda of the regulator.&lt;a name="_ftnref5"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;RBI Draft Framework&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Since the RBI has adopted a cohort approach for its regulatory sandbox process (“&lt;strong&gt;RS&lt;/strong&gt;”), it implies that fintech entities will have to apply to the RBI to be selected in the RS. The eligibility criterion provides that the applicants will have to meet the eligibility conditions prescribed by the government for start-ups as per the Government of India, Department of Industrial Policy and Promotion, Notification GSR 364(E) April 11, 2018.&lt;a name="_ftnref6"&gt;&lt;/a&gt; The RS will focus on areas where (i) there is an absence of regulations, (ii) regulations need to be eased to encourage innovation, and (iii) the innovation/product shows promise of easing/effecting delivery of financial services in a significant way.&lt;a name="_ftnref7"&gt;&lt;/a&gt; The Framework also provides an indicative list of innovative products and technologies which could be considered for RS testing,&lt;a name="_ftnref8"&gt;&lt;/a&gt; and at the same time prohibits certain products and technologies from being considered for this programme such as credit registry, crypto currencies, ICOs, etc.&lt;a name="_ftnref9"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The RBI Framework also lays down specific conditions that the entity has to satisfy in order to be considered for the RS such as satisfaction of the conditions to be considered a start-up, minimum net worth requirements, fit and proper criteria for Directors and Promoters, satisfactory conduct of bank accounts of promoters/directors, satisfactory credit score, technological readiness of the product for deployment in the broader market, ensuring compliance with existing laws and regulations on consumer data and privacy, adequate safeguards in its IT systems for protection against unauthorised access etc. and a robust IT infrastructure and managerial resources. The fit and proper criteria for Directors and Promoters which requires elements of credit history along with the minimum net worth requirements in the RBI Framework are conditions which may be too difficult for some of the smaller and newer start-ups to satisfy even though the technology and products they offer might be sound. The applicants are also required to: (i) highlight an existing gap in the financial ecosystem and how they intend to address that, (ii) show a regulatory barrier or gap that prevents the implementation of the solution on a large scale, (iii) clearly define the test scenarios, expected outcomes, boundary conditions, exit or transition strategy, assessment and mitigation of risks, etc.&lt;a name="_ftnref10"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The RBI Framework specifies that the focus of the RS should be narrow in terms of areas of innovation and limited in terms of intake.&lt;a name="_ftnref11"&gt;&lt;/a&gt; While limits on the number of entities per cohort may be justified based on paucity of resources, limiting the focus of the RS by narrow areas of innovation is a lost opportunity in terms of sharing of ideas and learning from the mistakes of their colleagues who may be employing technologies and principles which could be useful in fields other than those where they are currently being applied.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The RBI Framework specifies that the boundaries of the RS have to be well defined so that any consequences of failure can be contained. These boundary conditions include a specific start and end date, target customer type and limits on number of customers, cash holdings, transaction amounts and customer losses.&lt;a name="_ftnref12"&gt;&lt;/a&gt; The Framework does not put in place any hard numbers on the boundary conditions which ensures that the RS process can be customised to the needs of specific entities since the sample sizes and data needed to determine the viability of fintech entities and products may vary from product to product. However a major dampener is the hard limit of 12 weeks imposed on the testing phase of the RS, which is the most important phase since all the data from the operations is generated during this phase and 12 weeks may not be enough time to generate enough reliable data so as to reach a determination of the viability of the product.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Although the RBI has shown a willingness to relax regulatory requirements for RS participants on a case to case basis, it has specified that there shall be no relaxation on issues of customer privacy and data protection, security of payment data, transaction security, KYC requirements and statutory restrictions.&lt;a name="_ftnref13"&gt;&lt;/a&gt; Since this is only an initiative by the RBI the RS participants dealing with the insurance or securities sector would not be entitled to any relaxations from the IRDA or the SEBI even if they are found eligible for relaxations from RBI regulations. This would severely limit the efficacy of the RS process and is an issue that could have been addressed if all three regulators had collaborated thereby encouraging innovative start-ups offering a broader spectrum of services.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Once the RS is finished, the regulatory relaxations provided by the RBI will expire and the fintech entity will have to either stop operations or comply with the relevant regulations. In case the entity requires an extension of the RS period, it would apply to the RBI at least one month prior to the expiry of the RS period with reasons for the extension. The RBI also has the option of prematurely terminating the sandbox process in case the entity does not achieve its intended purpose or if it cannot comply with the regulatory requirements and other conditions specified at the relevant stage of the sandbox process. The fintech entity is also entitled to quit the RS process prematurely by giving one week’s notice to the RBI, provided it ensures that all its existing obligations to its customers are fully addressed before such discontinuance.&lt;a name="_ftnref14"&gt;&lt;/a&gt; In fact, customer obligations have to be met by the fintech entities irrespective of whether the operations are prematurely ended by the entity or it continues through the entire RS process; no waiver of the legal liability towards consumers is provided by the RS process. In addition, customers are required to be notified upfront about the potential risks and their explicit consent is to be taken in this regard.&lt;a name="_ftnref15"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The RBI Framework itself lists out some of the risks associated with the regulatory sandbox model such as (i) loss of flexibility in going through the RS process, (ii) case by case determinations involve time and discretionary judgements, (iii) no legal waivers, (iv) requirement of regulatory approvals after the RS process is over, (v) legal issues such as consumer complaints, challenges from rejected candidates, etc. While acknowledging the above risks the Framework also mentions that at least some of them may be mitigated by following a time bound and transparent process thus reducing risks of arbitrary discretion and loss of flexibility.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;strong&gt;Conclusions&lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While there are some who are sceptical of the entire concept of a regulatory sandbox for the reason that it loosens regulation too much while at the same time putting customers at risk,&lt;a name="_ftnref16"&gt;&lt;/a&gt; the cohort model adopted by the RBI would reduce that risk to an extent since it ensures comprehensive screening and supervision by the RBI with clear exit strategies and an emphasis on consumer interests. On the other hand the eligibility criterion for applicants prescribes minimum net worth requirements as well as credit history, etc. which may impose conditions too onerous for some start-ups which may be in their infancy. Further the clear emphasis on protection of customer privacy and consumer interests also ensures that the RBI will not put the interests of ordinary citizens at risk in order to promote new and untested technologies. That said, the regulatory sandbox process is a welcome initiative by the RBI which may send a signal to the financial community that it is aware of the potential advantages as well as risks of Fintech and is willing to play a proactive role in encouraging new technologies to improve the financial sector in India.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn1"&gt;&lt;/a&gt; Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at &lt;a href="https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&amp;amp;ID=892"&gt;https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&amp;amp;ID=892&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn2"&gt;&lt;/a&gt; Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at &lt;a href="https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf"&gt;https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn3"&gt;&lt;/a&gt; Other countries which have regulatory sandboxes are Netherlands, Bahrain, Abu Dhabi, Saudi Arabia, etc.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn4"&gt;&lt;/a&gt; Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at &lt;a href="https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&amp;amp;ID=892"&gt;https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&amp;amp;ID=892&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn5"&gt;&lt;/a&gt; Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at &lt;a href="https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf"&gt;https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn6"&gt;&lt;/a&gt; These conditions are fairly liberal in that they require that the entity should be less than 7 years old; should not have a turnover of more than 25 crores, and should be working for innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation&lt;em&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn7"&gt;&lt;/a&gt; Clause 5 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn8"&gt;&lt;/a&gt; Clause 6.1 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn9"&gt;&lt;/a&gt; Clause 6.3 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn10"&gt;&lt;/a&gt; Clause 6.5 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn11"&gt;&lt;/a&gt; Clause 6.4 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn12"&gt;&lt;/a&gt; Clause 6.7 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn13"&gt;&lt;/a&gt; Clauses 6.2 and 8 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn14"&gt;&lt;/a&gt; Clause 6.6 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn15"&gt;&lt;/a&gt; Clause 6.9 of the RBI Framework.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a name="_ftn16"&gt;&lt;/a&gt; Jemima Kelly, A “fintech sandbox” might sound like a harmless idea. It's not, Financial Times, Alphaville, &lt;a href="https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/"&gt;https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech'&gt;http://editors.cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>vipul</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2019-05-08T13:57:49Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>




</rdf:RDF>
