The Information Technology Amendment Rules, 2023

IT AMENDMENT RULES 2023: An Overview

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

INTRODUCTION 

The aim of this primer is to provide an overview of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (“the Amendment”), which amend the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”). 

The Ministry of Electronics and Information Technology (“Meity”) amended the 2021 Rules with the aim, inter alia, of regulating online gaming in India while ensuring the safety of its users, broadly by governing-

  1. Online games
  2. Online real money game
  3. Permissible online game
  4. Permissible online real money game
  5. Online gaming intermediary
  6. Online gaming self-regulatory body and
  7. Restricting the spread of fake news and misinformation.

THE BASICS

The Amendment defines an ‘online game’ as a game that is offered on the internet and can be accessed by any user through a computer resource or through an intermediary.

STAKEHOLDER ANALYSIS

  1. Online Game

The Amendment classifies online games into three subcategories. They are-

i) Online real money game- The Amendment defines ‘online real money game’ as an online game in which the user makes a deposit in cash or kind with the expectation and intention of earning winnings, in cash or kind, on that deposit. The Amendment further explains ‘winnings’ as any prize, in cash or kind, distributed to a user of the online game based on their performance in accordance with the rules of the game.

ii) Permissible online game- The Amendment defines ‘permissible online game’ as a permissible online real money game, and also includes any online game that is not an online real money game (see Rule 4C of the Amendment). This definition widens the ambit of the 2021 Rules, as the Central Government will have the power to extend and direct the applicability of the rules even to online games that do not require a user to make a deposit, thereby bringing casual games under the 2021 Rules as well.

iii) Permissible online real money game- The Amendment defines ‘permissible online real money game’ as an online real money game that has been verified by an online gaming self-regulatory body under Rule 4A of the Amendment.

  2. Online Gaming Intermediary (“OGI”)

i) The Amendment introduces a new category of intermediary, the OGI. It defines an ‘OGI’ as any intermediary that enables users to access one or more online games on its platform.

ii) Notably, an OGI is required to comply not only with the due diligence obligations under Rule 3, but also with the additional due diligence requirements under Rule 4, along the same lines as a significant social media intermediary under the 2021 Rules.

  3. Online Gaming Self-Regulatory Body (“SRB”)

The Amendment brings another soon-to-be-established category of entity within the purview of the rules and allows such entities to self-regulate the online gaming industry in India in accordance with the 2021 Rules. Such a body is called an ‘online gaming self-regulatory body’ and is defined as an entity designated by Meity under Rule 4A of the Amendment. The primary responsibility of an SRB is to verify an ‘online real money game’ as a ‘permissible online real money game.’

  4. Fact Check Unit of the Govt.
  • A significant change brought in by the Amendment, apart from the regulation of online games and platforms, pertains to curtailing fake and misleading information in relation to any business of the Central Government that is hosted, published or transmitted on an intermediary’s platform.
  • Further, the Amendment directs Meity to appoint a fact-checking unit of the Central Government to identify and restrict the flow of fake and misleading information pertaining to the business affairs of the Central Government.

DUE DILIGENCE- OGI

The Amendment aims to bring online gaming intermediaries to the same table as social media intermediaries and significant social media intermediaries. Earlier, the due diligence obligations mandated under Rule 3 of the 2021 Rules applied only to social media intermediaries and significant social media intermediaries. With the present Amendment, an OGI will also be required to comply with Rule 3 of the 2021 Rules, including some new requirements/obligations brought in by the Amendment-

  1. An OGI shall not offer its users an online game that results in ‘user harm.’ The term ‘user harm’ has been explained in the Amendment as any effect that is considered detrimental to a user and/or child;
  2. An OGI shall not offer any online game unless it is verified as a permissible online game;
  3. Intermediaries shall not advertise, surrogate-advertise or otherwise promote a non-verified online game, or an OGI promoting such a game;
  4. An OGI that offers ‘permissible online real money game(s)’ is required to inform its users of any change in its rules and regulations, privacy policy or user agreement within 24 hours of the change, and not later;
  5. An OGI that offers a ‘permissible online real money game’ shall, on receipt of an order, provide any and all information in its possession to the government agency concerned, for the purpose of investigation, detection, prevention or prosecution of offences, etc., within 24 hours of the order, and not later;
  6. An OGI is required to prominently publish on its website and mobile app, the name and contact details of the grievance officer, along with the complaint mechanism for the user/victim to follow for addressing their complaints and grievances;
  7. Any person being aggrieved by the decision of the grievance officer of the OGI may prefer an appeal within 30 days from the receipt of such decision to the Grievance Appellate Committee;
  8. The OGI and the SRB are required to comply with the orders passed by the Grievance Appellate Committee and further are required to publish a compliance report on their respective website(s).

ADDITIONAL DUE DILIGENCE- OGI

Under the 2021 Rules, the additional due diligence requirements of Rule 4 were a compliance obligation only for significant social media intermediaries. With the present Amendment, an OGI offering a permissible online real money game, irrespective of its user base, will also be required to comply with Rule 4, including-

  1. Appointing a Chief Compliance Officer;
  2. Appointing a Nodal contact person, who shall be a resident in India;
  3. Appointing a resident Grievance officer, who shall be a resident in India;
  4. Publishing periodic reports monthly in relation to the complaints received, and the course of measure(s) duly taken;
  5. Maintaining a physical address in India, and publishing its details on the website and mobile application;
  6. Implementing a complaint and grievance mechanism for users to file, track and check the status of their complaints;
  7. Verifying the users’ accounts, and marking such users with a visible mark;
  8. Displaying the verified mark obtained after due verification done from the concerned SRB;
  9. Informing users about the withdrawal/refund policy, the manner of determining and distributing winnings, the fees and charges payable by users, the KYC procedure, the measures undertaken to protect users’ deposits, and the procedure followed for verification of the online real money game;
  10. Mandatory KYC before accepting deposits from users;
  11. Prohibiting the OGI from offering credit facilities to its users and/or enabling third parties to finance users for the purpose of playing such online games.

ELIGIBILITY CRITERIA FOR SRB

  • Verification of online real money game shall only be done by designated SRB(s). An entity may apply to Meity for being designated as an SRB, provided they fulfil the following-
  1. Entity registered under section 8 of the Companies Act, 2013;
  2. Membership is representative of the online gaming industry;
  3. The board of directors shall have eight (8) members, who shall have no conflict of interest and shall possess the skills, experience and knowledge set out in the rules for performing their roles and duties as a self-regulatory body;
  4. Must have sufficient funds for performing their duties as a self-regulatory body;
  5. The MoA & AoA of the entity shall be compliant with the 2021 Rules and the Amendment.

VERIFICATION OF ONLINE REAL MONEY GAME

  • Upon receiving an application from an online real money game, the SRB shall verify and declare them as permissible online real money game, provided the following is satisfied-
  1. Such an online real money game shall not contain wagering on any outcome; and
  2. The OGI and such online real money game shall be compliant with Rules 3 and 4, the law relating to the age of and competency to contract, and the SRB’s framework.
  • The rule further clarifies that the SRB has a time-frame of three (3) months in which to declare the applicant online real money game a permissible online real money game. Initially the SRB shall rely only on the information provided by the applicant; however, within the said time-frame the SRB shall complete its inquiry and either declare the game compliant and permissible or reject the application in writing.
  • The SRB must publish on its website and/or mobile application a list of all permissible online real money games with their verification expiry dates, as well as the online real money games whose verification has been suspended or revoked.
  • SRB must maintain and publish their members’ list on their website and/or mobile application.
  • SRB shall have the powers to suspend and revoke the verification of any online real money game, if they are satisfied that the said online real money game is not in compliance with the 2021 Rules and the Amendment.
  • The online real money game and the OGI must display the verified mark granted by the SRB on their platforms.
  • Every SRB is required to publish on their website and/or mobile application their framework of verifying online real money game, which shall also include-
  1. Measures taken to ensure that an online real money game is not against the interests of sovereignty, integrity and security of the nation;
  2. Measures to ensure that an online real money game does not cause user harm as described under the Amendment;
  3. Measures taken to ensure protection to minors;
  4. Measures undertaken to ensure protection against gaming addiction, fraud, financial loss, etc.
  • The Central government before issuing directions for blocking under section 69A of the IT Act, 2000, against a permissible online real money game, may consider the details published by the SRB.
  • SRBs must publish a framework for grievance redressal along with the contact details of their Grievance Officer. Complaints must be acknowledged by the Grievance Officer within 24 hours and resolved within 15 days of the date of the complaint.
  • Meity may suspend and/or revoke the designation of the SRB, if it is satisfied and found necessary. However, the SRB shall be given an opportunity to be heard.

APPLICABILITY & COMPLIANCE OF CERTAIN OBLIGATIONS

The Amendment further states that the compliance obligations upon the OGI shall come into force only after the expiry of three (3) months from the date on which at least three (3) SRBs would have been designated and established in accordance with Rule 4A of the Amendment.

‘ONLINE GAME’ OTHER THAN ONLINE REAL MONEY GAME

The said rules apply only to online games that fall within the ambit of online real money games and permissible online real money games. However, if the Central Government finds it necessary in the interest and security of the State, public order, or the prevention of user harm, etc., then online games other than online real money games will also be required to comply with the following obligations-

  • the obligations under sub-clauses (ix) and (x) of clause (b) of sub-rule (1) of rule 3; sub-rules (1), (5), (6), (7), (10), and clause (d) of sub-rule (11) of rule 4; along with rule 4A.

CONCLUSION

With the significant global rise in the development of online games, the massive user and fan base and the amount of money involved needed to be considered before regulating this space, since leaving it unregulated would be detrimental to the country’s economy and its national security. The notified Amendment aims to promote online gaming by making the industry more accountable and transparent to its users.

However, some questions remain unanswered, such as why Meity chose to bring online games and their platforms under the 2021 Rules as ‘intermediaries’ rather than as ‘publishers’. Moreover, terms such as ‘online real money game’ and ‘user harm’ remain vague and require clarification, as the ambit of both is very wide and might result in overregulation that hampers the growth of the industry as a whole.

Interestingly, the Amendment was challenged in the Bombay High Court within a week of its notification. The writ petition primarily questions the power of Meity under Rule 3(1)(b)(v), which seeks to appoint a fact-checking unit of the Central Government for curbing fake and misleading information relating to the Central Government’s business affairs.

Lastly, the true impact of this Amendment can only be judged once the provisions come into force and the industry reacts to them.

Privacy concerns abound in the official Beijing 2022 Winter Olympics app

Introduction

The 2022 Winter Olympics were held in Beijing, China, from 4 February to 20 February 2022. Even before the Games began, China was being criticised globally over allegations of human rights violations and related controversies. Around 180 human rights groups were of the opinion that leaders and governments worldwide should boycott the Winter Olympics in Beijing, holding the Chinese government solely responsible for the genocide of minority communities in China. The governments of Canada, the UK and the United States decided on a diplomatic boycott of the Games, meaning that these countries would send only their athletes to take part, while government delegates and officials would neither attend the Games nor be part of the event.

But was this the only issue raised by the officials?

The other issue of wide concern, discussed everywhere from news channels to the U.S. Olympic and Paralympic Committee, related to the ‘privacy’ of the athletes as well as of those planning to attend the Games in Beijing.

The catch in this privacy issue is that those preparing to attend the 2022 Winter Olympics were required to download a mobile application called “MY2022”. This app had multiple security flaws that raised privacy concerns for domestic and international athletes alike, as well as for those merely attending.

What is MY2022?

MY2022 is a mobile application that was made mandatory for all athletes and attendees of the Winter Olympic Games. The app performs multiple functions: real-time chat with contacts, with video and audio options also available; file sharing between users; and weather and news updates. Furthermore, the app is used to submit health and customs information for those visiting China from other nations, including the user’s passport details, demographic information, travel and medical history (if any), COVID-19 vaccination status, lab test results and daily health status.

China’s intention behind collecting this information as per their official statements was to prevent the transmission of COVID-19 and hence was a part of the COVID protocol that was being followed during the Winter Olympics.

All athletes and attendees were required to download the app 14 days prior to their visit to China and to monitor and submit their health information so that their health status could be tracked on a daily basis. Many countries have relied on similar apps to track the health status of their citizens and foreign travellers; in India, for example, the ‘Aarogya Setu’ app was used extensively and is still used today to monitor people’s health status.

According to the Chinese government’s guide to the Olympic Games, the MY2022 app was created by the Beijing Organising Committee for the 2022 Winter Olympics. However, public records and the App Store’s information later revealed that the owner of the app is a state-owned company called the ‘Beijing Financial Holding Groups’.

Impact of Data Breaches on Brand Value


Introduction

Do you know what is more important for an entrepreneur or a company than making a profit? It is the reputation of that business in the market, in other words its goodwill or brand value. Have you heard that when a company’s representatives or a start-up seek investment or funding from investors, they must first value their business before meeting those potential investors? Surprisingly, even while calculating a company’s valuation, its goodwill or brand value as of that date is taken into account.

Since the brand value of a company is an intangible asset and is based on the trust and perception of the end-users or consumers, it becomes quite essential for every business to maintain that trust and relationship with their customers and users in order to be profitable.

This trust is always at risk: factors such as competition in the market, the quality of the service or product offered, privacy issues and many others can affect the relationship between a business and its customers and users. As the phrase rightly claims, “Customer is the King.” In this day and age it is easy for businesses to reach a wide audience thanks to the internet; today any business can easily be established, and anyone can sell and provide products and services to anyone.

The one concern that we tend to neglect is the privacy of the customers or users of such products and services. Neglecting this issue can drastically impact the brand value of the business, and in this blog we discuss the privacy concerns that arise from data breaches and how they impact brand value.

Impact of Data Breaches on Brand Value

To understand the topic we rely on a report published by Infosys titled “Invisible Tech Real Impact.” The report takes into account the top 100 most valuable brands and discusses how privacy issues such as data breaches directly impact a business’s brand value. With the shift towards a digital economy, consumers globally prefer their privacy over every other concern.

Did you know?

  1. The year 2021 witnessed an increase in data breaches as every business and organization shifted its work online.
  2. After almost 17 years there was a sudden hike in the average cost of a data breach, which rose from US$3.86 million to US$4.24 million on an annual basis.
  3. The most common data breaches involved the theft of users’ credentials. The average cost of such breaches was US$4.3 million.
  4. Almost 36% of the breaches reported were connected to phishing attacks. Google identified nearly 2 million phishing websites in January 2022.
  5. The year 2021-22 also witnessed a sudden rise in Android banking malware.
  6. Social engineering attacks were also at their peak in 2021-22.

Sector-wise, the picture is as follows-

  • Financial services (investment banks, insurance providers, credit/debit card providers and retail banks) obviously hold a great deal of personal data or personally identifiable information about their customers, and cyber-criminals are often looking for such data. Hence privacy issues such as phishing aimed at compromising users’ account credentials to gain unauthorized access are a prevailing concern in the financial sector. The report states that cyberattacks occur 300 times more often in this sector. The cumulative value at risk (both monetary loss and loss in brand value) due to data breaches in this sector is almost as high as $2.6 billion, while for traditional banks the risk is up to 16-17% of their brand value.
  • Technology companies are also at great risk. A recent survey states that 94% of telecom operators and experts confirmed that data breaches would increase with the advent of 5G technologies. The cumulative risk, including both monetary and brand value, amounts to as much as $29 billion, 53% of which represents the cumulative brand value of these technology companies.
  • Consumer brands (including beverages, baby products, personal care and food) are next on the list. As consumer brands increasingly adopt the digital pathway, the potential threat to them is also rising, with an estimated $4.3 billion at risk due to cyberattacks. According to a leading cybersecurity company, cyberattacks against manufacturers of these consumer goods rose seven times in 2020-21.
  • Automotive brands face reputational risk which can go up to 9% of their total brand value.
  • The media industry is also exposed to cyber threats, as it operates in the digital space, and so are its users. The potential for attacks such as disruption of service through unauthorized access to users’ accounts and data without their consent is always present. An OTT platform’s potential brand value at risk from such threats is nearly 60% of its net income, while for audio streaming platforms the figure is nearly 400% of net income.
  • Business services such as SaaS, networking services and related services handle a vast amount of corporate data and are often on cyber-criminals’ lists. The cumulative brand value at risk could be as high as $3.5 billion, and in some cases higher by 111%. The work-from-home format during the pandemic has also led to an increase in such data breaches in almost 20% of organizations.

Solution: Building a privacy culture and ecosystem

  1. Awareness about digital privacy- The first step in instilling a privacy culture and building the organization’s privacy ecosystem should be taken by the organization’s management. Management must take the first call to introduce the concept of digital privacy and make it familiar to the entire organization through seminars, conferences, team meetings, campaigns and other events. Nowadays every organization, tech or non-tech, consumes a lot of customer data and employee data too. Hence it is essential to have a robust privacy ecosystem, which can only be achieved by educating the entire organization about data privacy issues and their impact on the organization’s reputation.
  2. Understanding the law- In the second stage, management and employees from every department are taught the governing laws on data protection and privacy. This stage is an extended version of the first, as awareness alone would not have much impact; employees must also be taught what each data protection law mandates, its technicalities, its compliance requirements, etc. If each employee is equipped with basic privacy skills and knowledge, the organization will soon be privacy-ready with a robust privacy ecosystem.
  3. Training the employees and complying with industry standards- Training is another way of promoting a privacy culture inside an organization. Training employees in the relevant skill set is a practice especially followed in the privacy domain today, and hiring employees with such a skill set is the new trend: whichever position you apply for, an additional skill set in privacy is an add-on. A few certifications are recognized as industry standards and are considered essential standards of practice in multiple industries today. ISO standards are among them, along with IAPP certifications such as CIPP, CIPT and CIPM, which are seen as relevant in this domain and give their holders an edge over others.
  4. Investing in and developing your security programs and practices- If the organization has a privacy security program, it must be utilized. A security program helps the organization keep track of all data that is generated, shared and used, along with the relevant timelines, the purpose of the data, its retention period, etc. Recording such details about an organization’s data is considered an essential practice, and following such practices requires investment. Hence, investing in security programs promotes the privacy culture and makes the organization’s privacy ecosystem much stronger.
  5. Choose vendors and other third parties wisely- Another aspect an organization should not neglect is choosing the vendors and other third parties with whom it will share customer or employee data. Everything must be duly recorded, and such transactions should be governed by written contracts with clauses setting out the obligations of such vendors and third parties, especially in the event of a data breach or any other dispute arising from a partial or complete breach of any clause.

Conclusion

From the above statistics we can easily draw the correlation between data breaches and their impact on the brand value of businesses. Every business runs on the faith and trust between the business and its users, and privacy issues arising from data breaches put at risk not just a handful of users but the data of every user. This is why countries have been implementing their own federal and state laws on data privacy and consumer safety, and businesses are required to comply with those laws if they process the personal data of their users. These laws give users a wide range of rights, such as the right to access their data, the right to deletion/correction of their data, etc.

CERT-In Directions dated 28 April 2022

The Directions issued by CERT-In on April 28, 2022 aim to ensure better cyber security measures in India and focus on the collection and storage of users’ sensitive information. As per the Directions, VPN providers in the country will have to keep customer names, validated physical and IP addresses, usage patterns and other forms of personally identifiable information. Let’s discuss the Directions in detail-

Firstly, as per the directive, VPN companies are mandatorily required to collect and validate customer names, physical addresses, email addresses and phone numbers. They must also record the reason each customer is using the service, the dates on which they use it, and their “ownership pattern.” They are also required to provide the IP address and email address used by a customer to register for the service, along with a registration timestamp. Lastly, they must provide all IP addresses issued to a customer and a list of IP addresses in use by their customer base generally.

Secondly, the CERT-In directives will have a wide impact on almost every stakeholder involved in the use of the internet, as they apply to all service providers, intermediaries, data centres, body corporates and Government organizations. Furthermore, non-compliance with these directions could lead to imprisonment of up to a year.

CERT-In was set up as a body under the Ministry of Electronics and Information Technology (“MeitY”) to address rising cyber security concerns, and some form of monitoring of user information was considered necessary to combat rising cyber harms. The latest directives give CERT-In the power to store and use such sensitive user information; they also mandate that virtual asset service providers carry out mandatory KYC and submit reports of their financial transactions to CERT-In.

It must be noted that the centre will use all legal and security safeguards, along with proper administrative channels, to access the information mandated under the present directives. A detailed analysis of the said Directions will follow in the next post. Stay tuned!