The Information Technology Amendment Rules, 2023

IT AMENDMENT RULES 2023: An Overview

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

INTRODUCTION 

The aim of this primer is to provide an overview of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023 (“the Amendment”), which amend the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 Rules”). 

The Ministry of Electronics and Information Technology (“Meity”) amended the 2021 Rules with the aim, inter alia, of regulating online gaming in India and ensuring the safety of its users, broadly by governing-

  1. Online games
  2. Online real money game
  3. Permissible online game
  4. Permissible online real money game
  5. Online gaming intermediary
  6. Online gaming self-regulatory body and
  7. Restricting the spread of fake & misinformation. 

THE BASICS

The Amendment defines an ‘online game’ as a game that is offered on the internet and can be accessed by a user through a computer resource or an intermediary.

STAKEHOLDER ANALYSIS

  1. Online Game

The Amendment classifies online games into three subcategories. They are-

i) Online real money game- The Amendment defines ‘online real money game’ as an online game in which the user makes a deposit in cash or kind with the expectation and intention of earning winnings in cash or kind on that deposit. The Amendment further explains the term ‘winnings’ as any prize, in cash or kind, distributed to the user of the online game based on their performance and in accordance with the rules of the game.

ii) Permissible online game- The Amendment defines ‘permissible online game’ as a permissible online real money game, and also includes any online game that is not considered an online real money game (see Rule 4C of the Amendment). This definition widens the ambit of the 2021 Rules, as the Central Government will have the power to extend and direct the applicability of the said rules even to online games that do not require a user to make a deposit. Hence, even casual games can be covered under the 2021 Rules.

iii) Permissible online real money game- The Amendment defines ‘permissible online real money game’ as an online real money game that has been verified by an online gaming self-regulatory body under Rule 4A of the Amendment.

  2. Online Gaming Intermediary (“OGI”)

i) The Amendment introduces a new category of intermediary, i.e., the OGI. It defines an ‘OGI’ as any intermediary that gives users access to one or more online games on its platform.

ii) Moreover, it is essential to note that an OGI is required to comply not just with the due diligence obligations under Rule 3, but also with the additional due diligence requirements under Rule 4, on lines similar to what a significant social media intermediary may be required to do under the 2021 Rules.

  3. Online Gaming Self-Regulatory Body (“SRB”)

The Amendment also brings another soon-to-be-established entity (or entities) within the purview of the said rules and allows such entity(ies) to self-regulate the online gaming industry in India, in accordance with the 2021 Rules. Such a body is to be called an ‘online gaming self-regulatory body’ and is defined as an entity designated by Meity under Rule 4A of the Amendment. The primary responsibility of the SRB is to verify an ‘online real money game’ as a ‘permissible online real money game.’

  4. Fact Check unit of the Govt.
  • A significant change brought in by the Amendment (apart from regulating online games and platforms) pertains to curtailing fake and misleading information in relation to any business of the Central Government that has been hosted, published, and transmitted on the intermediary’s platform.
  • Further, the Amendment directs Meity to appoint a fact-checking unit of the central government, to identify and restrict the flow of fake and misleading information that pertains to the business affairs of the central government. 

DUE DILIGENCE- OGI

The Amendment aims to bring online gaming intermediaries to the same table along with the social and significant social media intermediaries. Earlier, the due diligence obligations mandated under Rule 3 of the 2021 Rules, only applied to social media intermediary(ies) and significant social media intermediary(ies). However, with the present Amendment, now even an OGI will be required to comply with Rule 3 of the 2021 Rules, including some new requirements/obligations brought in by the Amendment-

  1. An OGI shall not offer its users an online game that results in ‘user harm.’ The term ‘user harm’ has been explained in the Amendment as any effect that is considered detrimental to a user and/or child;
  2. An OGI shall not offer any online game unless it is verified as a permissible online game;
  3. Intermediaries shall not indulge in advertising/surrogate advertising or promoting a non-verified online game, and/or an OGI promoting such a game;
  4. An OGI that offers ‘permissible online real money game(s)’ is required to inform its users about the change in its rules and regulations, privacy policy, or user agreement within a time frame of 24 hours and not later than that;
  5. An OGI that offers ‘permissible online real money game’ shall on receipt of an order, provide all and/or any information under its possession to the government agency for the purpose of investigation, detection, prevention, prosecution of offenses, etc, within a time frame of 24 hours and not later than that;
  6. An OGI is required to prominently publish on its website and mobile app, the name and contact details of the grievance officer, along with the complaint mechanism for the user/victim to follow for addressing their complaints and grievances;
  7. Any person being aggrieved by the decision of the grievance officer of the OGI may prefer an appeal within 30 days from the receipt of such decision to the Grievance Appellate Committee;
  8. The OGI and the SRB are required to comply with the orders passed by the Grievance Appellate Committee and further are required to publish a compliance report on their respective website(s).

ADDITIONAL DUE DILIGENCE- OGI

It is essential to note here that following the 2021 Rules, the additional due diligence requirements under Rule 4, were only supposed to be a compliance obligation for the significant social media intermediary. However, with the present Amendment, even an OGI offering permissible online real money game, irrespective of its user base will be required to comply with Rule 4, including-

  1. Appointing a Chief Compliance Officer;
  2. Appointing a Nodal contact person, who shall be a resident in India;
  3. Appointing a resident Grievance officer, who shall be a resident in India;
  4. Publishing periodic reports monthly in relation to the complaints received, and the course of measure(s) duly taken;
  5. Maintaining a physical address in India, and publishing its details on the website and mobile application;
  6. Implementing a complaint and grievance mechanism for users to file, track and check the status of their complaints;
  7. Verifying the users’ accounts, and marking such users with a visible mark;
  8. Displaying the verified mark obtained after due verification done from the concerned SRB;
  9. Informing users about the withdrawal/refund policy, the manner of determining and distributing winnings, the fees and charges payable by users, the KYC procedure, the measures undertaken for protecting users’ deposits, and the procedure followed for verification of an online real money game;
  10. Mandatory KYC before accepting deposits from the users;
  11. A prohibition on the OGI offering its users credit facilities and/or enabling third parties to provide financing for the purpose of playing such online game.

ELIGIBILITY CRITERIA FOR SRB

  • Verification of online real money game shall only be done by designated SRB(s). An entity may apply to Meity for being designated as an SRB, provided they fulfil the following-
  1. Entity registered under section 8 of the Companies Act, 2013;
  2. Membership is representative of the online gaming industry;
  3. The number of board of directors shall be 8. They shall have no conflict of interest, and possess skills, experience, and knowledge as mentioned under the said rules, for performing their roles & duties as a self-regulating body;
  4. Must have sufficient funds for performing their duties as a self-regulatory body;
  5. The MoA & AoA of the entity shall be compliant with the 2021 Rules and the Amendment.

VERIFICATION OF ONLINE REAL MONEY GAME

  • Upon receiving an application from an online real money game, the SRB shall verify and declare them as permissible online real money game, provided the following is satisfied-
  1. Such an online real money game shall not contain wagering on any outcome; and
  2. The OGI and such online real money game shall be compliant with Rules 3 and 4 and the law relating to the age and competency to contract, along with the SRB’s framework.
  • The rule further clarifies that the SRB has a time-frame of three (3) months in which to declare the applicant (online real money game) a permissible online real money game. It is further stated that initially the SRB shall rely only upon the information provided to it by the applicant. However, the SRB shall complete the due inquiry within the said time-frame and either declare the applicant compliant and permissible or reject its application in writing.
  • The SRB must publish on its website and/or mobile application a list of all permissible online real money games, their verification expiry dates, and the online real money games whose verification has been suspended or revoked.
  • SRB must maintain and publish their members’ list on their website and/or mobile application.
  • SRB shall have the powers to suspend and revoke the verification of any online real money game, if they are satisfied that the said online real money game is not in compliance with the 2021 Rules and the Amendment.
  • The online real money game and the OGI must display the verified mark granted by the SRB on their platforms.
  • Every SRB is required to publish on their website and/or mobile application their framework of verifying online real money game, which shall also include-
  1. Measures taken to ensure that an online real money game is not against the interests of sovereignty, integrity and security of the nation;
  2. Measures to ensure that an online real money game does not cause user harm as described under the Amendment;
  3. Measures taken to ensure protection to minors;
  4. Measures undertaken to ensure protection against gaming addiction, fraud, financial loss, etc.
  • The Central government before issuing directions for blocking under section 69A of the IT Act, 2000, against a permissible online real money game, may consider the details published by the SRB.
  • SRBs must publish a framework of grievance redressal along with the contact details of their Grievance Officer. Complaints must be acknowledged by the Grievance Officer within 24 hours, and resolved within 15 days from the date of the complaint.
  • Meity may suspend and/or revoke the designation of the SRB, if it is satisfied and found necessary. However, the SRB shall be given an opportunity to be heard.

APPLICABILITY & COMPLIANCE OF CERTAIN OBLIGATIONS

The Amendment further states that the compliance obligations upon the OGI shall come into force only after the expiry of three (3) months from the date on which at least three (3) SRBs would have been designated and established in accordance with Rule 4A of the Amendment.

‘ONLINE GAME’ OTHER THAN ONLINE REAL MONEY GAME

The said rules may apply only to those online games that come under the ambit of online real money game and permissible online real money game. However, if the Central Government finds it necessary in the interest and security of the State, public order, preventing user harm, etc., even online games other than online real money games will be required to comply with the following obligations-

  • the obligations under sub-clauses (ix) and (x) of clause (b) of sub-rule (1) of rule 3; sub-rules (1), (5), (6), (7), (10), and clause (d) of sub-rule (11) of rule 4; along with rule 4A.

CONCLUSION

Given the significant rise in the development of online games around the globe, the massive user and fan base and the amount of money involved had to be considered before regulating this space. However, letting this space go unregulated would be detrimental to the country’s economy and its national security. The notified Amendment aims to promote online gaming by making the industry more accountable and transparent to its users.

However, some questions remain unanswered, such as why Meity took the approach of bringing online games and platforms under the 2021 Rules as ‘intermediaries’ and not as ‘publishers’. Moreover, there is still vagueness, and clarification is required, in relation to terms such as ‘online real money game’ and ‘user harm’, as the ambit of both these terms is too wide and might result in overregulation and hamper the growth of the industry as a whole.

Interestingly, the Amendment has been challenged recently in the Bombay High Court, within a week of its notification. The writ petition primarily questions the power of Meity under Rule 3(1)(b)(v), which seeks to appoint a fact-checking unit of the central government for curbing fake and misleading information relating to the central government’s business affairs.

Lastly, the true impact of this Amendment could only be judged after the provisions come into force, and how the industry reacts toward it.

California Privacy Rights Act & what it’s bringing to the table

Introduction

In 2019, during the Facebook F8 Developer Conference, Facebook (now Meta) CEO Mark Zuckerberg said something that had never been said before by any big tech company: “the future is private.” From this statement we can understand that it is not just Facebook, but other big tech companies too, that are working to come in line with privacy, as privacy is the only hope available for tech companies to survive in today’s competitive market. We have witnessed a rise in privacy-related concerns raised by millions of people, organizations, activists, lawyers, institutions, and governmental agencies. This has been possible only because of recent changes in the market. Earlier, the concept of privacy and the laws relating to it weren’t common, but with growing global awareness about the data & privacy of individuals, lawmakers around the world have tried to introduce legislation on data protection & privacy. One such example is the General Data Protection Regulation (GDPR).

The GDPR has truly influenced many nations to formulate their own laws regulating the flow of personal data in and outside their economy. As rightly said, “data is the new oil of the digital economy.” Having a regulation along with a regulatory authority becomes essential to monitor and safeguard the rights of individuals as well as the flow of this new oil in the digital era.

In light of the above, California is one such state in the United States that has been successful in formulating a law on data protection & privacy for its residents: the California Consumer Privacy Act (CCPA), which came into effect on 1st January 2020. What we need to know about this Act, however, is that in November 2020 the voters in California approved an amended version of the CCPA, and very soon this Act will be replaced by its successor, the California Privacy Rights Act (CPRA). In this blog we will dive into the new legislation, i.e., the CPRA, and what it brings to the table.

What is CPRA?

The California Privacy Rights Act (CPRA) is an extension of, or successor to, the former law on data protection & privacy known as the California Consumer Privacy Act (CCPA). The CPRA will be effective from 1st January, 2023. However, some of its provisions have already been in action since 1st January, 2022: the CPRA applies to consumers’ data collected by businesses and organizations on or after 1st January, 2022. Hence, it is advised that organizations and businesses that fall under the ambit of this new legislation comply with its requirements starting from 1st January, 2022.

If we compare the CPRA to its earlier version, the CCPA, the current Act is in some ways more friendly toward small businesses. Additionally, the CPRA widens the scope of the following-

  1. Consumers under this law get more rights;
  2. Fines for violating the provisions pertaining to children’s privacy have tripled;
  3. Limitation in the use of “sensitive personal information” of the users;
  4. Prevents and restricts businesses and organizations from knowing the users’ geolocation;
  5. Restricts businesses and organizations from profiling the users;
  6. Establishes a new agency- California Privacy Protection Agency, in order to ensure rigorous enforcement of the law;

However, we will be discussing all the new changes brought into this law in the later part of this blog.

CPRA applies to which entities?

The present law, the CPRA, applies only to for-profit businesses & organizations that are either located in the State of California or do business with the residents of California. The essential point here is that even if your business is not located in the State of California, if you have users from California and your business is involved in collecting their data, your business would fall under the ambit of the CPRA. Further, any one of the following requirements needs to be fulfilled for the CPRA to apply to your business/organization-

  1. The entity needs to have annual gross revenue of $25 million or more;
  2. The entity should be involved in selling, sharing, or buying the personal information of 100,000 or more users residing in California per year;
  3. The entity earns 50% or more of its annual gross revenue by way of sharing or selling the personal information of its California users/customers.

The following entities will also fall under the ambit of the current legislation-

  1. Joint ventures & partnerships- When each business has an interest of at least 40% or more, each business/entity that falls under this category will be considered a separate entity in itself.
  2. Moreover, any entity/business that wishes to comply with the CPRA may do so, even if it doesn’t fulfill the above requirements.
  3. Even commonly controlled entities fall under the ambit of this legislation. A controlled entity is one that is either controlled by or controls a covered entity; shares common branding with such entity; or has access to the covered entity’s consumers’ personal information.

Consumer rights under CPRA

  1. Right to opt-out- Under this new legislation, consumers now have the right to opt in or opt out in cases of collection, selling and/or sharing (with third parties) of their sensitive personal information. Businesses that are involved in selling/sharing personal data with third parties are required to add a “Do not sell my personal information” link on the homepage of their website. Moreover, businesses will also be required to add a “Limit the use of my sensitive personal information” link to comply with the CPRA’s requirement pertaining to limiting the use of consumers’ sensitive information.
  2. Right to correct & delete personal information- The CPRA gives the consumer the right to both correct as well as delete their inaccurate personal information. Entities that fall under the ambit of this law need to disclose this right to the users/consumers and fix all such errors/mistakes with respect to their personal information after receiving such requests from their users.
  3. Right to access data- Under this new legislation, consumers have the right to access their data held by the entities who have collected it, and the time period is not restricted or limited to 12 months; rather, it goes beyond 12 months. The only exception to this right is where doing so is impossible or requires disproportionate effort by the entity; in such scenarios the CPPA will determine what exactly “disproportionate effort” means, as it could vary from case to case.
  4. Right to opt-out from automated decision making & profiling- Under this law, consumers have the right to opt out of both automated decisions and profiling by businesses and organizations based on their personal or sensitive personal data. Organizations and businesses that collect such data must notify the public or their users before such collection, and also explain how automated decision making works and how it affects such individuals’ autonomy.
  5. Private right of action- Under this law, consumers have the right to sue and seek damages from businesses and/or organizations that have collected their personal data where, due to the negligence of such businesses/organizations, the consumers’/users’ data is compromised or breached. In such cases, even an individual has a private right of action against the defaulting business/organization, especially in the following cases:
    i) When the breach exposes the email & password along with the security question and answer, allowing the attacker to easily access the user’s/innocent party’s account.
    ii) When the business or the organization is negligent in maintaining proper security standards, as it is its responsibility and obligation to ensure reasonable security of the personal data of the consumers.
  6. Minors’ rights- The CPRA also aims to protect the privacy of children, as it specifically mentions that businesses and organizations must seek and obtain explicit consent before collecting, sharing or selling their data, including how their data will be used and for how long it will be retained.

Note: Businesses and organizations who willfully neglect this criteria/exception, shall be deemed to have had actual knowledge about the consumer’s age.

Obligations for businesses under CPRA

  1. Reasonable implementation of security measures- The businesses and organizations that fall under the ambit of the CPRA are obliged to maintain and implement reasonable security measures in order to protect the personal information of their customers/users. Further, the businesses and organizations are advised to perform annual cybersecurity checks and are required to send the results to the CPPA for auditing purposes.
  2. Contractual obligations- Under the CPRA, new obligations have been introduced for businesses that share, sell and/or disclose the personal data of their users/customers to their contractors/third-party service providers, etc. In such scenarios, the business and the contractor/service provider must have a written contract stating the following (but not limited to)-
    i) That the information disclosed or sold by the business to the third party/service provider is only for limited purposes;
    ii) That both the contracting parties comply with the CPRA requirements;
    iii) That the third party/service provider is obliged to notify the business if it is unable to meet, or no longer meets, the CPRA compliance obligations;
    iv) Lastly, that the business has the right to take reasonable measures and actions in case of unauthorized access/use of the personal information.

  3. Limited Defenses- The present act imposes certain limitations on the defenses used by businesses. For example, businesses will no longer be able to rely on the defense of maintaining and implementing reasonable security practices and procedures after a data breach, as the same won’t be considered a cure or defense for that breach.

  4. Storage limitation & principle of data minimization- These two principles can be seen in the EU’s GDPR. The principle of storage limitation states that an entity or a business should not retain the personal data of its users longer than its intended purpose requires, and once the purpose is met, the data should be discarded. On the other hand, the principle of data minimization states that a business should limit the collection of personal data and should only collect it if it is directly relevant and necessary to accomplish a required purpose.

California Privacy Protection Agency

One of the major differences between the CCPA & the current legislation, the CPRA, is that the latter seeks to establish an independent agency known as the California Privacy Protection Agency (CPPA). This agency will initiate actions through the Administrative Law Court, as compared to the earlier privacy legislation in California (CCPA), which gave the state court system the authority to enforce the privacy law.

The Administrative Law Court would further provide an independent and neutral hearing, and these hearings would be less formal and more transparent.

The present change further shifts the responsibility to enforce the CPRA to the newly established agency, i.e., the CPPA, whereas, for the earlier privacy legislation, the CCPA, this responsibility was given to the Office of the Attorney General. The CPPA will also be responsible for educating the general public and raising awareness about their consumer privacy rights.

Penalties under CPRA 

There is a 3X (times) increase in the penalties as compared to the earlier privacy legislation in California. The entities covered under this legislation could be fined up to $7,500/- per intentional violation and even for violations pertaining to personal information of people under the age of 16. For non-intentional violations, entities/businesses could still be fined up to $2,500/-. In the earlier legislation (CCPA), there was a 30-day cure period, which started automatically once there was a charge or allegation against the business stating any kind of violation. However, this has been struck down and cannot be found in this new legislation.

Moreover, under the CPRA, the agency (CPPA) will now decide on the cure period, i.e., how much time the business has to correct such violations.

Conclusion

From the above discussion, we can clearly draw out all the new features of this latest legislation on data protection & privacy for the State of California. The CPRA will be enforced in 2023, however, some of its provisions are in effect starting from 1st January, 2022. It becomes essential for every business and organization to check whether they fall under the ambit of this new legislation or not. Moreover, the legislation applies to all the personal data/information collected starting from 1st January 2022, making it essential for every business to start complying with all the requirements starting from 2022. 

Apart from checking the applicability and scope of this legislation, businesses are further required to update their privacy policies, review and update their contracts with their vendors and other service providers in compliance with the CPRA, and, lastly, update their websites and their methods of processing in accordance with the upcoming legislation.

Aarlin Moncy: Discussing Law & Technology

Hello everyone! I am yours truly, LawyerStrange, aka Aarlin Moncy!
