India has recently also taken a step in this direction. Clause 24 of the Digital Personal Data Protection Bill, 2022[“Bill”] provides that the Data Protection Board [“Board”] may accept voluntary undertaking at any stage and that the acceptance of such undertaking by the Board would constitute a bar to proceedings.
However, while voluntary undertaking provisions may work elsewhere, Clause 24 should be removed from the Bill for the following reasons:
1] Excessive Scope of Voluntary Undertaking Provision
The voluntary undertaking regime in Singapore clearly provides that the request to invoke a voluntary undertaking process must be made “soon after the [breach] incident is known”. But the voluntary undertaking provision in the Bill states that the undertaking can be given at “any stage” including before a breach has even taken place. This will allow data fiduciaries to delay their compliance with the provisions of the Bill and postpone the implementation of important provisions of the Bill.
For example Clause 9(4) of the Bill provides that “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.” A fiduciary could offer a voluntary undertaking stating that it will comply with this clause after a period of six months, during which time multiple breaches can occur. The scope of the voluntary undertaking clause in the Bill is thus massive and is likely to give too much leeway to data fiduciaries to circumvent the law and violate the rights of the Data Principals.
2] Lack of Regulatory Standards for Voluntary Undertaking
Additionally, there is no set standard for what a voluntary undertaking offer is supposed to contain. While Clause 24 states that a voluntary undertaking may include “undertaking to take specified action within a specified time, an undertaking to refrain from taking specified action, and an undertaking to publicise the voluntary undertaking”, the requirements are not specific enough to ensure that fiduciaries will adequately comply with the provisions of the Bill. Data fiduciaries have no requirement to provide for an in-depth remediation plan unlike in Singapore.
3] Excessive Discretion of the Board
Clause 24 merely says that the Board “may” accept voluntary undertakings. While it is clear that the Board has the discretion to decide whether it is appropriate to accept an undertaking or not, it is necessary to have standards for acceptance or rejection of such undertakings in order to reduce possibilities of arbitrariness and misuse of the voluntary undertaking regime.
Hence, while it is important to ensure that the compliance burden on data fiduciaries is not too heavy in order to achieve effective implementation of the Bill, the current voluntary undertaking provision acts as a loophole which will allow fiduciaries to circumvent formal proceedings and exempt themselves from liability under the Bill.
Conclusion
The voluntary undertaking provision in the Bill should be removed. It provides too much leeway to fiduciaries to submit voluntary undertakings that will exempt them from application of key provisions of the Bill. Moreover, it fails to constrain the Board from accepting such offers.
In addition, several clauses of the Bill adequately provide for flexibility in case of non-compliance. Clause 25(2) ensures that data fiduciaries are not penalised excessively and Clause 21(11) ensures that they are not punished for non-significant non-compliance.
The benefit of a voluntary undertaking system is that data fiduciaries will aid the Board in understanding the technological difficulties and processes involved in the regulation of data protection. However, this understanding is something that can be achieved through regular and active discussions with stakeholders. This is the direction that countries like the United Kingdom are also moving towards.
*Tejaswita is a Research Analyst at the Centre for Communication Governance.
As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.
This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).
Under Section 2(1)(nb) of the IT Act:
“cyber security” means protecting information, equipment, devices computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;
This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislations and industry practices.
What is Cyber security under the IT Act?
The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008. The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables monitoring and collection of traffic data to enhance cyber security, prevent intrusion and spread of contaminants. Section 70B institutionalised Computer Emergency Response Team (CERT-In), to identify, forecast, issue alerts and guidelines, coordinate cyber incident response, etc. and further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise and ensure effective implementation of cyber security policy.
Critique of the IT Act definition
It is clear that deterrence has failed as the volume of incidents does not appear to abate, making cyber-resilience a realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security- “information, equipment, devices computer, computer resource, communication device and information” against specific events that aim to cause harm these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.
There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (aforementioned referent objects). Second, by limiting the referent objects and events within the definition it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity which includes interactions between humans and systems. Fourth, due to limited enlisting of events, similar protection is not afforded from accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements – (1) It does not include technological solutions aspect of cyber security such as in the International Telecommunication Union (2009) definition that acknowledges “technologies that can be used to protect the cyber environment” and; (2) fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.
To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.
Although wider conceptualisations have been reflected through international and national engagements such as the National Cyber Security Policy (NCSP). For example, within the mission statement the policy document recognises technological solution elements; and interactions between humans and ICTs in cyberspace as one key rationale behind the cyber security policy.
However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security and define cyber security incidents and cyber security breaches. Further emphasising the narrow and technically dominant discourse which relate to the confidentiality, integrity, and availability triad.
The following section examines a few other definitions to illustrate the shortcomings highlighted above.
Key elements of Cyber security
Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested into the long-drawn deliberations at various international fora.
Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must addressinterdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.
An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach in countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under section 70B of the IT Act.
When it comes to the regulation of technologies that embody socio-political values, contrary to popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework is, “the ability to protect or defend the use of cyberspace from cyber-attacks” directs the reader to the definitions ofcyberspace andcyberattack to extensively cover its various elements. However, the said definitions also has a predominantly technical lens.
Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagements with systems, acknowledge interrelated dimensions and inherent complexities of cybersecurity, which involves dynamic interactions between all inter-connected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.
Cybersecurity is a broad term and often has highly variable subjective definitions. This hinders the formulation of appropriately responsive policy and legislative actions. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity– “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) this narrows its application to a harms and consequences standard.
Most importantly, the authors identify five common elements to form a holistic and effective approach towards defining cybersecurity. The following elements are from a literature review of 9 cybersecurity definitions are:
technological solutions
events
strategies, processes, and methods
human engagement; and
referent objects.
These elements highlight the complexity of the process and involve interaction between humans and systems for protecting the digital assets and themselves from various known and unknown risks. Simply put, any unauthorized access, use, disclosure, disruption, modification or destruction results in at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.
Conclusion
Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks rather than protecting limited resources such as computer systems acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives, and disregards other disciplines that should be ideally acting in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackle cybersecurity challenges will act as a strategic barrier to economic growth, data flow, investments, and most importantly effective security. It will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve and stem from the threat perception, the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.
On March 4, 2020, the Supreme Court of India, in the case of Internet And Mobile Association Of India v Reserve Bank Of India, overturned the April 2018 circular of Reserve Bank of India. The 2018 RBI circular had banned all the RBI regulated entities from trading in cryptocurrency or virtual currency (VC). While there was no per se ban on VCs, it led to a shutdown of VC start-ups in the country and a massive decline in its trading volumes. The 180-page judgment of the Supreme Court held the circular to be in violation of Article 19(1)(g), recognising trading in VCs as a fundamental right. The decision was primarily based on the principle of proportionality and the fact that RBI had been unable to prove any adverse effect of VCs on the operations of financial institutions and banks.
This article first looks into why a legislation regulating VCs ought to be enacted. Then the various factors that need to be kept in mind while formulating such a legislation are elucidated, including a) the issues with definition, b) judicial precedents and c) approach of foreign jurisdictions on the subject.
However, the VCs require an amalgamation of exchange, marketing, issue of new tokens etc for their effective working. All of these are highly centralised aspects, requiring standardized oversight to prevent illegality and impropriety.
The primary reason for the need of a legislation arises from the Supreme Court’s judgment itself. One of the rationales used by the Supreme Court to give a decision in the favour of the VC industry was the absence of any law prohibiting VCs yet. This implies that the verdict would lose its effect if such a law is put in place. It should be noted that the petitions were filed against the RBI, not the Ministry of Finance. The verdict of the Supreme Court only addresses the regulatory concerns of RBI. It refrains from issuing any directive to the policymakers about the treatment of VCs.
Further, the inclusion of trading in VCs under Article 19(1)(g) can be nullified by a legislation affirming the contrary. Hence, in the absence of a statute which clearly states the legality of cryptos and their regulation, they remain constantly vulnerable to negative legislative actions.
The fate of Banning of Cryptocurrency & Regulation of Official Digital Currency Bill, 2019 (Cryptocurrency Bill, 2019), which prohibits the use of VCs as a legal tender or currency, is yet to be decided. It ought to be noted that the text of the bill was leaked and hence, has not been formally endorsed by the Government. Even though it has not been introduced in the parliament as of now, it is hoped that the judgment would reset the discourse on VCs and sway government thinking. Given below are some of the specific indices the legislature shall have to keep in mind while formulating a legislation on VCs.
ISSUES TO BE ADDRESSED BY THE LEGISLATION
Any issues related to VCs that a legislation would want to address will depend on the concerns that the government has with regards to the operation of VCs. As mentioned earlier, the concerns were related to protecting the interests of both, the formal financial sector and the persons dealing in VCs. The question that arises here is whether a total prohibition on operation of VCs in India is the only way to address these concerns. After the preliminary issue of definition, this article will proceed to analyse this question from two perspectives: Supreme Court precedents on restriction of activities under Article 19(1)(g) and the approach of foreign jurisdictions on the subject.
Definition
A formidable task is to define a cryptocurrency or VC. The Supreme Court also noted this difficulty. VCs are defined by different names such as crypto assets, electronic currency, digital assets etc, making it difficult to compartmentalise them into legal tenders solely or goods/commodities. The difficulty with defining them as a legal tender is the absence of a sovereign guarantee, backed by a central authority. In India, a legal tender is maintained by the RBI, but a VC is recorded and shared with users over a network.
The Cryptocurrency Bill, 2019 has been too wide in its approach to the definition. It includes tokens such as information, code or token which has a digital representation of value and is generated through cryptographic means, that neither function at all like VCs, nor pose the same risk.
The Supreme Court also stated that the VCs are a by-product of blockchain technology and the government could consider segregating the two. The draft Blockchain policy of the State of Telangana, released in 2019, also sought to make this distinction, clearly stating that given the novelty of the technology, both of them tend to be confused. At the same time, it refrained from giving a definition of VCs. But most of the federal polices in the world have conspicuously refrained from differentiating the two.
There are other jurisdictions the legislature can look to, in order to define cryptocurrencies, such as the EU. Quite a precise definition has been used by the Financial Action Task Force, (an intergovernmental organisation to combat money laundering) which defines it as “a math-based decentralised, convertible virtual currency which is protected by cryptography.”
Precedents set by the Supreme Court
Whether a prohibition is the only method addressing the concerns related to VCs will need to be evaluated in light of the Supreme Court’s judgments on restriction on Article 19(1)(g).
In Modern Dental College and Research Centre v. State of Madhya Pradesh, the Supreme Court had held that any restriction on Article 19(1)(g) must meet the test of proportionality, meaning that a limitation on a constitutionally protected right must be must be constitutionally permissible. Sub-components of proportionality include, inter alia, that a measure which restricts a constitutionally protected right must not have an alternative that may achieve the same purpose as the measure with a lesser degree of limitation. Hence, while imposing a prohibition on operation of VCs, the government must ensure that no other measure, including regulation of VCs, would achieve the aimed purpose of the government.
Additionally, the state should prohibit an activity only if it can demonstrate that the activity is inherently pernicious or tends to be harmful to the general public, as was laid down by the Supreme Court in Mohd. Faruk v. State of Madhya Pradesh. Therefore, any decision taken by the state regarding the operation of VCs should be based on empirical data regarding the harm caused by such operation, whether the harm be to the formal financial sector or to the persons dealing in VCs. This test of justification by acceptable evidence of a restriction on Article 19(1)(g) has been applied by the Supreme Court in other cases as well, such as M/s. Laxmi Khandsari v. State of Uttar Pradesh and State of Maharashtra v. Indian Hotel and Restaurants Association.
Foreign jurisdictions on Virtual Currencies
The Indian state could also analyse the measures adopted by foreign countries in dealing with VCs. For instance, South Korea recently passed a legislation which legalizes VCs in the country, albeit with heavy regulations. Briefly, all VC related service providers must register with a regulator and partner with a bank to be able to operate. Further, any person registering with a VC service provider must use their real name while registering and link their VC wallet with their real-world bank account. The first measure gives credibility and accountability to the service providers, while the latter ensures that the government can track the movement of funds via VCs. Hence, South Korea is an example of how prohibition is not the only answer to allaying the concerns associated with VCs.
Even the Supreme Court in its judgment uplifting the prohibition on VCs remarked, after relying on a report by the EU Parliament which recommended against a total prohibition on VCs, that the RBI had failed to consider alternatives before issuing the circular which had effectively prohibited the operation of VCs in India.
CONCLUSION
Today, cryptocurrencies have a market capitalisation of over $200 billion. The Indian market has already suffered serious setbacks due to shut down in the VC industries for two years. Any continuity with the uncertainty regarding the regulation of VCs will only deprive the economy of potential benefits. The proposed centralised ‘digital rupee’ in the Cryptocurrency Bill, 2019 goes against the very idea of a non-centralised cryptocurrency, since the former would be issued and regulated by a central agency.
Hence, a new statute, giving the VCs their legality as well as regulation, should be pioneered. The need for the same arises out of the regulatory void in the current legal regime. This should be brought about keeping in mind the applicable precedent on the freedom of trade and occupations as well as approaches to regulation of VCs adopted in foreign jurisdictions. All of this will ensure that VCs in India remain a reliable source of trade.
Smitha and I are writing a series of papers on a data protection law for India, based on our research. We hope that our discussion of the options before us and their relative merits and demerits will help other engage with these difficult questions in a nuanced manner.
The first paper sets out the context for the data protection law. It discusses the reasons and purpose for regulation and what specifically will be regulated.
It also discusses who will be regulated, since this is important while considering the regulatory strategies to use while implementing the data protection principles. It is available here.
The Telecom Regulatory Authority of India (TRAI) has come out with a set of regulations explicitly prohibiting differential pricing for data services in India.
3. Prohibition of discriminatory tariffs.— (1) No service provider shall offer or charge discriminatory tariffs for data services on the basis of content.
(2) No service provider shall enter into any arrangement, agreement or contract, by whatever name called, with any person, natural or legal, that has the effect of discriminatory tariffs for data services being offered or charged to the consumer on the basis of content
TRAI recently concluded a public consultation process regarding differential pricing in data services (resources). The consultation paper covered all differently-priced or zero-rated services offered through data. The process has witnessed tremendous public participation, with a spirited campaign by Internet activists (Savetheinternet.in) and a counter-campaign by Facebook where it garnered support through users by using the narrative of connecting those who have no access (https://www.facebook.com/savefreebasics).
CCG submitted a formal response as part of this process, which you can read here, and filed an additional counter-comment signed by ten different civil society and research organizations.
The consultation process also involved a public discussion on the questions raised, where the usual suspects were all present – telecom companies arguing for differential pricing, and internet activists against. Also present were startup- and user- representatives.
Facebook’s telecom partner for carrying the Free Basics platform in India —Reliance Communications — was then instructed by TRAI to put a hold on rolling out Free Basics until they came up with a clear position on differential pricing and net neutrality. The regulator later confirmed that they received a compliance report to this effect as well. Facebook had been aggressively pursuing its campaign to collect support in favour of its platform for the entire duration of the public consultation.
TRAI has clarified that these regulations ‘may’ be reviewed after a two year period, or at an earlier time as decided by the Authority. An exception to the prohibition has also been included, to account for emergency services and services offered during ‘times of grave public emergency’. An additional exception is that of closed networks which charge a special tariff for their usage.
[We will shortly update the piece with more analysis of the regulations]
The past month has witnessed a rise in tide of public debate surrounding net neutrality once more, accompanying the release of another Consultation Paper by TRAI, and another AIB video urging public participation in the ongoing consultation process. To add to this mix there has also been an effort from Facebook to build consensus amongst its userbase regarding the effect of ‘Free Basics’ on net neutrality. The crux of one set of arguments put forth in these debates consists of the harm that a differentially priced platform can cause to competition in the market for Internet applications, along with the related concern of monopolization of a section of the country’s userbase. The other side places emphasis on the need to increase the accessibility of the Internet, and both have disagreements as to the interpretation of the term ‘net neutrality’.
An important issue that gets missed out in the rhetoric is the Fundamental right of Internet users to access a diverse set of media sources on any given platform whose nature is that of a public utility. Media diversity implies that the information stream reaching the public through any public medium must be prevented from being unduly influenced by one or a few entities with a controlling effect on the market for these media content providers. It also rules against any role for the carriers of content (known usually as intermediaries or service providers) in choosing whose or what kind of content is allowed on the medium. The usage and allocation of the medium as a public resource is subject to certain Constitutional principles as well, and these are also ignored while discussing how to regulate (or not) Internet-related services in India.
The Right to be Informed
Article 19 of the Constitution guarantees the right to freedom of expression, but this right also includes the right of citizens to a plural media. As discussed by the Supreme Court in Secretary, Ministry of Information & Broadcasting, Govt. of India v. Cricket Association of Bengal, the debate and opinions sought to be protected by Article 19 need to be informed by a plurality of views and an ‘aware citizenry’. What does this mean for regulation of access to the Internet? It translates into ensuring the possibility of a wide array of options in terms of media consumer choices being made available to the public. Any communication platform cannot remain restricted in its control by one or a few parties. This restricts the nature of the content available through that media, leading to narrowing of the ideas views available to citizens on any public platform.
It is far from difficult to balance this concern with the free market. The principle encourages a competitive atmosphere between content providers, and seeks to avoid a situation where there is a disproportionately dominant player in the market exerting undue influence over the functioning of that market. The presence of a single or few dominant entity(ies) enjoying a magnified impact on the market makes it difficult for newer entrants to make a dent in the market-share of the dominant player, thus reducing the possibility of any competition being provided by these smaller players.
This Constitutional requirement comes in conflict with the concept of zero-rated plans at its core: can we really have a telecom company deciding the exact specific pieces of content that we receive in preference to all other content? Are we willing to hand them this power of shaping consumer choice, public access and opinion simply by choosing the right business partners? If we can conclusively answer these questions in the affirmative, zero-rating plans would have no quarrel with Article 19. Indeed, such an affirmation would even successfully dispense with one of the core tenants of the idea of net neutrality – that all data be treated in the same manner irrespective of its content.
Spectrum as a Public Resource
The Cricket Association of Bengal judgment also discusses the regulation of spectrum as a public resource. This is arguably an even more fundamental question, addressing the question of what qualifies as legitimate usage and allocation of spectrum. The Court characterized airwaves as a scarce public resource, which ought to be used in the best interests of the public, and in a manner that prevents any infractions on their rights. Justice Reddy’s opinion in the judgment even acknowledges the requirement of media plurality as part of the required policy approach for regulating spectrum.
Another SC judgment arguing in a similar vein, Association of Unified Tele Services Providers & Ors. v. Union of India & Ors., ruled that the State is bound to use spectrum resources solely for the enjoyment of the general public. Applying the public trust doctrine, it explained that the resources are prohibited from being used or transferred for any kind of private or commercial interest.
What the available jurisprudence effectively lays down can be encapsulated in the following: Spectrum is a public resource that can only be used and/or allocated by the state for general public benefit, and cannot be used in any manner for private or commercial interests. This public interest contains various concerns, one of them being the right to a diverse set of media content sources, so as to avoid interested parties having any kind of power or control over the content available to consumers. What this means for the State is that spectrum must be used in order to maximise the variety of media available to end-users and prohibit control over the medium of transmission being controlled by a single or few player(s).
This creates a tricky situation for TRAI, who have asked for public comments on the desirability of differential pricing in data services. There is a glaring lack of clarity on the exact mandate provided to the state regarding how to use spectrum resources to achieve TRAI’s officially cited objective of providing ‘free’ Internet access to consumers. Without discussion focusing on the exact nature of what we want to achieve, we will continue to be forced take reactionary positions regarding most issues and developments. Forming a concrete policy to connect India’s billion can only get a whole lot easier once we are able to agree upon a common goal and a set of principles regarding how to get there.
Justice Rajiv Sahai Endlaw when hearing a petition in the Delhi High Court on the 23rd of September this year had this to say about ecommerce, “Prima facie, the Union of India/State Governments cannot, on the one hand, for the purpose of tax, treat such sales as retail and on the other hand, for the purposes of investment, not treat the same as retail sale”. This effectively sums up the confusion around ecommerce and Foreign Direct Investment (FDI) policy in India. Whether ecommerce should be considered as B2B (business to business) or B2C (business to consumer) under the FDI Policy is the question.
The above petition was filed by the Retailers Association of India (RAI) and the All India Footwear Manufacturers and Retailers Association (AIFMRA) seeking clarity on FDI in e-commerce, arguing that ecommerce companies have been acting like retailers which is in violation of the current FDI norms. In the beginning of this month, the Confederation of All India Traders (CAIT) had also raised similar objections in a complaint sent to the Secretary of Department of Industrial Policy & Promotion (DIPP) at the Ministry of Commerce and Industry. The letter in particular singled out Flipkart, Amazon and Snapdeal for flouting FDI regulations when offering huge discounts during the festive season sales. The commerce ministry in turn has requested the Enforcement Directorate (ED) and RBI to look into these companies and examine if they are indeed engaging in retailing activity.
This is not the first time that these ecommerce companies have been pulled up by the authorities. A similar probe was said to have been carried out by the ED placing Flipkart under the scanner back in late 2012. None of them to date have been found to be violating the FDI Policy to date. This could change with the Delhi High Court issuing a notice in the above case to the government (the matter is said to be heard by the High Court sometime soon) directing them to file their affidavit on the matter.
At this point there is no doubt about the increasing importance that ecommerce is going to play in India’s economy, with the industry said to cross the $100-billion mark over the next five years according to an Assocham-Pricewaterhouse Coopers study. Meanwhile the regulatory landscape for ecommerce looks quite shaky and that includes the FDI regulations.
Regulatory Framework for FDI
FDI in India is regulated under the Foreign Exchange Management Act, 1999 (FEMA). The Ministry of Commerce comes out with the investment policy and the amendments in consultation with the DIPP. This is then notified by the Reserve Bank of India (RBI) through press notes and circulars. It is the Directorate of Enforcement (ED) that carries out investigations when it comes to possible violations of FDI Policy. Penalty under the Act can go up to thrice the sum[1] involved for the guilty entity resulting in the possibility of Flipkart facing a whopping 1400 crore penalty had the earlier ED probe in 2014 found them guilty. This kind of penalty can reduce a company to bankruptcy quite easily.
This is what Amazon’s options look like currently
Now India‘s FDI Policy (Consolidated FDI Policy, 2015) permits FDI up to 100% in e-commerce activities.[2] This however applies only to B2B ecommerce (under the Automatic Route) and not to online retailers/e-retailers also known as B2C ecommerce[3]. B2B stands for Business to Business where the trading is between business entities such as manufacturers and wholesalers or between wholesalers and retailers. B2C on the other hand stands for Business to Consumers where online businesses sell directly to the customers.
In September 2012, the Indian government allowed 51% FDI in multi-brand retail, subject to certain conditions. Whereas retail trading in ecommerce for companies with FDI (single[4] or multi brand[5]) is not allowed under the FDI Policy. The 51% FDI limit in multi-brand retail is subject to some conditions where the states take the final call, which might be difficult to translate into ecommerce which has no geographical boundaries.
All this is not to say that Amazon and the rest haven’t found a way out under the existing FDI framework to attract foreign investment. Amazon follows what is known as the marketplace model that is compliant with the FDI Policy of India. A marketplace model in ecommerce, as a Snapdeal spokesperson explained, “(Snapdeal) is a technology platform that connects sellers with buyers to facilitate transactions”. In the marketplace model, the ecommerce company only engages in the activity of buying and selling which is considered B2B and not retail trading under the Policy (see footnote n.3). Therefore under this model the ecommerce company does not carry out any retail transactions and does not directly sell anything to the customer. Instead the ecommerce platform earns commission from sellers of goods/services for their services. This move to operate as a marketplace enables Amazon[6]and Flipkart which are both majority-owned by foreign investors to still function in the Indian market without running afoul of the FDI Policy.
What Amazon can’t do is run an inventory based model. In this model, ownership of goods and services and the marketplace vests with the same entity. As a comparison India is said to be the only one among a list of developed and developing economies that does not allow FDI in inventory based ecommerce. Keep in mind that in the marketplace model, ownership of the inventory vests with the enterprises who are the ultimate sellers of the goods/services.
Does Ecommerce fall under B2B or B2C?
This section looks at what CAIT, AIFMRA and other brick and mortar associations are complaining about when it comes to e-commerce companies like Amazon, Flipkart among others. Their primary concern is that e-commerce companies are acting like B2C retailers while enjoying foreign investment that is only legal for B2B enterprises.
One of the possible FDI Models as laid out in the paper by Arkay & Arkay and Medianama
The CAIT has pointed out that the intensive advertising campaigns carried by the marketplaces should not be considered B2B activity as these initiatives are directed towards the consumers to promote their sales. Further, the CAIT questions how these ecommerce platforms offer such massive discounts when they have no inventory at their disposal. AIFRMA in their Delhi HC petition argued that marketplaces in ecommerce in India operate as retailers since the payment, delivery, returns and refund are all handled by these companies.
The other accusation made against these companies is that they do in fact have inventories and do not perform as mere marketplaces. In September 2014, the ED was directed to look into Amazon and examine if they are making the sales instead of the vendors. The Karnataka Government also had suspicions about the “fulfillment centres” belonging to Amazon alleging that Amazon “owned” the products in such centres. Interestingly when Flipkart was incorporated in 2008, it started out as an inventory-based B2C model that had to be changed to the B2B marketplace model after raising foreign funds in 2012. The change however was made only in April 2013 leading to an investigation by the ED on Flipkart functioning as a B2C with FDI during 2012-2013. Again, none of these ecommerce companies have ever been found to be violating FDI Policy.
While the marketplace model is practiced by Amazon, Flipkart and others, there are also other structures through which foreign investors can enter the Indian ecommerce market legally. One of the structures for instance can be found in the image above. The Delhi HC petition also addressed concerns that ecommerce companies have been creating complex business structures to evade the law. One such case study is that of Amazon Asia’s stake in Cloudtail (see image below), one of the largest sellers on Amazon India. Amazon through Cloudtail can therefore dictate pricing among other things and in effect acts like a retailer. This of course pales in comparison when it comes to Flipkart and their dominant seller WS Retail that accounts for 85% of the total products sold on the portal over the past three years. Flipkart does have operational control over WS Retail even now. This, after the famous corporate restructuring that Flipkart carried out in 2012 which included the divesting of WS Retail. Ecommerce companies are doing all this to make sure that the companies are an arm’s length from directly selling to the consumers.
Amazon being clever: image from ISID paper by Rahul Nath Choudhury
Way Forward
Which brings us to the next question of whether companies should be penalized for creating such business structures or is it time to allow for FDI in B2C ecommerce instead? The DIPP considered the pros and cons of doing so in their Discussion Paper that came out in January 2014 and sought out public opinion. The government has held discussions with several stakeholders including ecommerce companies and bodies such as FICCI, NASSCOM and CII this year. There have also been several reports of foreign retailers like Amazon and Ebay lobbying with the Indian government to permit FDI in online retail in India. It is clear that there are valid arguments both for allowing FDI in e-retail and not. It is crucial however that the government decides on this soon to ensure that the current FDI framework is not manipulated and its purpose defeated. It is also worth exploring how the government can impose conditions (and what conditions) on companies with FDI in online retail, if it were to be allowed.
Fundamentally more clarity is required with respect to the definition of the term marketplace and the difference between retail and wholesale trading[7] on online platforms. With FDI not being the only regulatory concern for ecommerce in India, seeing as concerns regarding taxation of these goods/services and anti-competitive behavior by these companies have also been brought out, maybe it is not a bad idea to go back to the drawing board to figure out the definition of ecommerce in India. A better understanding of what ecommerce in India entails will help characterize it either as B2B or online retail which in turn can bring the “violations of FDI Policy” debate to an end. Answers are expected soon from the government after the commerce and industry ministry received responses from various states on this matter a few days ago. The Vidhi Centre for Legal Policy in a report has proposed for a law to be passed by the Parliament under Entry 42 of the Union List[8] to govern goods/services of online marketplaces and those sold directly on the Internet. Moving forward a uniform policy on ecommerce across states will provide much-needed clarity albeit it has to be done in the near future.
[1] As per S.13 of FEMA, 1999, penalty imposed can be thrice the sum involved in the contravention where such amount is quantifiable.
[2] DIPP Press Note No. 8 of 2015, Annexure 1, paragraph 6.2.16.2.1 allows 100% FDI in B2B Ecommerce activities.
[3] Under paragraph 6.2.16.2.1 of the Consolidated FDI Policy of 2015 (effective from May 12, 2015), 100% FDI is permitted only in B2B ecommerce activities, “E-commerce activities refer to the activity of buying and selling by a company through the e-commerce platform. Such companies would engage only in Business to Business (B2B) e-commerce and not in retail trading, inter-alia implying that existing restrictions on FDI in domestic trading would be applicable to ecommerce as well.”
[4] Under paragraph 6.2.16.3 of the Consolidated FDI Policy of 2015, “Retail trading, in any form, by means of e-commerce, would not be permissible, for companies with FDI, engaged in the activity of single-brand retail trading.”
[5] Paragraph 6.2.16.4 of the Policy provides, “Retail trading, in any form, by means of e-commerce, would not be permissible, for companies with FDI, engaged in the activity of multi-brand retail trading.”
[6] Amazon India (Amazon Sellers Services Private Limited) for instance was set up as a wholly owned subsidiary by Amazon Asia-Pacific Resources Pvt. Ltd., Singapore in 2012, incorporated in Bangalore. They had entered the Indian ecommerce market before through the acquisition of Junglee.com way back in 1998 which came into operation in 2012. Junglee.com, a price comparison website, was also set up under the marketplace model.
[7] Currently under paragraph 6.2.16 of the Consolidated FDI Policy of 2015, B2B ecommerce is considered as wholesale trading.
[8] Entry 42 of the Union List covers inter-state trade and commerce.
(Madhulika Srikumar is a Research Assistant at CCG and a final year student at GNLU)
The CCG Blog 