Contemporary Issues

[By Shivam Tripathi] The author is a fourth year student of Maharashtra National Law University, Nagpur. The global payments landscape is under fundamental transformation and India is no exception to this. The Reserve Bank of India (“RBI”) notified the 2020 guidelines[i] governing Payment Aggregators (“PA”) and Payment Gateways (“PG”) (“Guidelines”). PA is a service provider through which merchants can process their payment transactions, and PG provides the technical support for securely transferring money from the customer bank account to the merchants’ payment portal. In the process, both PA and PG act as intermediaries facilitating online payment methods. Under the existing regime governed by Directions for Opening and Operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries, 2009[ii] (“2009 Direction”) the intermediaries have to maintain a nodal account, in the form of an internal account, thus both PA and PG were not being directly governed by the RBI. The Guidelines recently issued by the RBI provide structure to regulate every activity of the PA, along with recommendations regarding the maintenance of online data security of the customers. Key Takeaways from the Guidelines The Guidelines adopt a licensing method, under which no PA will be allowed to operate without prior authorization by the RBI. The key takeaway of these Guidelines is that firstly it define PA[iii] and PG[iv] as the 2009 Directions only recognised the intermediary as a whole. Secondly any e-commerce marketplace providing services that are covered under the definition of PA are to be separated from the marketplace. Thirdly every PA seeking authorization under the Guidelines must be a registered company under the Companies Act 1956/2013. Fourthly banks providing PA services as a part of the normal banking services need not acquire separate authorization and lastly all the entities governed under the Guidelines are to be managed professionally and are required to maintain an escrow account with one of the scheduled commercial banks. Additionally, all the entities must maintain a customer grievance redressal and dispute management framework. The Guidelines do not regulate the functioning of PG, however, they do provide for the protection of consumer information. The Guidelines are a welcome step as they bring intermediary payment platforms under the direct control of RBI.[v] However certain steps taken under the Guidelines might act as roadblocks rather than furthering effective implementation. Regulating the Payment Gateway The Guidelines distinguish between PA and PG, which leaves a chunk of entities outside the ambit of the Guidelines. Instead, the Guidelines should incorporate a method under which payment services[vi] are regulated. A similar method is adopted by Singapore[vii] and the European Union.[viii] FAQ[ix] of the Payment Service Act, 2019 (Singapore) states that the scope of the Act also includes payment gateways. The European Union under the Payment Service Directive (“the EU Directives”) also adopts a similar approach[x]. Such an approach enables the government to adopt a more comprehensive regulatory mechanism. However, in both these cases, an exception is carved out for entities providing purely technical support, for instance, privacy protection services, data processing services, communication network services, etc. Whether registration under the Companies Act, 1956/2013 is necessary? The Guidelines require any entity applying for a license/authorization to operate as PA, to be a registered company under the Companies Act 1956/2013,[xi], and the MOA of such a company should specify the proposed activity of operating as a PA. Such an approach acts as an impediment in attracting international payment services providers in India. Looking at foreign jurisdictions, Singapore has a similar requirement under the Payment Services Act. However the FAQ’s released under the Payment Service Act, 2019 state that both local and foreign companies are permitted to apply for a licence under the legislative framework.[xii] On the other hand, the European Union Payment Services Directives do not contain any such requirement at all. Third-Party Payment Service providers The Guidelines leave a gap as to the regulations imposed on the third party payment service providers which included payment initiation and account information services. These services providers access the customer’s security details through online banking, but as there is no legal framework governing third-party service providers, issues like breach of privacy may arise. Under the EU Directives, third party payment services are also included. The Directives state that these providers will be governed by the same rules as the other online payment service provider, i.e. registration, licensing, and supervision by the competent authorities.[xiii] Furthermore the EU Directives also state that the banks have the duty to establish a safe and secure communication channel for transmission of data.[xiv] The Banks will also be liable for maintaining the accounts and ensuring that there is no delay or incorrect payments. Additionally, to prevent leakage of any sensitive data, the EU Directive mandates that the third-party service provider, should ensure that the information regarding the payment shall only be conveyed to the recipient and to no other party, furthermore no sensitive data can be stored. Approach for revised regulations With the ever-evolving technology, the traditional approach of “one size fits all” fails. Instead, the regulators should come up with a new innovative approach to regulate the payment service sector. For instance, the current regime focuses on the design of the entity, i.e. whether the entity is a payment aggregator or a payment gateway. To determine the applicability of the Guidelines, instead the regulators should focus on the performance standards. Performance standards specify an outcome, but leave the specific measures to achieve the outcome to the discretion of the regulated entity. Performance standards can better account for changes in the practices of regulated entities, empower innovation in compliance methods, and incentivize the developments that are occurring in the industry while ensuring that the regulatory goal is achieved. Traditionally, policymakers used to face certain issues while implementing performance standards, because earlier it was very difficult to test how the goal is met, owing to the information gap between the regulators and the industry. Additionally, regulators attempting to implement classical performance standards lacked the technical knowledge to be able to measure, monitor,

[By Shubham Jain] The author is a fourth year student of National Law University, Jodhpur. Introduction The issue of privacy and data protection was thrown into the limelight after the Justice K.S. Puttaswamy Judgement which recognized the right to privacy as a fundamental right enshrined under Article 21 of the Indian Constitution.[i] Instances like the AADHAR data leak,[ii] Cambridge Analytica and Facebook data breach;[iii] etc. raised concerns about data protection, existing infrastructure, and the current state of affairs pertaining to cross-broader trading of data. While the concerns regarding privacy were grabbing headlines, FinTech industry in the country was booming because of demonetization, and government’s push towards boosting e-payments in the country. The term FinTech is often defined as the “technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.[iv] The FinTech industry is aimed at bringing technological innovations to the banking and financial sector.[v] According to estimates, the digital payments industry in India is projected to reach USD 700 billion by 2022 in terms of the value of transactions.[vi] FICCI projects the global FinTech sector’s value at $45 billion by 2020, growing at a compound annual growth rate of 7.1%.[vii] Needless to say, the concerns regarding data protection affect the FinTech industry as well. Therefore it is important to ensure that the data of the consumers provided to the FinTech entities protected, while ensuring the industries growth. Data Protection and Privacy The Srikrishna Committee noted that the conception of privacy is based on society and culture which determines what may be construed as violation of privacy.[viii] It further noted that the data protection principles are founded in the trust of citizens over the entities governing it.[ix] The entities could be either the regulatory authorities; or the private corporations. In the US, these relations are dictated by the capitalistic principle of lassiez-faire; however, the courts have recognized the Right to Privacy, as indicated in their constitution.[x] The US has sector specific laws with regards to privacy and use of data by private entities.[xi] The citizen and corporate relations are based on free markets and merely regulating the data handling process;[xii] whereas the state has to follow stricter laws stemming from the principles of liberty.[xiii] The EU is leading the world in terms of regulations regarding data protection; especially with EU-General Data Protection Regulation, 2018 (“GDPR”).[xiv] The EU Approach to data protection is based on upholding human dignity and protecting privacy.[xv] It was further noted that the Srikrishna Committee noted that the Indian citizen-state relationship does not coincide with either US or EU. The Indian Constitution envisions state as a (i) facilitator of human progress as indicated through the DPSPs, and (ii) checks and balances to prevent misuse of power by the state as enshrined in the federal structure and three organs of the government.[xvi] Therefore, the Indian conception of privacy as a right seems to be exercise of autonomy within a limited sphere as prescribed by the regulators. The decisions of the regulators can checked through the judicial review in case of excessive measures or encroachment on rights of citizens. Fintech – Regulatory Regime In India, the arena of FinTech is regulated by several regulators like the RBI and SEBI for intermediaries in securities market, IRDA for insurance related regulations and TRAI for regulatory mechanisms related to telecom.[xvii] The FinTech companies often find themselves being governed by overlapping jurisdictions. The Working Committee Report remarks that FinTech entities are regulated within the framework of ‘payment systems’[xviii] and need the authorization by the RBI.[xix] The RBI has the power to issue directions to payment systems and systems participants;[xx] which may be invoked by the RBI to issue directions. The RBI regulates payment space under the Payment and Settlement Systems Act, 2007 and the Payment and Settlement System Regulations, 2008. Further, RBI Also governs the functioning of peer-to-peer lending through the P2P Master Directions (published in Oct., 2017) which requires P2P NBFCs to register with RBI. Further, RBI recently recognized the need to strengthen the consumer confidence in digital payments and thus launched Ombudsman Scheme for Digital Transactions (OSDT) as a complaint redressal mechanism.[xxi] Regulating Privacy and Data Protection in Fintech Industry Transfer of personal data categorized as sensitive personal data is currently governed by the SPD Rules issues under Section 43A of the IT Act. In case of any negligence in implementing, and maintaining reasonable security practices to ensure protection of the sensitive personal data, the body corporate are held responsible, and are required to compensate for leak/loss of data.[xxii] Furthermore, the disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract is punishable with up to 3 years of imprisonment and fine.[xxiii] The data protection, as of now, is merely governed by a contractual relationship between the parties.[xxiv] Terms of the contract are dictated by the service provider, and the users have very little or no say in the same. The provisions of the IT Act are not sufficient to ensure protection of the sensitive information and data of the consumers. Concerned the sector’s recent boom, RBI issued notifications mandating data protection and localization. It has also showed concerns about the security standards/measures, and has assumed unfettered access to the data.[xxv] RBI also recommended the need for exhaustive stand-alone legislation on data protection in order to ensure customer faith in the FinTech Industry and protect the citizens from exploitation of personal information.[xxvi] The Sectoral Regulators are already taking initiative to protect the data of the consumers.[xxvii] The Working Committee has recommended that the data must be classified based on extent of their sensitivity and risk of exposure associated with the same.[xxviii] The FinTech entities were to ensure that the data does not suffer from any “loss of confidentiality, loss of integrity, and loss of availability”, by implementing the safe transaction principles.[xxix] The RBI also suggested requirement of establishing a Network

[By Arpit Saini] The author is a third year student of National Law University, Jodhpur and can be reached at [email protected] The Crisis Vodafone Idea Ltd. and Bharti Airtel have sustained their position as top-ranked mobile service providers in the Telecom Industry for several years. Within the last 14 years in the industry, as many as 10 players have either closed down their business or have undergone insolvency proceedings but these two operators stood their ground against all adverse situations, noticeable from their reaction to the revolutionary introduction of Reliance Jio, increased price competition and decreasing tariffs on calls and data usage. However, the Supreme Court (“SC”) decision on 24th October 2019 concerning the definition of Adjusted Gross Revenue gave a crippling blow to these operators. Consequent to the decision, Vodafone and Airtel are supposed to pay Rs. 28,309 Cr. and Rs. 21,682 Cr. respectively to the Department of Telecommunications (“DoT”). These operators, now, face a threat of possible bankruptcy which will leave Reliance Jio as the only major private player in the market. The companies seek a remedy in the form of review petition to the SC.[i] However; the decision to file a review is only ‘evasive’. SC has made the decision after a long-standing dispute of 16 years and has manifestly pinpointed the reckless attitude of these operators which lead them to this situation. The disputed definition of AGR In the telecom sector, DoT issues a license to the operator in consideration of certain license fees and spectrum usage charges. Upon liberalization of the industry in 1994, DoT determined a fixed amount of money as consideration. The operators often defaulted in their payments since the fixed amount was highly burdensome. As a result, they made a representation to the Government of India (“GoI”) for a relief in the amount. GoI addressed the issue and formulated a new National Telecom Policy in 1999. The policy gave the operators an option to shift from the fixed license fee to a revenue-sharing model. Through the model, GoI became a partner of the operators and would share every operator’s gross revenues. It entered into a Draft License Agreement (“Agreement”) with the operators wherein it was to receive a certain percentage from the head of Adjusted Gross Revenues (“AGR”). Clause 18.2 of the Agreement specified that an annual license fee had to be paid as a percentage of AGR. However, DoT’s determination of quantum of fees caused several issues before long. The department included within the definition of the term “AGR” various other elements of income which did not accrue from operations under the license such as dividend, interest, discounts on calls, profits on sale of fixed assets, revenues from other activities separately licensed, etc. Conflictingly, operators opined that the definition only included revenue from operations related to telecom services. Thus, the Association of Basic Telecom Operators (known as Cellular Operators Association of India) and the respective operators filed a petition before the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”) in 2003 asserting that DoT was supposed to follow the recommendations of Telecom Regulatory Authority of India (“TRAI”). TRAI had up till now only made recommendations concerning the terms and conditions under which new operators were to be given a license. Subsequently TDSAT, in 2006, referred to the Indian Telegraph Act, 1885 and ordered that the Government can take a percentage of the share of gross revenue of only those operations for which the license was given. Simultaneously, it urged the TRAI to specifically make recommendations on the definition of AGR and clarify which heads are to be included under it. DoT made an appeal against this order to SC, which dismissed the appeal stating that contentions must first be raised before the TDSAT. When raised before TDSAT, it observed that the matter was already decided upon and cannot be heard again. Eventually in 2011, SC clarified that TDSAT can look into the merits of the claim if appeal is made by the DoT (the licensee) to decide upon the terms and conditions of the agreement. Now, the DoT contended before the TDSAT that the Agreement was put in place before any recommendations were made by TRAI and, therefore, only the terms and conditions of the Agreement should be considered for the definition. Thus, it wanted to give effect to Clause 19 of the Agreement which specifically defined AGR. Meanwhile, TRAI sent its ‘Recommendations on Definition of Revenue Base (AGR) for the Reckoning of Licence Fee and Spectrum Usage Charges’. The Tribunal now had to decide upon the definition having regard to the operators’ claims, TRAI’s recommendations and DoT’s contentions. On April 23, 2015, TDSAT set aside DoT’s demands and decided in favour of the operators keeping in mind the recommendations by TRAI. DoT was resultantly directed to reconsider the license fees. DoT, however, moved the Supreme Court against the TDSAT order. Now, recently on 24th October 2019, the SC ruled in favour of the DoT and ordered the telecom sector operators to pay Rs. 92,641 Cr. for the disputed amount along with the penalty for default and interest on that penalty.[ii] The question which now arises is –‘Who is to be blamed for this crisis faced by the telecom operators?’ The operators have always criticized the telecom sector as unviable and unsustainable. According to their claim, the unsupportive regulatory environment of the sector is beneficial for anybody but the operators. Frankly, however, the operators have only themselves to blame for the present fiasco. Analysing ignorance on part of telecom operators The telecom operators were always legally responsible to follow the terms of the revenue-sharing model as part of their performance under the Agreement with the GoI. The Agreement derived the power to grant license from the proviso to sub-section (1) of Section 4 of the Telegraph Act and was in the nature of a contract between the GoI and these operators. DoT had drawn up the terms and conditions of the agreement after detailed deliberations and consultations with the stakeholders. It

[By Samanth Dushyanth and Yashaswi Rohra] The authors are final year students of Symbiosis Law School, Pune and can be reached at [email protected]. Introduction On 26th December 2018, Department for Promotion of Industry and Internal Trade (DPIIT), released Press Note No. 2 of 2018 (“Pn2”) introducing certain key changes to the Consolidated FDI Policy, 2017 (“FDI Policy”) in the e-commerce sector. Pn2 amends paragraph 5.2.15.2 (E-commerce activities) of the consolidated FDI Policy of India providing for these changes to come into effect from February 1, 2019. The FDI Policy permits 100% FDI through the automatic route. However, FDI is not permitted in the inventory based model of e-commerce. A ‘marketplace based model’ refers to an e-commerce entity which provides the information technology platform and acts as an intermediary that facilitates trade between buyers and sellers.[i] An inventory based model on the other hand is defined to mean a model in which the e-commerce entity exercises ownership over the goods, and sells directly to the consumers (B2C).[ii] The subsequently mentioned changes were introduced as an initiative to bridge the gap, since the current FDI Policy being a widely worded legislation provides a window for the large market players to circumvent the provisions. Key changes Inventory Control Pursuant to the Pn2, ownership or control both shall be the determining factors to differentiate between marketplace and inventory based model. Any control or ownership over the inventory shall render the business of the marketplace entity as an inventory-based model of e-commerce. The control in the aforementioned change is further explained as the marketplace entity shall be ‘deemed’ to have control over the inventory of a seller , if more than 25% of the purchases of such seller are from the Marketplace Entity or its group companies. This statement leads to two possible interpretations: Interpretation 1 – Sales generated by the vendor through the marketplace and its group companies. Interpretation 2 – Purchases of the vendor through the marketplace and its group companies. These interpretations arise due to the different kind of business models that exist in the market to which the government has failed to provide any clarification. Similarly, the earlier restriction on 25% sales on an e-commerce platform not originating from a single seller has been largely ineffective. Large e-commerce entities simply created more affiliated sellers (and ensured that sales from each remain under 25%). Pn2 has removed this requirement. Equity Participation Pn2 dictates that a seller shall not be allowed to sell on the platform of the marketplace entity, if the marketplace entity or its group companies have any equity participation of the seller entity.[iii] The intent of the legislature with regards to this change is to prevent the e-commerce entities from exercising control over the pricing policy or inventory of the vendor. It does not explicitly state that both direct and indirect equity participation would count. With this requirement, the government has sought to restrict the ability of e-commerce entities to have a minority equity stake in entities that act as sellers on their platforms. However, the same is a blanket prohibition and may claim unintended victims. Level Playing Field E-commerce entities are required to provide the same suite of services or facilities to all sellers under “similar circumstances”. Like any other business, e-commerce entities may wish to reward or provide enhanced services to suppliers/ vendors who stand out. [iv] Interestingly, the Pn2 appears to recognize an existing practice of providing ‘cashbacks’, which is a system set out to selectively incentivise the customers to choose certain products and to reject other products leading to failure of smaller sellers and unfair competitive market. Pn2 considers this system as not being violative of the prohibition on e-commerce entities influencing the sale price of goods. Instead, only requires cashbacks to be given in a fair and non-discriminatory manner. Compliance Pn2 of 2018 requires an e-commerce entity to furnish an annual certificate, confirming compliance with these guidelines by September 1 of every year. This however does not explain whether they will be required to perform any diligence of their own, or can they rely on self-certification by vendors. Exclusivity Pn2 places a blanket restriction adversely impacting the exclusive arrangements between e-commerce marketplaces and manufacturing companies, to sell products exclusively on their online platforms. The ambiguity surrounding this restriction is regarding the question of how would the enforcement authorities determine if a seller has been “mandated” to sell its products exclusively on an e-commerce platform, or if the seller is choosing to do so voluntarily. Recent Developments Due to mass confusion amongst both e-commerce companies as well as parties interested in foreign investments, the DPIIT held a meeting with stakeholders including companies and groups that were affected by the said guidelines. On turning down demands of the deadline, the government convened the meeting to address the concerns of the e-commerce entities. As a consequence, the Union Minister of Commerce and Industry held a marathon meeting with online players on 26th June 2019. The meeting yielded a vague and ambiguous assurance that the institutional framework would be put in place only within a time frame of a year. However, the DPIIT clarified that the objective of conducting the meeting was not to bring about further changes to the existing FDI rules, but to assist with implementation of the guidelines laid down in Pn2. Amazon In compliance with the new guidelines, Amazon reduced its ownership stake in Cloudtail from 49% to 24% of total shareholding. With the compliance clock ticking over Amazon’s head, it is expected to similarly offload its stake in Appario. Amazon India’s Pantry service faced a temporary suspension following the release of the Pn2. NASDAQ-listed Amazon and NYSE-listed Walmart reported a combined loss of 50 billion dollars in the week following the implementation of the regulations. Over a dozen small scale vendors exited or suspended their accounts on Amazon in the month of June 2019, since they were unable to manage deliveries and logistics on their own after the new policy came into effect. Flipkart

[By Ankur Gupta] The author is a law lecturer with Temasek Business School at Temasek Polytechnic in Singapore. Besides facilitating learning and conducting research in various areas of law, he has a keen interest in monitoring how the business of law may change bringing with it changing expectations of employers on Skills of lawyers and other professionals working in the legal services sector. He can be reached at [email protected] or on LinkedIn. Introduction The Business Standard recently carried a report[i] on the how certain law firms in India are at the cusp of engaging and experimenting with applications powered by transformative technology such as Artificial Intelligence (AI).   This ‘think anew, act anew’ mantra informing the business of law stems from global trends shaping the operating environment of law firms. The operating environment, globally, for businesses and in turn for law firms is being transformed on account of novel applications of transformative technologies like AI, Internet of Things (IoT) and Blockchain amongst others.  The chief catalyst for technological transformation impacting law firms are the consumers of legal services, especially multinationals and other heavyweight clients who themselves are in the process of digitization and revamping their own processes and products in a bid to remain competitive. Application of AI, IoT and Cloud Computing and other transformative technologies is playing a vital role. Arguably, these consumers are increasingly demanding that providers of legal services innovate the delivery of legal services, be it law firms or their own in-house legal counsels. This piece discusses broad trends associated with how law firms are positioning themselves in an increasingly crowded market where they must compete with a host of traditional and non-traditional rivals for the same pie of business. It is hoped that this will spur aspiring lawyers and other readers to engage with developments innovation in the business of law given the potential for new career opportunities for law graduates and experienced non law professionals as a by-product of such innovation. The article is jurisdiction agnostic, a reflection of the trend that the innovation and disruption in legal service delivery and legal business models is borderless. Legal Innovation: a demand for value innovation by law firm clients Technological change is not new, neither is disruption. Industries, jobs and economies have transformed on account of innovative technology since the Industrial Revolution, if not earlier. What is, perhaps, different is that change is multi-layered: a series of small and significant changes which add to the complexity.  Such change is charecterised by emergence of new products, new players and new processes which in turn impact and give rise to issues for legal practice, legal education as well as regulators.  This paper limits the discussion to legal innovation and its relevance for law firms. On the availability of new products, it worth noting that legal tech tools are available in almost every area of legal practice[ii].  What is also noteworthy about this proliferation is that several legal tech tools are designed not necessarily with the lawyers in mind but for mass consumption. One example is online dispute resolution and management platforms which are touted as ‘self-service sites and dialogue tools’ promising convenience, cost savings and accessibility to disputing parties[iii]. The efficacy and customizability of generic applications is progressively evolving with greater usage and user feedback flowing back to developers. Lawyers are professionals and law firms are businesses providing solutions to clients. Technology is a means to this end.  How law firms service their clients and continue to provide ‘value’ and ‘value innovation’ is mediated by technology. Clients in the B2B segment i.e. businesses which engage law firms are increasingly concerned about the efficiency of law firms in offering their services. This is perhaps a pressure point for law firms. Another trend forcing law firms to re-think their offerings to make them more appealing as many large clients seek ‘full service’ solutions rather than piecemeal legal advice which has been the case so far. One example of ‘Value Innovation’ is how the Big4 are offering legal services to their clients leveraging on in-house multi-disciplinary expertise delivered by teams of legal practitioners working alongside accountants, auditors, management consultants and other domain experts. This is where technology, process improvement, resourcing and project management are assuming importance in a law firm context[iv].  Established multinational law firms such as Clifford Chance, Linklaters, Dentons Rodyk as well as several national and regional law firms seem to be joining the legal innovation bandwagon, leveraging technology atop their brand, domain expertise and reach to in the face of competition from non-law firm service providers vying a slice of the lucrative pie for legal services markets across jurisdictions. Perhaps most notable about the ongoing transformation of the business of law is the proliferation of Alternate Legal Service Providers (ALSPs) often characterized as impinging on turf traditionally ‘belonging’ to law firms.  At the most basic level, some ALSPs are offering self-service apps for clients to create simple legal documents, thereby ‘commoditizing’ legal services and removing the lawyer from the picture[v]. A wider suite of products on offer includes access to platforms which enable consumers of legal services to resolve disputes online, access to subscription-based software to build contracts and consultancy on automation of workflows and processes, protracting the potential for distermediating[vi] law firms. Developments in legal innovation also catching attention of legal academics globally Legal Innovation and Academia Attempts to capture legal innovation, as an academic subject matter, are also on the rise. Stanford Law School’s Techindex is a unique compilation of legal innovation describes on the website as “a curated list of 1211 companies changing the way legal is done”[vii]. In Asia, the Singapore Academy of Law (SAL) teamed up with the Singapore Management University (SMU) publishing two editions of State of Legal Innovation Report aimed at covering developments in legal innovation and legal technology development in nations across the Asia Pacific.  Beyond reports and compilations, formation of multi-disciplinary, cross border groupings such as Asia-Pacific Legal Innovation and Technology Association (ALITA)[viii] aimed at foster collaboration around legal