OVERVIEW OF THE PERSONAL DATA PROTECTION BILL

INTRODUCTION

With a growing online footprint, one is at a higher risk of privacy breach than ever before. Also, at this juncture employees and customers are increasingly becoming sensitive about their privacy rights. So, legal framework was required to include policies that support innovation, but which, simultaneously protects individuals and entities from risks associated with data. Thus, data privacy measures are both critical and can provide companies a real business advantage if handled well.

The Ministry of IT, Govt. of India (“MeitY”) constituted a committee of experts chaired by Justice Sri Krishna for issues related to data protection in India on July 31, 2017 (the “Sri Krishna Committee”). It submitted its report titled “Free and Fair Digital Economy, Protecting Privacy and Empowering Indians” (“Report”) and also the Personal Data Protection Bill, 2018 (“PDPB 2018”) on July 27, 2018.

The Report says that legal regime must aspire to the common public good of both a ‘free’ and ‘fair’ digital economy. The Free implies autonomy of the individual with regard to their personal data. And the Fairness pertains to developing a regulatory framework where the existing inequalities in bargaining power between individual and the entities that process such personal data is mitigated.

In August 2017, the Supreme Court in K. S. Puttaswamy v. Union of India (the “Judgement”) recognised right to privacy as a Fundamental Right. The court stated that every person should have the right to control commercial use of their identity. The Judgement, therefore, established that people (citizens and non-citizens) could assert their individual rights against unlawful government invasions to their privacy and it also imposed an obligation on the state to protect the individual’s right to privacy by private entities.

Globally, the enactment of the EU General Data Protection Regulation (“GDPR”) in 2016 which came into force in May, 2018 established a global norm in personal data protection. The PDPB 2018 reflects principles contained in the GDPR, while simultaneously attempting to bespoke the law to Indian needs.

Now, finally, the Government has tabled a modified Personal Data Protection Bill, 2019 (the “PDPB 2019”) in the parliament on December 11, 2019. It has been sent to 20 members Joint Parliamentary Committee for further deliberations. The Committee is expected to submit its Report in the budget session (i.e., February, 2019).

FEMA guidelines for FDI in e-commerce entities

FEMA guidelines for FDI in e-commerce entities

‘E-commerce’ means buying and selling of goods and services including digital products over digital & electronic network.

‘E-commerce entities’ are the following entities conducting the e-commerce business:

•    a company incorporated under the Companies Act, 1956 or the Companies Act, 2013.

•   a foreign company covered under section 2 (42) of the Companies Act, 2013.

•   an office, branch or agency in India owned or controlled by a person resident outside India.

There are three models in which e-commerce entities conduct their business activities which are as mentioned below:

                                       

a.     B2B E-commerce: The entities conducting B2B e-commerce would engage only in Business to Business (B2B) e-commerce and not in retail trading, inter alia implying that existing restrictions on FDI in domestic trading would be applicable to e-commerce as well. Guidelines on cash and carry wholesale trading apply to B2B e-commerce activities also.

b.  ‘Inventory based model of e-commerce’ means an e-commerce activity where inventory of goods and services is owned by e-commerce entity and is sold to the consumers directly.

    It is noteworthy that foreign investment is not permitted in Inventory based model of e-commerce.

c.     ‘Market place model of e-commerce’ means providing of an information technology platform by an e-commerce entity on a digital & electronic network to act as a facilitator between buyer and seller.

    It is pertinent to mention here that 100% foreign investment under automatic route is  permitted in ‘Market place model of e-commerce’.

    Further there are certain other conditions which need to be complied by ‘Market place model of e-commerce’ which are as follows:

(i)     Digital & electronic network mentioned above will include network of computers, television channels and any other internet application used in automated manner such as web pages, extranets, mobiles etc.

(ii)    Marketplace e-commerce entity is permitted to enter into transactions with sellers registered on its platform on B2B basis.

(iii)    Marketplace e-commerce entity is permitted to provide support services to sellers in respect of warehousing, logistics, order fulfilment, call centre, payment collection and other services. Order fulfilment services relate to receiving, processing and delivering orders to end customers.

(iv)      Marketplace e-commerce entity cannot exercise ownership or control over the inventory i.e. goods purported to be sold.

            Explanation: Inventory of a vendor will be deemed to be controlled by marketplace e-commerce entity if more than 25% of purchases of such vendor are from the marketplace e-commerce entity or its group companies which will render the business of marketplace e-commerce entity into inventory based model, in which FDI is not permitted.

(v)      An entity having equity participation by e-commerce marketplace entity or its group companies or having control on its inventory by e-commerce marketplace entity or its group companies, will not be permitted to sell its products on the platform run by such marketplace entity.  

It means that the market place e-commerce entity will not sell the products of any vendor on its platform where (i) the marketplace entity or its group companies has contributed in the share capital of such vendor company or (ii) where more than 25% of purchases of such vendor are from the marketplace e-commerce entity or its group companies.

In this connection it may pertinent to point out that prior to amendment to FDI regulations on 31 January, 2019, which came into force from 1 February, 2019, as per earlier FDI regulations, E-commerce entity providing a marketplace could not exercise ownership over the inventory i.e. goods purported to be sold. Such an ownership over the inventory was to render the business of the marketplace entity into inventory based model. Further, an e-commerce entity was not to permit more than 25 percent of the sales value on financial year basis affected through its marketplace from one vendor or their group companies.

In other words, as per amended regulations, the marketplace e-commerce entity is not permitted to own any shares of the vendor company. Earlier there was no concept of control of the vendor company by the marketplace e-commerce entity. As per amended regulations the marketplace e-commerce entity which the owns (in part or full) the vendor company or controls the inventory of the vendor company, is not allowed to sell the products a such a vendor on the platform run by such marketplace entity.

(vi)     For the goods/ services that are made available for sale electronically on website, marketplace e-commerce entity is required to clearly provide name, address and other contact details of the seller. Post sales, delivery of goods to the customers and customer satisfaction is the responsibility of the seller.

(vii)   Payments for sale may be facilitated by the marketplace e-commerce entity in conformity with the guidelines issued by the Reserve Bank in this regard.

(viii)     Any warranty/ guarantee of goods and services sold is also the responsibility of the seller.

(ix)         E-commerce entities providing marketplace will not, directly or indirectly, influence the sale price of any goods or services and shall maintain level playing field. Services should be provided by e-commerce marketplace entity or other entities in which e-commerce marketplace entity has direct or indirect equity participation or common control, to vendors on the platform at arm’s length and in a fair and non discriminatory manner.

Explanation: Such services will include but not limited to fulfilment, logistics, warehousing, advertisement/marketing, payments, financing etc. Cash back provided by group companies of marketplace entity to buyers shall be fair and non-discriminatory. For the purposes of this clause, provision of services to any vendor on such terms which are not made available to other vendors in similar circumstances will be deemed unfair and discriminatory.

Prior to amendment the relevant regulation read as under: E-commerce entities providing marketplace will not directly or indirectly influence the sale price of goods or services and shall maintain level playing field.

It did not talk of the provisions of services to the vendors in fair and non-discriminate manner.

(x)         No e-commerce marketplace entity can mandate any seller to sell any of their product exclusively on its platform.

(xi)      All existing investments are mandated to be in compliance with the above conditions with effect from 1 February, 2019.

Annual Compliances under FEMA:

The e-commerce entity is now required to annually furnish a certificate along with a report of statutory auditor to the Reserve Bank of India, confirming compliance of the e-commerce guidelines.

While the e-commerce sector in India has seen tremendous growth in the past few years, it will be interesting to see how much impact these policy measures will have in the long run and how the e-commerce giants will comply with these norms.

Core Investment Company

Core Investment Companies, (CIC) are those non-banking financial companies which have their assets primarily as investments in shares of group companies but not for trading, and also do not carry on any other financial activity.

The RBI directions applicable to the Core Investment Companies are contained in the Master Direction - Core Investment Companies (Reserve Bank) Directions, 2016 dated August 25, 2016 (as updated on June 07, 2018).As per the above referred Master Direction, Core Investment Company (CIC) means:

Core Investment Company (CIC) is a non-banking financial company carrying on the business of acquisition of shares and securities and which satisfies the following conditions as on the date of the last audited balance sheet:-

i. it holds not less than 90% of its net assets in the form of investment in equity shares, preference shares, bonds, debentures, debt or loans in group companies;

ii. its investments in the equity shares (including instruments compulsorily convertible into equity shares within a period not exceeding 10 years from the date of issue) in group companies and units of Infrastructure Investment Trust only as sponsor constitute not less than 60% of its net assets as mentioned in clause (i) above;

Provided that the exposure of such CICs towards InvITs shall be limited to their holdings as sponsors and shall not, at any point in time, exceed the minimum holding of units and tenor prescribed in this regard by SEBI (Infrastructure Investment Trusts) Regulations, 2014, as amended from time to time.

iii. it does not trade in its investments in shares, bonds, debentures, debt or loans in group companies except through block sale for the purpose of dilution or disinvestment;

iv. it does not carry on any other financial activity referred to in Section 45I(c) and 45I (f) of the Reserve Bank of India Act, 1934 except

(a) investment in

(i) bank deposits,

(ii) money market instruments, including money market mutual funds and liquid mutual funds

(iii) government securities, and

(iv) bonds or debentures issued by group companies,

(b) granting of loans to group companies and

(c) issuing guarantees on behalf of group companies.

As per the above referred Master Direction:

1. Core Investment Companies (CIC) with an asset size of less than Rs. 100 Crore will not be required to register themselves with Reserve Bank of India.
2. Core Investment Companies (CIC) having total asset size of 100 Crore or more either individually or in aggregate along with other CICs in the Group and which raises or hold public funds will be regarded as Systemically Important Core Investment Companies (CICs-ND-SI) and shall be required to get themselves registered with Reserve Bank of India .

Besides registration, there are also certain other provisions which are only applicable on Systematically Important Core Investment Companies (CICs-ND-SI).

One such provision applicable only to CICs-ND-SI is contained in Paragraph 27 of the above Master Directions which provides that a systemically important CIC shall require prior written permission of the Reserve Bank of India for any change in the management of the CICs which results in change in more than 30 per cent of the directors, excluding independent directors. There is some ambiguity regarding the calculation of the percentage prescribed by the Reserve Bank of India in the above direction. For example, a CIC was having three directors. A new director had to join the CIC. The management of the CIC did not seek prior approval of Reserve Bank of India, because as per their understanding, addition on one director to the existing three directors in the company would amount to 25% change and therefore did not require prior approval of the Reserve Bank of India. But when the company subsequently intimated the Bank regarding the change in their directors, Reserve Bank of India advised them the addition of fourth director amounted to change in more than 30 per cent of the directors of the company and as such they should have taken prior written permission of the Reserve Bank of India for that change.

In this connection, paragraph 46 of the above Regulations provides that ‘the interpretation of any provision of these Directions given by the Bank shall be final and binding on all the parties’. 

Thus, the company was required to explain to the RBI the reason for their not seeking prior permission of the RBI for the change in the number of directors of the company, as also to seek post facto approval of the Reserve Bank of India for change their number of directors from three to four.

Another point that baffles the NBFCs relates to the compliance and reporting requirements.It is pertinent to mention here that though the directions applicable to Core Investment Companies are contained in Master Direction - Core Investment Companies (Reserve Bank) Directions, 2016 dated August 25, 2016 (as updated on June 07, 2018). In addition to these directions, there are certain other directions which are applicable to Core Investment Companies as are mentioned in other Master Directions issued by Reserve Bank of India from time to time which are equally important and should be adhered to.Further, sometimes the NBFCs are asked to comply with the directions and report to RBI which as per their understanding, are not related to their NBFC. The NBFCs are however obliged to comply with the RBI directions, as per the provisions of Section 45M of the Reserve Bank of India Act, 1934, they are duty-bound to follow RBI comply with the directions given to them by RBI.

Section 45M is reproduced below for perusal:

45M. Duty of non-banking institutions to furnish statements, etc., required by Bank.

It shall be the duty of every non-banking institution to furnish the statements, information or particulars called for, and to comply with any direction given to it, under the provisions of this Chapter. 

Accordingly, Core investment companies should not only comply with the directions contained in the Master Direction - Core Investment Companies (Reserve Bank) Directions, 2016 dated August 25, 2016 (as updated on June 07, 2018), they should not miss out on other relevant directions as applicable to them contained in other NBFC Directions issued by Reserve Bank of India from time to time.

GD Chugh

Associate Partner