Disruptive Technologies
included allegations of abuse of dominance by means of predatory pricing & other anti-competitive behaviour. The CCI’s order in the Ola & Uber cases indeed reflects the challenges faced in regulating platform markets. The CCI rejected the claims in almost all of the cases, primarily on the ground that Ola & Uber did not enjoy dominance in the market. The decision of the Commission has caused much debate.
In recent years, quite a number of reports have been published by antitrust organizations & authorities as well as independent experts all over the world. Nevertheless, none of the existing Indian laws/regulations holistically addresses competition issues in digital markets. In view of the rapid growth of the digital & disruptive markets, there is an urgent need for the framing of guidelines with respect to the same.
Scope of the Information Technology Act, 2000 on Disruptive Technologies
In January 2005, the government established an expert group to examine the IT Act. The group consisted of members from the government, the information technology industry, and legal experts, among others. It discovered significant flaws in the current Act and issued a report in August 2005. It was recognized that several amendments to the current IT Act, 2000 were necessary considering worldwide and national trends, particularly in the field of data protection and privacy. They noted that the discipline of cyberlaw is still in its infancy, with expertise in its development and application still growing globally, and particularly in India.
The committee proposed that the IT Act be technology neutral after careful analysis and debate. It reviewed data protection and privacy regulations and suggested stringent restrictions for the management of sensitive personal data. The committee examined the topic of intermediary responsibility and proposed modifications based on the European Union's E-Commerce Directive. It recommended harsh penalties to deter child pornography and offered suggestions about computer-related crime and electronic evidence.
Regulatory Sovereignty in India: Indigenizing CompetitionTechnology Approaches, ISAIL-TR-001
Disruptive technology
The buzzword "disruptive innovation" appears to be snatching up a sizable portion of space in prominent newspapers and media publications. Ride-hailing applications such as Ola and Uber, online marketplaces like Amazon and Flipkart, instant communication apps such as WhatsApp and WeChat, and online hospitality platforms such as Airbnb, and many others, have become extremely pervasive in our lives. However, what does this popular term truly mean? Disruptive technology can be defined in the available literature as the introduction of a new product/service into a market that, in addition to satisfying the fundamental demands of an existing value network, also adds some extra value, therefore replacing the existing competitors and value network. These disruptive entrepreneurs generally prioritize "innovation" and are therefore able to rapidly build a huge user base and amass massive volumes of consumer data for their product or service.
The important topic that is being argued worldwide is whether such acquisition, access, and use of consumer data by digital companies, particularly disruptive innovators, might bestow market power on them, enabling them to misuse their market position.
When examining the Indian competition landscape, the wave of digitization and ever-evolving technology has not only altered the nature of markets and consumer behavior, but also revealed the critical role of "innovation" in determining the degree of competition in markets, both in competition regulation and merger control.
A close review of the Competition Commission of India's (CCI) jurisprudential trend in digital and innovation markets reveals that, except for a few instances, the regulator has largely taken a non-interventionist approach in evaluating anti-competitive harm and has recognized the critical role of information technology in nascent markets as a competitive advantage force. In the e-commerce arena, the CCI has repeatedly maintained that online marketplaces such as Amazon, Flipkart, and other B2C platforms, as well as offline marketplaces such as conventional brick and mortar stores, are just two distinct distribution channels inside the same retail trade market.
Globally, the steady increase in mergers and acquisitions activity in technology-driven sectors has generated concerns about competition legislation and data protection. Access to highly specialized consumer and other types of data by high-tech companies has condensed the interface between competition and data protection rules and demonstrated that, while disruptive innovation in digital markets could seem to have escaped full-fledged antitrust scrutiny with a few notable exceptions, it has not entirely evaded such scrutiny. The CCI has always recognized the complexities and immaturity of digital marketplaces in India, as well as the critical role of innovation in novel and creative business models and products.
What becomes a disruptive idea: Three litmus tests
Plenty of the early ideas that become sustaining breakthroughs might just as easily become disruptive business strategies with far more growth potential. However, the molding process must be handled actively and not permitted to run on autopilot. Executives must address three sets of questions to assess if a concept has the potential to be disruptive. The first examines if the concept has the potential to create a new market disruption. This requires the fulfillment of at least one, and in most cases both, of the following two conditions:
• Is there a significant group of individuals who have lacked the funds, equipment, or skills necessary to perform this task independently, and as a result have gone without or had to pay someone with greater experience to perform it for them?
• Is it necessary for customers to visit an inconvenient, centralized location to use the product or service?
If the technology can be evolved in such a way that a huge population of less skilled or less wealthy people can begin owning and using something which was previously only available to more skilled or wealthy people in a centralized, inconvenient location, then the idea has the potential to evolve into a new market disruption.
The second set of questions examines the possibility of a disruption at the low end. This is feasible if the following two criteria are satisfied:
• Are there clients at the low end of the market who would gladly pay a lower price for a product with less (but adequate) performance?
IT Act, 2000 and Disruptive Technology
• Can we develop a business strategy that enables us to generate attractive profits while maintaining the discount prices necessary to capture the business of these underserved clients at the bottom end? Frequently, the breakthroughs that allow low-end disruption include advancements in manufacturing, service, or business processes that enable a firm to make attractive returns on reduced gross margins, along with procedures that accelerate asset turnover.
Once an invention has passed the new-market or low-end test, a third essential factor, or litmus test, must be applied:
Is the technology disruptive to all the industry's key incumbent firms? If it looks to be profitable for one or more of the industry's major players, the odds will be set in that firm's favor, and the new player is unlikely to win. If a concept fails to pass the litmus tests, it cannot be transformed into a disruptive force. It may have potential as a sustaining technology, but in such a scenario, we would assume that it could not serve as the foundation for an entrant company's small business.
Scope of IT Act on Disruptive Technologies like Blockchain
What is blockchain and how safe is it? As the name implies, this technique is built on a chain of blocks. This technology dates all the way back to 1991. Stuart Haber and W. Scott Stornetta were the first to consider inventing a system that would use cryptography to encrypt data in tiny digital blocks. These blocks are composed of codes that safeguard the information not just for security purposes but also to date stamp it for future reference. Thus, not only the data itself is secured, but also the length, date, and temporal elements of the data.
Blockchain technology is built on a peer-to-peer distributed ledger system. It is quite improbable that someone will tamper with the data that has been protected. In other terms, a peer-to-peer system ensures that the information submitted to the ledger is accessible to and kept on any computer system connected to the network. Additionally, because information is contained in these digital blocks, any information that must be updated would require the user to change not just one block containing that piece of information, but all the blocks connected to that chain.
If we continue discussing the technical elements for the sake of comprehension, it is critical to grasp a term called the Hash Function. A hash function is a function that, when given an input, returns an output in the form of code that is unique for each input. This function is applied to the blocks produced via the use of Blockchain Technology. Thus, altering a block, which has its own hash, while also modifying the hashes of the other blocks in the chain is a completely different ballgame. Without assistance from numerous persons or an incredible level of expertise in this sector, altering information under Blockchain Technology cannot be accomplished.
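The tamper-evidence property described above, shown as an added example (not code from the report): a small hash-linked ledger in which each block stores the SHA-256 hash of its predecessor, so an edit to one block is detected unless every later block is rewritten, and even then the head hash no longer matches the copy held by other peers. The block fields, sample records and function names are assumptions made for illustration.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample records: (timestamp, data)
RECORDS = [
    ("2021-01-01T10:00:00Z", "A pays B 100"),
    ("2021-01-01T10:05:00Z", "B pays C 40"),
    ("2021-01-01T10:09:00Z", "C pays D 15"),
    ("2021-01-01T10:12:00Z", "D pays A 5"),
]


@dataclass
class Block:
    index: int
    timestamp: str
    data: str
    prev_hash: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Hash a canonical serialization of every field except the digest itself.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "data": self.data, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        ).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


def build_chain(records: List[Tuple[str, str]]) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, (ts, data) in enumerate(records):
        block = Block(i, ts, data, prev)
        block.digest = block.compute_digest()
        chain.append(block)
        prev = block.digest
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.digest != block.compute_digest():
            return block.index
        prev = block.digest
    return None


def relink_from(chain: List[Block], start: int) -> None:
    """Recompute links and digests from `start` to the end of the chain."""
    prev = chain[start - 1].digest if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block.prev_hash = prev
        block.digest = block.compute_digest()
        prev = block.digest


def demo():
    honest = build_chain(RECORDS)
    peer_head = honest[-1].digest  # head hash as held by another peer

    local = copy.deepcopy(honest)
    local[1].data = "B pays C 4000"          # edit one block's data only
    after_edit = first_invalid_block(local)  # block 1: digest mismatch

    local[1].digest = local[1].compute_digest()
    after_rehash = first_invalid_block(local)  # block 2: broken link

    relink_from(local, 2)                      # rewrite all later blocks
    after_relink = first_invalid_block(local)  # internally consistent again
    head_matches_peer = local[-1].digest == peer_head
    return after_edit, after_rehash, after_relink, head_matches_peer


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is why the peer-to-peer copies matter: a fully rewritten local chain verifies on its own, but its head hash disagrees with every honest copy.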
Even though there is now no legal authority for blockchain technology, it poses numerous intriguing legal issues that should be explored. Generally, however, assessing the legal ramifications of the blockchain outside of a specific use case is more difficult than studying the same issue with Bitcoin. This is because Bitcoin is a specialized use of blockchain technology, but blockchain technology may be used in virtually any situation.
When blockchain technology is used in regulated sectors, it triggers Know Your Customer (KYC) regulations and other reporting responsibilities such as anti-money laundering and counter-terrorist funding (depending on the country). These requirements will be difficult to satisfy when transactions are conducted on blockchains, at least in the way blockchains are currently utilized. The most likely answer to this is for players to be required to give up their anonymity on the blockchain to conduct commercial transactions. This is an issue that legislators might address.
Security and Privacy
The Indian Information Technology Act, 2000 (“IT Act”), for example, may be modified to do this. There are currently technical solutions in place that make this possible. Additionally, 'private' or 'permissioned' blockchains, in contrast to 'public' or 'permissionless' blockchains, govern who has access to and how they engage in the blockchain network. This is a common aspect of the several corporate blockchain solutions available on the market. The Chain Protocol, the previously described blockchain protocol aimed at financial organizations, is an example of a permissioned blockchain.
The Reserve Bank of India (RBI) has imposed restrictions on virtual currencies based on Blockchain technology and issued a circular prohibiting the use of cryptocurrency in India. However, the position on tokenization-related actions is unclear. In banking legislation, it is necessary to comply with non-repudiation standards through in-person verification, and it is difficult to apply technical solutions for such requirements, particularly for cryptocurrency based on Blockchain.
Digital Signatures are a critical component of Bitcoin networks and applications. As there are currently no specifics in Schedule I of the Information Technology Act, 2000 on transactions involving immovable property, wills, or negotiable instruments, this clause precludes the technology from being used for such activities.
Presently, Section 43A of the IT Act does not include any privacy precautions when it comes to Blockchain. The ‘Right to be Forgotten’, a prominent component of data protection law such as the Draft Personal Data Protection Bill, 2019, conflicts with the fundamental characteristic of Blockchain, which prevents data from being destroyed and ensures that its history is always available.
Since the blockchain is a novel technology, most existing privacy regulations worldwide, including the Indian Information Technology Act, do not anticipate privacy safeguards for blockchain participants in this manner. Most Internet privacy regulations apply to situations in which a website or application gathers personal information from a user.
For example, the IT Act governs the collection, use, and loss of private personal data or information by an organization that owns, controls, or operates a computer resource. Thus, while members would enjoy these standard Internet privacy and security protections, they are unlikely to apply to the blockchain due to the lack of a centralized body collecting data. According to the wording of the IT Act (section 43A), privacy on the blockchain is unlikely since there is no one "body corporate" collecting user data and "owning, managing, or operating" a computer resource (as a regular web service does, for instance). Instead, all blockchain participants exchange information, and power is decentralized. Enterprise implementations of commercial blockchain technology may thus seek to solve these privacy concerns by designing in privacy.
Smart Contracts
Smart contracts extend the ledger capabilities of blockchain technology by enabling the programming of a variety of self-executing instructions on the blockchain. Smart contracts can automate approval procedures and clearance computations by using the blockchain as the single source of information and needing no manual verification. These operations are expensive and time consuming and are prone to delay and human error.
While the term 'smart contracts' does not refer to formal contracts, they are an essential application of them. As previously stated, contractual responsibilities such as payment and delivery may be designed to self-execute when certain criteria are met. For example, payment can be made automatically after a delivery event is established (the delivery would be confirmed automatically on the blockchain). This significantly decreases the resources required for contract administration, which includes the continual monitoring of and compliance with contractual commitments.
The Information Technology Act, 2000: Sections 5 and 10A of the IT Act stipulate that a contract is assumed to be performed if it is authenticated using a digital signature in line with the IT Act's procedures. This type of authentication is accomplished using an asymmetric cryptographic system and hash function. Section 35 of the act specifies that an electronic signature may be obtained only through a Union Government-designated certifying body. As a result, a smart contract performed using a hash key intended to use this as an identifier for blockchain authentication will not be considered a digital signature, as the signature was not acquired in compliance with the IT Act.
Scope of the IT Act and Internet of Things
The internet of things (IoT) is a network of linked items, people, and systems that process and respond to real and virtual data. It accomplishes goals such as enhancing user experience or device and system performance. The term "Internet of Things" increasingly can be used to refer to items that communicate with one another. M2M is an acronym for machine-to-machine communication that refers to the automated transmission of data between machines, systems, individual modules, and systems – all without human involvement. The obvious distinction between M2M and IoT is that M2M is focused on machine-to-machine communication, whereas IoT is focused on human-to-human connection. On the other hand, the Internet of Things attempts to expand on this notion by connecting 'things' to 'systems', 'people', and the like. M2M, which has traditionally been utilized for managing inventory and fleet tracking, is increasingly acknowledged as a means of enhancing governance (Seth, 2020).
By linking more objects and people to the internet via IoT and M2M, lives will be transformed, particularly in the fields of health, home automation, retail, and transportation, creating monopsonic chains of accessibility for people who will be exposed to emerging data infrastructures per se. Multiple devices communicating with one another and massive data transfer between their users would result in the exchange of personal information, causing privacy and data protection concerns. It is critical that such privacy concerns are addressed at the outset. The Indian government issued a draft ‘Internet of Things Policy' in 2015 to stimulate the invention and development of IoT-based goods particularly to meet Indian IoT demands. Agriculture, healthcare, water quality, and natural catastrophes were the primary topics addressed by the proposed policy. For the MeitY, this may be described as a dream-IoT world. The policy's aspirational draft was issued in 2015. Five years after its publication, the proposal has not matured into a real policy, nor have the organs concentrated on the demanding legal framework required for the IoT, despite widespread use. With a pandemic-affected world that is heavily reliant on the internet, artificial intelligence, the internet of things, and machine to machine (M2M), there are no explicit rules governing the latter three. While confined in the house, there is a noticeable rise in the use of various IoTs, indicating that users are exchanging a greater amount of data (Rao, et al., 2019).
With many IoT devices communicating with one another via the internet, the risk of a data security breach is significant, and as more IoT devices are launched into the market, this issue will only become more complicated. Individual personal information is protected under the requirements of the Information Technology Act, 2000 ("IT Act") and the "Reasonable practices and procedures and sensitive personal data or information Rules, 2011" ("Rules") promulgated according to Section 43A of the IT Act (as amended). Section 43A of the IT Act addresses data protection in electronic media and provides that when a body corporate is negligent in implementing and maintaining 'reasonable security practices and procedures' in relation to any 'sensitive personal data' that it engages with, possesses, or handles in a computer system that it owns, operates, or control mechanisms and such negligence results in wrongful loss Additionally, Section 72 of the ITA establishes a penalty for violating the confidentiality and privacy of acquired data. To secure the privacy and protection of the data gathered, the IoT service provider can have a custom-drafted privacy policy outlining the private information collected, the breadth and degree to which such information is used, and the safeguards in place to assure the data's security (Sarin, 2018).
Additionally, the service provider may adopt carefully defined terms and conditions that generally govern liability limitations, the service provider's and consumer's/user's responsibilities, indemnification, intellectual property rights, assignment/licensing, and dispute resolution. Additionally, to comply with Section 72 of the ITA, the service provider might enter into strict Non-Disclosure Agreements with its clients (Subramaniyan, 2019).
Scope of IT Act in the Case of Artificial Intelligence
One might claim that it is an intelligent machine capable of thinking, comprehending, and acting independently, as well as replicating some human behaviors. Thus, Artificial Intelligence refers to a computer that possesses the potential and ability to solve issues that are often solved by humans using their inherent intelligence. To clarify further, the goal of developing AI is to meet the necessity and demand for automation in the fast-paced lives of humans. Repetitive activities, as well as complicated jobs, are now being completed via the use of AI technology.
The Indian legal profession is structured in such a way that the whole process is carried out manually, as the nature of the legal sector is still regarded to be labor intensive. So, AI is in its infancy, since the majority of the older generation proponents believe that technology should be utilized sparingly lest it take over humanity, and thus are opposed to the notion of AI in legislation. There are several tech-savvy lawyers and large legal firms that are capitalizing on technological developments to get an advantage over their competitors. We are all aware that the Indian legal system is enormous, with our Constitution alone being the longest in the world; thus, in changing times, it is critical to adapt to the dynamic environment using artificial intelligence in law. By utilizing machine learning technology in the field of legal research, attorneys may get unprecedented insight into the legal realm in a matter of seconds. Cyril Amarchand and Mangaldas is one such firm that has acknowledged AI's capabilities and is enthusiastically embracing them. CAM made history by becoming the first Indian legal practice to license "Kira," a machine learning program developed in Canada by Kira Systems. This AI-based software can do a variety of tasks, which eliminates the need for lengthy man-hours. The "Kira" system is used to analyze legal papers, detecting and highlighting potential danger areas, as well as extracting provisions from a variety of legal documents.
The 2000 Information Technology Act makes no reference to telephony or the internet. The Act's primary objective was to provide digital signatures and electronic documents with the same legal standing as paper records. The Indian Telegraph Act, 1885, is the sole piece of legislation dealing with telephony. While the internet is a late twentieth-century development, the applicable legislation dates all the way back to the nineteenth-century colonial era.
As recently demonstrated by TRAI's rejection of Microsoft's Free Basics program and heroic preservation of the concept of net neutrality, the Telecom Regulatory Authority of India (TRAI) has been forced to step in to fill the legal and regulatory gap. This raises the question of whether basic internet ideas such as net neutrality should be incorporated into legislation rather than needing to be defined by the regulator in response to a challenge.
While data is at the heart of AI, there is no regulation in India that protects data privacy rights. The IT Act was amended in 2009 to include section 43A, which establishes a private right of action for compensation against any business that is negligent in installing and monitoring reasonable security methods and processes for the handling of sensitive personal data, resulting in wrongful loss or gain. This clause, which established statutory tort responsibility, was intended to alleviate international data outsourcers' worries amid the outbreak of numerous identity theft cases.
Apart from being confined to sensitive personal data, the clause is effectively unenforceable, as tort proceedings in India take decades to resolve. As a result, the chance of someone successfully suing a business and getting compensation under section 43A within a reasonable time is low.
Additionally, section 43A does not address problems such as whether individuals have privacy rights in their data, the purposes for which data may be used, and, most importantly, whether data may be sold or transferred. The IT Act's liability cap is likewise incompatible with the AI era. Section 79 of the IT Act reflects the notion, adopted from US law, that information technology service providers must be regulated similarly to telephone companies or the postal service. They are only content carriers and cannot be held responsible for the material they transport.
As a result, except in very restricted situations, section 79 exempts intermediaries such as ISPs from liability for any third-party information, data, or communication connection made available or hosted by them. However, treating ISPs as wireless carriers is hopelessly unsuitable for emerging app-based technologies, as illustrated by Uber's assertion that it is only an aggregator and so cannot be held responsible for what transpires during the cab trip.
Disruptive innovation theory has some interesting contradictions. The original idea has acquired broad acceptance among practitioners, and the word disruption has been ingrained in the common corporate vocabulary. A related problem is the widespread usage of disruptive innovation/disruption as a synonym for any new danger (or significant continuing change) and the underutilization of disruptive innovation as a theoretical term. Numerous popular writers use the term "disruptive innovation" to refer to any latest tech or startup that aims to upend an industry and alter its competitive dynamics; previously successful incumbents that face difficulties or go out of business are frequently referred to as having been disrupted.
Social media guidelines and IT Rules 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules 2021) were notified under Section 87 of the Information Technology Act, 2000 on February 25, 2021 by the Ministry of Electronics and Information Technology and the Ministry of Information and Broadcasting (MIB). By 2021, a soft-touch supervision mechanism for social media platforms, digital media, and over-the-top (OTT) platforms will be in place to replace the Information Technology (Intermediaries Guidelines) Rules 2011. Sec. 2(w) of the IT Act defines intermediary as any person who receives, stores, or transmits an electronic record on behalf of another person or provides any service related to that record, including telecom service providers, network service providers, internet service suppliers, web hosting suppliers and cyber cafes. Significant social media intermediaries (SSMIs) are those that have more than a notified number of registered users in India. Additional due diligence is expected of SSMIs, including appointing specific personnel for compliance, enabling attribution of information on its platform to its first author under certain conditions, and using best efforts to identify specific types of content through the use of technology-based measures. The Rules lay forth a framework for the regulation of news and current affairs information published online as well as curated audio-visual content by online publishers. For the resolution of complaints from users or victims, all intermediaries must provide a grievance redressal process. Publishers have been given a three-tiered grievance redressal process with different degrees of self-regulation. Some of the key features of the Rules are mentioned below.
Key features of the rules
Grievance Redressal System: The Rules require social media sites to have a grievance redressal system so that complaints may be made to the Grievance Redressal Officer about any published information that violates public order or is not regulated in any way. A response to the complaint will be expected from the officer within 24 hours, and it will have to be resolved within 15 days. Cases involving crimes against women have a time limit of 24 hours in which to handle the complaint.

Monthly reports: Monthly reports on customer complaints and actions to be taken. SSMIs are expected to publish a report every month detailing how many complaints they have received and how they have responded to them.

Code of Ethics: For news and current affairs publications, the following rules of ethics will be applicable: 1) the Press Council of India's journalistic behaviour rules, and 2) the Cable Television Networks Regulation Act, 1995, which outlines the programme code for cable television networks. The Rules establish a code of ethics for curated content web publishers. For example, this code requires publishing houses to: (i) classify content into age-appropriate categories, constrain children's access to age-inappropriate content, and enforce an age verification mechanism; (ii) exercise due discretion when featuring content that could jeopardise India's sovereignty or integrity, national security, or public order; (iii) consider India's many races and religions before featuring their beliefs and practises; and (iv) make content that could offend minorities available (Rajya Sabha, Parliament of India, 2020).

Identify the first source of information: An SSMI that predominantly offers messaging services in India must be able to identify the first source of information on its platform. Depending on the IT Act, this might be mandated by an order of a Court or a competent authority. Some of the reasons for issuing these orders will be to avoid specific offences such as those pertaining to national security, public order, and sexual assault such as those listed above. If the author can be identified with less intrusive methods, such orders will not be issued.

Tech-based detective mechanisms: To detect (i) content portraying child sexual abuse and rape or (ii) information that is identical to the data previously prohibited by a court or government order, SSMIs will employ technology-based methods. Such measures (i) must be proportional to users' rights in free expression and privacy, and (ii) must have human oversight and be evaluated on a regular basis.
Key issues with the Rules
A number of internet platforms have played a significant role in recent years in providing access to, easing the flow of information, and exchanging information at large scale. The function of many online platforms has evolved beyond that of information hosts to include companies that regulate how material is presented and exchanged online, as well as taking major activities in the areas of moderation, curation, and recommendations (European Parliamentary Research Service, 2021). Unease is spreading over social media's potential misuse in spreading unlawful or dangerous materials, such child sex abuse material, propaganda fueling terrorist attacks, and falsehoods and hate speech that influence elections. As a result, there have been debates over the duty and role of platforms in preventing the spread, identification, and eradication of such material. The publication of such content has been self-regulatory on several sites. However, this has sparked worries about the platforms' ability to act arbitrarily without regard for the rights of others. In light of these changes, the legal framework for intermediaries faces a significant problem in finding the proper balance between expanding the role of platforms and governments in detection, moderation, and curation, as well as protecting individual rights. Some of these concerns may be addressed by the 2021 Rules. The question of privacy: It is required by the Rules that major social media intermediaries, who primarily or exclusively provide messaging services, provide the identification of the first source of information within Indian borders (commonly referred to as traceability). Enabling this type of identification may result in a reduction in the level of privacy enjoyed by all users.If you want to track down the first person who posted anything on a messaging platform, you'll need the service provider to keep track of two pieces of extra information: one who sent the
Regulatory Sovereignty in India: Indigenizing CompetitionTechnology Approaches, ISAIL-TR-001
message, and second, the exact message or specific details that define the item in issue. In order to track the original sender of every communication, this will be necessary for every message exchanged over the service provider's platform. To be clear, it's not a technological requirement to save communication information indefinitely in order to provide messaging services over the internet. No time frame is specified in the Rules for when the messaging provider must verify who the original sender was.
As a result, messaging services will be required to retain more personal data, which goes against the spirit of the data minimization concept. When it comes to protecting personal privacy, data minimization means collecting only as much data as is absolutely essential to achieve a given data processing goal (Press Information Bureau, Government of India, 2021).
New Regulations Introduced Without Proper Legislation: The introduction of new rules without proper legislation has been criticised. Normally, only legislative action triggers new rules. Section 79 of the IT Act was used to "arbitrarily create" these new regulations without any input from the legislature. Furthermore, there was a dearth of public engagement. Section 79 of the IT Act provides 'safe harbour' protection for intermediaries, but these rules threaten that protection. In addition, the restrictions at all levels require greater expenditure and labour on the platforms' side.
Preventing Access to Equal Recourse: An intermediary is now required to remove content within 36 hours of receiving instructions from the government, instead of the previous 48 hours. As a result, because of the tight deadline, an intermediary that disagrees with the Government's decision will have no recourse. In the end, the standards are aimed at social media platform users, whose growth is dependent on the platforms' growth. End-user interests must come first, and laws and regulations must not be drafted in a way that undermines their fundamental rights. In addition, there is a significant law-and-order need to limit the spread of misleading information while simultaneously protecting the privacy of residents.
Disruptive technology
The buzzword "disruptive innovation" appears to be snatching up a sizable portion of space in prominent newspapers and media publications. Ride-hailing applications such as Ola and Uber, online marketplaces like Amazon and Flipkart, instant communication apps such as WhatsApp and WeChat, online hospitality platforms such as Airbnb, and many others have become extremely pervasive in our lives. However, what does this popular term truly mean? Disruptive technology is defined in the available literature as the introduction of a new product/service into a market that, in addition to satisfying the fundamental demands of an existing value network, also adds some extra value, thereby replacing the existing competitors and value network. These disruptive entrepreneurs generally prioritize "innovation" and are therefore able to rapidly build a huge user base and amass massive volumes of consumer data for their product or service. The important topic being argued worldwide is whether such acquisition, access, and use of consumer data by digital companies, particularly disruptive innovators, might bestow market power on them, enabling them to misuse their market position. Understood as "big data," this information is primarily collected from consumers or by analyzing consumer behaviour on the internet. It is then processed by self-learning algorithms to create highly specialized consumer information that can be used to raise the efficiency of existing products/services or to launch new product lines. For instance, each "keyword" entered into Amazon's search feature is recorded and analyzed in order to ascertain the consumer's shopping/viewing behaviour.
Similarly, for a ride-hailing company such as Uber/Ola Cabs, it might be the frequency with which a user travels particular routes that becomes critical data from the service provider's perspective. When examining the Indian competition landscape, it is clear that the wave of digitisation and ever-evolving technology has not only altered the nature of markets and consumer behaviour, but also revealed the critical role of "innovation" in determining
the degree of competition in markets, both in competition regulation and merger control. A close review of the Competition Commission of India's (CCI) jurisprudential trend in digital and innovation markets reveals that, with the exception of a few instances, the regulator has largely taken a non-interventionist approach in evaluating anticompetitive harm and has recognized the critical role of information technology in nascent markets as a source of competitive advantage. In the e-commerce arena, the CCI has repeatedly maintained that online marketplaces such as Amazon, Flipkart, and other B2C platforms, as well as offline marketplaces such as conventional brick and mortar stores, are just two distinct distribution channels inside the same retail trade market. Globally, the increase in mergers and acquisitions activity in technology-driven sectors has generated concerns about competition legislation and data protection. Access to highly specialized consumer and other types of data by high-tech companies has condensed the interface between competition and data protection rules and demonstrated that, while disruptive innovation in digital markets may seem, with a few notable exceptions, to have escaped full-fledged antitrust scrutiny, it has not entirely evaded it. The CCI has always recognized the complexities and immaturity of digital marketplaces in India, as well as the critical role of innovation in novel and creative business models and products.
What becomes a disruptive idea? Three litmus tests
Plenty of the early ideas that become sustaining breakthroughs might just as easily become disruptive business strategies with far more growth potential. However, the moulding process must be handled actively and not permitted to run on autopilot. Executives must address three sets of questions in order to assess if a concept has the potential to be disruptive.
The first examines if the concept has the potential to create a new market disruption. This requires the fulfilment of at least one, and in most cases both, of the following two conditions:
Is there a significant group of individuals who have lacked the funds, equipment, or skills necessary to perform this task independently, and as a result have gone without or had to pay someone with greater experience to perform it for them?
Is it necessary for customers to visit an inconvenient, centralized location in order to use the product or service?
If the technology can be evolved in such a way that a huge population of less skilled or less wealthy people can begin owning and using something that was previously only available to more skilled or wealthy people in a centralized, inconvenient location, then the idea has the potential to evolve into a new market disruption.
The second set of questions examines the possibility of a disruption at the low end. This is feasible if the following two criteria are satisfied:
Are there clients at the low end of the market who would gladly pay a lower price for a product with less (but adequate) performance?
IT Act, 2000 and disruptive technology
Can we develop a business strategy that enables us to generate attractive profits while maintaining the discount prices necessary to capture the business of these underserved clients at the bottom end? Frequently, the breakthroughs that allow low-end disruption include advancements in manufacturing, service, or business processes that enable a firm to make attractive returns on reduced gross margins, along with procedures that accelerate asset turnover. Once an invention has passed the new-market or low-end test, a third essential factor, or litmus test, must be applied: Is the technology disruptive to all of the industry's key incumbent firms? If it looks to be profitable for one or more of the industry's major players, the odds will be set in that firm's favor, and the new player is unlikely to win. If a concept fails to pass the litmus tests, it cannot be transformed into a disruptive force. It may have potential as a sustaining technology, but in such a scenario, we would assume that it could not serve as the foundation for an entrant company's small business.
Scope of IT Act on Disruptive technologies like Blockchain
What is blockchain and how safe is it?
As the name implies, this technique is built on a chain of blocks. This technology dates all the way back to 1991. Stuart Haber and W. Scott Stornetta were the first to consider inventing a system that would use cryptography to encrypt data in tiny digital blocks. These blocks are composed of codes that safeguard the information not just for security purposes but also to date stamp
it for future reference. Thus, not only the data itself is secured, but also the length, date, and temporal elements of the data. Blockchain technology is built on a peer-to-peer distributed ledger system. It is quite improbable that someone will tamper with the data that has been protected. In other words, a peer-to-peer system ensures that the information submitted to the ledger is accessible to and kept on every computer system connected to the network. Additionally, because the information is contained in these digital blocks, updating any piece of information would require the user to change not just the one block containing it, but all the blocks connected to that chain.
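The tamper-evidence described above, shown on a minimal hash-chained ledger (an added example, not code from the original report). SHA-256, the block layout and every function name here are assumptions chosen for illustration, and the sample entries are constructed.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block

def block_hash(index, timestamp, data, prev_hash):
    """SHA-256 over the block's data, its date stamp and the previous block's hash."""
    payload = json.dumps([index, timestamp, data, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    """Link (timestamp, data) records into a list of block dicts."""
    chain, prev = [], GENESIS_PREV
    for index, (timestamp, data) in enumerate(records):
        digest = block_hash(index, timestamp, data, prev)
        chain.append({"index": index, "timestamp": timestamp, "data": data,
                      "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def rehash(block):
    """Recompute a block's hash from its current fields."""
    return block_hash(block["index"], block["timestamp"], block["data"], block["prev_hash"])

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != rehash(block):
            return block["index"]
        prev = block["hash"]
    return None

def rewrite_from(chain, index, new_data):
    """Edit one block, then re-hash it and every later block.
    Returns (rewritten_chain, blocks_rehashed)."""
    edited = copy.deepcopy(chain)
    edited[index]["data"] = new_data
    prev = edited[index]["prev_hash"]
    for block in edited[index:]:
        block["prev_hash"] = prev
        block["hash"] = rehash(block)
        prev = block["hash"]
    return edited, len(edited) - index

def agrees_with_peer(chain, peer_tip_hash):
    """Every peer keeps its own copy of the ledger; compare final block hashes."""
    return bool(chain) and chain[-1]["hash"] == peer_tip_hash

# Constructed sample ledger entries: (date stamp, data).
SAMPLE_RECORDS = [
    ("2021-03-01T10:00:00Z", "A pays B 100"),
    ("2021-03-01T10:05:00Z", "B pays C 40"),
    ("2021-03-01T10:09:00Z", "C pays D 15"),
    ("2021-03-01T10:12:00Z", "D pays A 5"),
]

def demo():
    honest = build_chain(SAMPLE_RECORDS)
    peer_tip = honest[-1]["hash"]               # what the other nodes have stored
    edited_only = copy.deepcopy(honest)         # change the data, touch nothing else
    edited_only[1]["data"] = "B pays C 4000"
    rehashed_one = copy.deepcopy(edited_only)   # also repair that one block's hash
    rehashed_one[1]["hash"] = rehash(rehashed_one[1])
    redated = copy.deepcopy(honest)             # change only a date stamp
    redated[2]["timestamp"] = "2021-02-01T00:00:00Z"
    rewritten, rehashed = rewrite_from(honest, 1, "B pays C 4000")
    return {
        "honest": first_invalid_block(honest),
        "edited_only": first_invalid_block(edited_only),
        "rehashed_one": first_invalid_block(rehashed_one),
        "redated": first_invalid_block(redated),
        "rewritten": first_invalid_block(rewritten),
        "blocks_rehashed": rehashed,
        "rewritten_agrees_with_peer": agrees_with_peer(rewritten, peer_tip),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Even when every block from the edited one onward is re-hashed so that the chain verifies on its own, its final hash no longer matches the copies held by the other peers.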
If we continue discussing the technical elements for the sake of comprehension, it is critical to grasp a term called the hash function. A hash function is a function that, when given an input, returns an output in the form of code that is unique for each input. This function is applied to the blocks produced via the use of Blockchain Technology. Thus, altering a block with its own hash while also modifying the hashes of the other blocks in the chain is a completely different ballgame. Without assistance from numerous persons or an incredible level of expertise in this sector, the alteration of information under Blockchain Technology cannot be carried out.
Despite the fact that there is currently no legal authority for blockchain technology, it poses numerous intriguing legal issues that should be explored. Generally, however, assessing the legal ramifications of the blockchain outside of a specific use case is more difficult than studying the same issue with Bitcoin. This is because Bitcoin is a specialized use of blockchain technology, but blockchain technology may be used in virtually any situation. When blockchain technology is used in regulated sectors, it triggers Know Your Customer (KYC) regulations and other reporting responsibilities such as anti-money laundering and counter-terrorist funding (depending on the country). These requirements will be difficult to satisfy when transactions are conducted on blockchains, at least in the manner in which blockchains are currently utilized. The most likely answer to this is for players to be required to give up their anonymity on the
blockchain in order to conduct commercial transactions. This is an issue that legislators might address.
Security and Privacy: The Indian Information Technology Act, 2000 (“IT Act”), for example, may be modified to do this. There are currently technical solutions in place that make this possible. Additionally, 'private' or 'permissioned' blockchains, in contrast to 'public' or 'permissionless' blockchains, govern who has access to the blockchain network and how they engage in it. This is a common aspect of the several corporate blockchain solutions available on the market. The Chain Protocol, the previously described blockchain protocol aimed at financial organizations, is an example of a permissioned blockchain. The Reserve Bank of India (RBI) has imposed restrictions on virtual currencies based on Blockchain technology and issued a circular prohibiting the use of cryptocurrency in India. However, the position on tokenization-related actions is unclear. In banking legislation, it is necessary to comply with non-repudiation standards through in-person verification, and it is difficult to apply technical solutions for such requirements, particularly for cryptocurrency based on Blockchain. Digital signatures are a critical component of Bitcoin networks and applications. As there are currently no specifics in Schedule I of the Information Technology Act, 2000 on transactions involving immovable property, wills, or negotiable instruments, this clause precludes the technology from being used for such activities. Presently, Section 43A of the IT Act does not include any privacy precautions when it comes to Blockchain. The 'Right to be Forgotten,' a prominent component of data protection law such as the Draft Personal Data Protection Bill, 2019, conflicts with the fundamental characteristic of Blockchain, which prevents data from being destroyed and ensures that its history is always available.
Because the blockchain is a novel technology, the majority of existing privacy regulations worldwide, including the Indian Information Technology Act, do not anticipate privacy safeguards for blockchain participants in this manner. The majority of Internet privacy regulations apply to situations in which a website or application gathers personal information from a user.
For example, the IT Act governs the collection, use, and loss of private personal data or information by an organization that owns, controls, or operates a computer resource. Thus, while members would enjoy these standard Internet privacy and security protections, the protections are unlikely to apply to the blockchain due to the lack of a centralized body collecting data. According to the wording of the IT Act (section 43A), privacy on the blockchain is unlikely since there is no one "body corporate" collecting user data and "owning, managing, or operating" a computer resource (as a regular web service does, for instance). Instead, all blockchain participants exchange information, and power is decentralized. Enterprise implementations of commercial blockchain technology may thus seek to solve these privacy concerns by designing in privacy.
Smart Contracts: Smart contracts extend the ledger capabilities of blockchain technology by enabling the programming of a variety of self-executing instructions on the blockchain. Smart contracts can automate approval procedures and clearance computations by using the blockchain as the single source of information and needing no manual verification. Such manual operations are expensive and time consuming, and are prone to delay and human error. While the term 'smart contracts' does not refer to formal contracts, they are an essential application of them. As previously stated, contractual responsibilities such as payment and delivery may be designed to self-execute when certain criteria are met; for example, payment can be made automatically after a delivery event is established (the delivery would be confirmed automatically on the blockchain). This significantly decreases the resources required for contract administration, which includes the continual monitoring of, and compliance with, contractual commitments (Seth, 2020).
The Information Technology Act, 2000: Sections 5 and 10A of the IT Act stipulate that a contract is assumed to be performed if it is authenticated using a digital signature in line with the IT Act's procedures. This type of authentication is accomplished through the use of an asymmetric cryptographic system and hash function. Section 35 of the Act specifies that an electronic signature may be obtained only through a Union Government-designated certifying body. As a result, a smart contract
performed using a hash key intended as an identifier for blockchain authentication will not be considered a digital signature, as the signature was not acquired in compliance with the IT Act.
Scope of IT Act and Internet of Things
The internet of things (IoT) is a network of linked items, people, and systems that process and respond to real and virtual data. It accomplishes goals such as enhancing user experience or device and system performance. The term "Internet of Things" can increasingly be used to refer to items that communicate with one another. M2M is an acronym for machine-to-machine communication and refers to the automated transmission of data between machines, systems, and individual modules, all without human involvement. The obvious distinction between M2M and IoT is that M2M is focused on machine-to-machine communication, whereas IoT is focused on human-to-human connection. On the other hand, the Internet of Things attempts to expand on this notion by connecting 'things' to 'systems', 'people', and the like. M2M, which has traditionally been utilized for managing inventory and fleet tracking, is increasingly acknowledged as a means of enhancing governance. By linking more objects and people to the internet via IoT and M2M, lives will be transformed, particularly in the fields of health, home automation, retail, and transportation. Multiple devices communicating with one another and massive data transfer between their users would result in the exchange of personal information, causing privacy and data protection concerns. It is critical that such privacy concerns are addressed at the outset. The Indian government issued a draft 'Internet of Things Policy' in 2015 to stimulate the invention and development of IoT-based goods, particularly to meet Indian IoT demands. Agriculture, healthcare, water quality, and natural catastrophes were the primary topics addressed by the proposed policy. For the MeitY, this may be described as a dream-IoT world. The policy's aspirational draft was issued in 2015.
Five years after its publication, the proposal has not matured into a real policy, nor have the organs concentrated on the demanding legal framework required for the IoT, despite widespread use. With a pandemic-affected world that is heavily reliant on the internet, artificial intelligence, the internet of things, and machine to machine
(M2M), there are no explicit rules governing the latter three. With people confined to their homes, there is a noticeable rise in the use of various IoT devices, indicating that users are exchanging a greater amount of data (Rao, et al., 2019). With many IoT devices communicating with one another via the internet, the risk of a data security breach is significant, and as more IoT devices are launched into the market, this issue will only become more complicated. Individual personal information is protected under the requirements of the Information Technology Act, 2000 ("IT Act") and the "Reasonable practices and procedures and sensitive personal data or information Rules, 2011" ("Rules") promulgated according to Section 43A of the IT Act (as amended). Section 43A of the IT Act addresses data protection in electronic media and provides that when a body corporate is negligent in implementing and maintaining 'reasonable security practices and procedures' in relation to any 'sensitive personal data' that it engages with, possesses, or handles in a computer system that it owns, operates, or controls, and such negligence results in wrongful loss. Additionally, Section 72 of the ITA establishes a penalty for violating the confidentiality and privacy of acquired data. To secure the privacy and protection of the data gathered, the IoT service provider can have a custom-drafted privacy policy outlining the private information collected, the breadth and degree to which such information is used, and the safeguards in place to assure the data's security (Sarin, 2018). Additionally, the service provider may adopt carefully defined terms and conditions that generally govern liability limitations, the service provider's and consumer's/user's responsibilities, indemnification, intellectual property rights, assignment/licensing, and dispute resolution.
Additionally, to comply with Section 72 of the ITA, the service provider might enter into strict Non-Disclosure Agreements with its clients (Subramaniyan, 2019).
Scope of IT Act and AI
By utilizing machine learning technology in the field of legal research, attorneys may get unprecedented insight into the legal realm in a matter of seconds. Cyril Amarchand Mangaldas is one such firm that has acknowledged AI's capabilities and
is enthusiastically embracing them. CAM made history by becoming the first Indian legal practice to license "Kira," a machine learning program developed in Canada by Kira Systems. This AI-based software is capable of doing a variety of tasks, which eliminates the need for lengthy man-hours. The "Kira" system is used to analyze legal papers, detecting and highlighting potential danger areas, as well as extracting provisions from a variety of legal documents.
The Information Technology Act makes no reference to telephony or the internet. The Act's primary objective was to provide digital signatures and electronic documents with the same legal standing as paper records. The Indian Telegraph Act, 1885, is the sole piece of legislation dealing with telephony. While the internet is a late twentieth-century development, the applicable legislation dates all the way back to the nineteenth-century colonial era. As recently demonstrated by TRAI's rejection of Microsoft's Free Basics program and heroic preservation of the concept of net neutrality, the Telecom Regulatory Authority of India (TRAI) has been forced to step in to fill the legal and regulatory gap. This raises the question of whether basic internet ideas such as net neutrality should be incorporated into legislation rather than needing to be defined by the regulator in response to a challenge. While data is at the heart of AI, there is no regulation in India that protects data privacy rights. The IT Act was amended in 2009 to include section 43A, which establishes a private right of action for compensation against any business that is negligent in installing and monitoring reasonable security methods and processes for the handling of sensitive personal data, resulting in wrongful loss or gain. This clause, which established statutory tort responsibility, was intended to alleviate international data outsourcers' worries amid the outbreak of numerous identity theft cases.
Apart from being confined to sensitive personal data, the clause is effectively unenforceable, as tort proceedings in India take decades to resolve. As a result, the chance of someone successfully suing a business and getting compensation under section 43A within a reasonable time period is unlikely. Additionally, section 43A does not address problems such as whether individuals have privacy rights in their data, the