INDIA Law and Practice Contributed by: Shivalik Chandan, Hardik Choudhary, Dhruv Singh and Arjun Khurana, G&W Legal
4.2 Compliance and Governance

As no specific legislation exists in India governing the IoT sphere, companies must be mindful of a host of laws and regulations (as highlighted above) while deploying IoT solutions. Importantly, the enforcement of the upcoming DPDPA will result in a sea change in India’s data protection regime, as compliance requirements and penalties under the DPDPA are more stringent than those under the current SPDI Rules. Companies must ensure that they are prepared to meet the additional compliance burdens which will be put in place by the DPDPA, including the requirement for specific and itemised consent notices, providing for data subject rights, having mechanisms in place for the data breach reporting requirements, and ensuring adherence to requirements around processing of minors’ personal data.

In addition to the above, companies must ensure that all requisite licences and certifications (the requirements of which have been highlighted above) in relation to their IoT solutions are in place prior to their implementation. Risks arising from this could be mitigated by way of conducting adequate due diligence on any service providers, and having contractual provisions in place in the event of an issue with any such licences/certifications, or arising from non-compliance with any applicable laws.

4.3 Data Sharing

As no specific legislation exists for IoT companies in India, legal requirements with respect to data sharing by IoT companies are governed by Indian privacy law (currently the SPDI Rules, set to be replaced with the DPDPA).

Under the SPDI Rules, sharing of “sensitive personal information” with a third party may only be done with the consent of the data subject or for fulfilment of a contract with the data subject, unless such sharing is required for compliance with an applicable law. Additionally, the transfer of sensitive personal information to a third party may only be carried out where such parties can ensure the level of data protection required under the SPDI Rules.

The DPDPA relies on consent as the primary basis for processing of personal data, except in the case of certain “legitimate purposes” where personal data may be processed without consent. As such, once the DPDPA is brought into force, for any data-sharing activities, IoT companies will have to seek specific consent (as required under the DPDPA) for any processing activities involving data sharing, and will have to comply with all the other requirements imposed on data fiduciaries under the DPDPA.

5. Audiovisual Media Services

5.1 Requirements and Authorisation Procedures

A number of different laws govern the provision of audiovisual media services in India. However, these were put in place prior to the advent of the internet as an audiovisual medium, and as such, most do not include internet-based services within their ambit.

Cable Television Networks (Regulation) Act, 1995

The Cable Television Networks (Regulation) Act, 1995 (the “Cable Television Act”) governs the operation of cable television networks in the country, defined specifically as systems which are designed to provide cable services for reception by multiple subscribers. This legislation is restricted to terrestrial broadcasting mediums and does not include satellite television within