- All intermediaries are now required to observe the following:
- Blocking access to unlawful information within 36 hours upon an order from the Court, or the government.
- Retaining information collected for the registration of a user for 180 days after cancellation or withdrawal of registration. Further, the Intermediaries are required to report cybersecurity incidents and share related information with the Indian Computer Emergency Response Team.
- Additionally, for large intermediaries, additional due diligence shall be observed. This includes:
- Appointing a chief compliance oﬃcer to ensure compliance with the Information Technology Act and the Digital Media Ethics Code, a nodal contact person and a resident grievance officer.
- Publishing a monthly compliance report on complaints received, action taken, and content removed.
- Having a physical contact address in India which shall be published on its website or mobile application or both.
- For intermediaries that provide messaging as a primary service, they must enable the identiﬁcation of the ﬁrst originator of the information on their platform. If the ﬁrst originator is located outside India, the ﬁrst originator of that information within India will be deemed to be the ﬁrst originator.
- Notably, in case of digital media publishers relating to news and OTT content publishers, a three-tier grievance redressal mechanism shall be put in place for dealing with complaints regarding its content.
- Offensive content by the social media intermediary should be removed either (i) voluntarily, (ii) based on a complaint or grievance or (iii) pursuant to an order of a court or government notification.
- In the event of a social media platform removing a user’s content on its own, it will have to provide prior intimation for the same to the user along with explanation/ reasons for taking such action. Further, the users will be given opportunity to dispute such action taken by any intermediary.
An online news portal has approached the Delhi High Court challenging the new rules. The matter is sub judice.
Digital Payments Guidelines
In February 2021, the Federal Bank of India known as the Reserve Bank of India (the RBI) notified the Reserve Bank of India (Digital Payment Security Controls) Directions 2020 (the Master Directions). As per the circular issued by RBI, these Master Directions are intended to provide necessary guidelines for regulated entities (Scheduled Commercial Banks, Small Finance Banks, Payment Banks and Credit Card issuing NBFCs) (the REs) to set up a full-bodied governance structure and implement common minimum standards of security controls for digital payment products and services. The Master Directions are aimed at consolidating important control aspects broadly in the following areas viz., Governance and Management of Security Risks, Generic Security Controls, Application Security Life Cycle (ASLC), Authentication Framework, Fraud Risk Management, Reconciliation Mechanism, Customer Protection, Awareness and Grievance Redressal Mechanism, specific controls related to Internet Banking, Mobile Payments Application Security Controls and Card Payments Security. All REs have been given six (6) months to ensure compliance with the Master Directions from the date they were notified. The features of the Master Directions have been discussed in brief below.
- The Master Directions are technology and platform agnostic and aimed to create an enhanced and enabling environment for customers to use digital payment products in a more safe and secure manner.
- The Master Directions also specify the criteria under which REs can form partnerships and interact with third-party applications and ecosystem players such as mobile applications, payment operators and gateways.
- Not only do the Master Directions require REs to conduct periodic assessment of their applications, REs are also required to assess associated third-party services. REs will have to assess cyber risk based on defined parameters like technology stack, operational risk, data storage, etc.
- Further, REs would be required to conduct source-code checks, vulnerability testing and penetration testing every six months for payment systems. Thus, third-party operators will not only be subject to rigorous periodic testing, but they will also have to submit their source code to REs to ensure continuity in service. Also, in case of non-compliance, there will be penalties.
- The Master Directions requires the REs to set up a near-real-time conciliation mechanism (24-hour settlement) along with a robust grievance redressal system that can process requests faster. Besides, the Master Directions lay down methods for multi-factor authentication and more secure internet-banking services, requiring REs to follow the highest security standard protocols.
- Additionally, as the intensity of phishing attacks using SMS, e-mails and tele-calling have increased, the Master Directions call upon REs to focus on preventing such attacks and further requires the REs to secure such data.
Author: Ms Osheen Sharma, Lawyer, email: firstname.lastname@example.org
Main tel:+91 11 46517878; 41634910
A-842, Second Floor, Sushant Lok Phase-1
+91 11 46517878; 41634910