India does not have any specific law or regulation to govern any act or omission committed within the metaverse. However, any entity that extends its services across the metaverse will continue to be bound by the provisions of the Information Technology Act, 2000 (IT Act) and its rules pertaining to cybersecurity, data collection and intermediary liability. Further, the entity would be required to abide by the central bank’s regulations on payment systems, know-your-customer (KYC) obligations, data localisation, and cross border financial data transfer. With the incidence of the taxation liability under the Income Tax Act, 1961, where virtual digital assets are involved in any transactions, they may be subject to appropriate taxation. Consumer protection statutes and allied guidelines, along with the penal codes, will further regulate activities in the metaverse and the host of digital services on offer. Consumer protection statutes and guidelines provide for offences related to unfair trade practices and misleading advertisements that may be implemented in the digital sphere. Further, the IT Act and the Indian Penal Code, 1860 (IPC) factor in any offences which may take place on the metaverse, owing to the immersive experience offered, in some rudimentary form. The Consumer Protection (E-Commerce) Rules, 2020, have also been notified to regulate e-commerce entities and may also extend to social media platforms.

The intellectual property regulatory framework in India does not grant software any protection in patent law, and accordingly reliance must be placed on copyright laws. Separate components of this ecosystem will have to rely upon different statutes for seeking protection of the trade marks, copyrighted works, and where there is a hardware component, patent and design protection must also be sought, as required. Since a lot of applications will be relying upon the combination of both hardware and software solutions, it will be necessary that they are able to establish enough evidence to seek patent protection as computer-related inventions. India does not have any comprehensive legislative framework for data privacy and data protection; it relies on sectoral prescriptions from the banking, insurance, and health regulators, depending on the specific sector.

A draft data privacy and protection legislation has been issued by the appropriate Ministry for stakeholder comments, and further changes are expected to be brought in 2023. With respect to blockchain specifically, no framework has been prescribed already. However, several government agencies have issued white papers and have conveyed their intentions to rely on blockchain, decentralised ledger technology (DLT) oriented solutions for the implementation of governmental and private functions. There are telecoms regulations that have recognised DLT methods being put to use by service providers for defined purposes. It is expected that the incoming Digital India Act, which will seek to replace the IT Act, 2000, will address harms in the metaverse and provide for indicative guidance on the compliance actions to be undertaken by enterprises to offer such services in India. Considering that the metaverse may be implemented upon DLT, it is likely that future trade agreements with overseas jurisdictions may cover such instances of cross-border co-operation for grievance redressal.

The digital economy is regulated under the provisions of the IT Act and its allied rules pertaining to cybersecurity, data processing and intermediary liability. The data collection rules require entities to seek user consent before seeking sensitive personal data, and they provide for defined cybersecurity (technical and organisational standards), which must be implemented within the framework of an enterprise to ensure fair processing of information. The government has further sought to impose compliance basis the nature of intermediary function, performed by an enterprise. For instance, news publishers, social media intermediaries and gaming intermediaries (pending enforcement of the amended law) are treated differently in law, due to the difference in their outreach, objectives, and social impact, which provides for a graded approach to compliance.

Further, entities offering paid services will be required to abide by the directions issued by the banking regulator (Reserve Bank of India ‒ RBI) on payment systems, know-your-customer obligations, data localisation, and overseas data transfer. Consumer protection statutes, and allied rules on operation of e-commerce websites, shall further regulate transactions on the internet. Entities will be required to abide by the advertising regulations prescribed under the Consumer Protection Act, 2019, and any other guidelines released by the Central Consumer Protection Authority, and the Advertising Standards Council of India. The Competition Act, 2002 and the Companies Act, 2013 will regulate the corporate structuring of entities in this space. Telecoms regulations, such as the Indian Telegraph Act, 1885 (Telegraph Act), the Wireless Telegraphy Act, 1933 (WT Act), the Telecom Regulatory Authority of India Act, 1997 (TRAI Act) may also require compliance, depending on the mode of operation of the entity. The Telegraph Act regulates the establishment, maintenance and work of telegraphs, which enjoy a wide definition, with a scope covering every aspect of communication.

With the surge in uptake of OTT communication services, it is expected that the incoming telecommunications bill will address concerns around regulation of such services which are hitherto not under any form of regulation from a telecom perspective, akin to the European Electronic Communications Code. Additionally, there are several statutes at the pre-legislative consultation stage that relate to telecommunications services, data protection, digital services; these may be notified shortly.

The legislation pertaining to digital services, digital markets and content regulation is antiquated and in urgent need of an upgrade to bring it in line with the innovative pace of the industry, as well as the global standards for regulation. To that end, the government of India has commenced public consultations for a slew of pieces of legislation to be introduced to regulate digital services and digital markets. It is expected that the new statute will impose an array of additional compliance rules, and mandate entities to have a corporate presence in India to offer their services to Indian audience. Any business seeking to commence digital services may be required to urgently modify their front-end and backend systems, should the legislations come into force during such timeline. It is also expected that this impending legislation may also include contours around overcoming appreciable adverse effects in competition. Any such incoming statute will likely impose regulations upon gatekeeping entities, which function as gateway to a host of services/products made available to end users.

Also, it is possible that a lot of the information which will be available in this ecosystem may qualify as trade secrets under global conventions and treaties; however, at present, there is no specific legislation in India to protect know-how, trade secrets and confidential information. In the absence of statutory protection, several judicial decisions have upheld trade secret protection on the basis of principles of equity, and often, upon a common law action of breach of confidence, which in effect amounts to a breach of contractual obligation.

India does not have any designated laws or regulations catering to the specific regulation of cloud and edge computing, and deference is made to the existing laws governing the information technology and enabled services ecosystem. Accordingly, the industry will be regulated under the provisions of the IT Act and its allied rules. In the absence of any specific law for data privacy and protection, sectoral regulations for the protection of health information and financial information which are in furtherance of the privacy principles must be adhered to, as well as the apex court’s pronouncement in the matter of Justice KS Puttaswamy (Retd) v Union of India and Ors (Puttaswamy Judgment), which held the right to privacy as a fundamental right.

Apart from this, general compliance with respect to consumer laws and compliance rules that apply to the corporate entity under the relevant business and corporate laws shall be applicable. To put in other words, while there is no specific regulation of cloud computing and related services, cloud services have been specifically included as an entry under the goods and services tax regime.

The delivery of cloud services may involve a range of providers and intermediaries:

• the owner and controller of the cloud facility;
• intermediaries that connect such persons with cloud users; and
• aggregators that package and integrate several cloud services into a composite offering for cloud users.

Accordingly, enterprise must remain cognizant of any developments in the telecommunications sector, should it have a material impact on the provision of cloud services. The Telecommunications Regulatory Authority of India (TRAI) had, vide its recommendations to a published consultation paper, recommended that industry bodies for cloud services may be set up, with their specific codes of conduct and grievance redressal protocols, and be regulated under the purview of the Department of Telecommunications. TRAI has conducted several rounds of consultation to bring in a framework for the regulation of cloud computing activities.

The RBI and the insurance regulator have specific prescriptions that regulated entities must respect when they are engaging with cloud service providers. The RBI provides indicative guidance in the use of cloud computing services by regulated banking entities, and mandates that cloud service providers (CSPs) be selected on the basis of a comprehensive risk assessment exercise. The CSPs must be based in a jurisdiction where agreements executed under Indian laws are enforceable, they must have adequate vulnerability management, and disaster recovery protocols must have been put in place by such CSP. Similar obligations have also been imposed by the insurance regulator in India to ensure that the registered entity remains accountable to the end users for any actions of the cloud service provider. The capital markets regulator, the Securities Exchange Board of India (SEBI), has proposed a cloud framework for its regulated entities, highlighting risks and control measures entities need to consider before adopting cloud-based solutions.

The proposed cloud framework has suggested nine high-level principles:

• governance, risk and compliance (GRC);
• data localisation;
• data ownership and process visibility;
• access, risk assessment and due-diligence on CSPs;
• security controls;
• legal and regulatory obligations;
• business continuity planning (BCP);
• disaster recovery and cyber-resilience; and
• vendor lock-in.

India does not have any specific regulations for processing personal information in the context of cloud computing; however, the regulations of the central bank, insurance regulator and capital markets regulator provide guidelines on cybersecurity measures and disaster recovery protocols to be maintained by a regulated entity under such sectoral regulations. The sectoral regulations flow on similar lines, to ensure liability upon the entity availing such services. They provide for compliance rules to be extended to service providers by way of service level agreements.

There are no specific pieces of legislation governing the use of artificial intelligence and big data in India; however, sectoral regulators have sought to bring in certain guidance towards the use and assessment of these items. SEBI issued a circular in Jan 2019 to Stock Brokers, Depository Participants, Recognised Stock Exchanges and Depositories and another in May 2019 to All Mutual Funds (MFs)/ Asset Management companies (AMCs)/ Trustee Companies/Board of Trustees of Mutual Funds/Association of Mutual Funds in India (AMFI) on reporting requirements for Artificial Intelligence (AI) and Machine Learning (ML) applications and systems offered and used. The reporting is aimed towards creating an inventory of AI systems in the market and establishing the basis for future policies for governance in the space.

In the digital health space, the strategy for National Digital Health Mission (NDHM), now the Ayushman Bharat Digital Mission (ABDM), identifies the need for the creation of guidance and standards to ensure the reliability of AI systems in health. The Data Empowerment and Protection Architecture (DEPA) by NITI Aayog (which is the apex public policy think tank of the government of India) presents a technical framework for people to retain control of their personal data, and the means to leverage it to avail of services and benefits. Furthermore, in anticipation of the use of AI technologies in telecommunications, the Telecommunications Engineering Centre (TEC) of India has released a draft consultation paper on the “Fairness Assessment and Rating of Artificial Intelligence Systems”, enumerating detailed procedures for accessing and rating artificial intelligence systems for fairness.

While the aforementioned guidelines pertain to sectoral considerations, the information technology framework, the IT Act and its allied rules, shall continue to govern any activity conducted over a computer network. In order to support the research and adoption of AI technologies, the Ministry of Electronics and Information Technology (MeitY) has constituted several committees to address issues and provide recommendations for:

• the uptake of AI by big tech;
• the cybersecurity considerations; and
• leveraging such technologies to accomplish national objectives in key sectors.

The points of discussion around IP in 1.1 Laws and Regulations remain prevalent for this purpose. Further, in line with global standards, regulators must seek to develop standards for AI assessment, based on its risk and industry applications as well as its effect on the legal rights of individuals. While the consultation paper released by the TEC is a welcome first step in this direction, there is an urgent need for a pan-Indian framework in this regard, in view of the wide application of AI in diverse sectors. Further, remediation measures for algorithmic bias violations are to be set out as well; in the absence of data privacy legislation that can regulate the manner of processing of information, AI remediation measures may be necessary to ensure that a user is not subject to an adverse impact as a result of any AI data processing in a biased manner.

There are no specific laws to regulate internet of things services in India. The Indian government had released a draft “Internet of Things Policy” in 2015, aiming to promote the creation of an IoT ecosystem and development of IoT products specific to Indian needs in areas such as agriculture, health, water quality and natural disasters. A lot of changes will also be brought in this regard by way of the incoming telecommunications legislation. The policy document is supported by provisions of the IT Act and the allied rules pertaining to cybersecurity, data collection and intermediary liability, which seek to govern activities in the digital space.

Any consumer-facing services or products will invariably fall under the consumer protection laws, and their sale over the internet will also be managed by the applicable laws for e-commerce and protection of users across the online set-up. These statutes will require compliance from most of the entities operating in this space, due to the interconnected network, which may be facilitated by internet access provided by internet service providers.

The National Telecom (NT) Cell, the government body dealing with policy and regulatory aspects related to machine-to-machine (M2M) communication, released a National Telecom M2M Roadmap in May 2015. After this release, the NT Cell formulated KYC norms for SIM-embedded M2M devices, a numbering scheme for M2M, registration of MSP (M2M service provider) and M2M pilots. The Department of Telecommunications (DoT) issued a notification on May 2018 for implementing restrictive features for SIM cards used only for M2M communication services and related KYC instructions for issuing M2M SIM cards to organisations providing M2M communication services. The restrictive features, inter alia, include non-transferability of mobile connections, adherence to KYC norms by M2M service providers prior to SIM issuance, calls/SMS to be from a predefined set of numbers, and predefined IP addresses for data communication.

Further, the DoT released the guidelines for “Registration process of M2M service providers and WPAN/WLAN Connectivity Providers for M2M Services”, in order to address concerns regarding technology service providers (TSP), KYC, security and encryption. M2M service providers must provision resources from an authorised licensee, and details of all customers of M2M services must be made available to such authorised licensee from time to time. Further, any equipment sought to be used for M2M services must be certified by the TEC and comply with any additional instructions issued by the DoT.

In order to receive authorisation from the DoT to offer telecommunication services, entities must enter into a unified licence (UL) agreement with the DoT, which converges multiple licence terms for service providers. The licensee is also required to comply with additional standards prescribed for technology services by the TEC, under the IT Act, or by TRAI advisories. In the event that a M2M service provider engages with an authorised licensee for provision of services, obligations imposed upon the licensee flow down to the service provider contractually for their necessary adherence. The terms of the UL permit the DoT to seek details about the end users, enforce interception requests, and demand complete access to M2M equipment where necessary to counteract espionage, subversive acts, sabotage or any other unlawful activity. The M2M service provider must further provide decryption facilities for the content on its network as and when required by the DoT or any authorised agencies. The entity that encrypts the content shall be responsible for its decryption. Similar obligations for interception may be imposed by way of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 (Decryption Rules), which permit an authorised agency of the government to intercept, monitor or decrypt information generated or transmitted in any computer resource, subject to procedural safeguards.

In addition to the foregoing, any entity that processes the personal data of end users will be required to comply with the applicable laws as discussed, and depending on the sector that the solution is aimed at, there might be additional considerations and prescriptions made under sectoral frameworks.

The regulation of audio-visual content is dependent upon the mode of delivery of audio-visual content, whether by broadcast or internet services. Broadcasting content is regulated under:

• the Cable Television networks (Regulation) Act, 1995;
• the Cinematograph Act, 1952;
• the Sports Broadcasting Signals (Mandatory Sharing with Prasar Bharati) Act, 2007; and
• the Press Council Act, 1978, which seeks to regulate content provided by news, entertainment and sports channels.

Further, the Cable TV Networks (Regulation) Act, 1995 and its allied rules are instrumental to the regulation of advertising content published on broadcast television as well, by way of the Advertising Code. The Ministry of Information and Broadcasting has formulated guidelines for the uplinking and downlinking of television channels, last modified in 2022. Distribution of cinematographic content is regulated under the Cinematographic Act, 1952, along with the allied rules thereunder. Advertising content must further comply with the regulations issued by the Advertising Standards Council of India (ASCI), a non-statutory body dedicated to self-regulation of the advertising industry. Apart from this, compliance with the IT Act, the Copyright Act, 1957, and provisions of the IPC is also necessary. The provision of news content is further regulated by regulations of industry bodies, such as the News Broadcasters and Digital Association, which lays down the fundamental principles to be adhered to during reporting. Content distributed over the internet must adhere to the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), which lays down general principles for digital content made available online, and proposes a voluntary certification scheme, to examine the age-appropriateness of any content distributed over the internet. In order to provide a framework for content regulation on the internet, the IT Rules, 2021 rely upon the aforementioned statutes to devise the “dos and don’ts” for digital content. The sector is further regulated by the advisories and guidelines issued by the Ministry of Information and Broadcasting, which may pertain to advertisements made available online or via television.

Radio services are provisioned upon execution of a Grant of Permission Agreement with the Ministry, whereby compliance rules for incorporation and the content of radio channels are provided for by the government. Radio content must further stand in compliance with any advisories issued by the Ministry of Information and Broadcasting, and they must comply with any advertising regulations in effect.

With respect to the content providers who wish to host or offer services over the internet, there is no requirement to seek a prior approval. However, they are still bound to follow the rules that may apply to them as a result of their status with respect to qualifying as an intermediary, an IT enabler/service provider, and accordingly with consumer and data protection laws.

For the purposes of starting a TV channel, the processing fee of such an application will amount to INR10,000, and the annual permission fee for the purposes of uplinking a channel will be INR200,000 per channel, and for downlinking from India the price is INR500,000 per channel. Where downlinking is for a channel based outside of India, the annual permission fees is INR1,500,000 per channel, and where there is the requirement of uplinking a foreign channel from an Indian teleport, the charge is INR200,000 per channel. A one-time registration fee for downlinking TV channels which are uplinked from other countries shall amount to INR1,000,000. There are other requirements with respect to the net-worth requirements, the amount payable as a performance bank guarantee, and security deposits, depending on the service offerings.

The telecoms laws allow for DLT solutions to be integrated into the solutions that are offered by the approved entities under the telecom regime. However, they do not place any embargo on how and when such technology can be integrated into a solution and provide a general code of practice which is communicated to such service providers. There are prescriptions with respect to how smart contracting can be used by them for the purposes of engaging in commercial communications. The general principle that no harm must be caused to the end user on account of such technology continues to be there.

With respect to the impending telecoms legislation, there is a possibility that consideration may be made with respect to leveraging AI and big data in this sector, as per earlier consultation papers which were floated by the TRAI in this regard.

General compliance will have to be achieved with respect to how such technology will interact with conventional systems or other laws. Additionally, in case of any hardware components being required to be integrated, one has to ensure that such equipment may be brought into India without violating any trade norms or import restrictions.

With respect to entering into a technology agreement with a local organisation, any company must ensure that in the absence of an absolute patent regime for software and data privacy legislation, there should be sufficient redressal for IP and data privacy requirements. Additionally, as technology agreements could involve flow and availability of data, an incontrovertible migration clause is in place, enabling seamless transfer of data and information in the case of termination of services to another service provider within a defined timeline. Typically, the Service Level Agreement (SLA) contained within a contract covers uptime guarantee, remedies, warranty periods, and similar undertakings. Additionally, clauses ensuring data privacy, continued access to data, confidentiality, ownership of intellectual property, indemnity, limitation of liability, appropriate representations and warranties are few of the clauses inserted for protection of the customer’s rights, as well as clearly etched out consequences of breach and termination.

Additionally, the financial sector requires that any payment and transaction information which pertains to a transaction taking place in India must be stored locally and may be accessed or processed overseas within the first 24 hours, and then that information has to cease to be available overseas. However, there is no embargo on the foreign leg of such transactions. It is in this respect that several companies who offer other services but also allow for incidental services to occur on their platform shy away from overseas transfer of data. With respect to price revision restrictions, there is no prescription in law as such, but a lot of leverage is provided to the parties to the contract in terms of their negotiating tactics.

The IT Act deals with the processes that are to be put in place for issuance of digital signature certificates (DSC), and how to deal with electronic signatures. The concept that governs this process is that any electronic signature that is capable of attribution and non-repudiation is valid in the eyes of law. There are certifying authorities (CAs) recognised in law by the Controller of Certifying Authorities, regulating DSCs. CAs have the authority to issue DSCs to end users and depending on the nature of services for which a DSC is sought by an end user, there are different categories of these DSCs. The CAs are to be governed by the IT (Certifying Authorities) Rules, 2000, which prescribe the framework within which they can operate. These DSCs are issued only after a rigid KYC process is undertaken by the CA, and the deployment process requires additional factor authentication and several robust measures.

In addition to this, with respect to delivery of trust services, the banking sector prescribes for certain minimum standards of compliance expected of their systems and networks. It also provides for the baseline encryption standards to be implemented by the service providers. Furthermore, the advisory that flows from the RBI and the insurance regulator goes beyond providing prescriptions for user interactions, but also require a certain level of compliance for internal systems, and the physical security controls which must be put in place for data security.

Furthermore, the banking, telecoms and health sectors also rely on the unique national identifier (AADHAAR) scheme to bring in verifiable consent schemes for the end users. As AADHAAR details can be verified by validation over a one-time password generated every time a service provider tries to access AADHAAR details, this forms one of the better trusted online resource pools for immediate authentication of a user.

Tied to this is the concept of DigiLocker, which is a service of preservation, retention of online records and delivery of such records to the end users who are registering with this government’s online repository created with the aim of ensuring that people can access, download, and validate online copies of their own official documents. DigiLocker is a platform for the issuance and verification of documents and certificates in a digital form, and these documents are legally valid documents under the IT Act and are to be treated equally to original physical documents. This account can also be linked to the AADHAAR of the individual, which is intended to become the single point of identification for an individual, mapped to their banking, telecoms, health, and other sensitive points of social and official interactions.

Similarly, the National Health Authority is also creating a framework aiming to create a unique health identifier attributable to one individual, and the users who become part of this network will be able to rely on the underlying health information exchange to access and act upon the electronic health records available within the ecosystem.

Very recently, the Ministry of Civil Aviation has also revolutionised the way paperless travel with appropriate security controls can become a reality, enabling smoother processing of passengers journey during air travel. This also allows users to validate their identity either via by AADHAAR – based e-verification, or by extracting relevant documentation from the DigiLocker account of the individual.

The apex court in the Puttaswamy judgment did eliminate the indiscriminate collection of AADHAAR details by private parties, and the court has since gone on to recognise the right to privacy of individuals as a fundamental right. The government has to be careful in processing personal information about individuals and must always adhere to the tests of legitimacy, necessity and proportionality.

While companies are at liberty to seek cybersecurity insurance from the insurers in the country, it is not always a sine qua non for companies who are working in this dominion to seek the same from a counterpart in any IT or information technology enabled service (ITeS) commercial arrangement.