A trend of Blockchain-MMORPGs and legal uncertainties surrounding MMORPGs


Massive Multiplayer Online Role-Playing Games (“MMORPGs”) are virtual worlds in which players act as inhabitants and band together to engage in immersive gameplay.[1] There are MMORPGs which are real-world simulations, and allow players to create an avatar in the game and collect assets such as money, weaponry, clothing, land, or other goods that have “value” inside the game’s virtual world.  The characters purchase homes, cars and other everyday items with the use of in-game’s currency which could be in form of ‘credits’ or ‘tokens’. These credits are bought by players using real-money. These games also provide a marketplace where players can sell or trade the virtual assets to each other. Some MMORPG’s provide the option of cashing out the real money by redeeming the credits earned through trading of virtual assets. Therefore, certain numbers of MMORPGs have now become a source of generating revenue as well.


This blog traces and analyses a list of MMORPGs and the common practices they follow while serving online gamers.


There are two categories of real-world simulation MMORPGs right now. One is traditional real-world MMORPGs, such as the Entropia Universe and Second Life, where players were given the option to trade virtual in-game currency back for fiat money. Others are blockchain based MMORPGs where players are actually buying in-game assets which are non-fungible tokens (NFTs) based assets or cryptocurrency based virtual currency and trading it back for fiat money.

Key difference: Blockchain based MMORPGs have cyptocurrency based assets, for instance if you buy a land which is based on ERC 20 tokens, you are effectively buying a ERC 20 token. This really allows a player to assert the absolute ownership over the virtual assets even if game ceases to exist. Unlike Entropia Universe, which charges subscription, taxes and maintenance fees for each asset you buy and if the site goes down, the in-game assets also cease to exist.[2] 

Please find the following list of popular MMORPGs along with their category:

S. No.Game Name (with hyperlinks to relevant whitepapers, code of ethics or ToU)Category
1.Entropia UniverseIn-game currency based MMORPG
2.Second LifeIn-game Currency based MMORPG
3.RobloxIn-game Currency based MMORPG
4.DecentralandBlockchain based MMORPG
5.The SandboxBlockchain based MMORPG
6.NeoworldBlockchain based MMORPG
7.CryptovoxelsBlockchain based MMORPG


Following takeaways can be made out on reading of whitepapers and legal documents released by the aforementioned games:

  • In blockchain based MMORPGs, land or assets are parcels based on non-fungible tokens (this varies extensively – ERC 2O, ERC 271, or ERC 1155) and, therefore, allows a player to be assure about his ownership to an in-game asset which he/she buys in exchange of money. It is just like buying a bitcoin.
  • All these platforms have marketplaces where players can buy virtual assets or credits for certain real money or fiat currency. The platforms have facilitated the movement of funds between buyers and sellers in these marketplaces. Surprisingly, they do not provide exhaustive code of conduct related to marketplaces.
  • The user-verification related process is not standard and inconsistent across all the platforms. Only one platform, Decentraland mentions about Know Your Client (KYC) process. In this situation, if a regulator scrutinizes a MMORPG platform from the money laundering perspective, then the platforms with no KYC/AML processes in place are likely to face the regulatory heat i.e. a possible ban.
  • All the platforms recognize the threat of uncertain regulatory environment, even in-game currency based MMORPGs, and they specifically mention in their disclaimer that continuity of services is subjected to regulatory actions in a particular jurisdiction.
  • Majority of successful platforms like Decentraland, Entropia Universe, and Second Life, acknowledge in terms of use, their responsibility to maintain records of finance for all funds transactions in connection with the use of the gaming service.
  • Out of all blockchain based MMORPGs, only Decentraland specifically acknowledges the risk associated with cryptocurrency – volatility risks, regulatory risks, and risk of drastic changes in Ethereum blockchain.
  • All the gaming platforms provide that in case of any tax will be required to pay for virtual assets and transactions owned by players in their jurisdiction, the player is responsible to pay that tax.
  • Only Entropia Universe clarifies that ‘gambling’ activities are expressly forbidden in its virtual in-game universe.


Following are the best practices that players interested in playing a MMORPG or developers interested in developing a MMORPG, shall consider to obviate risks in an environment of regulatory uncertainty: 

  • Platforms looking to incorporate a virtual currency into a game or app without triggering potential money laundering obligations must have proper KYC/AML procedures in place.
  • The virtual currency should be for in-game purchases only, such that there should be no ability for players to directly sell, exchange, transfer, or cash out any virtual currency they have purchased in exchange of cash.
  • As most of the popular platforms have deployed, avoid a claim that the in-game virtual currency represents fiat currency. Further, a disclosure that the virtual currency represents certain risk subject to prospective regulatory actions.
  • There should be a simple and readable policy related to marketplace transactions with focus on avoiding risks of assumption by players that the marketplace purchases imply any sort of ownership of virtual assets.

(Authored by Abhijeet Vaishnav, volunteer-researcher, with inputs from Aryan Babele)

[1] http://www.commonlii.org/in/journals/INJlLawTech/2006/4.pdf

[2] https://cryptobriefing.com/will-second-life-get-a-second-life-five-virtual-lands-on-the-blockchain/.

Comments on the NITI Aayog’s draft ‘Guiding Principles’ for the ‘Regulation of Online Fantasy Sports Platforms in India’

On 5th December 2020, NITI Aayog released a draft for discussion titled ‘Guiding Principles for the Uniform National-Level Regulation of Online Fantasy Sports Platforms in India’ (“Draft Report”), seeking comments from different stakeholders of fantasy sports industry. The Draft report hits two birds with one stone; firstly, it proposes to establish a single Self-Regulatory Organization (SRO) for Online Fantasy Sports Platforms (OFSP) so as to enable ‘light touch’ regulatory framework, secondly, these guidelines also act as a ‘regulatory sandbox’ for OFSP.  

A brief summary of our submission to NITI Aayog with comments, concerns and recommendations in relation to the Draft Report are as follows: 

Recognition for all categories of “pay-to-play” online games

Apart from online fantasy sports, there are many other pay-to-play format of online games like rummy, cricket simulation etc. that are offered using the same digital interface through which they offer online fantasy sports contests. For instance, Paytm First Games and Mobile Premier League, to name a few. We have raised the concern that governing only OFSP could result in complex situation for online gaming industry in general and such all-in-one online gaming platforms in particular. We recommend that by virtue of these guidelines all “pay-to-play” formats of online games should be recognised.

Specify definition and extent of the term ‘fantasy sports’

The Draft Report neither defines the term neither ‘fantasy sports’ nor enlists activities that might constitute the same under the proposed framework. The framework proposes that “all formats” of fantasy sports offered by OFSP must be skill-predominant. There is no clarity whether ‘free to play’ formats, which doesn’t involve any stake of players and are risk-free, are also required to be game of skill. In our comments, we have formulated an element-wise definition of ‘fantasy sports’ wherein we have specifically pleaded that the definition should exclude free to play format specifically from the definition of fantasy sports.

The proposed framework requires a platform to take approval from SRO if offering a fantasy format different from judicially determined game of skill. There are three HCs which have analysed the Dream 11’s format as game of skill and no definitive criteria have been laid down by any of them for determining whether a fantasy format is game of skill or not. Therefore, we believe that ‘judicially determined’ format of fantasy sports is subjective and the framework should itself provide objective test in the Draft Report itself.   

Uniform and diverse representation in the SRO

The Draft Report prescribes that only a fantasy sports industry body, which have as members OFSPs with registered user base, in aggregate, equivalent to at least 66 percent of registered users of online fantasy sports in India, could be recognised as SRO by the Government. This is an absurd eligibility criterion as the concentration of users is not uniform across OFSPs. In such a scenario, there is a risk of disadvantage to the interests of OFSPs with small user base.

The proposed model of membership of SRO leaves aside many other participants of the fantasy sports industry like advertisers, payment service providers, consumer bodies etc. We recommend that the eligibility criterion for recognition of an industry body as SRO must be based on diversity and number of members rather than the strength of user base of its members. This will lead to a holistic and pervasive regulatory framework.

Requirement of minimum safeguards in the organizational framework of SRO

Three internal bodies have been envisaged within the proposed SRO: an independent oversight board, a grievance redressal mechanism and an evaluation committee. We recommend that a governing body, in addition to the internal bodies, must be constituted. Further, basic principles and minimum safeguards must be incorporated in the framework to ensure independence of oversight board, transparency in working of grievance redressal body and evaluation committee, etc.

Clarity on how safe-harbour exemption will be implemented

The guiding principles proposed in the Draft Report grant safe-harbour exemption or a criminal immunity to all the member-OFSPs of the SRO. As “gambling and betting” is a subject of the state list, it is recommended that a clarificatory note be released by the NITI that fantasy sports be construed as a class apart from gambling rather than exception. In short, fantasy sports should be governed by the Union using its residuary powers under Entry 97 of List I.

(Authored by Eukti Garg, Volunteer-Researcher at LawforIT, with inputs from Aryan Babele)

The case of Content Aggregator Platforms: PVR Ltd. v. Just Dial Ltd.

Content aggregation platforms like JustDial are sites that collate, index and distribute hyperlinks to third-party content and displays it on a single webpage for their users’ reference.[1] Aggregators ensure listing of businesses by associating latter’s websites with their platforms using various tools such as deep-links, framing and meta-tags.

Deep-links are hyper-links in the form of an image or text which on selection redirects the user to the specific content/webpage of the source’s website.[2]

Framing is the process by which multiple webpages of another websites are displayed as separate windows/frames on a single webpage of the aggregator’s platform.[3]

Meta-tags are words and phrases in the HTML code of the website, related to the particular content, which become identifiable and a part of the search results when a user searches using the terms on search engine corresponding to the embedded words and phrases.[4]

The case of copyright, trademark and/or other proprietary rights of entities listed on its platform

Content aggregator’s ability to publish or post the relevant content that it obtains from the third-party sources is limited by the copyright and trademark laws of India and by the terms of any agreement entered into with the content-provider or listed entities.[5]

Observation: Aggregator lists business entities on its platform in exchange for a fee. If any entity willingly lists itself on the platform after paying a fee and agrees to the client’s terms of use which provides for use of the information/links/metatags of the business by the aggregator then there will be no violation of the copyright, trademark and/or other proprietary rights of entities listed on the platform.[6] However, if JustDial provides information on its platform about any listed entity, without any prior agreement or consent for utilizing the deep-links or separate frames to the website of the entity, then such links shall inadvertently infringe copyrights or trademarks owned by the entity’s website, as it results in by-pass or duplication of the information contained in the linked webpage.[7] Further, aggregator’s use of meta-tags of such listed entity will result in misapprehension in the mind of the former’s customers that it is authorized by or associated with the latter entity.[8]

Relevant Law: Copyright subsists in the “original literary works” such as the content of any website.[9] The Copyright Act 1957 (“the Act of 1957”) entitles the first owner i.e. the listed entity, with the exclusive right to reproduce, publish, perform, display, or create “derivative works” from its website’s content (primary works). [10] Therefore, a copyright is “deemed to be infringed” if any of these exclusive rights (listed entity’s rights to publish or create “derivative works” through deep-linking or framing respectively to its website) are exercised by the infringer without the permission of the former.[11] Further, the Trademarks Act 1999 (“the Act of 1999”) provides an inclusive definition of “mark” which includes the meta-tags of a website as well.[12] By virtue of the Act of 1999, unauthorized use of trademarks as meta-tags constitutes infringement of registered trademark.[13] However, deep-links, frames and meta-tags could be utilized subjected to “fair use” and “nominative use” exceptions.[14]

In PVR Ltd. v. Just Dial Ltd,[15] the Delhi High Court prima facie held that unauthorised listing of information (ticket-booking details, movie schedule, addresses and pictures of PVR movie theaters), as available on PVR.com, by JustDial using deep-links and frames to and meta-tags of PVR.com, gives the public impression that there is a nexus between the both. Thus, it resulted in exploitation of PVR’s goodwill by JustDial that amounted to copyright and trademark infringement and passing-off. It is considered as the first case in India which deals with the legality of content aggregation tools collectively.

The legality of use of deep-links, frames and meta-tags has also been questioned multiple times in cases of major jurisdictions such as the USA, the UK and Canada.[16] The majority of courts of these jurisdictions have held that the unauthorised use of deep-links, frames and meta-tags of primary website is deceptive to the public and has granted an injunction against content aggregation platforms.   

What are the liabilities that the aggregator’s platform can incur due to the user reviews? What are the measures that aggregator’s platform can put in place to mitigate these liabilities?

Observation: Aggregator’s platform is also a user-review platform which gives its users the ability to review and rate the various businesses listed on its directories. Evaluation platforms/sites provide an opportunity for users to post comments on businesses, in addition to reviewing and ranking them.[17] Such reviews and ratings are usually couched in terms of opinion but could be extremely negative, false or defamatory at times. Since these reviews and ratings are entirely users’ opinions and user-generated contents, the consumer review site cannot be held liable for the same.[18]

Relevant Laws: A user-review platform is an ‘intermediary’ under the Section 2(w) of the Information Technology Act, 2000 (“IT Act”).[19] The ‘intermediaries’ like JustDial are granted an immunity under Section 79 of the IT Act from offences caused due to the user-generated content wherein such intermediary had no knowledge about the nature of content.[20] The Information Technology (Intermediary Guidelines) Rules, 2011 (“Intermediary Guidelines”) provide the due diligence requirements that must be observed by intermediaries to avail the safe-harbor protection (immunity).[21] However, upon receiving actual knowledge or being notified by the Government or its agency about any unlawful content on the platform, intermediaries are liable to take down or disable access to it.[22]

Indian Jurisprudence: In the case of Procentris India (Pvt,) Ltd. v. Mouthshut.com (Pvt.) Ltd.[23], Mouthshut (a popular consumer review site) was ordered by the Bombay High Court to delete reviews critical of Procentris. Subsequently, Mouthshut.com filed a writ petition in the Supreme Court for quashing the IT Rules, 2011 on account of it being violative of Articles 14, 19 and 21 of the Constitution of India. This case was clubbed with the petition in landmark case of Shreya Singhal v. Union of India which introduced ‘safe harbor’ provisions in India.[24]

International Jurisprudence: India doesn’t have enough record of litigations on the issue of liability incurred by consumer review sites due to user-reviews. However, there are significant precedents in international jurisdictions such as the USA, the UK and European Union which provide that no liabilities (except the take-down obligation on notice) are incurred by intermediaries (such as user-review sites) due to the false, incorrect and defamatory nature of the underlying user ratings and reviews as uploaded on their platforms.[25]

Recommended Measures:

In order to avoid liabilities with respect to user-reviews, an aggregator platform should put certain safeguards in its Terms and Conditions (“T&Cs”), in line with various international precedents, such as:

  • Add a mandatory set of Community Guidelines which should specifically prohibit user-reviews which are false, unlawful, misleading, defamatory, harassing, or otherwise objectionable.[26]
  • Add a clause in the T&C which will prevent users from posting user-reviews or ratings anonymously.[27]
  • Add a clause in its Community Guidelines which strictly mandates the user-reviews to be unbiased and objective in order to prevent conflict of interest.[28]
  • Forbidding users from posting any copyright or trademarked content in the user-reviews that they do not own.
  • The T&C shall contain a clause indemnifying the platform from any liability for users’ content including user-reviews.
  • The platform is required to deploy technology based automated tools or appropriate mechanisms with appropriate controls to proactively identify and remove access to unlawful content.[29]

(Views are personal only. The content of this blog should not be construed as legal advice in any case.)


[1] Jaani Riordan, The Liability of Internet Intermediaries, 28 (1st ed., 2016).

[2]Linking, Framing, Meta Tags and Caching, Berkman Klein Center for Internet & Society at Harvard University, Berkman Klein Center, available at https://cyber.harvard.edu/property00/metatags/main.html, last seen on 14/02/2020.

[3] Futuredontics Inc. v. Applied Anagramic Inc., 45 U.S.P.Q. 2d 2005 (1998, C.D. Cal.).

[4] World Wrestling Entertainment, Inc. v. Savio Fernandes, 2015 (62) PTC 573.

[5] Posting Third Party Content and Linking, American Bar Association, American Bar Association, available at https://www.americanbar.org/groups/business_law/migrated/safeselling/content/, last seen on 13/02/2020.

[6] Rajiv Kr. Choudhry, Data Extraction: Intersection of Copyright and IT laws in India, SpicyIP, available at https://spicyip.com/2013/10/data-extraction-intersection-of-copyright-and-information-technology-laws-in-india.html, last seen on 08/02/2020.

[7] TATA Sons Limited v. Hoop Anin and Ors., 2012 (188) D.L.T. 327; Washington Post v. Total News Inc., No. 97 Civ. 1190 (PKL) (1990, S.D.N.Y.).

[8] Mattel Inc. & Ors. v. Jayant Agarwalla & Ors., 2008 (153) D.L.T. 548.

[9] S. 13, The Copyright Act, 1957.

[10] S. 17, The Copyright Act, 1957; Eastern Book Company v. D.B. Modak, (2008) 1 SCC 1.

[11] S. 51, The Copyright Act, 1957.

[12] Ss. 2(m) & 2(zb), The Trade Marks Act, 1999; People Interactive (I) Pvt. Ltd. v. Gaurav Jerry & Ors., NMS (L) NO. 1504 of 2014.

[13] S. 29, the Trade Marks Act, 1999; Christian Louboutin Sas v. Nakul Bajaj, 2018 (76) PTC 508 (Del).

[14] S. 52, The Copyright Act, 1957; S. 30(2)(d), the Trade Marks Act, 1999.

[15] PVR Ltd. v. Just Dial Ltd., 2019 SCC OnLine Del 8181.

[16] Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (1997, C.D. Cal.); Shetland Times Ltd. v. Jonathan Wills and Zetnews Ltd., S.C. 316 (1997, Court of Sessions); Imax Corp. v. Showmax Inc., (2000) 5 C.P.R. (4th) 81 (FCTD).

[17] A.S. Cheung & W. Schulz, Reputation Protection on Online Rating Sites, 21 Stanford Technology Law Review 310, 318 (2018).

[18] Braverman v. Yelp Inc., 5. No. 158299/2013 W.L. 712618, at 3 (2014, N.Y.S.C.).

[19] S. 2(w), The Information Technology Act, 2000.

[20] S. 79, The Information Technology Act, 2000. (“Safe-harbor” provisions)

[21] The Information Technology (Intermediary Guidelines) Rules, 2011.

[22] S. 79(3)(b), The Information Technology Act, 2000.

[23] NMSL 968-13 in SL 364-13-954.

[24] Procentris India (Pvt.) Ltd. v. Mouthshut.com (Pvt.) Ltd., AIR 2015 S.C. 1523.

[25] Mcgrath v. Dawkins, E.W.H.C. B3 (QB) (2012, U.K.H.C.) (This case is concerned with reviews and comments posted on the claimant’s book product page at Amazon.co.uk. The Court dismissed the claims of defamation against Amazon); Hassell v. Bird, 5 Cal. 5th 522 (2018, Cal. S.C.) (The US law firm sued its former client for defamation for posting a false negative review on the Yelp! platform, a consumer review site. The Supreme Court of California held that Yelp! clearly falls under Communications Decency Act, 47 U.S.C. § 230 immunity); Magyar Tartalomszolgaltatok Egyesulete v. Hungary, [2016] E.C.H.R. 135 (EU) (The Hungarian courts held the news portal liable for causing reputational harm to a business caused by “false and offensive” user comments. The European Court of Human Rights disagreed with national courts).

[26] Delfi A.S. v. Estonia, (2016) 62 E.H.R.R. 6. (The case concerned threats and anti-Semitic slurs in the user comments section of online newspaper portal, Estonian courts held, and the ECHR in 2015 affirmed, that the platform could be liable for those comments).

[27] Yelp Inc. v. Hadeed Carpet Cleaning, 752 S.E.2d 554, 568-69 (2014, (Va. Ct. App.). (The Court held that litigants may also target intermediaries with subpoenas seeking the identities of anonymous users for claims other than copyright, such as defamation)

[28] Moving & Storage, Inc. v. Panayotov, No. 12-12262-GA. (2014, U.S.D.C. D. Mass.) (when a moving-company review site owned by a particular moving company selectively deleted user-reviews that were beneficial to its competitors, the intermediary lost the “good faith” protection).

[29] Rule 9, The Information Technology [Draft Intermediaries Guidelines (Amendment) Rules] 2018.

National Digital Health Blueprint 2020 needs a review?

With an aim to fix the ailing healthcare facility of the country, Indian government (like other sectors – Finance, Public Distribution System etc.) has opted for digitization as a solution. In January, 2020, the government released a National Digital Health Blueprint which sets out a comprehensive framework for “Federated National Health Information System”. In March, soon enough the COVID-19 pandemic struck the country and underlined the importance of having the National Digital Health Blueprint in action. However, the pandemic situation has also highlighted the many areas of improvement for the Blueprint and the need for urgent action on such improvements. This blog post will put forth the author’s views on the need of studying the Blueprint again and including the concepts like digital therapeutics, digital diagnostics and telemedicine in its scope. The blogpost will also aim to present a picture of the diverse elements of a futuristic digital health ecosystem for India and the role that science, scientists and technology can play in establishing such an ecosystem.


It seems like that Indian government has developed a formidable belief that technology is solution for all the deep-seated problems which are haunting the country’s socio-economic growth since independence. In 2015, the ambitious Modi government launched the “Digital India” programme with an aim to transform India into a knowledge economy, empowered with on-the-go access to information, governance and essential services. This ambition quickly received a reinforcement in the form of JIO’s success, which resulted in increasing the smartphone penetration rate and making India the second-fastest digital adopter in the world. Around the same time, the image of India’s healthcare remained pitiful and harrowing. In the Healthcare Access and Quality (HAQ) Index, India ranked below what can be considered as dismal position – 145th out of 195 countries.

India significantly lacks in implementing most of the World Health Organisation’s (WHO) recommendations regarding the adequacy in terms of doctors, nurses, medical technicians and healthcare facilities as required to cater the population. Owing to such inefficiencies, the country’s healthcare policy has been inconsistent such that India is overburdened with the task of eradicating infectious tuberculosis disease. It is only in this decade that India was able to get the polio-free status for itself. Our country is also facing exponential rise in cases of lifestyle disorders ensuing the endemic of diseases like diabetes and clinical depression. Simply put, these statistics are omen for India as a contender to be in the league of top three fastest growing economies of the world. The government of India itself has noted that in order to realize the real growth potential, the country has to fix the health systems on priority basis by investing adequate finance and manpower. Presently, Indian labor workforce is performing far below its optimum productivity due to many ill-health issues.

Therefore, the government, considering the nation’s emerging forte in digital space, has decided to go digital in healthcare reforms as well in order to analyse the consumption of health services by the population. As per the GoI, the future is technology, and India cannot accomplish its goal of ‘Health for All’ in the absence of digitization of health infrastructure and delivery. India is seeing Artificial Intelligence or Machine Learning as the foundation of accessible, affordable and quality health solutions at the intersection of technologies like biotechnology, robotics and computer science. The digital approaches for upgrading the conventional healthcare infrastructure could definitely be an antidote for the frail healthcare infrastructure given the nation’s population  is increasingly on-boarding various digital platforms. It can also be a great overall strategic direction for India to shape its influence in terms of policy-making in the context of global health. It is indeed a possibility given India’s competitive position in technology innovations and the fact that health-tech market is in a nascent stage, with all the countries almost on level playing field.   

The National Digital Health Blueprint 2020 (NDHB)

The ruling government is envisioning the digital health infrastructure as a system that will fit well or accurately with its larger aim to modernize (specifically ‘digitize’) the public health welfare system. In this line, the missions that have been already initiated by government are Ayushman Bharat, Swachh Bharat, Digital India, and Make in India.

The Ministry of Health and Family Welfare of India (MoHFW), pursuant to its afore-mentioned digital health policy initiatives, released NDHB in January 2020. This is the only detailed official explanation of PM Modi’s proposed National Digital Health Mission. It provides a picture of the entire framework of a “Federated National Health Information System”. It elaborates that the envisioned framework will inter-link systems of private and public health provider organisations serving across primary-, secondary- and tertiary-healthcare services. As the blueprint specifies, this is clearly in alignment with one of the objectives envisaged under the National Health Policy of 2017 i.e., to create an integrated health information system for all stakeholders in the health system, to improve efficiency, transparency and citizen experience.

The NDHB is indeed a well drafted document as it comprehensively shows the way the reformers have to tread in order to carry out the colossal task of developing an extensive database of electronic health records, which will be available as single source repository of health data per unique patient within India. Beyond this, state-wise datasets containing information of health-workers (doctors, nurses, paramedics) and health facilities, disease registries, inventories, and insurance claim records will also form the essential element in federated system. The blueprint provides that the database hub and key facilities will be hosted by the Health-Cloud (H-Cloud). Similar to the Aarogya Setu’s API release, the federated system will also be interoperable to allow seamless data exchange.

The blueprint obviously lists the standards for maintaining the privacy and security of the digitized health data (The next blogpost on the National Digital Health Mission will exhaustively deal with privacy and security related aspects – we also have interesting classified updates for you in that post). Project implementation will not be gradual or stage-wise, but it will follow the scheme of technology sandbox to test and roll-out the massive data-management infrastructure. The infrastructure will be further used for tracing the real-time stats related to population-wide health status. The customized and timely interventions will be made if the predictive analytics of the stats forecast community outbreaks or disease spread propensity by region. The running algorithms will be deployed to optimize data analysis and allocate scarce resources at district and state level, and more.

It has to be kept in mind, and can be inferred from the blueprint, that there are three prerequisites for successfully initiating the exercise that the NDHB proposes:

Uniform internet and telecommunications availability across the country;

An extensive network of primary healthcare centres for service delivery; and

Trained health workforce.

Presently, all these three are work in progress in India wherein Second and Third points really require a special focus.  Internet penetration in India has picked up a good rate but healthcare on field is definitely lacking. The government has to create a solid foundation through uninterrupted support, spirit and funding.

The envisioned integrated national-health data hub will be a vital asset to run process and analyze all the complex health data, which can be leveraged for creating accurate policy-designs and well-gripped implementation control. For example, through algorithms, timely automated intervention within the health system will increase cooperation. As soon as certain stat will touch a determined threshold, the notifications will trigger the appropriate health-crisis management authorities. The entire process will include relaying of targeted messages within the population, automated stock and inventory management warnings, and virtual medical training and research, to create a strong foundation for affordable and efficient healthcare. Once operational, the database is expected to connect and expedite India’s slow-moving fragmented health system. While this will not immediately fix the system entirely, it is surely a step towards making it efficient and future-ready.

Is everything right with the Blueprint?

The Blueprint definitely mentions about the great plan of futuristic healthcare infrastructure. However, it is still far from being an “all-encompassing vision document” which is needed to provide solution to two-fold issues: (a) A launch pad for India’s digital health ambition, and (b) Need of resolving the deeply entrenched issues with healthcare that persist for years now. Therefore, it is needed to trace specific to context use cases recognizing the problems that are unique to India.

Even the WHO’s guidance has made the point that digital-health interventions must be treated as supplements, not substitutes, for functioning health systems. The Blueprint requires major upgrades to its dimensions- which means priority push for digital policy on therapeutics, diagnostics and medicine.

Policy action needed to reform therapeutics and diagnostics in India must be aligned with the broader AI policy of India. The current version of India’s AI policy provides “healthcare” as one of the most promising areas but admits the obstacles it will face in creating a new path. India is not alone in this predicament. Recognizing best practices around the world and picking out unique use-cases, the following points must be considered to strengthen the policy in terms of therapeutics and diagnostics:

1. Promoting indigenous innovation in health-tech while maintaining technological sovereignty;

2. The use-cases with respect to healthcare must be selected keeping in mind the inherent infrastructure limitations and resource shortages;

3. While going digital, it is important to keep patient safety as priority through adopting regulatory frameworks that mandate scientific and clinical validation of products/services;

4. One thing that is essential to the traditional doctor-patient relationship is trust. The approach must invest in creating a reliable infrastructure.

5. Real-world transparency, data confidentiality, cyber security and ethics should be the foundational principles when an innovator envisages a health-tech innovation. Proper guidelines for medical software developers and policy on transparent data-sharing agreements wherein, rights of patients are protected must be rolled out at the earliest.


Therefore, it is important to say it again, the Digital Health is not the immediate relief given the limitations of the India’s healthcare, i.e. inadequate infrastructure and resource shortages. However, one thing we have learnt for sure is that a better-connected and digitized nation is better-prepared to achieve sustainable development goals if policy’s approach is inclusive in real sense, and to face unprecedented black swans of magnitude like Covid-19 pandemic. Digital health adoption will bring many changes in the functioning of the current system across the value chain. The benefits of public goods, products and services under this category must be maximized, with minimum disruption to the society. If all goes well i.e. policy implemented properly and limitations checked promptly, the NDHB could be a chance for India to get rid of its ailing healthcare infrastructure.

(These are personal views and opinions of the author and do not necessarily reflect views of any organisation)

Hopes and Doubts related to Telemedicine Guidelines in the context of Data Protection

Author is Vineet Gupta, Volunteer Researcher, LawforIT. He is actively involved in a research on privacy policies of different leading online medical consultation platforms. Policy paper will be soon available on the Blog.


The Medical Council of India jointly with the NITI Aayog notified the Telemedicine guidelines in midst of the Coronavirus Pandemic. These guidelines can be seen as a first attempt in providing some amount of relief, in regards to legal gaps and anxieties around the practice of medicine by doctors via communication devices.

Although, historically (with the advent of technology) telemedicine has been widely performed in India, for long there has not been any type of legal mechanism for the same. From the introduction of the Communication channel by ISRO in 2001, linking Chennai’s Apollo Hospital with the Apollo Rural Hospital at Aragonda village in the Chittoor district of Andhra Pradesh[i] and to the hundreds of apps providing for online consultation today, we have come up a long way. With the technological up-gradation and boom in the telecommunication sector, it was quite common for a patient to seek recommendations from their family doctors on calls, WhatsApp messages, and even video conferencing. Realizing the potential around telemedicine and its outreach, the internet was flooded with many startups acting as intermediaries that provided a channel between patients and doctors for online medical consultation.

On one side telemedicine was gaining popularity and on the other side, there was also a certain amount of anxiety, backlash, and confusion around the practice of telemedicine. With no proper guidelines among the practice of telemedicine, the doctors were kind of hesitant in providing online/telephonic consultations. They were also pressurized by the medical associations (some of which even declared telecommunication as unethical and practice of which can lead to cancelation of license)[ii]. The patients were hesitant to get telemedicine and a little reluctant to provide their sensitive information online to unknown doctors. They were scared as for long there was no telemedicine and data protection law in place. Most importantly many people, especially the rural population were, and are unaware of the potential of telemedicine and its application in this Technological era. The introductory part of the guideline’s states that:

“In India, till now there was no legislation or guidelines on the practice of telemedicine, through video, phone, Internet-based platforms (web/chat/apps, etc). The existing provisions under the Indian Medical Council Act, 1956, the Indian Medical Council (Professional Conduct, Etiquette and Ethics Regulation 2002), Drugs & Cosmetics Act, 1940 and Rules 1945, Clinical Establishment (Registration and Regulation) Act, 2010, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 primarily govern the practice of medicine and information technology. Gaps in legislation and the uncertainty of rules pose a risk for both the doctors and their patients.[iii]


The case of Deep Sanjeev Pawaskar and Anr. v. The state of Maharashtra[iv] was by the high court of Bombay a doctor provided advice to ailing patient online due to lack of unavailability of routine doctor and unfortunately, the patient died. The high court held the doctor as negligent for using telemedicine to treat the emergency. This case led to widespread criticism as the patient would have died irrespective, and telemedicine had no role to play. The above case triggered the need for new legislation, and the need for remote doctors in coronavirus pandemic led to the expeditious introduction of these much-awaited guidelines. These guidelines have opened a door to the future of telemedicine in India. While a lot has been discussed upon the salient features of this act, I will be strictly adhering to the examination the guidelines concerning personal data protection concerns.

Locating privacy under Telemedicine Guidelines

In the course of doctor-patient interaction, a significant amount of data exchange takes place from the side of the patient and the guidelines also makes it compulsory for the RMP to store and keep a record of all this electronic health record[v]. A Registered Medical Practitioner (RMP) is free to choose the mode of communication for providing telemedicine[vi]. The guidelines provide for various types of information related to health conditions which are needed to be provided by the patient to the RMP over telemedicine[vii]. Further, the guidelines provide for the maintenance of privacy as well as medical ethics following the Indian Medical Council act and rules[viii]. The guidelines also state that the RMP would have to follow and abide by various data protection laws such as the Information Technology Act and other data protection laws and rules (present as well as notified in future) which provides for the protection of patient’s data[ix]. The guidelines also highlight the breach of confidentiality by the doctors would be declared misconduct and will be penalized by IMC act, ethics, and other laws[x]. The doctors are exempted from charges in cases where there is reasonable evidence to believe that the breach is due to some technological error with no involvement of the RMP[xi].

Reading Telemedicine Guidelines with data privacy laws

Personal information and Data protection Rules 2011

It is quite clear that telemedicine guidelines would have to be read in conjuncture with data protection laws of the country to protect the privacy of the patients. After the judgment of K.S Putttuswamy v. Union of India[xii], privacy is well recognized as the part of the fundamental rights of the citizens. The data protection laws in India are governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT act. The judgment of Puttuswamy has led forth the Personal Data Protection Bill, 2019 which is in the process of getting passed by the parliament any time soon this year or the coming year[xiii]. The IT rules of 2011, as well as the new personal data protection bill, treats ‘Health Records’ as ‘sensitive personal data or information (SPDI)’. Under the IT acts data protection rules, when a corporate body deals with SPDI (collection, storage, transfer, or processing of SPDI) the data protection rules get activated. The data protection rule considers consent as an important requirement so a doctor or institution is required by law to obtain the consent of the patient in writing for use of any of his data[xiv]. There is also a restriction of sharing SPDI to the third party without the consent of the patient[xv]. The institution collecting such SPDI also has to put a policy in place and mention clearly on their websites[xvi]. A standard of procedure to store data has to be maintained as well as there should be a requirement of modification[xvii] and opt-out[xviii] their SPDI if the need arises.

Role of Intermediaries

There are many e-health apps which just act as a facilitator between the patient and the doctors and are not as such directly involved in the transaction[xix]. In these types of cases, such apps or companies will act as an intermediary and would be subjected guidelines of IT act specifically for the intermediaries. Such intermediaries have to initiate certain due diligence such as including terms of use, the appointment of grievance officer, and removal of offending/unlawful content within 36 hrs of request.

Telemedicine Guidelines: gaps are still needed to be filled to protect mass sensitive data

With the advent of Corona virus pandemic even a lot of state governments are actively involved in providing their own guidelines[xx] and facility of telemedicine[xxi] through their empaneled state government doctors or through Public private partnership Apps and facilities. Although telemedicine has opened a whole new legal world still there are various legal inadequacies in the Telemedicine sector which the present telemedicine guidelines, IT act, and rules do not properly address.

Firstly the telemedicine guidelines make no difference between ‘data fiduciary’ (person who stores, collect and process massive volume of important data) and ‘social media intermediary’ and also what if both are the same. For instance, many corporate hospitals (eg Apollo)[xxii] which have a wide range of medical business are also providing telemedicine. Some pharmaceutical companies (eg. Lybrate)[xxiii] are also in the business of telemedicine.

E-Pharmaceutical companies are already facing uncertainties in regards to online sale of drugs with central government coming out with Draft Rules 2018 to regulate e-pharma amending earlier Drug and cosmetic rules of 1945[xxiv]. These rules will also throw light on protecting data of patients seeking medicines online. But how will draft rules and telemedicine guidelines be able to regulate e-pharma companies who are even providing telemedicine is an area government needs to focus on since these types of companies have huge amount of sensitive data of patients and prone to misuse. Many of these apps even provide for their internal channels of communication for doctors and patients. While taking services from these sites there would be the transmission of the huge amount of electronic medical records to these companies. Since doctors belong to the same company or use a communication channel of the company who is acting as social media intermediary, then believing that data is not shared between them is being very optimistic.

Access to such a huge amount of ‘sensitive personal data’ to the hands of corporates without any supervision is troublesome. These data might be used to create an algorithm for targeted advertising, sharing with 3rd parties, and moving huge data outside the country. In such a scenario if there is any data breach who would be liable? is a question on which the guidelines are silent. And as the data protection law stands today, there is not much to offer.

So, we have to go through the pending data protection bill[xxv] to find some answers. In the Data protection bill two types of entities have a huge due diligence obligation in terms of dealing with personal data’s namely ‘significant data fiduciary’ and ‘social media intermediary’. Under the bill, the obligation which is associated with the significant data fiduciary (a person holding a huge amount of important data to be notified government) is extended to the social media intermediary(‘an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services[xxvi]’). These significant data fiduciaries and social media intermediaries will be notified by the government.

In addition to provisions provided for significant data fiduciaries like maintenance of records[xxvii], data protection impact assessments[xxviii], an audit of policies[xxix], and appointment of a data protection officer[xxx], Social media intermediaries are obligated to put forth an option to the users (registering from India or using the services in India) for voluntary verification of their accounts. The provisions for ‘significant data fiduciary’ and ‘social media intermediary’ seems promising for companies dealing with electronic medical health records but whether these hospitals providing telemedicine would be notified under ‘significant data fiduciary’ or the e-health apps storing huge amount of data as ‘social media intermediaries’ is a question of time as the bill is still pending.

Parting note

The telemedicine guidelines are a huge breakthrough in the field of medical sciences. The guidelines have tried to address a huge amount of anxieties and uncertainties about the practice of telemedicine but in the context of data protection, the guidelines sadly have not much to offer. The guidelines have to be read along with data protection laws of the country and as the data protection laws of the country currently stand there is not enough impact to ensure the protection of sensitive patient data from the hands of big hospitals doing telemedicine themselves and e-health apps acting as an intermediary for telemedicine. The new data protection bill, 2019 if passed as it is, it would address a lot of these gaps provided the government notifies these hospitals and e-health apps as significant data fiduciary and social media intermediaries respectively. Another pending bill such as Digital Information Security in Healthcare Act (DISHA), a regulatory platform for sharing digital records among hospitals and will be based on setting digital health records in the country[xxxi].  DISHA  will be clubbed with Personal data protection bill along with telemedicine guidelines would be something to look forward.

[i] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6618173/

[ii] https://medicaldialogues.in/indian-medical-association-seeks-clear-cut-guidelines-on-telemedication-from-medical-council-of-india

[iii] https://www.mohfw.gov.in/pdf/Telemedicine.pdf

[iv] Criminal Anticipatory Bail Application No. 513 OF 2018

[v] Telemedicine guidelines 2020, section 3.7.2

[vi] Telemedicine guidelines 2020, section 1.4.1

[vii] Telemedicine guidelines 2020, section 3.5

[viii] Telemedicine guidelines 2020, section 3.7.1

[ix] Id

[x] Id

[xi] id

[xii] 2017 10 SCC 1

[xiii] https://prsindia.org/billtrack/personal-data-protection-bill-2019

[xiv] Rule 5(1) of the Data Protection Rules

[xv] Rule 7 of the Data Protection Rules

[xvi] Rule 4(1) of the Data Protection Rules

[xvii] Rule 5(7) of the Data Protection Rules

[xviii] Id

[xix] https://www.dr-hempel-network.com/digital-health-startups/doctor-patient-platforms-in-india-success/

[xx] See Maharastra: https://www.maharashtramedicalcouncil.in/Files/Notifications_26032020_MCI%20Notification%20Regarding%20TELEMEDICINE.pdf, See Karnataka: https://www.mondaq.com/india/healthcare/905172/karnataka-government-notificationregulations-on-covid-19

[xxi] See kerela: https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/kerala-govt to-use-telemedicine-service-e-sanjeevani-for-non-covid-patient-care/articleshow/76370573.cms?from=mdr,

See Westbengal : https://www.newindianexpress.com/nation/2020/jun/30/west-bengal-sets-up-covid-warrior-club-to-help-contain-pandemic-2163150.html, See Tamil Nadu: https://tsitn.org/telemedicine-facilities-in-tamil-nadu/, See Karnatka: https://economictimes.indiatimes.com/news/politics-and-nation/karnataka-govt-launches-apthamitra-helpline-and-app-to-fight-covid 19/articleshow/75293952.cms?from=mdr, See Delhi: https://www.newindianexpress.com/cities/delhi/2020/jul/04/aap-launches-district-surveillance-telemedicine-hub-to-help-with-covid-19-requirements-2165260.html, See Rajasthan: https://timesofindia.indiatimes.com/city/jaipur/rajasthan-government-starts-free-medical-tele-consultation-service/articleshow/75540116.cms

[xxii] id

[xxiii] id

[xxiv] https://www.mondaq.com/india/food-and-drugs-law/865476/regulations-for-online-sale-of-medicines and-drugs-in india#:~:text=India%3A%20Regulations%20For%20Online%20Sale%20Of%20Medicines%20And%20Drugs%20In%20India&text=The%20draft%20rules%20prescribe%20that,registered%20with%20the%20applicable%20authority.

[xxv] Supra

[xxvi] Section 26 (4) Private Data protection bill, 2019

[xxvii] Section 28 Private Data protection bill, 2019

[xxviii] Section 27 Private Data protection bill, 2019

[xxix] Section 29 Private Data protection bill, 2019

[xxx] Section 30 Private Data protection bill, 2019

[xxxi] https://pib.gov.in/Pressreleaseshare.aspx?PRID=1578929

Public health surveillance in India: concerns of an individual’s liberty and privacy amid a pandemic

(This article extensively borrows from another article that authors wrote for and first published on the Leaflet)

The world is grappling with the kind of situation that it has never seen before. The rapid pace of COVID-19 spread made it necessary for the governments around the world to use extreme means and measures that would otherwise be considered Orwellian. These emergency measures by the governments are attempts to effectively enforce a lockdown and strictly prohibit movement of the citizens in a bid to break the chain of infection.

As Governments are attempting to contain the contagious virus, the use of technology for monitoring people undergoing quarantine has doubled in order to combat the spread of the virus. Ordinarily, under such developing Orwellian state of affairs, civil liberty activists and privacy advocates stir commotion; considering the scale of the crisis, they seem to tacitly embrace these measures. It is obvious that this pandemic is reshaping our relationship with surveillance technology, albeit to the fear of some the surveillance that could become a norm.

World under surveillance

Across the globe, countries are expansively deploying tech-enabled surveillance infrastructure of Face Recognition Technology (FRT) based CCTVs, drones and cell phone tracking devices for contact tracing and enforcing quarantine. Growing number of countries such as Israel and South Korea are ‘contact tracing’ using mobile applications or cell phone records. It is a process of mapping travel history of an infected person by analyzing location records of the cell phones. It is followed by pinpointing the other contacts for quarantine that might have come in contact with such a person. Meanwhile, Taiwan has gone a step further in quarantining the traced contacts by deploying an ‘electronic-fence’. If a mobile user’s SIM card is tracked beyond the reach of a network station or found to be switched off, law enforcement authorities quickly approach the suspect.

In India, law enforcement authorities across the nation are increasingly using technology to monitor and restrict the spread of the virus. In several states such as Rajasthan, Punjab and Delhi, local authorities have published a list of personal details, in online media and newspaper, of those suspected or infected of COVID-19. The Karnataka government has taken this to an inordinate level by mandating all quarantined persons to send a selfie with geo-tags through an official app named ‘CoronaWatch’ every hour, except between sleeping time 10 PM to 7 AM. Now, the Ministry of Electronics and Information Technology (MeitY) has also launched an app- ‘Aarogya Setu’, which uses Bluetooth and GPS to alert an individual if they come within six feet of a Covid-19 infected person.

The case of “Public Health Surveillance”

Law enforcement agencies of different countries are carrying out tech-enabled surveillance on their citizens to ensure compliance with the rules of social distancing and lockdown. In normal times, such measures are targeted against terrorists or criminals; while also scrutinized vide privacy and civil liberty concerns.

However, even the World Health Organisation (WHO) has sought to play down privacy concerns in these unprecedented times, by terming the measure as “public health surveillance”. The WHO has simply legitimized the governments’ argument that the extraordinary situation of COVID-19 pandemic necessitates the use of an extraordinary measure of mass surveillance. The public health emergency of such magnitude is being touted as a valid justification for deploying tech-enabled mass surveillance and subversion of individual rights.

Is surveillance a matter of concern for India?

There are certain unique reasons due to which implementation of these emergency measures, in India, are worrisome.

No clarity on the legal basis for surveillance measures

Firstly, in India, neither the central government nor the state governments have provided any legal basis for directing such tech-enabled surveillance measures. For instance, neither of the official press release of the Aarogya Setu app and Karnataka’s ‘mandatory selfie direction mention any legal grounds for such directions nor have they provided any privacy policy with it. The absolute abandonment of civil liberties and privacy in the interest of public health, without the bare minimum legal foundation, portends negative consequences

The government has invoked the Epidemics Diseases Act, 1897 and Disaster Management Act (DMA), 2005 to deal with the COVID-19 outbreak. Both, the colonial era Epidemics Diseases Act and NDMA, do not cover surveillance in their scope. Although, there is an argument that basic residuary power to take ‘necessary’ steps to curb the spread of virus, under the mentioned laws accord a legitimate authority to government for surveillance.

It is unclear why the government has not availed these very basic residuary powers to also notify the standing rules on privacy or lawful manner of deployment of tech-enabled surveillance measures. As a natural consequence, government directives infringing an individual’s right to privacy cannot be tested for their legality without any standing rules for arbitrariness and lack of accountability. This is particularly dangerous in a country like India where a data protection statute does not exist.

The use of unregulated novel technologies for surveillance provides no legal checks and oversight

Secondly, the details regarding the technological capabilities of the government for surveillance are largely a secret. It is the sudden outbreak of pandemic that has forced the government to openly introduce a deluge of unregulated, contemporary and emerging technologies for mass surveillance. There is a growing concern among certain privacy advocates that the tech-enabled surveillance could persist beyond the pandemic once it gets accepted and normalized in the present emergency times. History is witness that world’s most dictatorships and authoritarian regimes emerge amid the crises.

There is no information available about the extent and scope of the government’s capability and techniques. The secrecy about the techniques of surveillance impedes the legislative checks or institutional audits. If the public is unaware of how a technology works (due to non-disclosure by the Executive), the said manner of surveillance then cannot be even challenged in a court of law. Therefore, such secrecy is nullifying the system of checks and balances in favor of the ever-augmenting executive power.

Several surveillance techniques are disproportionate and unnecessary

Thirdly, due to the use of technologies of varying level of invasiveness, there are doubts regarding the necessity and proportionality of such measures in relation to the right to privacy and individual liberty.

The Puttaswamy (I) judgment upheld, explicitly recognized in reference to public health, that to legitimately restrict fundamental rights such as privacy and liberty for implementing a measure, such measure should be proportionate in nature. In the case, the SC held that a government measure is proportionate if it satisfies following four criteria: 1) that the measure should pursue legitimate purpose; 2) that the measure should be rationally connected to the purpose; 3) that there should no less intrusive alternative measure available; 4) that the measure should accrue public benefit greater than the extent of infringement of a constitutional right.

More than half of the population of the country doesn’t have access to the internet services. In the context of such a scenario, how is surveillance through mobile application is a necessary measure? Further, several state governments are taking extreme measures of disclosing the home addresses and other personal details of infected and suspected persons, which grossly fall afoul of three prongs of the constitutional test upheld in the Puttaswamy I judgment. An obviously lesser intrusive measure such as informing at a locality level about the presence of infected cases in areas could have sufficed. Allahabad HC also held such practices, publishing personal details of anti-CAA protestors in public, of the UP government as “arbitrary invasion of privacy”.

Karnataka has rolled out a mobile application which comprehensively discloses the location history and home addresses of persons infected and quarantined. Also, some of the states are publicly listing such details wide in social media channels. Such invariable disclosure of private information of infected and suspected persons has prompted concerns and possibilities of social intimidation.

There have already been reports from across the nation of infected and suspected patients facing the stigmatisation, and various forms of discrimination which are further resulting in a negative social impact. For instance, in Maharashtra, public listing of coronavirus suspects on social media led to several cases of forceful eviction of quarantined people by their landlords.

Such events question the proportionality and necessity of the measure as it would have been a satisfactory measure if the government has alternatively chosen a lesser intrusive measure.

Ways to resolve the concerns

There is no denying that certain limitations can be imposed on civil liberties given the urgency of the COVID-19 crisis. However, in a democratic set up like India it is expected from the government that its actions should be transparent and provide a window to the public to assess the government’s accountability. All the worrisome aspects related to public health surveillance measures can be subdued by making concerted efforts to introduce legal backing for its actions, to establish institutional oversight and to use the least intrusive means.

For providing the legal basis, the government can issue the standing rules that would lay down the legal and accountability measures for the responsible local authorities undertaking public health surveillance. The governments should avail the residual powers under the NDMA and the Epidemic Diseases Act to also issue the ad-hoc rules and guidelines in addition to the emergency surveillance measures. These rules and guidelines will provide the mechanism under which surveillance can be carried out without causing deterrence to an individual’s privacy and liberty.

The government can presently provide such ad-hoc rules for privacy protection based on similar principles as delineated in the Personal Data Protection Bill 2019 (“PDPB 2019”) for the data collection during health emergencies. Clause 12 of the PDPB 2019 exempts the data fiduciaries from taking consent under urgencies like pandemic, but strictly imposes requirements of data minimization or purposes limitation, lawful processing, transparency and accountability. Introduction of such principles will ensure that the information collected surveillance is being handled under the constitutional checks to maintain privacy as much as possible

Such ad-hoc rules will obligate the government as a data fiduciary to follow principle of purpose limitation such that the authorities should only collect the minimum possible data which is sufficient for tracing contact, enforcing quarantine and any other lawful and specific purpose. The government shall use the anonymised data only and adopt all security measures to prevent leaks and maintain confidentiality of personal data of data subject. The rules will also mandate the government to delete the collected data at the earliest after it has been used for the specified purpose. This will automatically shun away the emerging concern that the surveillance’s effect could persist beyond pandemic. Further, it will inhibit the misuse of personal data and abuse of surveillance measures.

The surveillance measures aim to keep people in quarantine and check the spread of infection for their benefit, therefore it is suggested that the government should hold no secrets about its surveillance techniques and manners. It should adopt a method of “Public Notice” system such that the local district administration has to notify the model of surveillance to the public before conducting surveillance.

At the very least, this notice should disclose the legal rules governing the tech-enabled surveillance measure, and its purpose. It should be clear on the authorization required for the retention, access, and use of information collected through the use of such novel technology. Such a notice would provide the transparency in the process of imposition of surveillance and allow the legislature and public to exercise meaningful control and oversight over the manner of deployment of unregulated technologies for surveillance.

Parting note

Unarguably, the present situation calls for the governments to take substantial measures to protect the lives and health of public at large, but this should not happen in the utter disregard of constitutionally recognized rights to privacy and individual liberty. The policies and techniques of government should be legitimate and proportionate in order to maintain the democratic principles of public trust and transparency. There is no hard choice between public health and individual’ right to privacy and liberty. Both can mutually co-exist under the legal framework that guarantees the challenge to unnecessary expansion of the surveillance regime.

As pointed out by Deborah Brown, senior digital-rights researcher at Human Rights Watch, “surveillance measures should come with a legal basis, be narrowly tailored to meet a legitimate public health goal, and contain safeguards against abuse”.

Therefore, the government should definitely focus on the situation of urgency for many, instead of investing focused efforts in ensuring rights for few but should not absolutely ignore its accountability towards any section of the community. These fundamental rights are lung to the edifice of our entire constitutional system. The government should make efforts to prevent any injuries to it as much as possible.

COVID-19 crisis is changing Tech related Law and Policy: Surveillance, Fake news, Telemedicine, and Internet

As I view things and events around the world from the comfort of my home, this blog is my take on how regulations related to technology will get impacted due to the COVID-19 pandemic. As they say, sudden and unexpected events often lead to systematic and permanent changes.  Work from home is a mandate now, as the fear of personal contact and surface contact is prevalent, everyone has uncertainty about the impact of infection. There are even doubts on the globalization given the infection is spreading from one corner of the world to another.

Given the fact that COVID-19 is a pandemic, the authorities have commanded us to practice ‘social distancing’ (trending buzz word on social media) under the twenty-one days lockdown. Hence, there is an unwillingness to engage socially among masses now. As there are shifts in perceiving the world now, there is a shift in the understanding of technology as well. Governments around the world are now valuing its role more than ever and understanding the need for the well-drafted technology policy, as they rush to contain the spread of COVID-19.

Following are the potential changes that we can see in the technology policy of India during and after the COVID-19 crisis.

Increase in the adoption of internet services

With the reach of the internet increasing up to 500 million users and over 660 million broadband subscriptions, internet penetration in India is much evident. However, the present situation is proof that it has been a boon for us that Jio entered the market and made the internet more accessible than ever. The internet is an essential service and something that has kept the masses engaged and sane in their homes during the nationwide lockdown. India has the cheapest internet access in the world, but still, as the crisis gets over, the government will definitely consider more options of making internet services more accessible to the poor of the country which is largely suffering in this crisis. In the present lockdown state, it is important to mention the situation that exists in Kashmir where just the 2G internet is available with the speed which is good for nothing.

India has the cheapest mobile data in the world with 1GB costing just Rs 18.5 (USD 0.26) as compared to the global average of about Rs 600, research by price comparison site Cable.co.uk showed. Average Wireless Data Usage per wireless data subscriber per month is 10.37 GB.

Work from Home

Zoom, a video-meeting app, has seen a significant rise in its download over the last week. With employees are unable to attend offices, video conferencing services that work over the internet has become significant. Again, such applications make access to internet an essential service for operating the business online (a fundamental right). As the employment laws are being discussed these days to understand the place of Work from Home in the law, post the crisis policymakers will definitely deliberate on this and provide a permanent solution for it.

Certain important points for reference of readers from the advisory issued by the government in relation employment laws:

The Ministry of Labour & Employment, Government of India advised on March 20, 2020, that all public and private organizations are to refrain from terminating the services of their employees or reducing their wages.

The Ministry of Labour & Employment has extended the deadline for filing the Unified Annual Return for 2019 under eight laws that were filed on the Shram Suvidha Portal to April 30, 2020 (the previous deadline was February 1, 2020). The notification further states that authorities are not to take action against any entity that did not meet the earlier deadline.

The Employees’ State Insurance Corporation (ESIC), through its communication dated March 16, 2020, has extended the dates for filing of ESI contribution and payment. Accordingly, all contributions for the months of February 2020 and March 2020 can be filed and paid up to April 15, 2020 and May 15, 2020, instead of March 15, 2020 and April 15, 2020, respectively.

The Government of India will contribute the employer contribution (on behalf of companies) and employee contribution (on behalf of employees of those companies) towards the Employee Provident Fund Organization (EPFO) for the next three months for establishments with up to 100 employees meeting certain base salary thresholds.

All EPFO members (employees) will now be able to withdraw up to 75 percent of their total EPFO fund or an amount equivalent to three months of their salary, whichever is lower. The amount withdrawn from EPFO shall be non-refundable, and the employees do not need to return the same to their EPFO account.

Streaming services and regulations

In the process of home quarantine, the dependence on the streaming services is so much that the internet service providers have asked streaming platforms like Netflix and Amazon Prime to reduce the bits rate, in order to lower the stress on networks. The streaming platforms have duly conceded to this demand considering the continuous requirement of providing services to consumers. Consumers are realizing the benefits of streaming platforms and hence there is going to be a potential increase in subscriptions going forward, converting to paying users. In terms of policy-making, if streaming services have the potential to displace traditional entertainment services, the Indian government will look for regulating the content more than ever. Government is already in consultation with the stakeholders regarding options of self-regulation or government regulation.

Increase in demand for spectrum to meet the consumer demand

The percentage of connections that are based on a wireless medium is a staggering 96% approx. Therefore, in the light of increased adoption of the internet for continuous entertainment and work at home has led to increased stress on telecom operators. Therefore, with the 20% sudden increase in demand, telecom operators have sought more spectrum allotment from the government.

A new perspective for e-commerce

The government has rightly considered E-commerce as the provider of essential services during the present situation. Their adequate performance under the lockdown can provide them with a deep sigh of relief, as for the past few months, their food and grocery delivery services have been under the strict supervision of the government. There are several lobbies representing the brick and mortar retailers of groceries and food that have targeted e-commerce market and posed it as a threat to the business of offline retailers across the country. The opportunity for them to legitimize the need for online service during the lockdown has done what demonetisation did for digital payments.

Offline print becomes the victim

Online media channels are also opportunists that are gaining certain traction in terms of consumers. The newspaper industry seems to have been hurt by contact to contact the spreading nature of the COVID-19. Various online posts and WhatsApp threads are flowing in the online media that newspapers are potential vectors of COVID-19. In one of the cases, the Times Group has sent a legal notice to The Print for an article which suggested that COVID-19 can potentially spread through newspapers as well. Therefore, there could be a rise in online media usage and could lead to a rift between offline and online media.

A struggle to contain fake news or misinformation

The sensational way in which COVID-19 crisis has led to the nationwide lockdown is much due to the sensationalized content related to COVID-19 which is spreading through the social media across the country faster than the virus itself. The amount of misinformation spreading about COVID-19 is at large scale, and platforms are struggling to deal with it, especially given the lack of continuous moderation by social media platforms which are not warranted legally. This has given several blows to the effectiveness of lockdown given the people believed on certain misinformation such as cow urine is the cure of COVID-19, the religious congregation will protect from the disease etc, which led to people not take lockdown seriously. Understanding the struggles with automatic moderation of the content on the internet, the government can sooner than before enforcing its strict moderation policy which undermines the right to free speech.

The twenty-one days lockdown recently faltered when an exodus of the large number of migrant workers from urban cities like Delhi and Jaipur came in light. The Supreme Court’s division bench in a hearing on Tuesday, while reviewing the steps that the central government has taken to provide relief to the poor migrant workers during the lockdown, expressed serious concern over spread of fake news or misinformation regarding lockdown’s duration on social, electronic and print media causing the mass exodus of migrant worker from cities to their homes in villages. Read the SC’s order here. Centre in this light has sought direction from SC that no media stakeholders should publish COVID-19 news without ascertaining facts with government. Although, The constant and close monitoring has been held as not warranted by law as per various precedents of Indian courts.

Privacy, necessity and proportionality

While the right to free speech could be threatened in the future due to the present crisis, the right to privacy has already dealt with several blows. Considering the situation of emergency and lack of any comprehensive law protecting the privacy, the privacy of a number of citizens have been compromised. The health status of quarantined/ or infected is open to all as their homes are being marked and personal details are being made public on social media. Governments are openly surveilling quarantined people for ensuring the enforcement of quarantine and inviting bids from technology companies to procure technology that can make continuous surveillance more effective. In India, several governments are already tracking citizens by keeping a tab on their phones or utilizing geofencing. The crisis has legitimized much longing plans of the government to create an infrastructure which can assist in surveilling its citizens whenever the need arises. Given the opportunity, the Department of Science and Technology has invited proposals and has set up a task force for building surveillance, AI and IoT tools.

As several privacy activists have opinions against the government’s plan to keep track of infected persons. If litigation arises, the question is whether the present circumstances will meet the necessity and proportionality test in order to justify the violations of privacy?

Drones as part of law enforcement

Drones, in some cities, are being used for surveillance to ensure that the current curfew is not violated. Drones allow the police to surveill and document, in a low risk manner. In cities like Chennai, they are being used to disinfect areas. If all goes well in these difficult times of crisis, then expect that police will place more orders for drones going forward, and many tasks will be automated.

Telemedicine guidelines

One of the prime examples of the proposition that experience of COVID-19 crisis will pace up the policy-making with respect to regulate technology is the rollout of a set of guidelines for telemedicine or remote delivery of medical services. Telemedicine practice means that doctors will now be allowed to use information and communication technologies as per guidelines for the exchange of valid information for diagnosis and treatment of ailments with patients. In order to assure steady and quick medical services during the nationwide lockdown, Ministry of Health and Family Welfare finally sanctioned the guidelines that have been proposed ten years ago. Globally, telemedicine has emerged as a front-line weapon against the COVID 19 pandemic. The situation under present crisis motivated the government to provide the concept of telemedicine among masses explaining that the unnecessary exposure of people involved in the delivery of healthcare can be avoided using telemedicine, as patients can be screened remotely.

COVID-19 Lockdown Guidelines [updated with Addendum]: E-commerce for essential services, key takeaways & punishment under section 188 of IPC

The Ministry of Home Affairs has issued guidelines on the measures to be taken by government authorities for containment of COVID-19 epidemic, which exempts delivery of all essential goods through e-commerce from the 21-day lockdown that had come in effect from midnight today. E-commerce will operate without restrictions in order to deliver food, pharmaceuticals, and medical equipment.

MeITY issues advisory to State Governments

On the same lines, the Ministry of Electronics and Information Technology (MeITY) through an advisory has directed all state governments to permit IT/ITeS industries to carry out essential functions which include delivery, warehouse operations, shipping and logistics.  There are cases and videos reported from several parts of countries of police officials halting and beating delivery executives in order to enforce the implementation of the lockdown. Therefore, the advisory by MeITY will help in ensuring that delivery executives and other associated employees carry out these functions. The Ministry advised the state governments to treat “copy of orders, waybills, invoices” as evidence.

Reuters had reported that e-commerce and online grocery delivery services were being disrupted across the country as multiple states have locked down to contain the COVID-19 pandemic. Section 144 has also been imposed in multiple parts of the country, making it harder for delivery personnel to operate, and for warehouse employees to get to work. Flipkart and Amazon temporarily suspended logistics services for sellers across regions, according to an Economic Times report. The problem that e-commerce companies are facing right now is that different states have come out with different guidelines on their operations during the pandemic. For instance, the Tamil Nadu government has banned home delivery services such as Zomato and Swiggy as the state goes into lockdown, but the Maharashtra government exempted food delivery as the delivery of an “essentially good”.

Therefore, the MeITY advisory will assist in providing a uniform direction to all the state governments in order to allow the operation of e-commerce deliveries of essential services across the country.

Other important things to know

Further, for the general information of the reader:

As per guidelines,

Closed Exceptions
Commercial and private establishments will be closed. (such as shopping malls, private outlets etc.) Shops, including ration shops (under PDS), dealing with food, groceries, fruits and vegetables, dairy and milk booths, meat and fish, animal fodder/ district authorities may encourage and facilitate home delivery to minimize the movement of individuals outside their homes/ Banks, insurance offices, and ATMs/ Print and electronic media Telecommunications, internet services, broadcasting and cable services/ Delivery of all essential goods including food, pharmaceuticals, medical equipment through E-commerce.


Offices of the Government of India, its Autonomous/ Subordinate Offices and Public Corporations shall remain closed. Police, home guards, civil defence, fire and emergency services, disaster management, and prisons/ District administration, Electricity department, water, sanitation Municipal bodies (Only staff required for essential services like sanitation, personnel related to water supply etc)/ Hospitals and all related medical establishments, including their manufacturing and distribution units, both in public and private sector, such as dispensaries, chemist and medical equipment shops, laboratories, clinics, nursing homes, ambulance etc. will continue to remain functional/ Transportation services for medical purposed will be permitted.


The Ministry of Home Affair issued an addendum to the guidelines to include more services/activities that have been exempted from the 21-day nationwide lockdown. Following additional services have been exempted: [The post has been updated on 26.03.2020]

  • The Government “Treasury” has already been exempted vide the guidelines issued yesterday. It is now clarified that the term “Treasury” would include Pay & Accounts Officers, Financial Advisors, field offices of the Controller General of Accounts;
  • Further, it has been added that the RBI, RBI Regulated financial markets, entities such as NPCI and CCIL, payment system operators and standalone primary dealers would also stand exempted;
  • IT Vendor for banking operations, Banking Correspondent and ATM operation and cash management agencies;
  • Shops for seeds and pesticides;
  • Data and call centres for Government activities only;
  • Operation of Railways, Airports and Seaports for cargo movement, relief and evacuation and their related operational organisations;
  • Inter-state movement of goods/cargo for inland and exports;
  • Cross land border movement of essential goods including petroleum products and LPG, food products, medical supplies; and
  • Veterinary hospitals, pharmacies (including Jan Aushadhi Kendra), Pharmaceutical research labs stand exempted.

Punishment for violating the lockdown order

The guidelines strictly note that-

“Any person violating these containment measures will be liable to be proceeded against as per the provisions of Section 51-60 of the Disaster Management Act, 2005, besides legal action under Section 188 of the IPC.”

Section 188 of the Indian Penal Code provides two offences and their punishments as follows:

  • Disobedience to an order lawfully issued by a public servant, if such disobedience causes obstruction, annoyance or injury to persons lawfully employed. Punishment: Simple Imprisonment for 1 month or fine of Rs 200 or both.
  • If such disobedience causes danger to human life, health or safety, etc. Punishment: Simple Imprisonment for 6 months or fine of Rs 1000 or both.

The Section 3 of the Epidemic Diseases Act talks of penalty on any person found to be disobeying any regulation or order made under the law and would be deemed to have committed the offence under the Section 188 of IPC. Therefore, those violating the lockdown orders can face legal action under the Epidemic Diseases Act, 1897, which lays down punishment as per Section 188 of the Indian Penal Code, 1860, for flouting such orders.

Note from the author: The blog started with the aim of simplifying and compiling laws related to technologies for the understanding of everyone. The keyword that motivated the author to write on such topics is the uncertainty behind the laws that regulate technology. However, this post has been different and dealt with the simplification of certain other issues as well. It is again the uncertainty behind the present times that has motivated the author to write this blog piece. The uncertainty related to the magnitude of the damage due to the corona outbreak may result in more such unprecedented laws and guidelines from the government. The author will continue to simplify them for the understanding of everyone. A very little contribution to society in these difficult times. Let us fight this together. Stay home, stay healthy.

Simplifying FinTech and FinTech Laws: Regulatory Initiatives taken by Government and Regulators in India for FinTech

No industry in the economy can boom unless it is supported by the Government in the country it wishes to further expand in. A fine line exists between regulation and obstacles for the industry to boom. In light of this, the Government of India has begun to take initiatives and steps toward the stronger building of fintech in the country, paving the path for this industry to a brighter future. This post will give you a brief overview of all the regulatory initiatives that the Government and Regulators have taken to promote the FinTech in India. This is the fourth post in the series of ‘Simplifying FinTech and FinTech Laws’.

Fintech in the past decade has expanded rapidly. What once emerged as merely as an intersection point of financial services and technology, has now become an important aspect of India’s economy. With the vision of the country towards a digitized and less dependent economy with ‘make in India’, fintech has gained a larger space to expand in and function smoothly. According to the NASSCOM Report ‘Fintech Landing- Unlocking Untapped Potential’, it is because of initiatives in India that have led India to emerge as a leader for the fintech industry worldwide. According to this research by NASSCOM, India alone harbours 2% of the largest start-up base for fintech in the world and also leads in the rate of adoption of fintech at 87% adoption rate.

Not only the initiatives by the Government adversely affect the success of the fintech industry in the country, but the allied regulators of financial institutions play a role as well. These include regulators such as SEBI, RBI, Insurance Sector, etc. Such an encouraging atmosphere for the development of fintech in the country has increased faith in fintech among the consumers in the country, for easier and grass-root adoption and acceptance of fintech.

Initiatives by the Central Government

Encouragement for the Start-Ups

With the policies such as that of make in India and to boost the Indian economy, the start-ups are increasingly supported by the Government. In 2015 itself, over 12,000 start-ups in the area of fintech emerged across the world. In India, the initiative to support the start-ups was launched by the Central Government in 2016, reserving USD 1.5 billion funds to support the start-ups. Under the increased support, he start-ups began to receive in the country, there are more than 600 startups in fintech at present in India. It is in light of such an initiative begun by the Government and supported by the allied stakeholders that India progresses towards the vision of a completely digitalised economy, promoted innovation and leading economy with sustainable growth.
In further aid of this initiative that the Government has now introduced tax reliefs such as 3-year exemption from paying tax for the start-ups along with other exemptions, credit guarantee, etc.

Digitization of the Economy

The current Government fiercely promotes the digitization of the economy. Whether intended or not, the unprecedented demonetization has acted nothing less than a catalyst in increasing the digital payments in the country. Having scaled the benefits of digital payments, it is now increasingly used by the country than retreating back to the physical currency. Such an environment is an ideal environment for the fintech ecosystem to thrive in.

Taxation Reliefs

Apart from the policies of the Government to support the fintech, taxing regime plays a major role in the growth of the fintech industry in the country. The 2016 Budget introduced tax rebates for those traders who transacted more than 50% of their bill digitally. The Ministry of Finance further proposed withdrawal of surcharge on digital payments of cards and online used to avail government services. The surcharges as of now stay relaxed.

Protection of Intellectual Property

The fintech start-ups are supported with ease in the procurement of intellectual property (IP) acquirement. The facilitation in the acquirement of trademarks, patents, designs, etc. has led to an increase in the start-ups under the fintech industry in the country. Moreover, under the start-ups initiative, the Government offers 80% rebates for the patent costs required for the start-ups.

Infrastructural Plans

The Government’s plans to accelerate the economy of the country with digital India and Smart Cities have led to an increase in reliance upon fintech in the country more than ever. Not only the local fintech industry is expected to benefit out of his but the outsourcing and foreign investment are also expected to be increased to further the advancement of the fintech industry in the country.

National Payments Council of India

It is the umbrella organisation for all retail payments in India, under the guidance of RBI and Indian Banks Association. With the increase of multiple usages of mobiles in India and increased acceptance of Unified Payment Interface (UPI), there was a paved way for the National Payments Council in India (NPCI). The expected userbase of smartphones is by 2020 is 500 million. Thus, the digital footprint is expected to rise as well. Initiatives by the NPCI such as that of Rupay Cards have led to fintech adopting such technologies, penetrating further into the traditional banking system in the country.

India Stack

India Stack is a set of Application Program Interfaces that allow entities such as businesses, start-ups, governments and developers to engage in the utilisation of the digital infrastructure. This unique feature of India Stack helps to solve problems in ground level in India and promote the paperless, cashless and presence-less delivery system in India. India Stack mirrors the support system offered to the telecom industry back in the 1990s for the fintech industry in the country. This has enabled the manifold increase in fintech in the country and has facilitated easy adoption of fintech by the innovators, entrepreneurs, other industries and companies. However, after the Aadhaar judgment, the India Stack programme has stopped.

Initiatives by Financial Market Regulators

The financial market regulators (FMRs) role has gravely impacted the fate of the fintech industry in the country. Some of the primary FMRs are discussed herein:

Reserve Bank of India (RBI)

One of the most recent initiative by RBI for the adoption of fintech in the financial market is allowance to set up the regulatory sandbox. This refers to the controlled environment in which live testing of digitally innovative techniques may be conducted in the arenas of e-KYC, retail payments, management of wealth, etc. RBI has also acknowledged the possibility of fintech disruptions in the financial market, in light of which certain regulatory norms have been introduced. However, it is to be noted that these are purely regulatory in nature in benefit of the consumers and fintech industries, without creating a hurdle for the boom of the fintech industry. Moreover, to better understand the nitty-gritty of fintech in influencing the traditional financial market, RBI set up an inter regulatory working group to come up with an appropriate framework for fintech without disrupting its functions. RBI in 2017 released a ‘Report on Working Group on Fintech and Digital Banking’ acknowledging fintech to be a point of attention in today’s era and uncertain regulatory regime to stunt its growth. Thus, RBI persuades other sectors to be better apprised with fintech to come up with better and definable regulatory regime so as to not cause unprecedented or unforeseen loss to this industry and continue with its growth.

However, with no uniform set of guidelines and no particular authority to govern fintech, fintech at present faces loss in this area. The aforementioned market regulators have their own policies for fintech which often overlap and defeat the purpose of facilitating policies to obstacles fintech needs to overpower to ensure its smooth functioning. The grey areas of fintech require to be urgently addressed so that the booming growth does not reduce to stunted growth of the industry India expected to lead in future. It is expected with RBI’s report and acknowledged lacuna in the current fintech ecosystem, changes are soon to begun to take place across all sectors in the financial market to ease the functioning of fintech for greater benefits.

The RBI has also introduced several small fintech spaces in order to invite comments from general stakeholders before issuing any regulation governing new technologically innovative financial products. The RBI has released a ‘Draft enabling Framework for Regulatory Sandboxes’ which proposes guidelines on governing regulatory sandboxes to be established by RBI to check on the R&D of new fintech products and services.
The RBI, as well, has recognized the need for confidentiality and data protection. The RBI’s “Master Circular on Mobile Banking Transactions in India” states that “technology used for mobile banking must be secure and should ensure confidentiality”.

Below is the table that represents how well are such fin-tech regulatory sandboxes faring. This is an independent research initiative by the author.

Country Name of the Regulator Date of Starting Sandbox Name/ Project Name Number of Participants Remarks
The United Kingdom Financial Conduct Authority (FCA) Launched in October 2014- First cohort of applications opened on May 2016 The regulatory sandbox is a part of the project called Innovate by FCA Nearly 375 Applications (Since 2016); Nearly 131 Applications have been accepted. Sources: FCA publication on’Regulatory Sandbox lesson learnt’ https://www.fca.org.uk/publication/research-and-data/regulatory-sandbox-lessons-learned-report.pdf. Also See, Official Webpage of the FCA Regulatory Sandbox, https://www.fca.org.uk/firms/regulatory-sandbox/cohort-1 Following sources have been referred to understand the framework of ‘Regulatory Sandboxes’ in the UK: 1) FCA publication on Regulatory Sandbox https://www.fca.org.uk/publication/research/regulatory-sandbox.pdf; 2) FCA publication on’Regulatory Sandbox lesson learnt’ https://www.fca.org.uk/publication/research-and-data/regulatory-sandbox-lessons-learned-report.pdf; 3) Guide to Financial and Regulatory Innovation https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/701847/UK_finanical___regulatory_innovation.pdf
Singapore Monetary Authority of Singapore Launched in November 2016 There are two kinds of Sandboxes that have been proposed under the MAS supervision: ‘Sandbox’ and ‘Sandbox Xpress’ Nearly 50 Formal Applications have been considered; Half were withdrawn; 1/3rd proceeded without the need of Sandbox; remaining being approved or under review. (till 2019) Source: NUS CBFL working paper 19/04 https://law.nus.edu.sg/cbfl/pdfs/working_papers/CBFL-WPS-1904.pdf The low figures of participation is because MAS is very specifically selective about the applicants and MAS’ view of Sandbox as a last resort to facilitate innovation,
with the primary tool being instituting facilitative regulations in the first place. Further readings are important: https://law.nus.edu.sg/cbfl/pdfs/working_papers/CBFL-WPS-1904.pdf; MAS gidelines on Sandbox https://www.mas.gov.sg/-/media/MAS/Smart-Financial-Centre/Sandbox/FinTech-Regulatory-Sandbox-Guidelines-19Feb2018.pdf?la=en&hash=B1D36C055AA641F580058339 09448CC19A014F7; The MAS Act https://www.mas.gov.sg/regulation/acts/mas-act
Australia Australian Securities and Investments Commission (ASIC) Launched in December, 2016 Fintech Regulatory Sandbox is a part of Project Innovation Hub by the ASIC As set out in ASIC’s Innovation Hub Progress Report as of October 2018, 314 entities requested and received informal assistance, and 67 new AFSLs/ACLs were granted. In 2018–19, the Innovation Hub provided informal assistance to over 190 businesses (fintech and regtech), helping them consider regulatory issues early and where relevant prepare licence or relief applications. Source:ASIC Cooperation Report 2017-18 https://download.asic.gov.au/media/4922434/annual-report-2017-18-published-31-october-2018-section5.pdf & ASIC Cooperation Report 2018-19 https://download.asic.gov.au/media/5314426/asic-annual-report-2018-19-section-5.pdf. The Treasury Laws Amendment (2018 Measures No. 2) Bill 2019 (Bill) could provide an example of ideal specific legislative framework related to Fintech Sandboxes given the number of benefits it proposes. The Bill aims to enhance the existing regime by enabling more businesses to test a wider range of financial products and services, for a longer period of time. The Federal Government anticipates that this will help drive competition in the financial services industry, incentivising financial providers to be more responsive to the needs of consumers. While the Bill broadens the types of credit products and services which are eligible for the regime, it simultaneously imposes stricter requirements on credit services which are already subject to the regime. Sources referred: ASIC expands Sandbox Regime https://www.lexology.com/library/detail.aspx?g=825aafdb-0cf4-4dfd-b6b0-be411bb5f957;
Malaysia Bank Negara Malaysia (BNM) through its cross-functional group the Financial Technology Enabler Group (FTEG) Launched in October 2016 Regulatory Sandbox Till October 2019, 80 applications have been submitted under the Financial Technology Regulatory Sandbox. Source: Assistant Governor Keynote Address at the Takaful Rendezvous 2019 – “Leading in a Disruptive World – Revolutionising Takaful” at https://www.bnm.gov.my/index.php?ch=en_speech&pg=en_speech&ac=841. In 2017, there have been four confirmed participants and while in 2018 , there have been six confirmed participants (in which 1 exited later). Source: The State of Regulatory Sandboxes in Developing Countries, Digital Financial Services Observatory, Columbia Institute for Teleinformation, Columbia University, New York, https://dfsobservatory.com/sites/default/files/DFSO%20-%20The%20State%20of%20Regulatory%20Sandboxes%20in%20Developing%20Countries%20-%20PUBLIC.pdf Sources to refer: 1) BNM has provided a regulatory framework for the ‘Fintech Regulatory Sandbox Framework”. http://www.bnm.gov.my/index.php?ch=57&pg=137&ac=533&bb=file; 2) Infographics explain it all, https://www.myfteg.com/?page_id=1129; 3) The State of Regulatory Sandboxes in Developing Countries, Digital Financial Services Observatory, Columbia Institute for Teleinformation, Columbia University, New York, https://dfsobservatory.com/sites/default/files/DFSO%20-%20The%20State%20of%20Regulatory%20Sandboxes%20in%20Developing%20Countries%20-%20PUBLIC.pdf; 4) FAQs related to Sandbox, https://www.myfteg.com/?page_id=1133.
Hong Kong Hong Kong Monetary Authority Launched in November, 2016 Fintech Supervisory Sandbox (FSS) Nearly 170 Tested Participants [By the end of 2017, 28 fintech products tested (HKMA Annual Report 2017, Pg109, https://www.hkma.gov.hk/media/eng/publication-and-research/annual-report/2017/AR2017E.pdf), then by 2018, 42 products have been tested (HKMA Annual Report 2018, Pg.7, https://www.hkma.gov.hk/media/eng/publication-and-research/annual-report/2018/AR2018E.pdf) and till October 2019, around 92 new technology projects have been tested (Usage of the FSS until the end of October 2019, https://www.hkma.gov.hk/eng/key-functions/international-financial-centre/fintech/fintech-supervisory-sandbox-fss/)%5D. Nearly 84 products have been rolled out in the Market successfully (14 in 2017, 28 in 2018 and 42 till October 2019) Following sources are required to be referred to: HKMA-FSS framework of guidelines, https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2016/20160906e1.pdf; HKMA Annual Report 2017, Pg109, https://www.hkma.gov.hk/media/eng/publication-and-research/annual-report/2017/AR2017E.pdf.
Securities and Futures Commission (SFC) September, 2017 SFC Regulatory Sandboxes In 2018, there have been 2 firms that have been tested. (Source: https://bfsi.economictimes.indiatimes.com/news/regtech/global-sandbox-by-gfin-to-boost-cross-border-innovation-in-financial-services-fintech-association-of-hong-kong/69376356) Checked all the official reports but they have not provided any explicit number. I have scheduled a call with Syed Musari, Chairman of the HK Fintech Assn. [On call also he said there are 2 only such firms that have been confirmed till now) Following Sources: ‘Circular to announce SFC Regulatory Sandbox’, https://www.sfc.hk/edistributionWeb/gateway/EN/circular/openFile?refNo=17EC63
Insurance Authority (“IA”) Launched in September, 2017 IA Insur-tech Sandbox Since the launch of Insurtech Sandbox until end February 2019, IA received eight sandbox applications and two were completed and rolled out to the market. Source: Discussion Paper, Legislative Council Panel on Financial Affairs, LC Paper No. CB(1) 70/18-19(04), Pg.6, https://www.legco.gov.hk/yr18-19/english/panels/fa/papers/fa20190401cb1-760-4-e.pdf Following sources can be referred to: 1) https://www.ia.org.hk/en/aboutus/insurtech_corner.html#1 ; 2) Discussion Paper, Legislative Council Panel on Financial Affairs, LC Paper No. CB(1) 70/18-19(04), Pg.6, https://www.legco.gov.hk/yr18-19/english/panels/fa/papers/fa20190401cb1-760-4-e.pdf
Bahrain Central Bank of Bahrain’s FinTech and Innovation Unit Launched in May 2017 The Regulatory Sandbox Since its launch in 2017, 35 Fintech participants have been included in the Sandbox. (As provided on the official website in the section of ‘Regulatory Sandbox Register’ at https://www.cbb.gov.bh/fintech/). Although, till 2018 CBB received 48 applications. (Source: CBB Annual Report, https://www.cbb.gov.bh/wp-content/uploads/2019/04/CBB-Annual-Report-2018-English-1.pdf) Following sources: 1) ‘Regulatory Sandbox Register’ at https://www.cbb.gov.bh/fintech/ ; 2) CBB Annual Report, https://www.cbb.gov.bh/wp-content/uploads/2019/04/CBB-Annual-Report-2018-English-1.pdf; 3) The Circular https://cbb.complinet.com/net_file_store/new_rulebooks/c/o/Cover_letter-Regulatory_Sandbox-Amended28Aug2017.pdf
Netherlands De Nederlandsche Bank (DNB) Aand Dutch Authority for the Financial Markets (AFM) as per their MoC (Memorandum of Cooperation) Launched in January 2017 Regulatory Sandbox’ under the Innovation Hub There is no specifc register or data that is available for the number of entities that are strictly part of the Regulatory Sandbox (Even in their guiding paper released in December 2016, they specifically stated in Section 4, at Pg.5, that “such requests are confidential and will be treated as such”.) Although, the regulators have shared that total 650 queries has been received by the Innovation Hub and Sandbox together till 28th August 2019 (Source: Report DNB-AFM, Continuing Dialogue, InnHub and RegSandbox: lessons learned after three years, https://www.dnb.nl/en/binaries/Continuing%20dialogue_tcm47-385301.pdf) Following Sources can be referred to: 1) De Brauw Blackstone Westbroek, https://www.debrauw.com/alert/dnb-afm-create-regulatory-sandbox/; 2) Guiding paper/Framework related to Regulatory Sandbox, https://www.dnb.nl/en/binaries/More-room-for-innovation-in-the-financial%20sector_tcm47-361364.pdf?2020011512; 3) Report DNB-AFM, Continuing Dialogue, InnHub and RegSandbox: lessons learned after three years, https://www.dnb.nl/en/binaries/Continuing%20dialogue_tcm47-385301.pd; 4) European Banking Authority, Report, FinTech: Regulatory sandboxes and innovation hubs, https://www.esma.europa.eu/sites/default/files/library/jc_2018_74_joint_report_on_regulatory_sandboxes_and_innovation_hubs.pdf.)
UAE Financial Services Regulatory Authority Launched in August 2016. Although, the first cohort started in May 2017 FinTech Regulatory Laboratory (RegLab) Until October 2019, 185 Applicants, 74 Participated – [First Cohort: 11 Applicants, 5 Selected (Official Press Release, https://www.adgm.com/media/announcements/abu-dhabi-global-market-admits-first-5-regional-and-international-reglab-applicants); Second Cohort: 22 Applicants, 11 Selected (Official Press Release, https://www.adgm.com/media/announcements/abu-dhabi-global-market-admits-2nd-reglab-cohort-with-11-more-local–global-fintech-firms); Third Cohort: 69 Applicants, 26 Selected (Official Press Release, https://www.adgm.com/media/announcements/abu-dhabi-global-market-admits-3rd-reglab-cohort-with-more-uae-fintech-firms); Fourth Cohort:83 Applicants, 32 Selected (Official Press Release, https://www.adgm.com/media/announcements/adgm-admits-4th-reglab-cohort)%5D. Following sources: 1) The official Guidance, The guidance paper, http://adgm.complinet.com/net_file_store/new_rulebooks/f/i/FinTech_RegLab_Guidance_VER01_31082016.pdf; 2) Entire legal framework and associated papers can be found here http://adgm.complinet.com/en/display/display_main.html?rbid=4503&element_id=13995.

Securities Exchange Board of India (SEBI)

The presence of SEBI has largely affected the financial market for over two and a half decades now. The interface of technology in the financial market has only led to a rise in the financial sector. It has led to efficiency in the system of trading, reduced costs of transactions and an increase in consumer base. Not only this, technology has played a significant role in democratising the financial market. While these remain the immediate effect felt of technology as it entered the financial market, more recent are the machine-based and algorithmic trading. SEBI has warmly welcomed technology in the market with screen-based trading, dematerialisation of shares and using it as a platform to offer nationwide trading. The capital market in India with such innovations backed by SEBI has witnessed the transformation in recent years.

Insurance Sector

The innovation in the insurance sector has always been thought about twice, such that its adoption has remained the slowest in this sector in the financial market. However, the past decade with the rise of fintech has seen the regime of insurance sector change, especially with the digital channels and process automation. Technology has further led to the addition of personal touch and customised services for consumers. The fintech had led to increasing common conscience of the society to repose faith in the insurance sector due to customised services and cost-effective functions. Fintech has ensured that the start-ups in the insurance sector do not act as a tool of disruption in the insurance sector and spread a sense of insecurity amongst the existing companies but act as a collaborator, collate the efforts of all and direct services for the benefit of the consumers.

Recommended Readings:

Solve India’s problems’: Modi launches Rs 100 billion fund, generous tax breaks for Indian start-ups, First Post, 17 January 2016, http://www.firstpost.com/business/pm-modis-grandinitiative-for-indian-start-ups-a-rs-10000-cr-fund-3-year-tax-rebate-2587272.html accessed on 25 May 2016.
Budget 2016: Start-ups get 100 per cent tax exemption for 3 years on profits, 29 February 2016, DNA India, http://www.dnaindia.com/money/report-budget-2016-start-ups-get-100-taxexemption-for-3-years-on-profits-2183981(last accessed on 25 May 2019).

Manisha Shroff, Nikita Nehriya, Ankit Chavan and Praneetha Vasan, Data Privacy: Have Banking Laws in India kept pace with Technology, Indian Law News Vol 9 Issue 2, at https://www.khaitanco.com/PublicationsDocs/IndiaLawNews-KCOcoverageManishaShroff-Copy%20(2).pdf

Simplifying FinTech and FinTech Laws: All the laws that govern digital payments and transactions in India

Over the years, the financial services industry has become increasingly regulated in terms of adoption of technologies for facilitation and disintermediation of transactions. The extensively fragmented laws and regulations certainly make it difficult for any person and entity to objectively find the mandatory requirements that a law imposes upon them. This post will give you a brief overview of fintech laws and the various ways in which they govern our digital transactions. This post is the third one in the series of ‘Simplifying FinTech and FinTech Laws’.

The legal topography that regulates the Fintech services in India is majorly distributed, and there is not a single comprehensive regulation or legislation that governs the Fintech industry in the country. The lack of a complete and comprehensive single set of guidelines or regulations makes it hard to refer to actual authorities that are supposed to govern the Fintech in India. The legislative or regulatory, whichever it is, primarily comprises of:

The Payment and Settlements Act, 2007

The sources of law that actually governs payment in Indian jurisdiction are the Payment and Settlement Systems Act, 2007 (PSS Act) and the Payment and Settlement Systems Regulations, 2008 and rules as issued thereunder. Basically, these are the statutes from which India’s central bank, the Reserve Bank of India, derives power to function and regulate payment and settlement system in India. In accordance with the PSS Act, the RBI has wide discretionary powers to issue orders, directions and rules to financial systems established in India. There are several recommendations (pending), to change the PSS Act and form a new regulatory board named as the Payments Regulatory Board (PRB), while the necessary amendments to the PSS Act still await.

As per the PSS Act, any person inclusive of the non-banking financial companies (NBFCs) which want to undertake the operation of a payment system, may do so as upon taking the authorization by the RBI. The Act provides several eligibility criteria that are required to be fulfilled by that person or company wishing to operate as a payment system. Further, technology facilitators between merchants and banking institutions (that process and settle the transactions), are known as ‘Gateway Service Providers’, doesn’t have to acquire any authorization from RBI. For instance, common gateway service providers are BillDesk, RazorPay, InstaMojo etc.

The PSS Act is the primary legislation that governs the regulation pf [ayments in India. The PSS Act provides the definition of the “payment system” such that:

“a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”.

Master Direction on Issuance and Operation of Prepaid Payment Instruments

Prepaid Payment Instruments (PPIs) that are pre-loaded values (basically your PayTM or Freecharge wallets) and in some cases that value can be utilized for a specified purpose only as payment (basically Ola Money). PPIs provide the value to existing in a specified form which facilitates the payment for goods and services also in certain cases person to person remittance transactions of money for eg. sending money to your friends or family members. As defined in Rule 2.3 of the Master Directions:

“PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.”

The Master Directions were issued by the RBI on October 11, 2017, and amended from time to time. It provides the eligibility criteria that is required to be followed by the PPI issuers, provides the thresholds for debits and credits that can be done using PPIs, and also provides the other operational obligations that are required to be fulfilled by a PPI issuer at the time of issuing such instruments to its customers in India. PPIs come into the ambit of the term ‘payment system’ as provided under the PSS Act and henceforth have to comply with the PSS Act and the Master Directions, both. PPIs include brand-specific gift cards, e-wallets like PayTM wallet, Freecharge, Mobikwik, shopping or travelling cards as issued by the Banks themselves, etc.

NPCI Guidelines governing the UPI Payments

UPI payments are governed through the Procedural Guidelines related to UPI and Operating and Settlement Guidelines related to UPI, as issued by the NPCI. As per the contemporary governing framework, the Banks only have the scope to provide UPI payment services to consumers. Banks are authorized to integrate the UPI platform into their payment systems. They operate over the UPI platforms by engaging the services of a technology provider, in such circumstances the Guidelines subject such technology providers and the Banks to strict compliance with certain norms as prescribed by the NPCI.

“The Unified Payment Interface enables architecture and a set of standard Application Programming Interface (API) specifications to facilitate digital payments using a mobile phone.”

Regulations related to Non-Banking Financial Companies (NBFCs)

The primary document of legislation that governs the NBFCs is the Reserve Bank of India Act, 1934 and subsequent to other secondary master directions and rules and guidelines and circulars which regulates the licensing and operation of such companies in India. The RBI has formed a set of thresholds that are required to be fulfilled in order to determine whether a business entity is to classified as a “financial services company” which also requires a license. Majority of lenders that operate digitally fall under the ambit of the term ‘NBFCs’. The most important regulation that holistically governs NBFCs is the Master Direction – Non-Banking Financial Company – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016, Master Direction – Non-Banking Financial Company –Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016, and Master Direction – NBFC – Acceptance of Public Deposits (Reserve Bank) Directions, 2016.

Master Directions related to P2P lending platforms

The Master Directions- NBFC- Peer to Peer Lending Platform Directions 2017 incentivized a whole lot of activities for P2P platforms. It provided the P2P platforms to act as an intermediary, such that it has to comply with certain strict legal requirements and has to conduct proper due diligence of participants that are using the platform to finance or borrow. The Master Directions make it mandatory for P2P portals to check the creditworthiness in a form of an assessment and perform risk profiling of the borrower’s business or project, and actively share the disclosures with the potential investors or lenders. Further, RBI regulations bar the P2P platforms from lending or raising deposits or cross-sell any product over the portal. They are not required to facilitate any credit guarantee or secured loans. Cross-jurisdictional flows of funds are barred as per the Master Directions. Therefore, in toto, the Directions prescribe the norms that govern lender exposure and aggregate borrowing thresholds in the context of workings of P2P lending platforms in the country.

Guidelines to govern Payment Aggregators/Intermediaries

The RBI’s circular related to“Directions on opening and operation of Accounts and Settlement of Payments for Electronic Payment Transactions involving Intermediaries” as on November 24, 2009, (“Payment Intermediary Circular”), which lays down the legal framework that applies to the operation of payment gateways and intermediaries in India. Such intermediaries are strictly subjected to be in compliance with guidelines related to the operation of intermediary systems in Inda as provided under the Payment Intermediary Circular.
According to the RB I’s recent discussion papers, it has been suggested that the payment gateways and aggregators form a significantly critical link in the transaction flow, and henceforth it is required to regulate the activities as fall under the ambit of the PSS Act, 2007. The RBI has provided that the established contemporary guidelines governing payment intermediaries and gateway providers have to be reviewed in its Monetary Policy Statement for 2018-19.

RBI Guidelines on Payment Banks

The Guidelines on operation of Payment Banks and Guidelines for Licensing of Payment Banks as provided under the RBI’s governing framework elucidates that the governing regulations and measures related to licensing and operation of payments banks in India. The guidelines, among others, lays down the criteria for eligibility for registration or permissible operation and further other such guidelines that govern the working of payment banks. The Reserve Bank of India provides the purpose of setting-up Payment Banks such that:

“Reserve Bank of India says ―The objectives of setting up of payments banks will be to further financial inclusion by providing (i) small savings accounts and (ii) payments/remittance services to migrant labour workforce, low income households, small businesses, other unorganised sector entities and other users.”

Anti-Money Laundering (AML) Regulations and Know Your Customer (KYC) Regulations

Know Your Customer (“KYC”) is a term that indicates the customer identification process. The KYC norms include the prudential efforts made to ascertain the identity and ownership source of accounts, source of funds, the nature of customer’s business, and accountability of operations in the account in connection to the customer’s businesses etc which further assists banking institutions to manage the risks reasonably. The purpose of the KYC guidelines is to avoid and prohibit banks from being used, specifically as criminal essential of money laundering.

The Reserve Bank of India issued the guidelines to banks under Section 35A of the Banking Regulation Act 1949 and Rule 7 of Prevention of Money-Laundering (Maintenance of Records of the Nature and Value of Transactions, the Procedure and Manner of Maintaining and Time for Furnishing Information and Verification and Maintenance of Records of the Identity of the Clients of the Banking Companies, Financial Institutions and Intermediaries) Rules, 2005.

The key takeaway regulatory guidelines that prescribe anti-money laundering (AML) norms for fintech services in India are part of the PMLA, the PML Rule and the KYC norms included in the Master Directions.

Data Protection Regulations and Rules

Fintech is a data-driven industry due to which it faces a challenge or risk related to the data ownership and its security. Such a risk can be superseded by taking certain legal and technical measures only. There are choices of cybersecurity measures that data labelling, optional information sharing and identified data shareholding, which can be the response to various data-driven challenges that the fintech space is facing.
Unauthorized access to customers’ data is a threat to data privacy, which actually violates the fundamental right to privacy, and therefore a significant challenge to the Fintech platforms engage in gathering and storing several forms of financial and behavioural data. India, right now, doesn’t have any comprehensive legislative or regulatory framework that governs data protection. The Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, contemporarily provide for the obligations of corporations or businesses to take reasonable measure in order to protect the personal data of consumers.

Further, the draft Personal Data Protection Bill, 2018, that is in pipeline can be best described such that:

“The draft Personal Data Protection Bill (2018) contains provisions that go beyond just the requirements of the IT Rules. The Bill specifies a notice and consent framework with explicit consent in the case of sensitive personal data. Explicit consent is understood as consent that is informed, clear, and specific along with being free and capable of being withdrawn.”

Recommended Readings:

  1. Aayush Rathi and Shweta Mohandas, Fintech in India: A study of privacy and security commitments, The Centre for Internet and Society, at https://cis-india.org/internet-governance/files/Hewlett%20A%20study%20of%20FinTech%20companies%20and%20their%20privacy%20policies.pdf (last accessed on 12/10/2019).
  2. Dr. R Srinivasan and Prof. M. Subramanian, Payment Banks in India – Demystified, SSRG-IJEMS, Vol. 2 Issue 12 (December 2015).
  3. Department of Payment and Settlement Systems, Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators, Reserve Bank of India, at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=943 (last accessed on 12/10/2019).
  4. Latha Ramesh and Yashika Gandhi, Reserve Bank Regulations for P2P lending platforms, Deccan Herald, at https://www.deccanherald.com/business/economy-business/reserve-bank-regulations-p2p-718950.html (last accessed on 12/10/2019).
  5. Rahul Gochhwal, Unified Payment Interface- An advancement in Payment Systems, American Journal of Industrial and Business Management Vol.7 Iss.10, 1174-1191, at https://www.researchgate.net/publication/320661583_Unified_Payment_Interface-An_Advancement_in_Payment_Systems (last accessed on 12/10/2019).
  6. Shilpa M. Ahluwalia & Himanshu Malhotra, Fintech 2019 in India, Golbal Legal Insights, at https://www.globallegalinsights.com/practice-areas/fintech-laws-and-regulations/india (last accessed on 12/10/2019).
  7. Shaikh Zoaib Saleem, What are prepaid payment instruments?, Livemint, at https://www.livemint.com/Money/Wq5AT6vx1JklC0lRSMbnSI/What-are-prepaid-payment-instruments.html (last accessed on 12/10/2019).