Database

For the purposes of entry requirements, India has distinguished between goods that are new and those that are second-hand, remanufactured, refurbished, or reconditioned. This distinction has resulted in barriers to trade in goods that belong to the second category. For example, refurbished computer spare parts can only be imported if an Indian chartered engineer certifies that the equipment retains at least 80% of its life, while refurbished computer parts from domestic sources are not subject to this requirement. Problems that industry representatives have reported include excessive details required in the license application, quantity limitations set on specific part numbers, and long delays between application and granting of the license.

Certain goods require a special permission or licensing in order to be imported. Selected consumer goods, which also include some electronic items, are qualified as licensed/restricted items which can only be imported after obtaining an import license from India’s Directorate General of Foreign Trade (DGFT). However, it has been reported that India is increasingly using import licences at the discretion of the authorities to limit imports of sensitive products. Apparently, the licensing system is not automatic as it involves delays and authorised quantities can be lower than requested. The granting of licences is limited to actual users.

To date, there are no cases of discriminatory use or revocation of licenses. However, internet services providers are required to sign a "License Agreement for Provision of Internet Services".

UNESCO reported that between 2012 and 2017, Indian authorities mandated complete internet and mobile network shutdowns in different parts of India. These caused citizens and businesses to be unable to access the internet for as much as 680 days. eCommerce, media and IT services were among the most affected sectors, and it is reported that as much as USD 3 Billion have been lost as a result. Although much of these shutdowns occured in certain regions, nearly half of India's states saw shutdowns of some kind during the reported period. For the most part, these shutdowns occured as a response to political unrest, to prevent the circulation of videos and photos of abuses by the military and clashes with activists and protesters.

India's Ministry of Communications and Information Technology issued an order to all licensed Internet services providers in the country to block access to 32 websites, effective immediately in December 2014.The ban affected access to sites such as archive.org, vimeo.com, dailymotion.com, but also github.com and pastebin.com, which are widely used by software developers.

Officially, the government has admitted blocking 245 web pages for inflammatory content and hosting of provocative content. However, a report by Bangalore-based Center for Internet and Society states that 309 specific items (URLs, Twitter accounts, img tags, blog posts, blogs, and a handful of websites) have been blocked by the government.

Rule 3(4) of the Information Technology (Intermediaries Guidelines) Rules creates a notice and takedown regime for what concerns "any information that is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating to or encouraging money laundering or gambling, harm minors in any way, impersonate another person, belongs to another person and to which the user does not have any right to or violates any law among other things". The regime mandates that the intermediary has to remove such information within 36 hours, either when it gets to know on its own or receives actual knowledge that such information is being stored, hosted or published on its computer system.

The Rules for administration of takedowns by intermediaries have been criticised extensively by both national and international actors for creating uncertainty in the criteria and procedure for administering the takedown, thereby inducing the intermediaries to err on the side of caution and over-comply with takedown notices in order to limit their liability.

Moreover, in 2014, Mumbai-based Internet and Mobile Association of India (IAMAI) filed a petition to the Supreme Court that frequent, unilateral and arbitrary orders from governments asking internet service providers to remove "objectionable" content created and posted by third parties on websites seriously affected their online business.

Section 69 of the Indian Information Technology Act (IITA) requires intermediaries to extend all facilities and technical assistance to intercept, monitor or decrypt information as well as to provide information stored in a computer or provide access to a computer resource, when called upon to do so by certain agencies. This extends to online intermediaries which are required to designate an officer to facilitate the execution of such orders. Intermediaries that fail to meet these obligations may be punished with imprisonment of up to seven years.

The Information Technology Act sets fines up to 500,000 INR (around 8,000 USD) or imprisonment up to three years; or a combination of both.

A draft Personal Data Protection Bill would increase the fines for breach of its provision up to 150,000,000 INR (approximately 2,100,000 USD) or 4% of its total worldwide turnover of its preceding financial year.

The Internet Service Provider licence and Unified Access Services Licence identify several categories of records that must be made available and provided for security purposes to the Telecom Authority or authorized Intelligence Agencies. (more information available under data retention subchapter)

A draft Personal Data Protection Bill would require that data breaches be reported to the Indian Data Protection Authority "as soon as possible and not later than the time period specified by the authority." The period of time in question is to be specified on a later date.

Additionally, "upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm."

A draft Personal Data Protection Bill would require that "significant data fiduciaries" appoint a Data Protection Officer to oversee compliance with the law; comply with annual independent audits of their processing of personal data; and conduct impact assessments for new technologies or large-scale profiling or use of personal data.

A draft Personal Data Protection Bill would require that "significant data fiduciaries" perform impact assessments, "where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data [subjects]"

A draft Personal Data Protection Bill would provide data subjects with the right to be forgotten, which would give them authority to restrict how companies use data that they previously shared, although the Bill would not require companies to delete such data altogether.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

A draft Personal Data Protection Bill would prohibit "significant data fiduciaries" from retaining personal data longer than "may be reasonably necessary to satisfy the purpose for which it is processed."

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

Banking information must be stored for 10 years "from the date of cessation of the transactions between the client and the banking company, financial institution or intermediary, as the case may be".