Database

Retention requirements for service providers are found in the Internet Service Provider licence and Unified Access Services Licence (UASL), which are grounded in the Indian Telegraph Act of 1885. Internet Service Providers are required to retain a complete audit trail of the remote access activities pertaining to the network operated in India for a period of six months. Moreover, all commercial records with regard to the communications exchanged on the network must be maintained for a year.

In addition, the licences identify several categories of records that must be made available and provided for security purposes - which therefore implies that records should be kept. These include:
- a log of all users connected and the service they are using,
- a log of every outward login or telnet through an Internet Service Providers computer,
- copies of all packets originating from the Customer Premises Equipment of the Internet Service Provider,
- a complete list of subscribers must be made available on the Internet Service Provider website with password controlled access,
- a complete list of Internet leased line customers and their sub-customers (including, name of customer, IP address allotted, bandwidth provided, address of installation, date of installation/commissioning, and contact person with phone no./email),
- the geographical location of any subscriber,
- further information.

Under a draft Personal Data Protection Bill, processing of personal data can only be done with a free, informed, specific and clear consent of the data subject which is capable of being withdrawn. For "senstive personal data", a subset of of personal data including passwords, financial data, and health data, among other, explicit consent is required. The bill defines explicit consent as consent that must be specific, having regard to whether the data principal can choose to not consent to certain purposes of processing of their personal data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provide that cross-border data flows of sensitive personal data or information can be made:
- provided that such transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or
- provided that such transfer has been consented to by the provider of information.

In April 2018, the Royal Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.

Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. In is not clear when the RBI's position will be clarified.

A draft Personal Data Protection Bill would require one copy of all personal data to which the law applies to be stored on a server located in India. The bill also gives the Indian government the authority to classify information as "critical personal data," which may only be stored within India. This would broadly apply to any data, "collected, disclosed, shared, or otherwise processed within the territory of India," meaning, for example that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens' data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

In 2015, India’s Ministry of Electronics and Information Technology (MEITY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurements of cloud services. The guidelines require such providers to store all data in India to qualify for the accreditation.

India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analog forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and reside in their IT enabled facility.”

India relaxed the visa norms for hiring by Indian IT companies. This means that now the IT-industry can hire foreign professionals 'as per requirement' instead of the earlier cap of '20 employees per project'. However, in view of the fact that there was a large influx of low-skilled workers in the sector from the neighboring countries, the government has stipulated that the foreign service supplier in the sector will have to give a declaration to the effect that his/her annual salary is in excess of USD 25,000 per annum. This condition has been introduced to ensure the entry of only high-skilled foreign professionals into the industry.

In case a business visa is granted, which is required for independent service suppliers (ISS), the visa is awareded with a limit of six months each time separately the visitor enters, but it can be awarded for up to five years.

Employment visas are necessary for intra-corporate transferees (ICT) and contractual services suppliers. A business visa is only required for independent services suppliers (ISS). In case an employment visa (as opposed to a business visa), it is required an economic needs test: no employment visas should be granted for jobs for which qualified Indians are available, neither should the employment visa be granted to routine, ordinal and secretarial work.

The US Trade Representative office (USTR) reports that India’s one-time licensing fee (approximately USD 500,000 for a service-specific license, or USD 2.7 million for an all India Universal License) for telecommunications providers serves as a barrier to market entry for small and medium-sized enterprises.

Bharat Sanchar Nigam Limited, the incumbent, is fully owned by the Government of India. BSNL (Bharat Sanchar Nigam Ltd.) provides all types of telecom services namely telephone services on landline, WLL and GSM mobile, Broadband, Internet, leased circuits and long distance telecom services.

In 2002, the foreign filing license requirement was introduced in the Indian Patents Act of 1970. This requirement provides that any inventor who is a resident of India should file a patent application for his/her own invention first in India. Only after a period of six weeks after the date of filing of the patent application, the filing can be extended internationally. Alternatively, the inventor is required to obtain the controller’s permission for filing the patent application outside India. However, given that the process is reported as burdersome, filing an application first in India is the preferred way of complying with these provisions. There violation of such rule results in criminal liability under section 118 of the Indian Patent Act of 1970, with consequent monetary fine or imprisonment up to two years, in addition to the impossibility to proceed with the patent application.

It is reported that the Intellectual Property Management Policy aims to protect the patent portfolio 'defensively and aggressively' to forge strategic alliances and international collaborations, to gain business advantage. The Council of Scientific and Industrial Research (CSIR) with its Internet Protocol (IP) policy aims "to maximise the benefits to CSIR from its intellectual capital by stimulating higher levels of innovation through a judicious system of rewards, ensuring timely and effective legal protection for its IP and leveraging and forging strategic alliances for enhancing the value of its IP".

The US International Trade Commission reports that enforcement of India's copyright laws is weak, resulting in widespread digital piracy of movies, television shows, and unlicensed software. Additionally, the US Trade Representative office (USTR) reports that the value of losses from piracy of music and movies in India totals about USD 4 billion per year, while the commercial value of unlicensed software used in India is approximately USD 3 billion.