Novi Wallet and the Chaos to Follow

Article Contributed by Rabia Rahim (Associate)                                             

Meta Platforms Inc. (“Meta”), earlier known as Facebook Inc. (“Facebook”), is all set to launch its new mobile payments service, Novi Wallet, across its subsidiary companies, including Facebook, Instagram and WhatsApp. Novi Wallet was initially launched in October, 2021 and is capacitated to make purchases, hold and transfer stablecoins (a type of cryptocurrency, the value of which is dependent on assets that could be other cryptocurrencies or even physical currency). The stablecoin adopted by Novi Wallet, is Meta’s Diem digital currency (“Diem”).

Novi Wallet converts local currency to Diem on the mere addition of local currency into the wallet and enables the user to transfer the resultant Diem to other users worldwide. “Today”, the services of Novi Wallet are offered for free, and it appears from job adverts that Meta intends to continue to provide a “low to no cost” service in the future, which will increase pricing pressure for the remittances industry as consumers will increasingly expect lower prices to send money abroad.

 While the conversion feature is a much-awaited innovation in the fintech world, Novi Wallet has not received a warm welcome.

For starters, Meta has not yet received the requisite regulatory approvals to launch Diem as the transactional asset on Novi Wallet in different countries. Therefore, the pilot of Novi Wallet that permits payments between US and Guatemala, uses PaxDollars, a stablecoin with value pegged on US dollars, instead of Diem. Some US Senators have also expressed, in a letter to Mark Zuckerberg, their apprehension, in permitting the erstwhile Facebook to manage a payment system or digital currency since its existing ability to manage risks and keep consumers safe has proved to be wholly inefficient. It goes without saying that any brand linked to the erstwhile Facebook will be subject to stringent scrutiny and negative criticism, due to Facebook’s ill repute linked to, its inability to properly manage and secure user data and, its prior practice of tax avoidance in many countries where it has been doing business.

Currently in India cryptocurrencies are legal. The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021, which has been listed for the Parliament’s winter session, is not available in the public domain, and so, there is a lot of speculation on whether cryptocurrencies will be regulated or face a complete ban.

Practically, if Novi Wallet were to be launched in India, Meta would also have to do so in compliance with Foreign Direct Investment Policy, 2020 (“FDI Policy”), which does not expressly provide for investment in a business offering or dealing in cryptocurrencies (“Crypto Business”). The FDI Policy states that if any sector or activity is not expressly listed in the FDI Policy, foreign direct investment is permitted up to 100% through the automatic route in such sector. Therefore, it can be argued that since the FDI Policy does not mention Crypto Business, 100% FDI is permitted in Crypto Business.

Even if one takes the view that Novi Wallet is a financial service, the residuary provision for “Other Financial Services” permits 100% FDI through the automatic route. However, the FDI Policy describes ”Other Financial Services” as ‘Financial Services activities regulated by financial sector regulators, viz., RBI, SEBI, IRDA, PFRDA, NHB or any other financial sector regulator as may be notified by the Government of India’. In other words, the FDI Policy does not envisage a financial service which is not regulated. If the Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 is enacted by Parliament and it provides for the regulation of Crypto Businesses, Crypto Businesses should be considered to be a financial service.

In either case, Meta would not face any hurdle under the FDI policy in setting up an Indian subsidiary to offer Novi Wallet to Indians.

It is very likely that, with Meta’s user base and strategic capabilities, Novi Wallet would succeed in the remittances market. But given the history of Facebook (which cannot be atoned for by rebranding the company as Meta) the real worry should be the regulatory and political issues Meta will continue to face.

Central Government Amends Legal Metrology (Packaged Commodities) Rules, 2011

Article Contributed by Pranav Pillai (Associate)

The Central Government, through the Ministry of Consumer Affairs, Food and Public Distribution (“Ministry”), has amended the Legal Metrology (Packaged Commodities) Rules, 2011 (“Rules”) vide a notification dated November 2, 2021 (“Amendment”). A press release by the Ministry states that the Amendments were undertaken for “enhanced protection of consumer rights", and to “safeguard the interests of consumers”.

The Amendment omits Rule 5 of the Rules, which required certain commodities specified in Schedule II to the Rules (such as baby food, biscuits, bread, coffee, tea etc.) to be packed and sold only in the standard quantities prescribed. For example, in the case of Santanu Jagatbandhu Sinha and Ors. v. State of Maharashtra[1], Hindustan Lever Limited was alleged to have violated rule 5 of the formerly existing Packaged Commodities Rules, 1977 for offering detergent with a description that stated “Blue Detergent Cake Net Weight when packed 125 gms. + 25 gms. Free – 20% extra”, which was in excess of the standard quantity of 125 grams prescribed. A violation of Rule 5 made a business liable to be fined Rs. 5,000 (Rupees five thousand), as prescribed under Rule 32 of the Rules. The omission of Rule 5 will now allow businesses more freedom in the packaging of their commodities for sale.

However, pre-packed commodities are now required to declare its ‘unit sale price’, a move the Central Government has stated would allow for easier comparison of prices between commodities. This follows an insertion to Rule 4 which states that when one or more packages intended for retail sale are grouped together to be sold as a retail package or through a promotional offer, the quantity of the package (such as the number of units, pieces, pairs etc.) is required to be mentioned.

The Amendment also simplifies the illustration requirements relating to maximum retail price (“MRP”) prescribed under the Rules, with manufacturers now permitted to declare the MRP in a more simplified manner.

The Amendment shall come into effect on April 01, 2022.

Facebook Takes a Step Forward to Ensuring Data Privacy

Article Contributed by Aishwarya Manjooran (Associate)

On October 28, 2021, Facebook Inc.’s Chairman, Chief Executive Officer, and controlling shareholder Mark Zuckerberg, announced that Facebook Inc. (which owns social media pages such as Facebook, Instagram, and WhatsApp,) would be rebranded as ‘Meta Platforms Inc’ (“Meta”). This re-branding is meant to reflect that the parent entity is more than just Facebook, which would be one of its products.

Soon after, Meta started rolling out policy changes on matters relating to data privacy for which Facebook has been under scrutiny for a while. Of these, two significant changes being executed by Facebook, impact data privacy considerably and are a step in the right direction for the ethical and responsible handling of personal sensitive data of billions of Meta’s users.

The first paradigm shifting policy change was announced on November 2, 2021, when the social media giant released a statement announcing the closure of Facebook’s facial recognition system.

“In the coming weeks, Meta will shut down the Face Recognition system on Facebook as part of a company-wide move to limit the use of facial recognition in our products. As part of this change, people who have opted in to our Face Recognition setting will no longer be automatically recognized in photos and videos, and we will delete the facial recognition template used to identify them.”

Meta revealed that it would be deleting the facial recognition templates of more than 1 billion people, which is about one-third of its user base, who had opted for the use of said feature. Meta went on the elaborate that this move follows growing societal concerns about the use of such technology and since regulatory authorities are still in the process of framing a clear set of rules governing the usage of such technology, limiting the use of facial recognition to a narrow set of cases would be an appropriate course of action.

Facebook’s automatic alt text tool, which creates image descriptions for visually impaired people, will not henceforth include the names of people recognized in photos after the removal of facial recognition, but will otherwise function normally. However, Facebook still believes in using their facial recognition technology in other products, as it could be a powerful tool in instances that require identity verification or to prevent fraud and impersonation to name a few examples.

Facebook is no stranger to controversy arising from the use of this technology. Facebook’s facial recognition system has been the subject of several inquiries for a while, and it was pointed out by the U.S. federal trade commission as a concern, when it fined Facebook $5 billion to settle privacy complaints received against Facebook in 2019.

The second policy revision was announced on November 9, 2021, when Meta revealed that it would remove sensitive advertisements targeting options related to health, race or ethnicity, political affiliation, religion or sexual orientation from January 19, 2022. 

"Starting January 19, 2022 we will remove Detailed Targeting options that relate to topics people may perceive as sensitive, such as options referencing causes, organisations, or public figures that relate to health, race or ethnicity, political affiliation, religion, or sexual orientation," according to the statement released by Meta.

The detailed targeting options being removed are not based on people’s physical characteristics or personal attributes, but instead are based on people’s interactions with content on these platforms. These changes are being introduced to limit the way that Meta’s targeting tools can be abused. Meta which has been under intense scrutiny in India over data privacy violations, revealed in its monthly report that it removed over 30 million pieces of content in September from Facebook and instagram in India, to ensure compliance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

This decision from Meta largely affects advertisers on Meta’s apps such as Facebook, instagram and messenger and Facebook’s audience network, which places ads in third-party apps. In the past, these features have been used to discriminate against people or to spam them with unwanted messaging. An example of this is an instance where the department of housing and urban development in USA sued Facebook in 2019 for permitting landlords and home sellers to unfairly restrict who could see ads for their properties on the platform based on characteristics like race, religion, and national origin, leading to the detailed targeting feature being misused rampantly to discriminate. Apart from this, several instances were reported that allowed this feature to be abused by advertisers.

Facebook has been under fire for data privacy violations and non-compliance with regulatory mechanisms for a long time. A judge this year approved Facebook's $650 million settlement of a class action in Illinois, USA, over allegations that it collected and stored biometric data of users without proper consent. Starting with its shift from ‘Facebook Inc’ to ‘Meta Platforms Inc’, the social media giant has been taking much needed steps towards ensuring data privacy and ethical responsibility in the way it handles its users’ personal, sensitive information.

You can read a statement from Meta about shutting down the facial recognition system here and on the removal of sensitive advertisements targeting options here.

MeitY Releases FAQs on the 2021 IT Rules

Article Contributed by Udit Mendiratta (Partner) and Dhruv Bhatnagar (Senior Associate)

Recently, in an attempt to “explain the nuances” of the due diligence obligations imposed upon intermediaries and the newly created class of ‘significant social media intermediaries’ (“SSMIs”) under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“2021 IT Rules”), the Ministry of Electronics and Information Technology (“MeitY”) released frequently asked questions (“FAQs”) on the 2021 IT Rules. The scope of the FAQs is limited to Part II of the 2021 IT Rules, relating to due diligence obligations by intermediaries and grievance redressal mechanism. MeitY has also clarified that the FAQs are not a legal document and do not amend/ alter the provisions of the 2021 IT Rules.

 Key clarifications by MeitY in the FAQs are as under:

1. Definition of ‘social media intermediaries’ (“SMIs”): Rule 2(1)(w) of the 2021 IT Rules defines ‘SMIs’ as intermediaries “which primarily or solely enables online interactions between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services”. The FAQs additionally clarify that entities which only incidentally enable online interactions cannot be classified as SMIs[2]. They also state that intermediaries whose primary purpose is enabling commercial or business-oriented transactions, providing access to internet or search-engine services, email services, or online storage services, etc. will not qualify as SMIs.
2. Appointment of personnel by SSMIs: According to the FAQs, the ‘chief compliance officer’ (“CCO”) and ‘nodal contact person’, who are required to be appointed by SSMIs under Rule 4(1) of the 2021 IT Rules, cannot be the same person. However, the roles of the ‘nodal contact person’ and ‘resident grievance officer’ may be discharged by the same individual[3].
3. Manner of publishing periodic compliance reports: The FAQs offer some flexibility to SSMIs, regarding publication of compliance reports under Rule 4(1)(d) of the 2021 IT Rules, by clarifying that: (a) physical copies of the reports need not be submitted to MeitY and SSMIs can simply publish these on their respective platforms; (b) no specific format needs to be adhered to for preparing the reports so long as the essential information prescribed under the rules is captured; and (c) SSMIs need not disclose granular data about each complaint received by them, as long as aggregated information about the complaints received by them -- such as nature of complaints and action taken -- is disclosed in the report[4].
4. Requirements for content removal orders: Rule 3(1)(d), 2021 IT Rules creates a parallel mechanism for issuance of content removal directions to intermediaries, in addition to the pre-existing framework under Section 69A of the Information Technology Act, 2000 (“IT Act”) read with the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (“Blocking Rules”). As per the FAQs, blocking directions under Rule 3(1)(d) should, typically: (a) specify URLs of the content at-issue; (b) the law being administered by the appropriate government/ agency issuing the direction and the specific law being violated by the content at-issue; and (c) justification and evidence[5].
5. Traceability and its impact on privacy: MeitY claims that the intent behind the obligation to enable traceability of originator information, imposed under Rule 4(2), 2021 IT Rules upon SSMIs providing services primarily in the nature of messaging, is not to weaken encryption but to obtain “registration details of the first Indian originator of the message”. MeitY maintains that the typical principle of detection is based on ‘hash’ value of unencrypted messages, wherein identical messages result in a common hash (message digest) irrespective of the encryption used by a messaging platform[6]. The FAQs allow SSMIs flexibility in coming up with alternative technological solutions to implement this principle[7]. MeitY also asserts that enabling traceability does not violate users’ privacy due to the safeguards provided under Rule 4(2) for issuance of orders requiring SSMIs to enable traceability[8].
6. Penalties for users: In the FAQs, MeitY has reiterated that intermediaries who are non-compliant with the provisions of the 2021 IT Rules would lose their immunity conferred under Section 79, IT Act and consequently be liable for prosecution under applicable law(s). The FAQs inform that while no penalties are prescribed for individual users for non-compliance with the 2021 IT Rules, they can be prosecuted if the content circulated by them violates other laws like the Indian Penal Code, 1860, IT Act, Copyright Act, 1957, etc, in the manner prescribed under such laws.

Analysis

Although the FAQs contain some helpful clarifications, such as the requirement to specify URLs of the at-issue unlawful content in governmental orders directing intermediaries to take it down, several lacunae/ ambiguities under the 2021 IT Rules still persist. These, inter-alia, include: (1) the procedural safeguards to be followed while issuing blocking orders to intermediaries; (2) which alternatives the Government ought to consider before issuing directions requiring relevant SSMIs to enable traceability of originator information; and (3) the extent of liability of personnel to be appointed by intermediaries for non-compliance with the 2021 IT Rules. Further, some of the assertions made by MeitY in the FAQs regarding the constitutionality of these rules, especially that they are consistent with the constitutional contours of freedom of speech and right to privacy, are questionable.

Our detailed analysis of the FAQs can be accessed here.