1 Legal and enforcement framework
1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?
India has no dedicated law or regulation that governs the development, use and operation of blockchain/distributed ledger technology (DLT). Over the past few years, as the adoption of blockchain technology in India has increased, the government has taken a positive stance towards its deployment.
However, at the same time, the Ministry of Finance and the Reserve Bank of India (RBI) have expressed concerns about the risks associated with virtual currencies, cautioning the public at large that virtual currencies are not an authorised medium of payment, and that entities operating virtual currency schemes or otherwise dealing with virtual currency (including Bitcoin) have no licence or authorisation to conduct such activities.
In addition, the Inter-ministerial Committee constituted under the chairmanship of the secretary of the Department of Economic Affairs to examine the policy and legal framework for the regulation of virtual currencies has submitted a draft bill – the Banning of Cryptocurrency and Regulation of Official Digital Currency Bill, 2019 – along with a report to the government. Among other things, the bill seeks to prohibit the use, issuance, transfer, mining, generation, disposal and sale of cryptocurrencies in the territory of India. While the bill has still not been tabled before Parliament, it is imperative that blockchain developers building products or protocols relating to virtual currencies stay abreast of any regulatory changes that may be introduced with regard to the use of virtual currencies in India.
1.2 How do the foregoing considerations differ for public and private blockchains?
In our view, irrespective of whether a blockchain is public or private, the considerations discussed in this Q&A will apply. However, implementing governance standards in a public blockchain (legal or regulatory) may be more difficult, given that the system is likely to be spread across multiple jurisdictions and thus there may be no centralised ‘operators' to hold accountable.
1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?
As mentioned in question 1.1, the RBI has issued several cautionary advisories in the form of press releases (issued on 24 December 2013, 1 February 2017 and 5 December 2017) to users, holders, investors, traders and similar parties that deal in virtual currencies, highlighting the potential financial, operational, legal, customer protection and security-related risks associated with dealing in virtual currencies.
In its press releases, the RBI highlighted the following risks:
- The electronic wallets in which virtual currencies are digitally stored are prone to losses due to hacking, malware attacks and so on. As virtual currencies are not traded through an authorised central agency, the loss of an electronic wallet could result in the permanent loss of the virtual currency stored therein.
- Users of blockchain-based applications should be mindful not to transact using virtual currencies or engage with entities within the RBI's regulatory supervision, such as banks and financial institutions, in connection with virtual currencies. As payment of virtual currencies over such applications takes place on a peer-to-peer basis, without regulation by an authorised central agency, customers may have no recourse in case of problems or disputes.
- There have been media reports of the use of virtual currencies for illicit and illegal activities in various jurisdictions. The absence of information of counterparties in peer-to-peer anonymous/pseudonymous systems could subject them to unintentional breaches of laws relating to anti-money laundering and counter-terrorist financing.
However, the above issues are relevant only in the case of virtual currencies. For applications other than virtual currencies, organisations using blockchain technology should be cognisant of the regulatory framework that governs the use of technology over the Internet and the sectoral regulations that may apply to the deployment of such technology, keeping in mind the sector in which it is proposed to be implemented.
In this regard, the Information Technology Act, 2000 and rules framed thereunder (including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules') not only provide legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but also contain provisions which are aimed at safeguarding electronic data, information and records, and preventing unauthorised or unlawful use of a computer system.
While compliance with the requirements stipulated under the IT Act and the rules framed thereunder (including the SPDI Rules) could pose practical challenges in implementation, due to the decentralised nature blockchain technology (as there is usually no controlling ‘body corporate' to hold accountable for adherence to the data privacy and cybersecurity framework), it is advisable that users of blockchain technology:
- implement reasonable security practices and procedures with respect to the collection, handling and sharing of personally identifiable data or information, in conformity with the SPDI Rules; and
- build a robust governance framework that is designed to mitigate cybersecurity risks.
1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
Given that there are no laws or regulations that specifically govern the use of blockchain/DLT, there is no dedicated administrative body in India that monitors the use and deployment of blockchain /DLT.
However, as mentioned in questions 1.1 and 1.3, the RBI, which regulates the financial services sector, has been proactive in issuing advisories in the form of press releases to users, holders and traders dealing in virtual currencies, cautioning them about the potential financial, operational, legal, customer protection and security-related risks associated with virtual currencies. The RBI also issued a directive to entities regulated by the RBI prohibiting them from dealing in virtual currencies or providing any services to facilitate any person or entity from dealing in or settling virtual currencies, including maintaining accounts, giving loans against virtual tokens, accepting virtual tokens/currencies as collateral and opening accounts with exchanges that deal with them.
This directive was challenged before the Supreme Court of India by the Internet and Mobile Association of India (IAMAI) – a not-for-profit organisation which represents the interests of the online and digital services industry – shareholders and founders of crypto-asset exchange platforms, and individual crypto-asset traders, among others. On 4 March 2020 the Supreme Court set aside the RBI directive on the grounds of proportionality, holding that the RBI had failed to establish how regulated entities have suffered loss or otherwise been adversely affected, directly or indirectly, on account of their interactions with virtual currency exchanges. It reached this conclusion on the grounds that there is nothing in Indian law that prohibits trading in virtual currencies.
As a result of this judgment, regulated entities are no longer restricted from providing banking services relating to the purchase or sale of virtual currencies.
While the judgment struck down the RBI directive, it nonetheless recognised the extensive powers of the RBI to regulate financial systems under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934 and the Payment and Settlement Systems Act, 2007.
The Supreme Court held that the RBI is akin to any other statutory regulator and its decisions – including circulars – in the economic domain are supplemental to the statutes, including as regards its power to regulate anything that may pose a threat to or have an impact on the financial system. It held that the RBI has the power to regulate or restrict virtual currencies, which have the potential to interfere with matters within its regulatory domain.
In addition, the draft Banning of Cryptocurrency and Regulation of Official Digital Currency Bill, 2019 (as discussed in question 1.1), in its current form, empowers ‘investigating authorities' to undertake searches and seizures to investigate offences that are contemplated under the bill. The bill defines an ‘investigating authority' as a police officer not below the rank of deputy superintendent. The activities that are punishable under the bill include selling, issuing, transferring and using cryptocurrencies for investment, purchase, sale or storage.
1.5 What is the regulators' general approach to blockchain?
The government's approach towards blockchain/DLT has generally been favourable. However, its approach towards virtual currencies – one such application of blockchain technology – has been radically different, as outlined in questions 1.1 and 1.3.
On several occasions, the government has made pro-blockchain remarks through its various committees and instrumentalities, expressly acknowledging the benefits of adopting blockchain in India.
Former Finance Minister Arun Jaitley, in his Union Budget speech of 2018, stated that the government does not consider cryptocurrencies as legal tender and will take all measures to eliminate the use of these crypto-assets to finance illegitimate activities or as part of the payment system. However, he added that India will explore the use of blockchain technology proactively to help promote the digital economy.
To fulfil this objective, the National Institution for Transforming India Aayog, the government's think tank, has been tasked with studying use cases of blockchain technology and developing viable prototypes.
Further, among other things, the IMC report recommends that:
- the DEA take necessary measures to facilitate the use of DLT across the financial sector after identifying its potential uses; and
- regulators such as the RBI, the Securities and Exchange Board of India, the Insurance Regulatory Development Authority of India, the Pension Fund Regulatory and Development Authority and the Insolvency and the Bankruptcy Board of India explore the evolution of appropriate regulations for development of DLT in their respective areas.
The IMC also recommends the use of DLT to reduce compliance costs for know-your-customer requirements.
In addition, in August 2019 the RBI introduced an enabling framework for a regulatory sandbox. The aim of the regulatory sandbox is to encourage innovations intended for use in the Indian market where:
- there is an absence of governing regulations; or
- there is a need to temporarily ease regulations in order to promote innovation or because a proposed innovation has the capacity to streamline the delivery of financial services.
The framework covers innovative products, services and technologies which could be considered for testing, such as applications of blockchain technologies. This reflects the positive approach of the RBI towards blockchain.
There are a few other use cases in which blockchain technology has been implemented by state governments to enhance governance (see question 2.2).
The above initiatives attest to the positive attitude of the government and the regulators with regard to blockchain technology.
1.6 Are any industry or trade associations influential in the blockchain space?
Yes, various industry associations in India have made a considerable impact in the blockchain space and have been instrumental in encouraging the use and deployment of blockchain technology by stakeholders.
Bankchain is a consortium of banks in India that is leading the development and implementation of blockchain in the banking and finance sector.
The Federation of Indian Chambers of Commerce and Industry has also been proactive in collaborating with various industries engaged in the development of blockchain technology to develop a regulatory and governance framework for the implementation of blockchain technology, and in organising seminars and conferences with leading players that are utilising blockchain technology.
The IAMAI – one of the petitioners in the litigation against the RBI before the Supreme Court regarding virtual currencies – has obtained a favourable decision from the Supreme Court setting aside the ban imposed by the RBI on regulated entities dealing in, or facilitating, virtual currencies.
The National Association of Software and Services Companies – a not-for-profit industry association that represents the IT industry – has prepared a report on the state of the blockchain market and the future direction of the industry, both in India and globally.
These industry associations have continually advocated reforms in the regulatory landscape for the advancement and growth of new technologies, including blockchain.
2 Blockchain market
2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?
In India, some of the most notable applications of blockchain technology have been witnessed in the financial services/fintech space.
Most recently, the National Payments Corporation of India (NPCI) has developed a platform called Vajra, which is based on distributed ledger technology (DLT) and is designed to automate payment clearing and settlement processes for NPCI products.
In 2017 the State Bank of India formed the consortium BankChain to explore the use of blockchain technology in the banking technology space. The consortium – which today has 37 members and 22 live projects – has been working to set up an integrated corporate electronic know-your-customer platform, a vendor rating system and a blockchain-powered register, which records hypothecations, liens, mortgages and pledges.
Several banks and financial institutions – such as Axis Bank, ICICI Bank, Kotak Mahindra Bank and Yes Bank – have been running blockchain experiments to address their trade finance process requirements by digitising functionalities including bill collection, letters of credit and invoice financing.
Other sectors, such as telecommunications, are also seeking to promote the adoption of DLT by industry stakeholders. The Telecom Commercial Communication Customer Preference Regulation, 2018 (TCCPR), issued by the Telecom Regulatory Authority of India, mandates the use of DLT by telecommunications operators to solve the problem of unsolicited commercial communications. Pursuant to the TCCPR, Tech Mahindra has reportedly entered into a partnership with Microsoft to set up a distributed ledger to record customer preference registration, consent acquisition, dynamic preference setting, stakeholder onboarding, header registration, template registration, scrubbing and complaint handling and tracking.
2.2 What potential new applications/protocols are most actively being explored?
Both the government and players in the private sector have been fairly proactive in exploring the use and adoption of blockchain technology in India.
Prominent examples of new applications of blockchain include the following:
- The Andhra Pradesh government has piloted projects to manage land records to help prevent property-related disputes and streamline vehicle registrations.
- The Maharashtra government has shortlisted entities to participate in pilot projects for the use of blockchain technology in relation to financial inclusion, land records, supply-chain financing, goods and farm insurance, and motor vehicle registration.
- Apollo Hospitals, in collaboration with Oracle, Strides Pharma and National Institution for Transforming India (NITI) Aayog, has built a blockchain solution that will store pharmaceutical details such as serial numbers, labelling and scanning details in manufacturers' supply chains, which will track every change of hands of a pharmaceutical product in the network.
- NITI Aayog, in partnership with Gujarat Narmada Valley Fertilizers & Chemicals Limited, is exploring the use of blockchain technology for fertiliser subsidy management.
- The Indian Patent Office has issued an expression of interest to utilise blockchain in its patent processing system.
- Coffee Board – a project launched by the Ministry of Commerce and Industry to set up a blockchain-based e-marketplace to integrate farmers with markets in a transparent manner and help realise fair prices for coffee producers – has collaborated with M/s Eka Plus to develop a blockchain-based marketplace application. This application can be used for trading in Indian coffee, ensuring traceability from bean to cup, so that consumers taste real Indian coffee and growers are paid fairly for their produce.
2.3 Which industries within your jurisdiction are making material investments within the blockchain space?
The financial services/fintech industry (which includes stakeholders in the banking and payments space) has made substantial investments in the development of blockchain and DLT in facilitating payment transactions, such as Bankchain and the Vajra platform launched by the NPCI.
The healthcare industry is also undertaking large-scale development and deployment of blockchain-based solutions for the safekeeping of health records.
2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?
In July 2016 the Reserve Bank of India (RBI) set up an inter-regulatory working group to review the regulatory landscape of the rapidly evolving fintech industry, among other things. One of the working group's key recommendations was to introduce an appropriate framework for the regulatory sandbox.
The regulatory sandbox facilitates the live testing of new products or services in a controlled regulatory environment, in which regulators may permit certain regulatory relaxations for the limited purpose of testing. It allows the regulator, innovators, financial service providers and customers to conduct field tests to collect evidence on the benefits and risks of new financial innovations, while carefully monitoring and containing their risks.
In line with the recommendations of the working group, on 13 August 2019 the RBI introduced the enabling framework relating to the regulatory sandbox. The framework covers innovative products, services and technologies developed by start-ups, banks, financial institutions and other companies that partner with or provide support to financial services businesses which could be considered for testing, such as applications of blockchain technologies. However, only entities that meet the criteria set out in the enabling framework prescribed by the RBI are eligible to undertake such testing.
Other initiatives include the following:
- The Telangana government has also introduced a draft policy to provide for land subsidy schemes for industries engaged in developing blockchain technology. As part of this policy, the Telangana government proposes to support the use of shared infrastructure – both IT and physical – to encourage research, prototyping and development of blockchain solutions in the state of Telangana. To this end, it will establish shared infrastructure facilities, which can be utilised by start-ups, industry, communities and academia either at a nominal cost or free of charge.
- eMudra – the certifying authority licensed under the IT Act – has launched a research and development (R&D) centre for the development of technology solutions and products based on blockchain. It is also working on a hybrid model to secure transactions with blockchain to streamline identity (ID) verification while using Aadhaar or other forms of ID by storing ID verification records on a blockchain, thereby automatically creating a shared registry that can also be leveraged by other parties.
- The government of Maharashtra and the Monetary Authority of Singapore signed a memorandum of understanding in February 2018 to strengthen cooperation and explore potential joint innovation projects on the application of key technologies such as blockchain.
- The Institute for Development and Research in Banking Technology (IDRBT), established by the RBI, has been awarded a project by the Ministry of Electronics and Information Technology entitled "Distributed Centre of Excellence for Blockchain Technology". The IDRBT has been tasked with developing an R&D ecosystem through which government departments can foster blockchain technology, and design, develop and implement pilot projects/prototyping of blockchain-based application in the domains of governance, banking and finance and cybersecurity.
- Like other state governments, the governments of Rajasthan and Uttar Pradesh have partnered with blockchain developers to design, develop and implement blockchain solutions for the purposes of land registration.
3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?
The term ‘cryptocurrency' or ‘virtual currency' has not been defined under any statue in India. However, the RBI, through its various circulars (including the circular dated 24 December 2013), has recognised virtual currency to include Bitcoin, Litecoin, BBQcoin, Dogecoin and similar.
In addition, the Banning of Cryptocurrency and Regulation of Official Digital Currency Bill, 2019 proposed by the Inter-ministerial Committee (IMC), defines the term ‘cryptocurrency' as follows:
Cryptocurrency, by whatever name called, means any information or code or number or token not being part of any Official Digital Currency, generated through cryptographic means or otherwise, providing a digital representation of value which is exchanged with or without consideration, with the promise or representation of having inherent value in any business activity which may involve risk of loss or an expectation of profits or income, or functions as a store of value or a unit of account and includes its use in any financial transaction or investment, but not limited to, investment schemes.
As mentioned in question 1.4, given that the bill submitted by the IMC is currently under consideration by the relevant government stakeholders and has not yet been tabled in the Houses of Parliament, at present there is no specific law that regulates cryptocurrencies and virtual currencies in India.
3.2 What anti-money laundering provisions apply to cryptocurrencies?
As mentioned in question 3.1, as there are no specific laws or regulations that govern cryptocurrencies in India, there are no anti-money laundering provisions in India that apply to cryptocurrencies.
However, some of the Bitcoin exchanges operating in the past were voluntarily complying with the know-your-customer/anti-money laundering requirements mandated by the RBI.
3.3 What consumer protection provisions apply to cryptocurrencies?
Like most other laws, the Consumer Protection Act, 1986 does not specifically envisage the use of cryptocurrencies and accordingly provides no protection to consumers or users that deal with cryptocurrencies.
The RBI has reiterated this position while voicing its concerns as to the lack of a consumer protection framework with respect to virtual currencies (in its circular), stating that: "Payments by virtual currencies, such as Bitcoins, take place on a peer-to-peer basis without an authorised central agency which regulates such payments. As such, there is no established framework for recourse to customer problems / disputes / charge backs etc."
3.4 How are cryptocurrencies treated from a tax perspective?
In India, taxes are charged on income or expenditure. Taxes charged on income are direct taxes governed by the Income Tax Act, 1961; whereas taxes charged on expenditure are indirect taxes primarily governed by the Central Goods and Services Tax Act, 2017 and the Integrated Goods and Services Tax Act, 2017 (‘GST Act').
Under the Income Tax Act, a cryptocurrency may be treated as a capital asset in the hands of the holder of cryptocurrency. Therefore, any profit or gain arising from the transfer of cryptocurrency may be treated as a capital gain in the hands of the transferor and taxed accordingly.
However, if the transferor is in the business of trading in cryptocurrencies, income realised from trading in such cryptocurrencies may be taxed as profits and gains of a business or profession at the normal income tax (or corporate tax) rate.
At present, the GST Act includes no specific category for cryptocurrencies. However, we understand that the government is deliberating on measures that would bring cryptocurrencies within the GST regime.
3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?
As yet, there is no specific law that regulates cryptocurrencies in India; thus, no regulatory requirements currently apply to cryptocurrency traders/exchanges.
3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?
Currently, initial coin offerings and securities token offerings are not recognised under Indian law.
4 Smart contracts
4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?
The Indian Contract Act, 1872 (ICA) is the principal statute governing contracts entered into, or executed in, India. Additionally, the IT Act is relevant with regard to the enforceability of contracts executed through electronic means.
While the ICA does not specifically envisage smart contracts – or even electronic means of communicating the offer or acceptance of a contracts – technological advances and the advent of e-commerce have compelled the Indian courts to adjudicate disputes arising from contractual relationships created by telephone, fax, email and other means of electronic communication – all of which have been recognised by the courts as valid means of communication for the creation of a contractual relationship.
A smart contract – being a contract entered into through electronic means – is governed by the ICA in the same manner as any other contract physically executed between contracting parties. To be valid, it must have the same attributes as any other contract executed physically.
Accordingly, to be considered valid, a smart contract must have the same attributes as an ordinary paper contract as specified under the ICA – that is:
- the contracting parties must be competent to contract;
- the contracting parties must provide their free consent;
- the underlying consideration must be lawful;
- the contract must have a lawful object; and
- the contract must not be expressly declared to be void under the relevant provisions of the ICA.
The IT Act, on the other hand, gives legal recognition to electronic records and contracts concluded through electronic means. The IT Act stipulates that a contract is not invalid merely because it is entered into in electronic form. In other words, the validity of a contract does not depend on whether it is executed in physical form or electronic form. Hence, a smart contract should independently satisfy the prerequisites for a valid contract under the ICA, as discussed above.
4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?
While there is no single universally accepted guidance on or definition of smart contracts in India, the concept has been interpreted by multiple stakeholders. For instance, the Report of the Working Group issued by the RBI on 20 November 2017 has construed smart contracts as computer protocols that can self-execute, self-enforce, self-verify and self-constrain the performance of a contract.
The 5 January 2017 white paper on applications of blockchain technology in banking and finance issued by the Institute for Development and Research in Banking Technology describes smart contracts as pieces of software that extend the utility of blockchains from simply keeping a record of financial transaction entries to automatically implementing terms of multi-party agreements. Smart contracts are executed by a computer network that uses consensus protocols to agree upon the sequence of actions resulting from the contract's code. With a shared database running a blockchain protocol, the smart contracts auto-execute, and all parties validate the outcome instantaneously and without the need for a third-party intermediary.
In addition, the Telecom Commercial Communication Customer Preference Regulation (TCCPR), which regulates unsolicited commercial communications, defines a ‘smart contract' as:
a functionality of intelligent and programmable code which can execute pre-determined commands or business rules set to pre-check regulatory compliance without further human intervention and suitable for DLT system to create a digital agreement, with cryptographic certainty that the agreement has been honored in the ledgers, databases or accounts of all parties to the agreement.
Regulation 13 of the TCCPR requires access providers (eg, basic telephone service providers, cellular mobile phone service providers and unified access service providers) that adopt distributed ledger technology (DLT) with permissioned and private DLT networks for the implementation of systems, functions and processes described in their code(s) of practice to operate smart contracts among entities to effectively control the flow of commercial communications, among other things.
In the absence of specific guidelines or policies that outline the regulatory framework for smart contracts, the legality of smart contracts could be evaluated on the premise that, as long as such contracts contain all attributes and essentials of a valid contract in terms of the ICA, they will be considered to be valid and enforceable, as described in question 4.1.
4.3 What parts of traditional contract might smart contracts be able to replace?
Smart contracts may prove to be more effective than traditional contracts in the case of standard agreements where performance does not require human intervention, and where the terms of the arrangement are non-negotiable and are unlikely to change or be renegotiated during the subsistence of the contract.
The implementation of smart contracts for such arrangements would reduce the time and resources spent on contract management and help to manage compliance with the parties' obligations, which could be burdensome to track in the case of traditional contracts. We believe that supply chain, trade finance and insurance arrangements may be best suited for smart contracts.
4.4 What parts of traditional contracts might smart contracts be unable to replace?
Smart contracts may prove to be ineffective for complex arrangements where the roles and responsibilities of the parties are unique and dynamic. This is because, unlike traditional contracts, smart contracts cannot be altered or amended freely at any point of time at the option of the parties.
This could be a significant limitation, as under traditional contracts, the parties are free to decide on certain key aspects of the agreement and change their arrangements over a period of time. Under a traditional contract, having considered the long-term commercial benefits of the relationship, one party may even decide to excuse a non-material breach by not enforcing the remedies available under the contract. This ability to enforce the contract on an ad hoc basis is unlikely to be present under a smart contract.
Certain arrangements may warrant the imposition of subjective obligations on the parties. For instance, under a traditional contract, a party may be obliged to use ‘best efforts'. However, this stipulation cannot be effectively reduced into computer code to be incorporated into a smart contract.
4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?
The issues relating to the judicial enforcement of smart contracts could extend from the validity of such contracts to their admissibility in a court of law, as smart contracts are not specifically recognised under Indian law.
If smart contracts are construed as in the nature of electronic contracts as per the IT Act, the provisions relating to the admissibility of electronic contracts will need to be examined. In this context, the Evidence Act 1872 provides that:
- in a proceeding involving a ‘secure' electronic record, the court must presume, unless the contrary is shown, that such record has not been altered; and
- in case of an electronic record that is not ‘secure', no automatic presumption relating to the authenticity and integrity of the electronic record will be made by the courts and accordingly such authenticity will have to be established by the concerned party in a court of law.
Also, since blockchain has the ability to cross jurisdictional boundaries, as the nodes on a blockchain can be located anywhere in the world, the enforcement of smart contracts may pose a number of complex jurisdictional issues which will require careful consideration.
4.6 What are some practical considerations that parties should consider when drafting a smart contract?
As smart contracts are typically drafted by technical experts/programmers (who are non-lawyers), the parties to a smart contract must ensure that the programmer drafting the contract understands the nuances of the arrangement and the commercial and legal terms agreed between the parties.
Unlike with the drafting of traditional contracts, where lawyers are generally privy to the negotiations, programmers might have little insight into the business objectives that the parties are seeking to achieve through the legal arrangement. Hence, the parties must ensure that the programmer is educated about the same. Simply handing over a copy of the term sheet to the programmer would be unproductive, as it would require the programmer to decipher a legal document, which he or she may not be trained to read and comprehend.
As such, the terms of the contract that are intended to be incorporated in the smart contract code should be unambiguous. The terms may also contemplate the cost involved in the creation of the smart contract and the costs related to running the smart contract on the applicable blockchain.
In addition, representations and warranties are essential, to allocate risks surrounding the creation and deployment of a smart contract. It is possible that a party to a smart contract may claim that it did not understand the nature of the transaction embodied in the smart contract, given the technical nature of the coding. Accordingly, each party should provide a representation that it has reviewed the terms of the smart contract and understands them at the time the smart contract is entered into.
Also, since smart contracts are automated, the incorrect entry of a force majeure event could trigger an unintended suspension event, which may cause loss to the parties. Therefore, it is essential that the force majeure provision be given considerable attention and that events be clearly outlined.
Further, where the parties enter into both traditional and smart contracts for the same arrangement, there could be unforeseen conflicts between the contractual terms. Accordingly, there should be abundant clarity as to which terms should prevail in order to avoid any ambiguity in the interpretation of the contract by the courts. Best practice would be to specify in the corresponding traditional contract that its terms will prevail over any conflicting term or outcome of the smart contract.
In certain scenarios, the parties may also want to include a kill function in the smart contract that enables them to exercise an override mechanism to undo any inadvertent or unplanned result arising from the smart contract. The parties should carefully consider the circumstances in which a party should be able to run that function (eg, the ability to activate the kill function would amount to a right of termination for convenience) when not intended to be exercised.
4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?
While most of the considerations highlighted in question 4.6 remain the same regardless of whether a blockchain is public or private, certain confidentiality and data security risks may be more significant in a public blockchain. Therefore, parties proposing to transact using smart contracts should consider the security of their smart contract codes and carefully audit it before deploying them on a blockchain – especially in the case of a public blockchain. Poorly written or insufficiently tested code can leave a smart contract exposed to security threats, allowing unauthorised parties to trigger or otherwise interact with highly confidential and commercially sensitive smart contracts. The level of privacy and confidentiality inherent in smart contracts can vary, depending on whether the smart contract is stored on a public or private blockchain.
5 Data and privacy
5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?
The IT Act and the Sensitive Personal Data or Information (SPDI) Rules set out the legal framework with respect to privacy and data protection in India. The SPDI Rules regulate the collection, use, handling and transfer of SPDI. The SPDI Rules also require body corporates that possess, deal with or handle SPDI through a computer resource to implement and maintain prescribed "reasonable security practices and procedures" to safeguard such data from unauthorised access, use, alteration, disclosure or damage.
Given that in a blockchain construct, there is no centralised agency or organisation, and the information is shared with all blockchain participants in a decentralised manner, there may be ambiguity as to the applicability of the obligations under the SPDI Rules, including implementation of the requirement to comply with "reasonable security practices and procedures". This is because there is no single body corporate that collects and uses SPDI in a computer resource.
5.2 What potential advantages can blockchain offer in the data protection/privacy context?
Blockchain has the inherent advantages of undisputed computing and ledger keeping of transactions, which provides for confidentiality, authenticity, non-repudiation, data integrity and data availability at the same time.
One of the key benefits of blockchain is its potential for watertight data protection. Data – especially that which is maintained by governmental authorities – is highly vulnerable to cyberattacks, which could lead to devastating consequences.
Blockchain ensures that data is stored in a decentralised and trusted manner, and that the user's digital identity is also stored securely.
One such application of blockchain technology that has demonstrated the above characteristics is National Institution for Transforming India Aayog's partnership with Oracle, through which it has piloted a drug supply chain using blockchain technology. In this use case, blockchain has exhibited its ability to facilitate the secure sharing of information across the drug supply chain, with every exchange of information recorded. This precludes the tampering and deletion of records of the movement of drugs throughout the supply chain, so that there can be no dispute if an offender is caught.
6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?
India has no dedicated cybersecurity law. The IT Act, read with the rules and regulations framed thereunder, deals with cybersecurity and the cybercrimes associated therewith. As discussed in question 1.3, the ‘body corporate' that handles sensitive personal data or information (SPDI) must implement "reasonable security practices and procedures" by maintaining a comprehensive documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of information being protected. In this context, the SPDI Rules recognise the International Standard IS/ ISO/ IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" as one such approved security standard that can be implemented by a body corporate for the protection of personal information.
However, these requirements may be difficult to implement where blockchain technology is used or deployed. In such cases, there is usually no controlling body corporate to hold accountable for cybersecurity incidents. Where blockchain operators are involved in handling personal data, including SPDI, they will be responsible for compliance with the cybersecurity requirements stipulated under the IT Act and the SPDI Rules. However, as the blockchain infrastructure is decentralised and there is not always a centralised ‘operator' (as is the case with Bitcoin), there may be no mechanism to ensure compliance with the cybersecurity requirements prescribed under the IT Act and the SPDI Rules.
In addition, the existing standards on information security, such as the IS/ISO/IEC 27001, which the SPDI Rules prescribe may not suffice for the purposes of blockchain, as these were not formulated with its decentralised nature in mind.
6.2 What potential advantages can blockchain offer in the cybersecurity context?
Blockchain can be instrumental in maintaining and enhancing data integrity, as its immutable cryptographic blocks are likely to frustrate any attempts to tamper with the data (as these would require a consensus among the majority of participating nodes in the blockchain). Accordingly, this makes a blockchain-based structure almost tamper-proof.
Blockchain technology can serve as a meaningful replacement to architecture that involves a human element in data storage. The human element can potentially cause errors, which can be exploited by hackers, resulting in data breaches. This technology can be used to prevent data breaches, identity theft and foul play in transactions.
Some of the ways in which blockchain can enhance cybersecurity include the following:
- Keeping the Domain Name System (DNS) secure: The DNS is vulnerable to attack by hackers who can disrupt DNS service providers, thereby affecting major web portals. Deploying blockchain to strong DNS entries can enhance the security of DNS, as it acts as a replacement to an identifiable single target which can be attacked.
- Mitigating denial of service attacks: In denial of service attacks, a server or network resource may be a target to deny service to genuine users of such resources. Blockchain can be deployed to provide protection against such attacks.
- Blockchain does not rely on traditional usernames and passwords, but rather on private keys and multi-level authentication, which reliably provides stronger protection.
- Blockchain may be used by organisations to validate their software configurations and component lists to identify malware.
6.3 What tools and measures could be implemented to mitigate cybersecurity risk?
Depending on the nature and extent of the cybersecurity risks and the sensitivity of the sector in which the business operates, cyber-incident response strategies may differ from one business to another. Common measures that can be implemented to mitigate cybersecurity risks include:
- deploying a set of detailed information security policies;
- conducting regular transaction monitoring and information security risk assessments;
- setting up risk mitigation and transition plans;
- updating relevant stakeholders within the organisation on their respective roles in advancing and allocating appropriate personnel to engage with the regulatory authorities; and
- dealing with clients, service providers and other stakeholders.
Many companies also conduct regular assessment of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to the Indian Computer Emergency Response Team and seek advice with respect to incident recovery, damage containment and systems recovery.
Audit firms in India are also developing measures to counter cybersecurity threats for the clients they represent. Some of these measures include:
- building in-house facilities for managed security services, including situational awareness on cybersecurity risks, ongoing monitoring and analysis of security parameters;
- implementing secure, vigilant and resilient approaches towards cybersecurity, to test their capability to counter cyberattacks; and
- adopting auditing codes for blockchain solutions that test the cybersecurity of such solutions.
7 Intellectual property
7.1 What specific challenges or concerns does blockchain present from an IP perspective?
One of the key challenges that blockchain is likely to present from an IP perspective concerns the enforcement of IP rights in blockchain technology. Given that a blockchain protocol may be developed across multiple locations globally, there may be issues relating to the jurisdiction in which the intellectual property should be protected and enforced.
7.2 What type of IP protection can blockchain developers obtain?
The IP protection available to blockchain technology will depend on the end use of the technology – whether it constitutes a computer programme, a data compilation or a design, for example. For instance, protection can be obtained under the Patent Act 1970 if the blockchain technology qualifies as an invention that has industrial application and involves technical advancement as compared to the existing knowledge, has economic significance or both, and is not obvious to a person skilled in art.
Blockchain technology can also be protected under the Copyright Act 1957. The Copyright Act defines a ‘computer program' as "a set of instructions expressed in words, codes, schemes or any form, including a machine readable medium, capable of causing a computer to perform a particular task or achieve a particular result". Given the breadth of this definition, blockchain technology is eligible for copyright protection.
7.3 What are the best open-source platforms that could be used to protect developers' innovations?
The Indian government has not specifically favoured or recognised any open source platforms as trusted platforms. Based on publicly available information, it appears that Ethereum is the most highly ranked and commonly used open source platform, as it allows users to develop many kinds of applications on it with zero licensing fees.
7.4 What potential advantages can blockchain offer in the IP context?
Blockchain technology has immense potential from an IP standpoint.
As discussed in question 2.2, the Indian Patent Office has issued an expression of interest to make use of blockchain in the patent processing system, given its potential to accelerate the examination of applications and facilitate reliable record management, smart licensing and contractual agreements.
Other potential advantages that blockchain could offer in the IP context include the following:
- As actions performed using blockchain are time stamped and immutable, the technology could help to determine prior use to establish proprietary rights under the IP laws.
- Where a copyright-protected work is licensed, smart contracts could be used to ensure that royalty payments are made to the licensor in real time whenever the work is used by the licensee. Blockchain and distributed ledger technology archives could also facilitate the licensing of copyrighted works and other IP rights.
- In a supply chain, if goods can be traced on an immutable blockchain and ledgers can show the relative ownership or authorised licensees of the goods, this will enable all persons in the supply chain – including consumers and authorities – to distinguish genuine products from counterfeit goods.
8 Trends and predictions
8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?
In light of the Supreme Court of India judgment regarding virtual currencies (as discussed in question 1.4), entities regulated by the Reserve Bank of India are no longer restricted from providing banking services relating to the purchase or sale of virtual currencies. Such entities may therefore allow customers to link their bank accounts with the accounts of virtual currency exchanges and platforms to facilitate the purchase and sale of virtual currencies in India.
However, the virtual currency industry still faces hurdles: the draft Banning of Cryptocurrency and Regulation of Official Digital Currency Bill, 2019, if introduced and passed by Parliament (as discussed in question 1.1), could reinforce the stance taken by the government to prohibit dealings in virtual currencies in India.
8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?
Most of the current laws and regulations place trust in centralised agencies or entities which are either licensed by the regulator or the regulators themselves. Increased adoption of blockchain will require large-scale amendments – not only to some of the central laws, but also to sector-specific laws and regulations, given the decentralised nature of the technology and the infrastructure.
8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?
Unless the regulatory framework is amended to expressly account for blockchain technology and address the uncertainty surrounding its use, organisations that develop or deploy blockchain technology-based products and solutions may face practical challenges in implementation from a legal, tax and contractual perspective.
9 Tips and traps
9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?
Given the regulatory uncertainty in this space, it is essential that stakeholders in the public and private sectors collaborate to promote awareness of the potential benefits and applications of blockchain and lobby for a unified legal and regulatory framework that embraces the technology.
There are many unsolved problems to tackle before the full potential of blockchain-related technologies can be realised, including issues relating to privacy and cybersecurity. As well as ensuring that the technology is robust and scalable, the ethical and social implications of the different potential uses and the financial costs and benefits of adoption should be considered.
The government should be mindful that if it waits for ‘perfect' solutions without fully exploring the potential of blockchain technology, it could miss the opportunity to implement the unique applications that this has to offer and fall behind the rest of the world.
At the same time, blockchain developers should avail of the incentives offered to them to test and design blockchain protocols – especially in sectors where the regulators have taken a more liberal approach to innovation by allowing entities to undertake testing in a controlled environment, such as the regulatory sandbox.
Credit: Ms. Shagun Badhwar, Senior Associate & Mr. Shubham Parkhi, Associate
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.