General Anti-Avoidance Regulations: The Indian Journey so far

  1. Background

General Anti-Avoidance Regulations (‘GAAR’) are aimed to target complex and / or peculiar tax avoidance arrangements not dealt directly by the provisions of tax laws. Such tax avoidance arrangements which are artificial i.e. having no commercial substance entered with the main motive of abusing tax provisions.

GAAR has also been termed as codification of the doctrine of substance over form with the objective of deterring occurrence of tax avoidance arrangements rather than per se revenue generation.

GAAR regulations intend to deal with tax avoidance arrangements and not tax mitigation or instances of tax evasion considering that tax avoidance is distinct from tax mitigation and tax evasion. Where, on the one hand, tax evasion is illegal or forbidden by law, tax mitigation is where tax payer takes advantage of a fiscal incentive offered to him by the tax legislation.

The above can be explained by way of an illustration, let us take a situation where Company incorporates its manufacturing division in Special Economic Zone (SEZ) so that it can take benefit of tax holiday offered by the tax statute. It being a fiscal incentive and taking its advantage would amount to tax mitigation. In the same situation, if the company were to manufacture in non-SEZ zone but diverts the manufactured products to SEZ, where no value addition is done, it would be regarded as tax evasion, emanating due to misrepresentation of facts.

Having suggested so, it has been variedly held that tax avoidance arrangements do otherwise affect economic efficacy, fiscal justice and revenue productivity.

With this given conceptual background, the concept of GAAR was first introduced in India through draft Direct Tax Code (‘DTC’), 2009. DTC was introduced with a view to replace the Indian Income Tax Act, 1961, aiming to achieve simplification in terms of language and structure vis-à-vis the extant direct tax provisions. The same along with a discussion paper was released on August 12, 2009 for public comments.

Subsequently, a Revised Discussion Paper was released in June 2010, based upon the initial feedback received and was again made available for public comments.

Thereafter, the Draft of Direct Taxes Code, 2010 (‘DTC 2010’) was placed by the Government of India before the Parliament on 30 August 2010. In specie, DTC 2010 did retain most of the GAAR provisions proposed by DTC 2009. Also other certain enabling provisions were incorporated to effectuate the proposed GAAR provisions.

  1. GAAR-Evolution Process

The DTC 2009 introduced GAAR with a prime objective of its acting as a deterrent against tax avoidance practices. However, a reasonable distinction between legitimate tax minimization and abusive tax avoidance was conspicuously missing in DTC 2009.

The DTC 2009 proposals, inter-alia did suggest that an arrangement shall be presumed to have been entered into, or carried out, for the main purpose of obtaining a tax benefit unless the person obtaining the tax benefit proves that obtaining the tax benefit was not the main purpose of arrangement. The sweeping nature of such presumptive provision ought to have caused undue hardship to the taxpayers entering into genuine transactions and accordingly the entire scheme of GAAR was viewed as counterproductive vis-à-vis commercial efficiency. Also, such provisions would lead to a plethora of litigation, inconsistent with the objective of achieving deterrence of avoidance arrangements.

It was widely suggested that the initial burden of invoking GAAR should be shifted upon the tax authorities.

After receiving several representations from stakeholders, the revised draft DTC 2010 was issued. The 2010 version of DTC was, thereafter, referred to the Standing Committee on Finance headed by former Finance Minister, Yashwant Sinha, which gave its report on March 9, 2012 recommending amendments.

Eventually, the tax proposals for the year 2012 announced vide Finance Bill 2012 on March 16, 2012 introduced GAAR provisions in the existing scheme of Income Tax Act, 1961 (Act) effective April 1, 2012.

The said proposals enunciated vide Finance Bill 2012 were enacted on May 28, 2012.

  1. Salient Aspects of GAAR Proposal

Chapter X-A of the Income Tax Act, 1961, now encapsulates the scheme of GAAR.

The said scheme like in DTC 2009, 2010 does provide wide discretionary powers to the revenue authorities in taxing tax avoidance arrangements’ including the power to disregard entities in a structure, reallocate income and expenditure between parties to the arrangement, alter the tax residence of such entities and the legal situs of assets involved, treat debt as equity and vice versa, etc.

The legislated GAAR provisions were once again criticised for providing wide discretionary power to tax authorities resulting in excessive tax and compliance burden on the taxpayer. Also, the said proposal , along with the retrospective amendments on taxation of indirect transfers did become a subject of intense debate.

Considering the same, implementation of GAAR was deferred by one year.

Subsequently, a committee under the chairmanship of the Director General of Income Tax (International Taxation) was constituted to give recommendations for formulating the guidelines for proper implementation GAAR provisions and to provide clarity on the provisions so as to safeguard taxpayers against their indeterminate use and curb abuse thereof.

The Committee released its draft recommendations on 28 June 2012, the following suggestions/recommendations were made by the committee:

Shifting of initial burden to prove, if, an arrangement leads to “tax avoidance” on the revenue authorities from the taxpayer.

Also, in order to provide relief to small taxpayers, it was suggested to provide a monetary threshold for invoking GAAR provisions. For the sake of consistency and transparency in the procedures, the committee also prescribed statutory forms for making references within the tax departments and time limits for completion of various actions under the GAAR provisions.

Further, it was clarified that GAAR would cover cases not covered by Specific Anti Avoidance Rules (‘SAAR’). Guidelines clarified that in case only a part of the arrangement is impermissible, the tax consequences under GAAR will be limited to only that part of the arrangement.

Various illustrative cases were recommended by committee for sake of clarity as to whether an arrangement would attract GAAR provisions or not.

The said guidelines were issued when there was a change of guard at the office of the Finance Minister with the finance portfolio getting vested with the Hon’ble Prime Minister.

It was somewhat a surprise to observe the reaction of the Prime Minister’s Office to the circulation of the draft guidelines in the public domain, suggesting that the rules were merely “draft guidelines to seek wide ranging feedback and for discussion purpose”. Further, the finance ministry officials did state “Do not read too much into the release of PMO. The PM has not applied his mind on GAAR issues”.

The Government of India constituted an Expert Committee on GAAR to undertake stakeholder consultation to finalize the guidelines for GAAR.

  1. Shome Committee

The expert committee under the chairmanship of Dr. Parthasarathi Shome, noted economist was constituted by Government to undertake consultations and suggestions from stakeholders and general public on the first draft guidelines for GAAR.

The committee did receive suggestions from the stakeholders, professionals in tax advisory, chambers of commerce and industry, foreign investor associations, industrialists, and policy makers in relation to the above recommendations and on based on the feedback issued second draft guidelines for GAAR.

The draft report submitted by Shome committee has suggested deferring the implementation of GAAR by 3 years on the administrative ground as it would require trained tax officers. The tax officers would be required to have specific knowledge since GAAR requires deterrence of avoidance arrangement rather than revenue generation.

Further, the committee in its draft report has emphasized on “investment approach” by suggesting abolishment of tax on gains arising from transfer of listed securities and tax on business income of foreign investors in India. And in order to make good of tax loss, the committee has recommended increasing the rate of security transaction tax.

It recommended that the tax officer would be required to give a detailed reasoning before invoking GAAR, as such the onus of proving shall be of tax authorities.

In order to avoid ambiguity and uncertainty the committee has further recommended that until the tax is abolished as mentioned in the above paragraph, in case a Tax Residency Certificate is issued by government of Mauritius, GAAR provisions shall not apply to examine the genuineness of the residency of an entity set up in Mauritius.

Similarly, where the treaty itself has anti-avoidance provisions, for instance under Indo – Singapore tax treaty, the treaty provisions ought not be substituted by GAAR provisions under the treaty override provisions.

As discussed, the provisions of GAAR envisaged provision of wide discretion & authority to tax authorities, as such it has been constantly feared that it might result in tax exploitation.

It was also felt that tax avoidance should be distinguished from tax mitigation. An exhaustive negative list for the purposes of GAAR should also be specified.

The committee has also recommended introduction of a negative list, not exhaustive, to include:

  • Amalgamations and demergers (as defined in the Act) as approved by the High Court.
  • Intra-group transactions (i.e. transactions between associated persons or enterprises) which may result in tax benefit to one person but overall tax revenue is not affected either by actual loss of revenue or deferral of revenue.
  • Selection of one option out of two or more options offered by law should not be considered to be tax avoidance. For instance:
  • payment of dividend or buy back of shares by a company,
  • setting up of a branch or subsidiary,
  • setting up of a business unit in SEZ or any other place,
  • funding through debt or equity, and
  • purchase or lease of a capital.
  • Timing of a transaction, for instance, sale of property in loss while having profit in other transactions.

To bring more clarity and fairness the committee has in its report has recommended that the investment made by residents or non-residents which are existing as on the date of commencement of GAAR should not brought under the scrutiny of GAAR provisions.

Other salient recommendations of the Shome committee inter alia are:

  • Monetary threshold of Rs. 3 crores (equivalent to USD 5,00,000 approximately) of tax benefit to check the applicability of GAAR provisions.
  • GAAR to cover only those arrangements which have the main purpose of obtaining tax benefit and not those whose one of the main objective is to obtain tax benefit.
  • An arrangement lacking “commercial substance” shall be deemed to include arrangement not having significant business risks or net cash flows apart from tax benefit.
  • In order to ensure high level of independence, the Approving Panel for the purposes of GAAR should have 5 members including chairman. The chairman should be retired judge of the High Court, two members from outside government and persons of eminence from the fields of accountancy, economics or business, two chief commissioner of income tax.
  • As per the existing legislated provisions of GAAR under Finance Act, 2012, whilst determining the commercial substance of an arrangement following factors are considered irrelevant:
  • Time period of existence of an arrangement,
  • Fact of payment of taxes, directly or indirectly, under the arrangement,
  • Fact that an exit route is provided by the arrangement.

The committee has recommended that these test should not discarded as totally irrelevant and may be considered in addition to the other aspects while evaluating the commercial substance of an arrangement.

  • GAAR provisions would not be invoked while processing application for lower tax deduction at source where the taxpayer gives an undertaking to pay taxes in case it is found that GAAR provisions are applicable in relation to remittance during the course of assessment proceedings.

Apart from the above, the committee has also recommended that tax avoidance schemes to be considered for reporting purposes as more likely than not as impermissible avoidance arrangement and be reported in the voluntary tax filing done by the taxpayer.

By and large the Industry and all the stakeholders have hailed the recommendations of the Shome Committee as a welcome relief.


The timing of introduction of GAAR regulations in the given international as well as domestic scenario is viewed regressive. Seemingly, there has been an instantaneous sense of realization that, in the present challenging times, sound tax competitiveness is required.

The policy makers are extremely conscious of flow of International Capital and perhaps have understood that the tax regime has to be conducive with the global environment and the need of the hour is to achieve increase of net Foreign Direct Investment flows into the country. When compared with the 2009 version, significant changes have taken place in the GAAR regulations, which itself suggests that tax policy is being correctly configured at this given juncture.

A variety of measures can be undertaken including initiating structural reforms in the tax system and administration, which can add to revenue productivity.




Social Security Agreements: Scope & Effects


Indian companies have been making aggressive inroads into foreign territories, whether in the form of joint ventures or outright buy-outs. To manage their operations abroad, Indian workers are being heavily deputed abroad by their companies. The payment of social security contributions by these deputed workers and their companies has become an increasingly contentious issue.

The deputation period of Indian workers may range from a few months to a few years, but is often not long enough to ensure that the contributions made by them towards social security funds is realizable when they have finished their deputation period to return home; nor do they become eligible for any benefits there under. In the United States, for example, where a significant number of Indian workers are deputed on a regular basis, a person is entitled to social security coverage only when there is a minimum period of contribution for 10 years. However, the current United States visa regime does not permit a worker to stay in the United States for a period beyond 6-7 years. Therefore, the Indian worker who has contributed towards the social security fund for several years, but for a period of less than 10 years, fails to derive any benefit from such contribution. Furthermore, in most other countries the social security benefits are not exportable. This inequity towards the deputed worker and the company deputing such persons has meant that many Indian workers and Indian companies have to incur an additional cost towards such deputation and receive no benefit in lieu thereof.


In October 2011, the Indian and the German governments signed a comprehensive Social Security Agreement (“SSA”), which subsumed the earlier agreement signed in October 2008. From the Indian perspective, this agreement would immediately benefit thousands of Indian workers working in Germany either as professionals or self employed. This is not the first SSA signed between India and a second state, and the government hopes that it will not be the last. The first such SSA was signed between India and Belgium in November 2006. Thereafter, India has entered into similar agreements with France, Switzerland, the Netherlands, Luxembourg, Hungary, Denmark, Czech Republic, the Republic of Korea and Norway. These countries may not have the largest diaspora of Indian workers, but the thinking is that as more and more countries agree to enter into an SSA with India, India would be able to convince countries such as the USA, UK, Canada and Australia to enter into similar comprehensive social security agreements benefitting the multitude of Indian workers deputed therein.

One reason behind this spurt of SSAs has been the Indian government’s increasingly aggressive stand on the issue of social security contributions made by foreign workers deputed to India. The Ministry of Labour and Employment through the Employees’ Provident Fund Organisation, amended the provisions of the Employees’ Provident Funds Scheme, 1952 (“Scheme”) on October 2008 and then again in November 2010 to impose stringent obligations and restrictions on workers deputed to India by foreign companies. The amendments were meant to ensure that the benefits availed in India by such foreign companies and their deputed workers under the then existent Scheme are curtailed so as to spur their respective governments to consider the inequities meted out to Indian companies and their deputed workers elsewhere.

Until October 2008, foreign nationals on deputation to India were required to contribute towards the Indian social security funds only if their salary was less than Rs.6500/- per month. However, since almost all such foreign nationals were drawing a salary in excess of the amount so prescribed, they did not have to make any social security contributions in India and continued to pay such contributions in their home country and accrue the benefit therefrom. The 2008 amendment introduced the concept of an International Worker (“IW”) and the limit of Rs.6500/- per month was done away with. The 2010 amendment imposed further restrictions on the withdrawal of pension funds vis-à-vis the IWs.


An ‘International Worker’ is defined in the Scheme as (1) an Indian employee who has worked or will work in a foreign country with which India has entered into a social security agreement and is eligible to avail the benefits under a social security programme of that country, or (2) an employee other than an Indian employee, holding something other than an Indian passport, working for an establishment in India to which the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952 applies, which includes, any establishment employing 20 or more persons. Pursuant to the amendments, every IW, other than an Excluded Employee (explained below), employed as on the first day of October, 2008, in any establishment to which the Scheme applies shall be entitled and required to become a member of the fund with effect from the first day of November 2008.

An Excluded Employee is defined under the amended Scheme as an IW who is contributing to a social security programme, either as a citizen or resident, of his country of origin with which India has entered into a social security agreement on reciprocity basis, and such person is enjoying the status of detached worker for the period and terms as specified in such agreement. The Excluded Employees and the company employing such employees, when deputed to India, do not fall in the ambit of the Scheme and are therefore not required to become a member of any Indian social security fund for the time period as mentioned in the respective agreement. The benefits, in monetary terms, work out to be a saving of up to 24% of the annual salary drawn by such deputed workers, as both the IW and its employer are each required to contribute 12% of the salary towards the social security contributions in India. The Indian government is hoping that this will become the prime reason why other countries – especially those having significant deputations to India – will be encouraged to sign the SSAs and thereby provide similar reciprocal benefits to Indian companies deputing workers abroad.


The general benefits arising out of the majority of SSAs signed by India are that of detachability of employee, exportability of pension, and totalisation of insurance periods. Detachability relates to those employees who have been deputed abroad, and who continue, by virtue of an SSA, to contribute to the social security funds in their home country. Exportability means that the benefits accrued upon contributions made to social security fund are available to the employee irrespective of whether such employee is situated in the home country or elsewhere. Totalisation benefits account for the total period of service of the employee (irrespective of the territory where such services were rendered) to determine his eligibility for benefits.

Under most SSAs signed to date, workers who have been sent to India to work for a period of up to 60 months are exempt from making social security contributions in India provided they continue to make such contributions in the home country, and vice versa. In the case of the SSA signed with Germany this period stands as 48 months with an additional extension of 12 months, whereas with Switzerland, this period is for a total of 72 months. Furthermore, workers who are deputed to the host country for a period in excess of that prescribed in the respective SSAs and that therefore are required tomake social security contributions in the host country instead of the home country shall be entitled to export the benefits accruing from the same to their home country upon the completion of their assignment in the host country or on retirement. (Note, however, that this provision of export is not available in the SSA with Germany.) Additionally, the period of service rendered by the deputed worker in the host country shall be considered towards determining the eligibility of social security benefits in the event such periods are a determining factor in claiming such eligibility and benefits in the home country. Totalisation benefits are not available for IWs from Denmark, Germany, Netherlands and Switzerland. Moreover, only the SSAs with Germany, Belgium, Switzerland, Luxembourg and France are currently in effect, while agreements negotiated with other countries are awaiting ratification by their respective governments. Thereby, the companies and employees deputed from countries which haven’t signed the SSAs with India, or whose SSAs have not yet become effective continue to be bound by the contribution requirements under the Scheme.


-Before 2010, an IW could withdraw the contributions made by him to the Indian social security funds after attaining the age of 55 years, or at the time of termination of service or upon migration from India for permanent settlement/ taking of employment abroad. However, post the amendments, the IW may withdraw the contributions made by him to the Indian social security funds only under the following circumstances: (1) On retirement from service in the establishment at any time after the attainment of 58 years; (2) On retirement on account of permanent and total incapacity for work due to bodily or mental infirmity (3) On suffering from tuberculosis, leprosy, or cancer. The amount, in any of the aforesaid cases, shall be credited to the bank account maintained by the IW in India.

The issues plaguing IWs from non-SSA countries are manifold. Obligations towards dual-payment of social security contributions – in the home as well as host country – restrictions on withdrawal of accumulated contributions, maintenance of bank account in India are some of the issues haunting IWs and companies alike. Furthermore with effect from April 2011, a Provident Fund account becomes inoperative after 36 months from the date it becomes payable where no request for withdrawal or transfer has been made. Since the contributions are eligible to be withdrawn only after the IW has completed 58 years of age, such accounts will become inoperative and no further interest on such amounts in the account will be payable. In the event a divided payroll is being provided to the IW – where the salary is being paid both in the home and the host country – the calculation of contribution towards Provident Fund shall be made on the total salary earned by the IW. Also, in case the IW has multiple country tasks, and the IW spends some part of his deputation abroad, his full salary shall be considered for computation for the contribution for Provident Fund.


Depending upon the terms and conditions contained in individual SSAs already signed, and those that are under negotiation, the limitations imposed upon the IWs and the companies deputing them may differ. However, broadly, the benefits of detachment, exportability, and totalisation are available in the majority of SSAs signed till date. And as more and more countries opt to sign the SSAs – as per the available information, negotiations with the governments of Sweden, Australia, Canada and the USA are currently on – the loss due to unclaimed benefits on social security contributions made by Indian workers deputed abroad is expected to decline, and with that, the cost incurred by companies making such deputations. On a reciprocal basis, the cost incurred by foreign companies deputing IWs in India will also decline.

The global workforce pool is a significant asset that requires careful management and assimilation, and isessential for achieving economic integration. Cross-border movement of workers has seen a gradual increase in the past few years, and it appears that this increase is not of a temporary nature. Lately, it has been observed that workers are being deputed abroad for relatively short periods of time – mostly for project-specific assignments. In this arena of globalised workforce movement, it is therefore increasingly necessary to have globally harmonized social security laws, and specific international treaties aimed at making it easier for companies to depute workers abroad.

It is therefore important that the governments of respective countries who have a significant number of its citizens deputed to India make an urgent effort to negotiate and execute the SSAs with India and thereby ensure that an equitable and mutually beneficial environment of cross-border worker deputation is put in place. The mantle should, however, be taken up by companies, who will benefit the most from reduced worker deputation costs, to lobby vigorously with their respective governments to negotiate and arrive at an equitable consensus on social security laws.

Sunil Tyagi is a Senior Partner and Sayanhya Roy is an Associate at ZEUS Law Associates (‘‘ZEUS’’). ZEUS is a corporate commercial law firm based in India. One of its areas of specialization is employment law related transactional and litigation work. The authors can be contacted on



By Sunil Tyagi and Sayanhya Roy



Indian Data Privacy Framework In The Context Of Cross-Border Transfer Of Data

Despite a global economic downturn, India has remained an‘attractive’ destination for inbound investment ( Based onextant foreign direct investment policy, released by the Ministry of Commerce & Industry, foreign entities may either invest in Indian entities upto a permissible percentage or may establish 100% wholly- owned subsidiaries. Typically, forease of administration,such foreign investor companies prefer to retain certain data pertaining to their local companies on a common server located in the said foreign parent/investorcompany’s jurisdiction. Such data may, inter alia, range from employee related details to customer databases.For clarity, hereinafter persons who have provided bodies corporate with data pertaining to themselves have been referred to as “data subjects”). The local company collects relevant data from data subjects and transfers the same to the foreign parent/groupcompany.

Given the lack of a data protection regime in India till mid-2011, such collection and/or transfer of data from India to an overseasjurisdiction did not throw up a major challenge. While Indian Parliament did enact a legislation, particularly the Information Technology Act, 2000 (the “Act”), the same did not provide for a structured data protection framework.

In April 2011, the Ministry of Communications and Information Technology (“Ministry”) notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) under section 43-A of the IT Act. Section 43-A, inter alia, states that:

where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

It defines a ‘body corporate’ to mean “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”.However, Section 43-A failed to provide watertight definitions of either of the terms of ‘sensitive personal data’ or ‘reasonable security practices and procedures’, thereby making its implementation ineffective. The Rules delineate certain practices and procedures that an Indian company must adhere to, in orderto, inter alia, collect and/ortransfer certain categories of data.

This article attempts to discussprovisions of the Rules regardingcollection of data by an Indian company and subsequent transfer of such data to its parent/group company in a foreign jurisdiction. However, before we delve into the details regarding the steps a company must implement to be in consonance with the requirements of the Rules in this regard, it would be interesting to note the applicability of the Rules.

Applicability of the Rules

A common question that arises in situations of cross-border data transfer is regarding the applicability of the Rules.If data is being transferred to or retained by the foreign company, would such foreign companybe required to be in compliancewith the Rules?

The Rules, read with Section 43-A of the IT Act, seem to be applicable to any company possessing, handling or dealing with ‘sensitive personal data’ (as has been defined and discussed hereafter). A subsequent press note dated August 24, 2011 (the “Press Note”) released by the Ministry clarified the situation: the Rules are applicable only to Indian body corporates. In other words, foreign companies do not fall within the ambit of the Rules and therefore do not necessarily have to be compliant with the Rules.

Kinds of data

The Rules deal with two categories of data viz. sensitive personal data and personal data. The Rules define these categories of data, as has been discussed hereafter.

(i) personal data, being data which by itself, or in conjunction with other data is capable of identifying a person (“personal data”) (Rule 2 (1) (i) of the Rules); and

(ii) sensitive personal data, such as data relating to passwords; financial information such as bank account . credit card, or debit card details ; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information i.e. technologies that measure and analyse human body characteristics, such as ‘fingerprints’, ‘eye retinas and irises’, ‘voice patterns’, “facial patterns’, ‘hand measurements’ and ‘DNA’ for authentication purposes; and any detail relating to the above as provided to a company for providing service: provided that, any data that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force is not be regarded as sensitive personal data) (“sensitive personal data”, Rule 3 of the Rules).

There are compliance requirements that are common to both personal and sensitive personal data. However, in the case of sensitive personal data, there are additional compliance requirements. Therefore, determining the category of data being handled would be the first step towards compliance with provisions of the Rules.

Compliance vis-a-vis collection, transfer, retention or use of personal or sensitive personal data

In this section we, we will deal with various stipulations to be adhered to by an Indian company with regard to collection and/or transfer of personal or sensitive personal data to a foreign company.

Maintenance of Privacy Policy (Rule 4 of the Rules)

If the Indian company determines that it is handling either personal or sensitive personal data, it must drafta privacy policy, which is to be amdeavaialbe to all. For ease of administration, it is advisable to post the said privacy policy on the Indian company’s website.

The Rules clearly set out the contents of the said privacy policy. Among other items, the following has to be addressed in the privacy policy:

  • purpose of data collection/receipt/retention/use;
  • category of data being handled;
  • security procedures maintained to secure suchdata from wrongful dissemination; and
  • circumstances under which such data may be disclosed to third parties (together with such third party’s details).

Below, we shall highlight the other important contents of a privacy policy.

Reasonable Security Practices and Procedures

This is probably the most important highlight of the Rules. , The international arena has time and again expressed concern over the lack of security standards in India for security of data. The Rules specifythat a company collecting/using/storing/transferring personal or sensitive personal data must adopt reasonable security practices and procedures not lower than standards of IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System- Requirements”.

In order to establish compliance with such security requirements, it is recommended that the Indian company maintainscomprehensive documentation highlighting the security programmeand policies implemented by it. Such documents may contain details on managerial, technical, operational and physical security control measures.

Referring back to the privacy policy, it is recommended that it address the issue of data security, stating that security procedures implemented by it are not lower than the IS/ISO/IEC 27001 standards.

Transfer of Information(Rule 7 of the Rules)

There may arise a situation where the personal or sensitive data may require to be transferred to a foreign jurisdiction.The Rules provide for specific conditions, upon the satisfaction of which, a company may transfer personal or sensitive personal data. An Indian company proposing to transfer personal or sensitive personal data to a foreign company may proceed with such transfer, provided:

  • the transferee entity maintains the same level of data protection as is stipulated in the Rules i.e. not lower than the standards of IS/ISO/IEC 27001; and
  • the transfer is necessary for the performance of any lawful contract between the said Indian company and data subject

However, an exception from the above conditions has been carved out for transfer of personal or sensitive personal data with prior consent of data subject. Therefore, the aforementioned privacy policy of the Indian company should ideally state that it is compliant with the above provisions vis-a-vis transfer of personal or sensitive personal data.

Additional compliance with regard to sensitive personal data

Let us assume a situation when the Indian company determines that it handles sensitive personal data. The following are additional measures that would be required to be undertaken in such a scenario:

Collection of Sensitive Personal Data and Mode of Obtaining Consent

If the Indian company determines that it is collecting and/or transferring sensitive personal data from data subjects, it will be under the obligation to obtain prior consent of such data subjects for the same (Rule 5(1) of the Rules). Such consent may be obtained through letter or fax or email. Electronic consent vide tick box or ‘I Agree’ tab is also permitted. In order to make the process of obtaining consent easier, the privacy policy of each body corporate may contain an ‘I Agree’ tab at the end of the text. A click on the tab by data subject would constitute valid consent.

However, prior to such collectionof sensitive personal data, the Indian company must ensure that:

  • itinformsdata subjects of the purpose for which data is being collected, that the data so collected may be transferred, the intended recipients of the data and names/addresses of the agencies collecting and retaining this data (Rule 5 (3) of the Rules).
  • thatsensitive personal data is beingso collected for lawful purposes, connected with an integral activity of the company (Rule 5(2) of the Rules).

Right to Opt Out

A practical concern that hasbeen raised with regard to collection of data is the availability of an option to withdraw consent. As per the Rules, the Indianentity collecting/using/transferring/retaining sensitive personal data must be provided an option to opt-out of the consent so given at any point in time (Rule 5 (7) of the Rules).

While seeking consent of data subject, the privacy policy of the Indian company must also mention data subject’s right to opt-out of such consent. In terms of procedure, the right to opt-out must be exercised through a written requisition to that effect, duly submitted to the Indian company.

Disclosure and Transfer of Data

Since the concerned data is sensitive personal in nature, the Indian company is precluded from disclosingit to any third party (including group companies), without prior permission of data subject (Rule 6 of the Rules). However, if data subject has provided the Indian company with prior permission for suchdisclosure by executinga contract between the Indian company and data subject, then the same acts as exception to the above rule. To further protect sensitive personal data, the third party is restricted from further transferring sensitive personal data.

A practical way to address this stipulation would be to include sufficient language in the privacy policy stating that data subject consents, not only to collection, but also disclosure of his sensitive personal data to a third party However, the onus remains on the Indian company to ensure that such third party implements reasonablesecurity practices and procedures, as explained above.

Retention and Use

The Indian company must ensure that sensitive personal data collected by a company from a data subject is not retained for longer than is required to fulfill the purpose for which such data was collected or is otherwise required under law to be retained. The data so collected must be used only for the purpose(s) for which is has been collected.

The privacy policy of the Indian company may be drafted in a manner to assert that sensitive personal data is collected for valid purpose and the same will not be abused by retaining it for longer than required.

In order to provide data subject with sufficient control over his sensitive personal data, the Rulesmandate that a data subject be provided with a right to access and review his sensitive personal data (Rule 5(6) of the Rules). However, the Rules have not provided a structured procedure to be adopted for review of databy data subject. Apart from being compliant with the Rules, provision of this right would also ensure that a companyis not held responsible for the authenticity of data supplied by data subject.

Grievance Officer (Rule 5(9) of the Rules)

Every company dealing with sensitive personal data must appoint a grievance officer to address complaints/queries regarding data subjects’ sensitive personal data. The name and contact details of such grievance officer must be made available to data subjects. The intent is to have a designated person to address any issues that may arise with regard to sensitive personal data, within one months’ time. Given the absence of any directive from the Ministry regarding qualificationsfor the position of grievance officer, the Indian company may designate one of their existing employees as the ‘grievance officer’.


While the move to induce a stricter data privacy framework by means ofthe notification of the Rules has been appreciated, various industry bodies are skeptical about the implementation of the same: for example, while the Rules provide for an audit of data protection practices prevalent in a company, there is no clarity as to who should perform this audit and based on what parameters. In the absence of any clarification from the Ministry regarding implementation of the Rules, the privacy policy of an Indian company is of utmost importance. In the event of an investigation, it is one document which may form strong evidence of the Indian company being compliant with the Rules. Therefore, until the Ministry releases further notifications regarding the implementation of the Rules, it is recommended that Indian companies frame their privacy policies wisely and generally, adhere to the Rules.

Ankita Ray is an Associate with J. Sagar Associates, Bangalore, India. She can be contacted



By Ankita Ray


Paradigm Shift in Service July 1, 2012 – A Meaningful Step Towards Introduction of GST in India Tax, Laws, effective

A constitutional amendment bill for the introduction of a harmonized GST in India at the federal level and its 28 provinces and 7 centrally administered territories was introduced in the parliament in March, 2011. The bill is now before a parliamentary committee for detailed examination. The procedure requires passing of the Bill by special majority in both houses of parliament and ratification by at least half the states, making it necessary to achieve some broad-based consensus.

While the stakeholder consultations by the parliamentary committee are not yet concluded, there are some indications that the Bill may not see passage in the present form. Practically, all states are pitching for explicit autonomy in the fixation of tax rates within a reasonable band. Some states have argued the need to protect their existing revenues from origin-based taxation on inter-state movement of goods that has already been reduced from 4% to 2% and is expected to be completely eliminated in the GST. Many sections of the business are advocating a more comprehensive GST by including petroleum, electricity and alcohol, which presently are left out.

While these discussions are underway, the central government has been moving fast to bring its own legislation as close as possible to the impending GST. This is expected to reduce the lead time after the constitutional bill is passed as well as acclimatize both the businesses as well as tax administrators to the impending changes.

An important component of these changes has been some path-breaking changes in service tax, introduced during the budget presented by the Union Finance Minister, which have come into effect from July this year.


The foremost amongst these changes has been the introduction of negative list of services, replacing the selective taxation of specified services that were being incrementally added year-after-year since the introduction of service tax in 1994.

Many fiscal experts believed that despite a fairly long positive list of nearly 120 heads at the last count, service sector contributed only about 25% to the consumption taxes, far less than its potential evident from its close to 60% contribution to GDP. The innumerable legal disputes due to possible overlaps and conflicting interpretations between various taxable services had accentuated the problem to a level where a one-time streamlining appeared to be the only sensible solution.

The negative list comprises seventeen heads capturing both the services that are beyond the taxing powers of the Union under the present constitution and a variety of other services justified on socio-economic or administrative grounds. The list covers formal education, public transport, renting of a residential dwelling, services related to cultivation of agriculture (which includes animal husbandry) or marketing of agricultural produce, margin-based financial services, core activities of government and funeral or burial services. Though the list may appear a little unwieldy, it will stand pruned once the constitution is amended allowing both the centre and states to levy tax on all services at the time of GST.

The negative list is supplemented by a list of exempted services. This list comprises mainly such services that are presently outside the tax net but may need a closer look at the time of introducing GST. The list covers transportation of essential items of mass consumption, construction services in the areas of basic infrastructure or low-cost housing, and services by intermediaries that do not make any net contribution to revenue but add significantly to administrative burden. Additionally it includes many social sector services such as health and animal care, recognized sports, classical and folk arts, activities of charities and public libraries.

The relative long list of exemptions needs to be seen in the light that the government still does not have a comprehensive data base of the national identity of a vast majority of its poor, together with the problem of their financial inclusion, to be able to offset the burden of taxes as is commonly prevalent in many developed countries.

Of greater concern at this stage are exemptions at intermediate stage that break the tax credit chain and add to cascading. The GST will be backed with very advanced IT, making it possible to reduce the cost of compliance and phase out many such exemptions.


The introduction of negative list required elimination of service-specific provisions in a number of areas. Two such areas relating to import and export of services have now been replaced with the place of provision of services rules, which determine the geographical location where a service will be deemed to be provided.

As the service tax is today entirely handled by the federal government, the rules for the present will mainly address cross border services and to a minor extent transactions with the State of Jammu and Kashmir, where the present statue does not apply. However they provide the required setting for GST where the distribution of revenue from services amongst states will depend on the place of their consumption.

The rules are aligned largely with international best practices. The default rule, which covers a large majority of B2B transactions, is entirely based on OECD guideline that the place of supply is the location of the recipient. The transactions under global arrangements are all well explained in the Education Guide that was released together with these changes making the task of understanding the mammoth changes quite easy.

One major difference from similar rules elsewhere is contained in rule 7 which applies to performance and location-specific services when provided in multiple locations within India and outside. This rule retains the place of performance in taxable territory even when the portion performed outside outweighs the former. Primarily the rule is aimed as an anti-avoidance provision in location-specific services, where there could be a tendency to reflect invoicing from establishments located in non-taxable territories even though it would be desirable to issue independent invoices for services rendered from different locations.

The other significant deviation from global practice is rule 8 which holds that the service will be provided at the location of the recipient where both the service provider and service receiver are located in the taxable jurisdiction even when the service could otherwise fall elsewhere under another rule. As a mirror image an exemption has also been granted where both the parties to the transaction are located outside India.

The rules may undergo some changes at the time of GST in the light of suggestions from the states but principally provide the basic framework for taking the discussion further.


Point of Taxation Rules were introduced in 2011 to align the time of taxation of services with international practices and to a considerable extent with accrual based taxation in the case of goods.

Put in simple words, the rules provide that the time of taxation of services will be the time of issue of invoice or time of payment, whichever is earlier. A period of 30 days (45 days for banking industry) is provided to issue an invoice from the date of completion of service, failing which the date of completion of service will reckon as the time of taxation.

Budget 2012 has further streamlined the provisions to remove some of the irritants that industry had pointed out. Here again the rules are aligned with global practices making the task of adaptation to the new changes quite easy.


OECD guidelines relating to neutrality advise that the burden of taxes should not be borne by business but recovered from the end consumer. Failure to do so distorts business practices in a variety of ways.

Budget 2012 has removed cascading in a number of services like hotel accommodation, restaurants, construction, life insurance, transportation by railways by permitting utilization of tax credits that were earlier blocked by a rather complex system of taxation of partial values of such services.


Besides the above changes, there are some changes which are meant to send a strong signal about the federal government’s seriousness to move towards the GST at a quick pace. A common goods and service tax return: a one page return replacing the nearly 15 pages of the two separate returns earlier, alignment of registration formalities and appellate remedies between goods and services are some of the specific measures that have been taken in this area.


Another change relates to streamlining the system of refunds relating to export of both goods and services.

The new method provides for refunds of services electronically at a specified rate on the export of goods, which are automatically credited to the account of the exporter on the lines of drawback.

The other procedure allows refunds of input services used in export goods or services in the ratio of export turnover to total turnover, doing away with the earlier system of establishing nexus between the exports and such input services.


While considerable convergence has been achieved in the tax law relating to goods and services, there remain many areas where the two provisions can be further aligned. Many tax experts have been advocating that the Central Government could consider one common law for goods or services or a Central GST that could lead the journey for the eventual introduction of GST on a nationwide basis.

As the situation stands the Excise Act 1944, which applies to goods, is applicable for the whole of India, whereas the Finance Act 1994, which deals with service tax, cannot be made applicable to the State of Jammu and Kashmir unless ratified by the legislature of that State.

Complete convergence between the two taxes will therefore have to await the introduction of a comprehensive GST. But at the same the Central Government has set up a working group to suggest a common tax code that could form basis for maximum possible convergence under the existing constitutional constraints. The report of this group is awaited by the end of September, 2012.

On the whole, despite some delay in meeting the deadline to usher GST, India is much closer to the eventual GST and the both the business and tax administrators far more confident to handle it whenever it finally arrives. By the recent indications that date does not appear to be too far.



The author is Joint Secretary with the Ministry of Finance, Government of India and heads its Tax Research Unit (“TRU”). He is also a key member of the team assigned with the task of implementing GST in India. An officer of the Indian Revenue Services, he has nearly 30 years of experience in the design and implementation of indirect tax laws in India and is the recipient of the President of India Award for distinguished record of service. The views expressed are personal.



By Mr V K Garg



Forensics In The Social Media Space

History of Social Media

Contrary to popular perception, social media networks are by no means a recent phenomenon;they trace their origin to an idea of Duke University graduate students Tom Truscott and Jim Ellis in 1979, which was thenlaunchedas Usenet in 1980, over a decade before the World Wide Web was established and the general public got access to the Internet.Usenet offered a place for scientists and academia working on computer and related technologies to converge and thrash out ideas and work out possible solutions to their individual problems. The earlyUsenet had bulletin board services, newsgroups and other online fora – precursors to some of the same services that are available on today’s social networks albeit in a more refined and advanced manner. In those days the World Wide Web did not exist and the Internet was not part of the common vocabulary. It took some time for the Internet to develop and enter the mainstream;interestingly the launch of the World Wide Web(W3) was first announced on Usenet When on August 6, 1991, Sir Tim Berners-Lee posted a short summary of the World Wide Web project on the “alt.hypertext newsgroup.” This date also marked the debut of the Web as a publicly available service on the Internet.

The change that brought the W3 out of the hands of scientists and academics and into the mainstream was the introduction of the Mosaic Browser by Marc Lowell Andreesen, whocame up with the idea of putting images onto the endless reams of text on the Internet with the ability to tag an image on to a HTML page.The internet suddenly became graphic and that gave a totally new meaning to a webpage, dramatically changing the way in which information could be presented. Usenet unfortunately stuck to the old text based system and over a period of time started to lose users and popularity.

After the decline of Usenet, the first social networking site was actually designed around the concept of ‘six degrees of separation‘ (FrigyesKarinthy (25 June 1887 – 29 August 1938), Chains (Láncszemek)1929). This site was based on the web of contacts model as opposed to the circle of friends model used by most social networking sites today. The site was aptly named when it was launched in 1997.Unfortunately, over time its use declined and the site closed down in 2001. In the intervening years, numerous other sites came and went until Google launched Orkut in 2004, which took hold and was a staggering success. Thereafter a number of social networking sites have been launched with varying degrees of success. Today the global mainstay appears to be Facebook.

The rise and popularity of social networking sites can be attributed to the growth of bandwidth availability from a technological perspective. Socially, it probably could be explained through a combination of social theories: the Aristotelian theory of humans being social animals and coupled with the practice of coming together encouraged by most religions. Ultimately as humans we are inherently conditioned to search for others like us. Social networking, byoffering an interest-based segregation of individuals, serves this purpose. Another aspect of humans that social networking sites exploit is our indulgence in nostalgia. Social networking sites are inherently structured to create a web-like linking of people. So, if we manage to trace an old school friend of ours, chances of us discoveringsome more increases exponentially.

Today social networking sites have taken a strong hold and established a social networking environment or a“social economy,” which is valued at a staggering US$1.3 trillion, (see, McKinsey Global Institute, July 2012, The social economy: Unlocking value and productivity through social technologies), with over 1.5 billion users globally. Social networking sites have suddenly transformed from merely an online meeting space to an online market place.

But not everything about social networkingis good.The UK Police have reported that crime involving social media has increased by 540% in the last 3 years.Closer home to India, the Mumbai police have published guidelines on what information to disclose on a social networking site. Cases of cyber-stalking have increased with horrific consequences like social media-induced suicides.Take the case of a teenage girl Megan Meierwho committed suicide when it was revealed that a boy she admired on MySpace was actually a classmate’s mother antagonizing the teenager for being different. The mother, Lori Drew, allegedly communicated with Megan as “Josh” for over one month and then abruptly ended the relationship. Megan committed suicide the same day. Lori Drew was convicted of computer fraud and abuse, but was acquitted for Meier’s death. (See

Over the last two decades the Internet has become a huge repository of information and with the advent of social networks that repository has grown manifold. With such rich information about individuals ready for the taking at your fingertips, the internet and all that it encompasses will always be a very good foraging ground for both law enforcers and for “agents of opportunity.”

Forensics in Social Media

Digital forensics is the application of forensic science methodologies for the recovery and investigation of materials found in the digital world, often in relation to a crime related to computers. The advent of social networks has presented unique challenges to digital forensic experts, as one of the chief concerns in digital forensics is the authenticity of theevidence together with the challenges with establishing the chain of causation. In a typical process of collecting evidence in digital forensicsone would have to go through the following steps:

  1. Collection of data;
  2. Classification of the data;
  3. Authentication of the data; and,
  4. Presentation of the data.

From a forensic point of view, social networks have a very unique architecture.They are a web of connections as opposed to linear connections in for instance online service providers, which makes them amenable to data collection with relative ease.The data (information) on a typical social network is dynamic in natureand even populardigital forensic tools like Xplico (Xplico- Internet Traffic Decoder. Network Forensic Analysis Tool,nline at,for instance, simply cannot see or access all the data, as they are passive in their data acquisition methodology and not designed for a dynamically changing environment of a social network.

Social network forensics as of now has to rely on a limited set of data sources in many cases. Gaining access to a social network’s server’s hard drives is just not feasible, and leveraging the service operator’s data directly requires the service operator’s cooperation.Insome countries it is possible to obtain orders from courts to demand that the service provider directly hand over the data.

A forensic investigator can submit requests to the operator but may or may not receive all the relevant dataor may receive only selective or partial data which compromises its purity and neutrality according to the established international guidelines for digital evidence collection (D. Brezinski and T. Killalea. RFC 3227: Guidelines for evidence collection and archiving, The Internet Society, may be accessed at, the investigator is unable to show that the evidence is authentic, complete, and reliable. Hence gathering reliable data for forensic analysis is the first hurdle.

While traditional forensic methods can be used to extract information from local web browser cache, there are numerous possibilities on the communication layer (in network terminology, the layer which is just on top of the physical layer (wire) and which breaks down all communication into packets). These range from passive sniffing on the network to active attacks like sniffing on unencrypted WiFisand crawling with a social networking component. Crawling however is limited, as metadata and accurate timestamps are not shown on web pages. They are only available by using the social network’s APIs(application programming interface). Even though it would be possible to collect data passively on the communication layer, this approach is limited and it would take a tremendous amount of time for collecting information, and completeness is hardly possible. Furthermore, many social networks offer the possibility to encrypt data on the communication layer by using HTTPS, rendering passive attacks useless. The above extraction methods can be exercised only after orders are obtained from courts or other competent authorities, in the absence of which the steps would be open to challenge as being violative of privacy laws and technology laws, such as, in the Indian context, this would violate the IT Act on account of the methods involving unauthorised access and intrusion into computer systems and networks.

Ways and means are being developed to extract data from social networking sites for meaningful forensic analysis. An interesting feature recently announced is Facebook Timeline, which encourages users to never delete anything from the social network, and to use it as an historic archive. This opens up interesting possibilities for forensic examinations as it would make historical and archival data readily available, which already would be categorised in a timeline.

Once a forensic investigator has access to the relevant data from the social networking site he/she can then set down to assign the data into the following datasets for a better interpretation of the incident at hand.

  • The social footprint: What is the social graph of the user, with whom is he/ she connected “friends” with?
  • Communications pattern: How is the social network used for communicating, what method is used, and with whom is the user communicating?
  • Pictures and videos: What pictures and videos were uploaded by the user, on which other peoples pictures is he /she tagged?
  • Times of activity: When is a specific user connected to the social network, when exactly did a specific activity of interest take place?
  • Apps: What apps is the user using, what is their purpose, and what information can be inferred in their social context?
  • Groups: What groupsis the specific user a member of and what activities does the group endorse or undertake?
  • Pages: What pages/ organisations and viewpoints does the user endorse?

Information related to the above data pools cannot be found on a suspect’s hard drive, as it is solely stored with the social network’s operator. Especially for people that use the social network on a daily basis, a plethora of information is stored at the social network operator’s servers.

Sometimes information is cached locally, but this is not a reliable source of information as it is neither complete nor stored persistently. Depending on the implementation of the social network, the availability of data itself and the possibility to retrieve the data via API calls can vary among different social networks. However, most of this data can be extracted either directly, or inferred without the collaboration of the social networkoperator. Once the data is available to the investigator, the full spectrum ofsocial network data analysis can be conducted.

The easiest way for obtainingthe data is of course with the consent of the user, who can provide the usernameand password. To a forensic investigator data from all sources is important; in the case of a non-cooperative user an analysis on the user’s computer using traditional digital forensic techniques will lead to the various personas that user uses in the digital world – take for example the case of Justin Brown who was arrested for impersonating a model named Bree Condon on the dating site Ms.Bree ultimately alerted police to the fraud that her name, likeness, and professional photographs were being used in a scam until Mr. Brown was arrested. Investigators later learned that Mr. Brown had phone conversations with wealthy men in exchange for money and gifts. On questioning Mr. Brown said that he created a plausible biography of Ms. Condon by using her online biographical information. In countries like the United States where personality rights and privacy laws are well developed, fact situations such as this can be actionable under laws other than information technology laws.

While the data can be easily analyzed manually afterwards toanswer specific questions, the massive amount of data that is collected from all the sources requires automatedtools for a forensic investigator to see the full picture.If you add multiple social networking sites with different feature sets the correlation of this data can be quite tiresome. Despite the ongoing process of developing tools to extract data, the correlation and analysis of this data still remains a very human task.

Ultimately the legal and technical objectives of digital forensics have to be streamlined particularly in countries like ours where often white collar criminals are able to slip through the cracks merely on account of either the data gathering process being impeached or the neutrality and purity of the data collected is called into question under the Evidence Act in court on account of the existence of the possibility of tampering. With little or no digital forensics training, evidence gathering and solving crimes by law enforcers at least in our geography is a far cry from the seamless process of investigation and booking criminals that CSI and other crime shows have popularised.

Gurjot Singh is a Chief Technologist with Fidus Law Chambers. He can be contacted at



By Gurjot Singh