India: Clarifications on Condonation of Delay Scheme

Source: www.mca.gov.in

Condonation of Delay Scheme, 2018

The Condonation of Delay Scheme, 2018 (hereinafter referred to as the “Scheme”) was introduced by the Ministry of Corporate Affairs (hereinafter referred to as “MCA”) vide General Circular 16/2017, dated December 29, 2017, wherein defaulting companies, i.e., companies which had not filed financial statements or annual returns under the Companies Act, 1956/2013 for a continuous period of three years, were permitted to file their overdue documents. It is to be noted that companies whose names have been struck off from the Register of Companies are not included as defaulting companies under the Scheme.

Under the Scheme, the DINs of disqualified directors would be temporarily activated to enable them to file documents. The defaulting companies would file the overdue documents in the respective prescribed e-forms and thereafter would seek condonation of delay by filing form e-CODS by paying a fee of INR 30,000.

Discrepancy with respect to e-CODS

MCA has received various representations from stakeholders wherein they raised doubts regarding filing of e-CODS in cases where petitions had been filed before NCLT under Section 252 of the Companies Act, 2013, and orders were pending from NCLT. Section 252 deals with filing of appeal by a company for unjustified removal of name from the Register of Companies. The issue was whether such companies could file for CODS upon obtaining orders even after May 1, 2018.

Clarification by MCA

The issue was examined by MCA and thereafter MCA issued clarifications vide General Circular no. 05/2018 dated May 17, 2018 ^[1]. MCA clarified that in such cases, the Registrar(s) of Companies shall raise a ticket through Change Requirement Form (hereinafter referred to as “CRF”) on MCA21 portal along with copy of NCLT order and E-governance shall activate DIN of the Directors of such struck off companies that have been revived through NCLT to file e-CODS, 2018.

It was further stated that the directors whose DINs are proposed to be activated through CRF should not be directors of any other company which has been stuck off other than the one revived through NCLT order as mentioned in CRF. The same may be ensured by the Registrar(s) of Companies before raising CRF with E-governance.

MCA has also stated that the Registrar(s) of Companies are directed to ensure that CRFs are raised in such cases only after thorough scrutiny of the NCLT orders and ensuring that such struck off companies had filed overdue documents before filing e-CODS, 2018, and had filed petitions before the NCLT during the validity of CODS.

______________________________

[1] Available at http://www.mca.gov.in/Ministry/pdf/CODSCircular_17052018.pdf 

Data protection and right to privacy are in the midst of the media firestorm since the Cambridge Analytica scandal. The saga is significant for unraveling ways in which data can be mined and used for purposes other than the one originally consented for by the user. Alongside tackling the issue of potential third party abuse of the users’ personal data, internet giants like Facebook and Google are now facing the challenge of complying with EU’s new and stricter privacy policy, the General Data Protection Regulation (GDPR), which came into force on May 25, 2018. As remarked by Jeffrey Chester, the founder of the Center for Digital Democracy, “It’s changing the balance of power from the giant digital marketing companies to focus on the needs of individuals and democratic society.”^[1] On one hand, the policy is gaining popularity as an incredible breakthrough in the realm of right to privacy, on the other hand the companies are finding it difficult to develop a fitting model that fully complies with the policy majorly due to the uncertain nature of possible claims under the terms of the policy.

Under GDPR, the definition of personal data has been constructed broadly to include “any information related to a person that can be used to identify them, including their name, photo, email address, IP address, bank details, posts on a social networking site, medical information, biometric data and sexual orientation.” Further, all companies that process the personal data of people residing in EU would have to comply with the regulation even if they do not fall within the territorial limits of an EU state. Due to this, all the companies, irrespective of their field of operation, are facing difficulties in having full compliance with the regulation. The huge costs involved in initiating an extensive mapping exercise to understand the data flow and type of data, which is important to ascertain one’s role as a “data processor” or “controller” under GDPR definitions, are discouraging the companies from continuing their services in the EU region. A website called GDPR associates, in their article “Understanding GDPR Fines”, highlighted the fact that complying with GDPR may be a little onerous for companies that don’t have the engineering resources of Facebook or Google and estimated the expected expenditure to be between $1m and $10m.^[2] Even more, GDPR relies on two different tiers of fine, the lower tier comes in at up to €10 million or 2% of the company’s annual global turnover, while the higher tier comes in at up to €20 million or 4% of the annual global turnover.^[3] The steep penalties including massive fines have convinced firms to choose the safer road and not take risks. Some examples are online businesses such as Unroll.me and gaming company Ragnarok Online that have blocked EU users from their sites and the U.S. retailer Pottery Barn that has also stopped shipping to EU addresses.

Furthermore, for the internet giants the “consent” provision is undoubtedly the trickiest parts of the General Data Processing Regulation (GDPR). Under GDPR, to use any data for business, the user is required to give an affirmative consent to the privacy policies written in a clear and straightforward language. After such consent is rendered, the businesses will be allowed to collect and process data only for the well-defined purpose agreed to by the user. Further, the EU citizens are also granted the right to obtain the data that a company has collected about them i.e., they have the right to be forgotten” and get their data deleted if they withdraw their consent for it to be held by a company. In an effort to comply with the policy, companies worldwide have been sending their customers notices about their updated privacy policies and have been asking them for their consent.

The most important and contentious element of the consent factor, however, is that the consent must be freely rendered by the user. The provision states that “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” On the basis of this requirement, just within a week of the policies coming into force, a group that campaigns for data protection rights in Europe filed legal complaints against Google, Facebook, Instagram and WhatsApp over their infringement of data protection rights. The main contention was that the companies are forcing the users to consent to their new terms of service in order to continue using their services. Facebook, for instance, lets the users decline enrolling in certain features like face recognition, but on the other hand forces them to accept the overall terms of service in order to continue using their accounts. They also cited instances where Facebook would tempt consumers to accept its terms and conditions by planting misleading notification messages, like the little red bubbles in the icons at the top of the Facebook home screen that pop up when someone has a direct message, to lure users into accepting the policy to get the access—even if the user did not have such notifications or messages in reality. This has been marked as violation of the Article 5(1)(a) of the GDPR by the advocacy group as it neither amounts to ‘fair,’ nor ‘transparent’ practice of obtaining consent. Similarly, Google also sending obligatory notices on Android phones without agreeing to which the android users are not able to use their devices.

For these internet giants, the expected argument in opposition to the allegations would mostly be that GDPR does allow companies to collect and use data if it is essential to the operation of their businesses. However, what actually has to be assessed is whether the data sought to be collected and processed by a company essential for the working for the company and its delivery of services. If not, consent is essential to utilize the collected data for any other purpose under the GDPR norms. Such a provision would bring under scrutiny the profitable practice of targeted advertising carried out by the internet-based companies. The determination of the case would depend upon the characterization of the policy as essential and non-essential by the respective businesses.

_________________

[1]Available at
https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines/
[2]https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines/.
[3]Available at
https://www.gdpr.associates/what-is-gdpr/understanding-gdpr-fines/.