For The Nonresident Shareholder Whose Income Is Reported: Fill & Download for Free

First, a quick but important clarification: I’m not your lawyer and this answer doesn’t establish a lawyer-client relationship. I’m giving a generic answer to a generic question to educate the users of this site. The information below is general in nature and should not be understood as a substitute for personal legal advice.Your question says that you want to “incorporate” in the U.S., but I’ll briefly discuss both corporations and limited liability companies (LLCs), on the assumption that you haven’t thought through which type of entity you want to use.The Simple AnswerThe quick and simple answer is that, your foreign citizenship and residency won’t affect the process of incorporating a startup in the U.S. You do it the same way you’d do it if you were a U.S. citizen and resident:Draw up the organizational papers. This is usually fairly simple unless you already have investors. For a corporation, the minimum is the certificate/articles of incorporation, bylaws and an action of the incorporator (naming the initial board and officers). For an LLC, the minimum is the certificate of formation and limited liability company agreement. It’s usually a good idea to add a few things to the basic documents, such as a form of confidentiality and invention assignment agreement (for officers, employees and contractors), and an option plan. If you have already developed some intellectual property (code, algorithms, business names and logos, url registrations etc.), the individuals involved should also sign an intellectual property assignment, to make sure everything is in the new entity from the beginning. If you’re forming a corporation, it’s also usually a good idea to enter into a shareholders’ agreement, dealing with voting rights, transfer of shares etc. (these matters should be addressed in the limited liability company agreement for an LLC).Make the necessary filings with the state in which you decide to form your company (usually Delaware)Pay some minor fees to the state of incorporationHire a service company (CSC and CT Corp are the most common, but there are many others) to serve as the company’s “agent for service of process” in the state in which you decide to form it.Depending on who is involved and whether anyone is investing, you might have some securities filings, too. None of this is incredibly complex, but there are lots of ways to mess up, some of which have very bad consequences. So it’s best not to do it as a DIY project. Find a lawyer and pay for a corporate filing service to handle the filings for you (again, CT Corp. and CSC are the best known but there are many others).ComplicationsAlthough there’s no reason you can’t form a corporation in the U.S. as a foreign resident, doing so can raise additional complications. I’ll discuss two major ones: U.S. regulations that may apply to activity abroad if the entity is formed in the U.S. and taxation. These are complex areas of law. I’m going to give a general description of the issues involved, but you’ll definitely need to retain competent tax counsel involved to help you think through the tax implications of your specific situation and plans. If specific U.S. regulations seem like they might be an issue, you should also hire a lawyer who specializes in them to help you think things through.U.S. RegulationsWhen you form a U.S. entity, you create a legal person in the U.S. That means that some activities abroad may come under U.S. regulations that wouldn’t apply if no U.S. person were involved. I’ll discuss a couple of areas where this is likely to raise issues – the Foreign Corrupt Practices Act and U.S. “export” regulations – but there are many more. So it’s probably worth having a U.S. lawyer (or an Indian lawyer familiar with U.S. laws) review your business plans, especially planned activities outside the U.S., to make sure you know what you’re getting into.Foreign Corrupt Practices Act (FCPA)The federal Foreign Corrupt Practices Act basically prohibits U.S. persons from bribing foreign officials, political parties and party officials to obtain or retain business, including bribes paid through intermediaries. It allows payments that merely “expedite” a routine official action (such as clearing a shipment through customs that is legally entitled to be cleared). If you form an entity in the U.S., both the entity and its directors, officers and employees, when acting on its behalf, are subject to the FCPA, even if all operations and personnel are located outside the U.S. So if you form a Delaware corporation and then bribe a local official to “overlook” some building code violations in your Gurgaon office, you’ve violated the FCPA. By contrast, if you formed your company in India and did the same thing, U.S. law would not apply. The FCPA is a criminal statute, so the consequences of violating it are potentially very serious. The federal government has enforced the FCPA very aggressively in recent years.“Export” RegulationsThe United States has a very complicated set of laws and regulations governing the “export” of certain technologies from the U.S., as well as other commercial dealings between U.S. persons and certain countries (especially Cuba, Iran and North Korea). These laws normally don’t apply to foreign nationals resident outside the United States, except to the extent they actually conduct business in the U.S. If you incorporate a company in the U.S., however, you’ve created a U.S. person that is subject to them.There are two major ways this can cause trouble:First, the “export” regulations can bite you, even if you aren’t exporting anything from the U.S. (or doing anything else in the U.S.). To put it simply, if your U.S. company does types of business the U.S. doesn’t like with people or countries the U.S. doesn’t like, you might be violating U.S. law. As with the FCPA, these rules would not apply to you if you formed your company in India and did business from outside the U.S. Some of the prohibitions are intuitive (if you’re thinking about it), but a significant number are almost random. So it’s best to have an expert review what you’re doing to determine if there are any compliance issues.Another thing to bear in mind is that if your company develops technology in the U.S. that is covered by export regulations, you may automatically have “export” issues. “Export” covers more than you might expect. If you are developing covered technology in the U.S., any disclosure to a nonresident foreign national (whether s/he happens to be in the U.S. or abroad at the time and whether or not s/he is an officer or employee of the company) will generally constitute an “export” of the technology. Depending on the technology and the country (yes, India is restricted), compliance may require nothing, reporting to the government or obtaining a license. Some of the categories of covered technology are obvious: If you’re dealing in weapons systems, missiles or nuclear technology, you’re probably restricted and need to pay a lot of attention. Other technology is not intuitive (e.g. some kinds of high-speed computers, “dual use” software and encryption algorithms). The regulations are so haphazard and complicated that it makes sense to find an expert to check if you’re covered. You won’t be able to figure it out yourself. By the way, the “export” part of these regulations will apply even if you form your company in India, so long as the technology is developed in the U.S.The consequences of violating U.S. export regulations are potentially dire (including criminal penalties), so it’s best not to mess around. Normally, a quick review will determine that there are no issues, but it’s worth undertaking the quick review.TaxThe two entities you would be most likely to use to “incorporate” a business in the U.S. are the corporation and the LLC. The equity holders in a corporation are called shareholders or stockholders and the equity holders in an LLC are called members. From a non-tax perspective, the LLC is generally preferable because it is more flexible. For example, an LLC can have a board of directors and officers if that makes sense, but it can also be managed directly by its members.The normal income tax treatment of corporations and LLCs is very different. Corporations are normally considered to be a separate taxpayer. That means that the corporation pays income tax on its income. When it pays dividends to its stockholders, they are taxed again on receiving the dividends. By contrast, LLCs are normally not taxed separately. Rather, they “pass through” all of their tax attributes (income, deductions, credits etc.) to their members, who then pay tax individually. A corporation can make an election to be taxed on a pass-through basis. This is called an “s” election and corporations that make it are referred to as “s” corporations. Nonresident foreigners are not allowed to hold stock in an “s” corporation, however, so it’s not an option for you. For a more detailed discussion of various kinds of U.S. business entities and tax elections.As a rule, venture backed startups (and startups that hope to be venture backed) form as taxable “c” corporations, rather than as pass-through LLCs. There are several reasons for this:Venture capital firms do not like “pass through” taxation because it can complicate life for them, particularly if they have pension funds or university endowments as investors (most of them do).Companies whose shares are publicly traded are almost always taxable corporations (there’s few advantages and some disadvantages to being anything else).People forming tech startups usually plan to profit from the endeavor by selling their equity in the business, either in a sale of the company or in a public market after an IPO. Since they never plan for the company to pay dividends, it doesn’t bother them that they would get taxed twice (the corporation pays tax on its income and then the shareholder pays tax on receiving the dividend) if it did.Now that we’ve reviewed the available entities, let’s review how the U.S. taxes nonresident foreign nationals. First, it taxes income that is “effectively connected” with a U.S. business roughly the same way it would tax a U.S. citizen or resident. If that income results from an interest in an LLC that “passes through” its tax items to its members, the LLC is required to make a “withholding” payment to the federal government to cover the member’s liability. Second, certain categories of “U.S. source” passive income (such as dividends, royalties and interest) are subject to a flat 30% tax. This tax is, again, enforced by a requirement that the U.S. payor withhold it at the source. On the other hand, capital gains (e.g. from the sale of stock) are generally not taxed.Both of these taxes are modified by a tax treaty between the U.S. and India. In particular, the rate of the flat tax on passive income is reduced to 15 or 25% (depending on corporate structure) for dividends, 10 or 15% (again, depending on corporate structure) for interest, and 15% for royalties. One unusual twist in the U.S. India tax treaty is that it gives particularly favorable treatment to income from consulting or technical services that are ancillary to the use of licensed technology. So it might be beneficial to develop the technology in India, license it to the U.S. entity, and then provide consulting/technical services (such as software maintenance and updates) for a fee. But it is worth reemphasizing that the U.S. doesn’t tax capital gains earned by nonresident foreign nationals. So if you’re not planning to move to U.S. at any point during the development of the business and your ultimate goal is a capital “exit” (i.e. a sale of the company or a sale of your stock in an IPO or a private secondary market), the best strategy might be to use a taxable corporation.By the way, if you form your company in India and conduct business in the U.S., the U.S. might tax those activities under separate “branch profits” tax rules. Those rules are very complicated (and modified in important ways by the U.S.-India tax treaty). So if you decide to form in India but still plan to conduct business in the U.S., you’ll need to hire a tax lawyer familiar with those rules.The discussion above should give you some general ideas, but bear in mind that it only covers U.S. treatment. I’m just not competent to discuss how the taxes will play out in India. It should also be apparent that the right structuring decision is going to depend on multiple factors (your personal situation, your investors’ situations, your business plans etc.) and will often involve difficult tradeoffs based on guesses as to uncertain future events. So you really need to get expert advice from someone familiar with U.S. and Indian taxes before you make any structuring decisions. That’s not just a boilerplate caveat. If you don’t get someone to review your particular situation and help you think through your best strategy, you could easily get things wrong in ways that will be difficult or impossible to fix later and could cost you astounding amounts of money, especially if things turn out really well for the business.

yes it is valid document if someone argue with then tell them some facthttps://digilocker.gov.in/assets/img/Controller-of-Digital-Locker-Rules-2016.pdfThe Information Technology (Controller of Digital Locker) Rules, 2016 In exercise of the powers conferred by clause (x) of sub-section (2) of section 87 read with sections 67C and section 6A of the Information Technology Act, 2000 (21 of 2000), the central Government hereby makes the following rules regulating the applications and other guidelines for DigiLocker service providers, namely: 1. Short Title and Commencement: (1) These rules may be called the Information Technology (Controller of Digital Locker) Rules, 2016. (2) They shall come into force on the date of their publication in the Official Gazette. 2. Definitions: (1) In these rules, unless the context otherwise requires, - a) “Act” means the Information Technology Act, 2000 (21 of 2000); b) “access gateway” means licensed system to provide access to repositories under Digital Locker System; c) “application program interface (API)”, means a set of routines, protocols, and tools for building software applications; d) “appropriate government” means appropriate government as defined in clause (e) of sub-section (1) of section 2 of the Act; e) “body corporate” means any company and includes a firm, Limited Liability Partnership, sole proprietorship or other association of individuals engaged in commercial or professional activities; f) “controller of digital locker” means the officer of the Government notified as the Controller of Digital Locker; g) “DeitY” means Department of Electronics & Information Technology, Government of India. The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 2 of 62 h) “digital locker”, means a service of preservation, retention and delivery of electronic records to the user; i) “DigiLocker Practise Statement” means a statement by the DigiLocker service provider describing the services and flow of the services being offered by the provider. j) “DigiLocker service provider” means an agency including a body corporate or an Agency of the Government, licensed by the Controller of Digital Locker, to establish and manage digital locker system electronically, in accordance with these rules; k) “document Uniform Resource Identifier (URI)”, means documents or records issued complying with prescribed technical specifications; l) “Government” means the Government of India; m) “Issuer” means any department or agency of the appropriate Government issuing digitally signed or equivalently authenticated electronic records to the subscriber under Digital Locker System; n) “License” means binding agreement between/among the Controller of Digital Locker and any service provider; o) “Digital Locker Portal” means a web and mobile based system to provide access to documents under Digital Locker System; p) “National Digital Locker Portal” means DeitY owned and operated webbased hosting Digital Locker System; q) “repository” means an electronic repository of digitally signed as well as digitised electronic records, maintained by any DigiLocker service provider for the purpose of accessing such records and delivering them to the users. r) “Requester” means any department or agency of the appropriate Government requesting access to subscribers digitally signed or equivalently authenticated electronic records preserved and retained in the repository created and managed under Digital Locker System; The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 3 of 62 s) “subscriber” means subscriber to a digital locker under the Digital Locker Portal; t) “user” means a subscriber, issuer or requester of the Digital Locker System. (2) Words and expressions used and not defined in these rules but defined in the Act and Rules shall have the same meanings assigned to them in the Act and the Rules made thereunder. 3. Digital Locker System: (1) For the purpose of providing preservation and retention of machine readable, printable, shareable, verifiable and secure appropriate Government and private agency issued electronic records, the Government and other service providers to provide a digital locker system of limited electronic storage to all users. Explanation. – It is hereby clarified that the present rules provide for the administration of digital locker system by Controller of Digital Locker through DigiLocker Service Providers in accordance with the technical standards as laid down by controller from time to time. (2) Subject to the sub-rule (1), the digital locker system shall act as web and mobile based portal, to be a Digital Locker Portal for appropriate Government and private agency issued electronic records maintained in a prescribed format. 4. Operation of Digital Locker System: (1) Any individual who is resident of India shall be able to open and gain access to digital locker after submitting duly prescribed application form to the Controller of Digital Locker after due authentication manner prescribed by the Controller of Digital Locker. (2) Subject to the sub-rule (1), citizen may obtain the services of the licensed DigiLocker Service Providers for the purpose of access The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 4 of 62 Locker, gateways and repository services using web or mobile based Digital Locker Portal. (3) Digital Locker Portal shall provide access to repositories and access gateway for issuers to issue and requesters to access digitally signed or equivalently authenticated electronic records respectively in a uniform way in real-time by making available Digital Locker Directory to the users. (4) Digital Locker Directory shall provide following details: (a) issuer ID (name, ID, registration date), Requester ID (name, URL, date of empanelment, contact details), Gateway ID (name, URL, date of empanelment, contact details) and empanelled repositories (name, URL, date of empanelment, contact details); (b) repository and gateway empanelment guidelines, standards, application form, and other particulars; (c) electronic workflow to request, approve, and publish new ID for new issuers, gateways & repositories, as the case may be; and (d) any other information as prescribed by the Controller of Digital Locker. 5. DigiLocker Standards: Standards for DigiLocker eco system will be notified by the Department of Electronics & Information Technology (DeitY), Government of India. 6. Appointment of Controller and other officers: 1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Digital Locker for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers, other officers and employees as it deems fit. The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 5 of 62 2) The Controller shall discharge his functions under this Act subject to the general control and directions of DeitY. 3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. 4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers other officers and employees shall be such as may be prescribed by the Central Government. 5) The Head Office and Branch Office of the Office of the Controller shall be at such places as DeitY may specify, and these may be established at such places as DeitY may think fit. 6) There shall be a seal of the Office of the Controller. 7. The Controller may perform all or any of the following functions, namely: 1) Grant licenses to DigiLocker service providers; 2) exercising supervision over the activities of the DigiLocker Service Providers; 3) specifying the conditions subject to which the DigiLocker Service Providers shall conduct their business; 4) specify the conditions under which documents from issuers are made available to DigiLocker service providers. 5) specify the conditions under which documents accessed by requesters are made available to DigiLocker service providers 6) specifying the content of written, printed or visual material and advertisements that may be distributed or used in respect of DigiLocker Services; The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 6 of 62 7) specifying the form and manner in which accounts shall be maintained by the DigiLocker service provider; 8) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them; 9) facilitating the establishment of any electronic system by a Service Provider either solely or jointly with other Service Providers and regulation of such systems; 10)specifying the manner in which the Service Providers shall conduct their dealings with the subscribers; 11)resolving any conflict of interests between the Service Providers and the subscribers; 12)laying down the duties of the Service Providers; 13) maintaining a data-base containing the disclosure record of every DigiLocker Service Providers containing such particulars as may be specified by regulations, which shall be accessible to public. 8. Licensing of DigiLocker Service Providers: (1) The following may apply for grant of a licence to become a DigiLocker Service Provider, namely:- (a) an individual , being a citizen of India and having a capital of five crores of rupees or more in his business or profession. (b) a company having– i. paid up capital of not less than five crores of rupees; and ii. net worth of not less than fifty crores of rupees: Provided that no company in which the equity share capital held in aggregate by the Nonresident Indians, Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence: Provided further that in a case where the company has been The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 7 of 62 registered under the Companies Act, 1956 (1 of 1956) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as DigiLocker Service Provider, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of its majority shareholders holding at least 51% of paid equity capital, being the Hindu Undivided Family, firm or company: Provided also that the majority shareholders referred to in the second proviso shall not include Non-resident Indian, foreign national, Foreign Institutional Investor and foreign company: Provided also that the majority shareholders of a company referred to in the second proviso whose net worth has been determined on the basis of such majority shareholders, shall not sell or transfer its equity shares held in such company- (i) unless such a company acquires or has its own net worth of not less than fifty crores of rupees; (ii) without prior approval of the Controller of Digital Locker; (c) a firm having – i. capital subscribed by all partners of not less than five crores of rupees; and ii. net worth of not less than fifty crores of rupees: Provided that no firm, in which the capital held in aggregate by any Non-resident Indian, and foreign national, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence: Provided further that in a case where the firm has been registered under the Indian Partnership Act, 1932 (9 of 1932) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as DigiLocker service provider, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of all of its partners: Provided also that the partners referred to in the second proviso shall not include Non-resident Indian and foreign national: Provided also that the partners of a firm referred to in the second proviso whose net worth has been determined on the basis of such partners, shall not sell or transfer its capital held in such firm- (i) unless such firm has acquired or has its own The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 8 of 62 net worth of not less than fifty crores of rupees; (ii) without prior approval of the Controller; (d) Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments. Explanation.- For the purpose of this rule,- i. "company" shall have the meaning assigned to it in clause 17 of section 2 of the Income-tax Act, 1961 (43 of 1961); ii. "firm", "partner" and "partnership" shall have the meanings respectively assigned to them in the Indian Partnership Act, 1932 (9 of 1932); but the expression "partner" shall also include any person who, being a minor has been admitted to the benefits of partnership; iii. "foreign company" shall have the meaning assigned to it in clause (23A) of section 2 of the Income-tax Act, 1961 (43 of 1961); iv. "net worth" shall have the meaning assigned to it in clause (ga) of subsection (1) of section 3 of the Sick Industrial Companies (Special Provisions) Act, 1985 (1 of 1986); v. "Non-resident" shall have the meaning assigned to it as in clause 26 of section 2 of the Income-tax Act, 1961 (43 of 1961). (2) The applicant being an individual, or a company, or a firm under sub-rule (1), shall submit a performance bond or furnish a banker's guarantee from a scheduled bank in favour of the Controller in such form and in such manner as may be approved by the Controller for an amount of not less than five crores of rupees and the performance bond or banker's guarantee shall remain valid for a period of six years from the date of its submission: Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker's guarantee for ten crores of rupees: Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired or has its net worth of fifty crores of rupees. The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 9 of 62 (3) Without prejudice to any penalty which may be imposed or prosecution may be initiated for any offence under the Act or any other law for the time being in force, the performance bond or banker's guarantee may be invoked– a) when the Controller has suspended the licence under sub-section (2) of section 25 of the Act; or b) for payment of an offer of compensation made by the Controller; or c) for payment of liabilities and rectification costs attributed to the negligence of the DigiLocker service provider, its officers or employees; or d) for payment of the costs incurred in the discontinuation or transfer of operations of the licensed DigiLocker service provider, if the DigiLocker service provider's licence or operations is discontinued; or e) any other default made by the DigiLocker service provider in complying with the provisions of the Act or rules made thereunder. Explanation.- "transfer of operation" shall have the meaning assigned to it in clause (47) of section 2 of the Income-tax Act, 1961 (43 of 1961). 9. Location of the Facilities: The infrastructure associated with all functions of DigiLocker system as well as maintenance of Directories containing information about the status of DigiLocker system shall be installed at any location in India. 10. Submission of Application: (1) Every application for a licensed DigiLocker service provider shall be made to the Controller,- a) in the form given at Schedule-l; and The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 10 of 62 b) in such manner as the Controller may, from time to time, determine, supported by such documents and information as the Controller may require and it shall inter alia includei. a DigiLocker Practice Statement (DPS); ii. a statement including the procedures with respect to identification of the applicant; iii. a statement for the purpose and scope of DigiLocker technology, management, or operations to be outsourced; iv. certified copies of the business registration documents of DigiLocker service provider that intends to be licensed; v. a description of any event, particularly current or past insolvency, that could materially affect the applicant's ability to act as a DigiLocker service provider; vi. an undertaking by the applicant that to its best knowledge and belief it can and will comply with the requirements of its DigiLocker Practice Statement; vii. an undertaking that the DigiLocker service provider's operation would not commence until its operation and facilities associated with the functions of generation, issue and management of DigiLocker system are audited by the auditors and approved by the Controller in accordance with rule 31; viii. an undertaking to submit a performance bond or banker's guarantee in accordance with sub-rule (2) of rule 8 within one month of Controller indicating his approval for the grant of licence to operate as a DigiLocker service provider; c) any other information required by the Controller. (2) Every application for issue of a license shall be accompanied bya) a DigiLocker practice statement; The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 11 of 62 b) a statement including the procedures with respect to identification of the applicant; c) payment of such fees, not exceeding one lac rupees as may be prescribed by the Central Government; d) such other documents, as may be prescribed by the Central Government. 11. Procedure for grant or rejection of license : The Controller may, on receipt of an application under sub-section (1) of section 4, after considering the documents accompanying the application and such other factors, as he deems fit, grant the license or reject the application: Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case. 12. Fee: (1) The application for the grant of a licence shall be accompanied by a nonrefundable fee of one lac rupees payable by a bank draft or by a pay order drawn in the name of the Controller. (2) The application submitted to the Controller for renewal of DigiLocker service provider's licence shall be accompanied by a non-refundable fee of twenty five thousand rupees payable by a bank draft or by a pay order drawn in the name of the Controller. (3) Fee or any part thereof shall not be refunded if the licence is suspended or revoked during its validity period. 13. Cross Certification: The licensed DigiLocker service provider shall have arrangement for cross certification with other licensed DigiLocker service providers within India which shall be submitted to the Controller before the commencement of their The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 12 of 62 operations as per rule 30: Provided that any dispute arising as a result of any such arrangement between the DigiLocker service providers; or between DigiLocker service providers or DigiLocker service provider and the Subscriber, shall be referred to the Controller for arbitration or resolution. 14. Validity of licence: (1) A licence shall be valid for a period of ten years from the date of its issue. (2) The licence shall not be transferable or heritable. 15. Suspension of Licence: (1) The Controller may by order suspend the licence in accordance with the provisions contained in subrule (3). (2) The licence granted to the persons referred to in clauses (a) to (c) of subrule (1) of rule 8 shall stand suspended when the performance bond submitted or the banker's guarantee furnished by such persons is invoked under sub-rule (2) of that rule. (3) The Controller may, if he/she is satisfied after making such inquiry, as he/she may think fit, that a DigiLocker service Provider has – (a) made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars; (b) failed to comply with the terms and conditions subject to which the license was granted; (c) failed to maintain the standards specified in rule (5); (d) contravened any provisions of this Act, rule, regulation or order made there under, revoke the license: Provided that no license shall be revoked unless the DigiLocker service provider has been given a The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 13 of 62 reasonable opportunity of showing cause against the proposed revocation. (4) The Controller may, if he/she has reasonable cause to believe that there is any ground for revoking a license under subrule (3) by order suspend such license pending the completion of any enquiry ordered by him/her: Provided that no license shall be suspended for a period exceeding ten days unless the DigiLocker service provider has been given a reasonable opportunity of showing cause against the proposed suspension. (5) No DigiLocker service provider whose license has been suspended shall provide any access or sharing of documents and shall as per procedure, make provisions for transfer of repository / documents to another service provider/Receiver as specified by the Controller. 16. Renewal of licence: (1) The provisions of rule 8 to rule 14, shall apply in the case of an application for renewal of a licence as it applies to a fresh application for licensed DigiLocker service provider. (2) A DigiLocker service provider shall submit an application for the renewal of its licence not less than ninety days before the date of expiry of the period of validity of licence. (3) The application for renewal of licence may be submitted in the form of electronic record subject to such requirements as the Controller may deem fit. (4) An application for renewal of a license shall be – a) in such form; b) accompanied by such fees, not exceeding twenty five thousand rupees, as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the license: 17. Issuance of Licence: The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 14 of 62 (1) The Controller may, within four weeks from the date of receipt of the application, after considering the documents accompanying the application and such other factors, as he/she may deem fit, grant or renew the licence or reject the application: Provided that in exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all as the Controller may deem fit. (2) If the application for licensed DigiLocker service provider is approved, the applicant shall- (a) submit a performance bond or furnish a banker's guarantee within one month from the date of such approval to the Controller in accordance with subrule (2) of rule 8; and (b) execute an agreement with the Controller binding him/her self to comply with the terms and conditions of the licence and the provisions of the Act and the rules made thereunder. 18. Refusal of Licence: (1)The Controller may refuse to grant or renew a licence ifa) the applicant has not provided the Controller with such information relating to its business, and to any circumstances likely to affect its method of conducting business, as the Controller may require; or b) the applicant is in the course of being wound up or liquidated; or c) a receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant; or d) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence the conviction for which involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these rules; or the Controller has invoked performance bond or banker's guarantee; or The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 15 of 62 e) a DigiLocker service provider commits breach of, or fails to observe and comply with, the procedures and practices as per the DigiLocker Practice Statement; or f) a DigiLocker service provider fails to conduct, or does not submit, the returns of the audit in accordance with rule 41; or g) the audit report recommends that the DigiLocker service provider is not worthy of continuing DigiLocker service provider's operation; or h) a DigiLocker service provider fails to comply with the directions of the Controller. 19. Representations upon opening of DigiLocker account A DigiLocker service provider while opening a DigiLocker account shall certify that – (a) it has complied with the provisions of this Act and the rules and regulations made there under; 20. Notice of suspension or revocation of license: (1) Where the license of the DigiLocker service provider is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the data-base maintained by him/her. (2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories. Provided that the data-base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock Provided further that the Controller may, if he/she considers necessary, publicize the contents of the data-base in such electronic or other media, as he/she may consider appropriate. 21. Power to delegate: The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 16 of 62 The Controller may, in writing, authorize the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter. 22. Power to investigate contraventions: (1) The Controller or any officer authorized by him/her in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made there under. (2) The Controller or any officer authorized by him/her in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act. 23. Access to computers and data: (1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorized by him/her shall, if he/she has reasonable cause to suspect that any contravention of the provisions of this chapter made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. (2) For the purposes of sub-section (1), the Controller or any person authorized by him/her may, by order, direct any person in charge of, or otherwise concerned with the operation of the computer system, data apparatus or material, to provide him/her with such reasonable technical and other assistant as he/she may consider necessary. 24. DigiLocker service providers to follow certain procedures: Every DigiLocker service provider shall- The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 17 of 62 a) ensure that the document URI and other data provided by issuers and requesters is stored and/or transferred in its original state without any tampering. b) make use of hardware, software, and procedures that are secure from intrusion and misuse: c) provide a reasonable level of reliability in its services which arc reasonably suited to the performance of intended functions; d) adhere to security procedures to ensure that the secrecy and privacy of the documents are assured. e) publish information regarding its practices and current status of such procedures; and f) observe such other standards as may be specified by regulations. 25. DigiLocker service provider to ensure compliance of the Act, etc: Every DigiLocker service provider shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made there under. 26. Display of license: Every DigiLocker service provider shall display its license at a conspicuous place of the premises in which it carries on its business. 27. Surrender of license: (1) Every DigiLocker service provider whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller. The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 18 of 62 (2) Where any DigiLocker service provider fails to surrender a license under sub-section (1), the person in whose favour a license is issued, shall be guilty of an offense and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both. 28 Disclosure: (1) Every DigiLocker service provider shall disclose in the manner specified by regulations (a) its DigiLocker Certificate (b) any DigiLocker practice statement relevant thereto; (c) notice of revocation or suspension of its DigiLocker certificate, if any; and (2) Where in the opinion of the DigiLocker service provider any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which access to a document was granted, then, the DigiLocker service provider shall- (a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation. 29. Governing Laws: The DigiLocker Practice Statement of the DigiLocker service provider shall comply with, and be governed by, the laws of the country. 30. Security Guidelines for DigiLocker service provider: The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 19 of 62 (1) The DigiLocker service provider shall have the sole responsibility of integrity, confidentiality and protection of information and information assets employed in its operation, considering classification, declassification, labeling, storage, access and destruction of information assets according to their value, sensitivity and importance of operation. (2) Information Technology Security Guidelines and Security Guidelines for DigiLocker service provider aimed at protecting the integrity, confidentiality and availability of service of DigiLocker service provider are given in ScheduleII and Schedule-III respectively. (3) The DigiLocker service provider shall formulate its Information Technology and Security Policy for operation complying with these guidelines and submit it to the Controller before commencement of operation: Provided that any change made by the DigiLocker service provider in the Information Technology and Security Policy shall be submitted by it within two weeks to the Controller. 31. Commencement of Operation by Licensed DigiLocker service provider: (1) The licensed DigiLocker service provider shall commence its commercial operation only after (a) it has confirmed to the Controller the adoption of DigiLocker Practice Statement; (b) the installed facilities and infrastructure associated with all functions of management of DigiLocker system have been audited by the accredited auditor in accordance with the provisions of rule 41; and (c) it has submitted the arrangement for cross certification with other licensed DigiLocker service provider within India to the Controller. 32. Requirements Prior to Cessation as DigiLocker service provider: The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 20 of 62 (1) Before ceasing to act as a DigiLocker service provider, a DigiLocker service provider shall, a) give notice to the Controller of its intention to cease acting as a DigiLocker service provider: Provided that the notice shall be made one hundred eighty days before ceasing to act as a DigiLocker service provider or ninety days before the date of expiry of licence; b) will follow the data retention and data migration guidelines notified by DeitY. c) advertise one hundred twenty days before the expiry of licence or ceasing to act as DigiLocker service provider, as the case may be, the intention in such daily newspaper or newspapers and in such manner as the Controller may determine; d) notify its intention to cease acting as a DigiLocker service provider to the subscriber, issuers and requesters of each documents available in its system: e) the notice shall be sent to the Controller, affected subscribers, issuers and requesters by digitally signed e-mail and registered post; f) make a reasonable effort to ensure that discontinuing its DigiLocker services causes minimal disruption to its subscribers; g) make reasonable arrangements for preserving the records for a period of seven years; h) pay reasonable restitution (not exceeding the cost involved in opening a DigiLocker account) to subscribers for ceasing DigiLocker services;. 33. Database of DigiLocker Service Providers: (1) The Controller shall maintain a database of the disclosure record of every DigiLocker service provider, containing inter alia the following details: a) the name of the person/names of the Directors, nature of business, Income tax Permanent Account Number, web address, if any, office and residential The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 21 of 62 address, location of facilities associated with functions of DigiLocker system, voice and facsimile telephone numbers, electronic mail address(es), administrative contacts and authorized representatives; b) current and past versions of DigiLocker Practice Statement of DigiLocker service provider; c) time stamps indicating the date and time ofi. grant of licence; ii. confirmation of adoption of DigiLocker Practice Statement and its earlier versions by DigiLocker service provider; iii. commencement of commercial operations of DigiLocker system by the DigiLocker service provider; iv. revocation or suspension of licence of DigiLocker service provider; 34. The manner in which Digital Locker System be used by Subscriber: (1) A Digital Locker shall be used by the subscriber in the following manner: (a) accesses and registers for Digital Locker on the web or mobile based Digital Locker Portal; (b) uploads document, digitally signs the documents in the digital locker as provided by the DigiLocker Service Provider; (c) accesses documents from issuers using the document URI’s available in the DigiLocker account. (d) grants access to the requester to access appropriate Government issued records by providing unique document URI; (e) provides access to the issuer to deposit document URI’s; and (f) as prescribed by the Controller of Digital Locker from time to time. 35. The manner in which Digital Locker System be used by Requester: (1) A Digital Locker shall be used by the requester in the following manner: The Information Technology (Controller of Digital Locker) Rules, 2016 _______________________________________________________________________________________________________ Page 22 of 62 (a) registers itself with the Controller of Digital Locker specified web portal; (b) accesses subscriber’s appropriate issued documents based on the URI; and (c) uses licensed gateway providers to access documents stored across certified repositories; (d) as prescribed by the Controller of Digital Locker from time to time.