The long-anticipated uniform indirect tax regime in India, namely ‘The Goods and Services Tax’ (hereinafter referred to as GST), was introduced on 1st July 2017. This monumental event ushered in a new era of transparency in economic activities involving transactions in goods and services, as all such businesses are brought under one uniform taxation system, with a facility for all stakeholders to comply with the law directly, on a voluntary basis, with no physical presence of tax administrators in the conduct of their activities. The multitude of earlier tax systems gave way to a single harmonized tax regime applicable to the whole of India. Owing to ‘digitally enabled, seamless, but automated credit distribution and settlement mechanisms’ for all the states, the Indian domestic trade market is freed of all barriers. The standard and uniform tax rates are made known in advance to all stakeholders, especially the citizen (the consumer), who is the actual tax payer / bearer, and this has brought much-needed transparency to the entire self-governed regime. As everyone knows the tax rates and procedures, the use of tax as an arbitrage in business is eliminated, resulting in a reduction in the prices of goods and services. Similarly, the intermediaries, who are the registered tax payers collecting taxes as per the levy and forwarding them to the Government through the GST Network (GSTN for brevity), can comply with all the legislative requirements without any physical intervention or hindrance from tax officials.
Introduction of uniform GST
Prior to the introduction of GST, the powers of the Centre and the States to levy and collect indirect taxes were mandated in the Constitution, with little overlap between them as regards the taxable event. To establish the ‘one nation, one tax’ regime, an amendment to the Constitution was imperative. Accordingly, the Constitution (122nd Amendment) Bill was introduced in Parliament, providing separate but simultaneous legislative powers to both the Centre and the States (including Union Territories) on the common taxable event, viz., ‘the supply of all goods or services or both, except for Alcohol for human consumption’. The President of India gave his assent to the Bill on 8th September, 2016. As mandated, a Goods and Services Tax Council (GSTC), comprising the Union Finance Minister, the Minister of State (Revenue) and the State Finance Ministers, was constituted with effect from 12th September, 2016. The Council is vested with powers to make recommendations on subjects like the GST rates, exemptions and thresholds, taxes to be subsumed and other features, to ensure harmonization on different aspects of GST between the Centre and the States as well as across States. After due process of law based on the GST Council’s recommendations, GST was implemented all over India with effect from 1.7.2017.
The GST is a value-added, destination-based consumption tax on all transactions involving ‘supply of goods or services or both’. It is a dual, simultaneous levy on a common tax base: on intra-State supplies of goods and services, the Centre levies the Central GST (CGST) and the States levy the State GST (SGST), while on inter-State supplies the Centre levies the Integrated GST (IGST). The GST has subsumed over 150 indirect tax laws into a single tax system, facilitating the formation of a common national market with free flow of trade and commerce without any barriers.
Origin of GST Network
For effective execution, implementation and administration of the comprehensive GST law, given the sheer volume of transactions expected, an efficient, largely technology-driven interface between the taxpayer and the tax authorities is the principal requisite. The GSTN system interfaces with various stakeholders, viz.,
- Registered Tax payers – expected to consist of over 1.2 crore intermediaries in both domestic and international trade and commerce, dealing in transactions pertaining to the supply of goods or services or both.
- All practicing Chartered accountants / Cost accountants / Company secretaries / Tax practitioners and Attorneys, Tax Return Preparers etc. This group is also expected to be huge in number, which is yet to be quantified. The number is expected to keep changing as new members have to be accommodated.
- Banks / RBI – almost all banks deal with the accounts of the intermediaries and are also suppliers themselves. The numbers need to be estimated after full implementation of the GST law.
- GST Council – the central decision-making authority, and its authorized persons for access.
- CBIC (earlier called CBEC) / all State / Union Territory Tax Authorities and their ‘Help-desks’ at all important locations across India, together with the Comptroller and Auditor General, to enable audit of the requisite tax compliance; and all governmental authorities such as UIDAI / MCA21 / CBDT / ICEGATE etc., who coordinate on a real-time basis for validation and exchange of data. The number of users is expected to be over three lakh.
- All third Party application developers selected and authorized by GSTN.
No proper estimate is possible at the moment of the number of users across all stakeholders or of the quantum of data expected to be generated, as the entire exercise of implementing the GST law is a work in progress. The legal provisions and the technological and administrative frameworks supporting the legislation are undergoing frequent modification at the suggestion of all the concerned stakeholders. The entire process is in an evolving mode. However, the above list sufficiently indicates the complications involved in transactions with a multitude of stakeholders at the helm.
For handling such huge data in a secured way at one place and in real time, it is appropriate to possess a comprehensively designed and perfectly functioning common Information Technology (IT) infrastructure facility. To be ready for such a purpose, the Government of India initiated and established the GST System Project, viz., GSTN, by incorporating it on 28 March 2013 as a non-Government, not-for-profit, limited company under Section 25 of the Companies Act, 1956, promoted jointly by the Central and State governments. The shareholding pattern of GSTN is: the Central Government (24.5%), State Governments & Empowered Committee (24.5%) and the financial institutions (51%), which makes it a privately owned establishment. The GSTN was formed with the intent of providing a shared IT infrastructure facility and service to both Central and State Governments and to all tax payers and other stakeholders at one place.
The salient features of GST Network
The GST Network, being the National Information Utility (NIU) / Special Purpose Vehicle (SPV) Project, is a unique and complex IT initiative, as for the first time an attempt is made to establish a comprehensive interface for the tax payer and other stakeholders with a common, shared IT infrastructure. The company states that, “currently, the Centre and State indirect tax administrations work under different laws, regulations, procedures and formats and consequently the IT systems work as independent sites. Integrating them for GST implementation would be complex since it would involve integrating the entire indirect tax ecosystem so as to bring all the tax administrations to the same level of IT maturity with uniform formats and interfaces for taxpayers and other external stakeholders. Besides, GST being a destination based tax, the inter-state trade of goods and services (IGST) would need a robust settlement mechanism amongst the States and the Centre. This is possible only when there is a strong IT Infrastructure and Service as the backbone which enables capture, process and exchange of information amongst all the stakeholders, including tax payers, States and Central Governments, Accounting Offices, Banks and RBI.” The above statement sufficiently explains the challenges involved in creating this huge utility, which needs to be secured as it deals with huge data pertaining to trade and commerce and its activities, tax and all related statutory compliances, investigation by various agencies and all such related matters. Any breach in security of data of any sort will cause irreparable damage to the whole of the Indian economy, as it will hamper all the national and international business of India.
Authority to handle GST business processes and data
The statutory authority for GSTN to be used as an SPV in complying with GST law and procedures emanates from Section 146 of the CGST Act, 2017, which stipulates that, “The Government may, on the recommendations of the Council, notify the Common Goods and Services Tax Electronic Portal for facilitating registration, payment of tax, furnishing of returns, computation and settlement of integrated tax, electronic way bill and for carrying out such other functions and for such purposes as may be prescribed.” The Union Government has notified www.gst.gov.in as the common GST electronic portal. As mandated, the common electronic portal shall facilitate all front-end business processes and the settlement of integrated tax, electronic way bill etc., for the registered tax payers and other authorized agencies / persons.
The vision of this SPV as stated in the company charter is, “To become a trusted National Information Utility (NIU) which provides reliable, efficient and robust IT backbone for the smooth functioning of the Goods & Services Tax regimen enabling economic agents to leverage the entire Nation as One Market with minimal Indirect Tax compliance cost.”
The core values have been listed as: Inclusiveness, Efficiency, Transparency, Commitment, Collaboration, Excellence, Innovation and Accountability. The GSTN is expected to be a trusted National Information Utility (NIU) providing reliable, efficient and robust IT infrastructure for the user friendly and reliable functioning of GST in India.
Therefore the GSTN, as a key technology supporter, enables the execution of processes such as registration, E-way bill generation, invoice uploading, tax return filing, the tax payment system etc., under GST. “The GSTN is preparing to handle as many as 3 billion invoices a month under the new indirect tax regime, but will encourage entities that generate a large volume of invoices to upload them daily to lessen the burden on the system”, chief executive officer Mr. Prakash Kumar said. Addressing a trade Chamber event, Kumar assured the industry that GSTN is applying the “best available security systems for data”. “Security of your data is of prime importance because in invoice, the item cost is also included. We are cognizant of the fact that if your competitor comes to know of it, it will be a big setback for you. So all the information which will come to us, is always in encrypted mode and the best possible security systems we have provided from the perimeter to inside,” Kumar said. He stated that the database administrator has been designed in a way that no outsider can see the data. “Only two people can have access – the taxpayer himself or his tax officer who is responsible for that. We are applying the best available security systems for data, whether it is movement or in storage,” he said.
As stated by the company, the design of GST systems is based on role based access. The taxpayer can access his own data through identified applications like registration, return, view ledger etc. The tax official having jurisdiction and audit authorities, can access, as per GST law, such data for scrutiny. No other entity can have any access to data.
The Government’s shareholding of 49% is far more than that of any single private institution, and the Government will therefore have strategic control over the GSTN. The Central Government will have control over the composition of the Board, the mechanisms of Special Resolution and Shareholders Agreements, and the agreements between the GSTN and other state Governments. Therefore it was expected that proper care would be taken to implement best practices in securing the data.
Security measures at GSTN
Further, the GSTN in its declaration has stated that it has incorporated a state-of-the-art security framework as far as data and service security are concerned. It is stated that high-end firewalls have been used with a view to detecting any intrusion. The data are encrypted, and a complete audit trail, tamper proofing using consistent hashing algorithms, and host hardening have been used. The primary and the secondary Security Operations Command & Control center have been designed so as to proactively monitor the Network and protect it, in real time, against any malicious attack. The GSTN is said to have ensured secure coding practices to protect against all threats.
The data centers and disaster recovery data centers are placed in different seismic zones. GST Network CEO Mr. Prakash Kumar said, “We have one data center in Delhi, and one in Bengaluru. Although the data between two cities travel at the speed of light, it still takes a few milliseconds, so what happens if something breaks down at that time? To avoid that data loss, we have put one additional data centre next to our original data centers, so we have a spare data centre here in Delhi, another in Bengaluru. All these data centers are connected to each other. For connecting these data centers, GSTN chose two separate lines, and two different companies, so if system of one goes down, the other keeps working. Besides taking care of cyber security through the security operations centre housed in Chennai, GSTN has also set up a business continuity plan that will ensure data recovery and zero data loss in case of an emergency”.
Performance of GSTN – a matter of concern
The GSTN, which is expected to resolve all IT related issues, enabling smooth implementation and administration of GST, has a long way to go for fulfilling its goal, as the recent developments indicate.
In certain situations it has been noticed that the TRAN-1 Form has been tampered with. In this regard, a petition is before the Bombay High Court seeking a direction from the Court to file a criminal complaint against the central Government and GSTN. The petitioner stated that records in the hands of Private Company are properly secured. They asked the Government to take over GSTN on priority. A high-level enquiry through independent IT Experts against GSTN for tampering with the status of returns filed has also been sought by the Petitioner. They alleged that the GSTN has not been managed properly as stipulated under IT Laws.
The GSTN, expected to play a key role in the effective implementation of GST laws, has in reality caused more harm than originally thought. “A Sad Tale of GSTN & Ease of Doing Business gone!” observes Mr. Shailendra Kumar, founder Editor of Taxindiaonline. He further concludes, “Whether ease of doing business would degenerate into a ‘DISease of doing business’, what with all the returns that are to be filed! By the way, when will the businesses have time to do business!!?”
“After demonetization and cashless economy, cyber security is becoming even more relevant,” said Mr Pawan Duggal, a cyber-law advocate. “India is thoroughly unprepared to deal with cyber security because, number one, India does not have a dedicated cyber-security law,” he added.
It is pertinent to mention here that changing over to the new regime involves various stages, which is one of the reasons for the delays and interruptions in the performance of GSTN. Firstly, the GST Council has to finalize the law, Rules, procedures and formats and recommend the same to the respective Governments to be notified as statutes. Later, the GSTN has to develop the complying software and finalize the hardware requirements, i.e., it has to provide the suitable technological framework after due discussions with the administration. Only then can it release the same for use by the tax payer and others. The non-finalization of the return and e-way formats etc., and of the rules and procedures, has further added to the precarious handling of the situation by GSTN.
The Confederation of All India Traders (CAIT) claimed that the GST portal is not functioning at the desired level. They further stated that they have faced mental agony owing to its poor performance. They claimed that this is a major barrier to the implementation of a transparent taxation system like GST.
Legal compliance under IT Act 2008
GSTN is a computer utility of paramount importance, as it is authorized to collect, receive, retain, store, handle, process and transfer the trade transaction data of the entire country, and therefore it is mandatory for them to put into operation all the cyber security related measures required under IT Act 2000.
On being questioned on security concerns, “What have you put in place as a security architecture to ensure that the data, at no point of time, can be compromised by just the sheer ownership of this organization?”, the GSTN Chairman Mr. Navin Kumar had replied, “Right from day one this has been uppermost in our mind. When we drafted the RFP (Request for Proposal) for this project for selection of our IT partner, we put a specific section on this and we made our requirements very clear; that security of our system is an important requirement and we are doing everything that is possible today; that technology or equipments, the best that are available for security in the world, we are going to use; We are using ISO 27001 which is the highest standard for information security management in the world; Our system will be certified; So we are doing everything that is required to make sure that the data is secured; we are using various kinds of security; various steps like perimeter security, which is the physical security, security at the network level, at the application level, at the data level, even during the development of software; We are going to have a Security Operation Centre which will run 24×7 that will watch the security aspects and see if there are any attacks; they’ll try to contain that attack or take on the mitigation measures; We are also having a separate organization, which we call the Security Management and Analytics Company, which will keep a tab/watch on the all the ongoing security operations; We are taking all possible steps to ensure the security of the data.”
“The GSTN will be handling a very large project which will need quick-footed work on the part of the organization, and therefore such a company must have independence of management. It should be allowed to structure the organization according to its requirements and not be bound by government rules. It should have flexibility in decision making, should be able to hire and retain professionals from the market at market salaries. That could happen only if this was a non-government, private company”, this was accepted by the Empowered Committee of State Finance Ministers and the central government. The private entities agreed to join and thereby GSTN was established.
Secured access system
As per the GSTN, the GST System has been designed to have five layers, so that there is secured accessibility:
- GST Core System layer, wherein the business and functional services reside. This interacts with the external world through the surrounding API layer.
- API Layer, which is not exposed to the internet and so faces no threat of DDoS attack. The API layer validates each piece of data / request that comes in, i.e., the license key of the caller (organization, features, expiry, etc.), the structure, the size, the digital signature of the API-calling entity, and the integrity of the data, to ensure that the data is not changed in transit.
- Access to IT Infrastructure layer inside Data Centre through stringent network and security infrastructure.
- Access Layer for GSP community.
- Access to all end users including tax agency employees, banks, taxpayers, state authorities against authentication and authorizations granted on GST services as per the system. This layer is used by users of the apps and portal providers.
Data is protected by extensive network and security monitoring systems. Security measures include distributed denial of service (DDoS) protection, password brute-force detection, secure access, built-in firewalls, encrypted data storage and periodic backups. The convenience of the tax payer is of utmost importance for the success of GST measures and facilitations. For this purpose, taxpayers have been given the option of choosing services from approved third parties, known as GSPs. The applications developed by GSPs connect to the GST system via secure GST system APIs, so that Business to Government communication eases the difficulties traders face in using digital means to comply with the requirements of GST law.
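The API-layer checks listed above (license key, size, structure, caller signature, data integrity) can be pictured as one ordered validation function. This is an added example, not GSTN code: the header names, license registry, size limit and field names are assumptions, and HMAC-SHA256 with a shared secret stands in for the caller's digital signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Dict, Tuple

MAX_BODY_BYTES = 4096  # assumed size limit for one request body

# Constructed license registry: every value here is made up for the example.
LICENSES = {
    "LIC-DEMO-001": {"org": "Example GSP", "features": {"returns.save", "ledger.view"},
                     "expires": date(2030, 12, 31), "secret": b"constructed-secret-1"},
    "LIC-DEMO-OLD": {"org": "Lapsed GSP", "features": {"returns.save"},
                     "expires": date(2018, 3, 31), "secret": b"constructed-secret-2"},
}

# Assumed request structure: field name -> required JSON type.
REQUIRED_FIELDS = {"taxpayer_id": str, "action": str, "payload": dict}


def make_tag(secret: bytes, license_key: str, body_sha256: str) -> str:
    """Caller's signature: HMAC over the license key and the body digest."""
    msg = (license_key + "\n" + body_sha256).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(license_key: str, secret: bytes, doc: dict) -> Tuple[Dict[str, str], bytes]:
    """Caller side: serialise the document and attach digest and signature."""
    body = json.dumps(doc, sort_keys=True).encode()
    digest = hashlib.sha256(body).hexdigest()
    headers = {"x-license-key": license_key, "x-body-sha256": digest,
               "x-signature": make_tag(secret, license_key, digest)}
    return headers, body


def same(a: str, b: str) -> bool:
    """Constant-time comparison, so a mismatch leaks no timing information."""
    return hmac.compare_digest(a.encode(), b.encode())


def validate_request(headers: Dict[str, str], body: bytes, today: date) -> Tuple[bool, str]:
    """Gateway side: run the checks cheapest-first and stop at the first failure."""
    # 1. License key: must be known and not expired.
    key = headers.get("x-license-key", "")
    lic = LICENSES.get(key)
    if lic is None:
        return False, "unknown license key"
    if today > lic["expires"]:
        return False, "license expired"
    # 2. Size: reject oversized bodies before hashing or parsing them.
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    # 3. Integrity: the body must hash to the digest the caller declared.
    digest = hashlib.sha256(body).hexdigest()
    if not same(digest, headers.get("x-body-sha256", "")):
        return False, "integrity check failed"
    # 4. Signature: binds the digest to the holder of this license's secret.
    if not same(make_tag(lic["secret"], key, digest), headers.get("x-signature", "")):
        return False, "bad signature"
    # 5. Structure: parse only authenticated bytes, then check the fields.
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(doc, dict):
        return False, "malformed structure"
    for name, typ in REQUIRED_FIELDS.items():
        if not isinstance(doc.get(name), typ):
            return False, "missing or mistyped field: " + name
    # 6. License features: the requested action must be covered by the license.
    if doc["action"] not in lic["features"]:
        return False, "feature not licensed"
    return True, "accepted"


if __name__ == "__main__":
    secret = LICENSES["LIC-DEMO-001"]["secret"]
    doc = {"taxpayer_id": "TP-0001", "action": "returns.save",
           "payload": {"period": "2017-07"}}  # constructed sample request
    hdrs, raw = build_request("LIC-DEMO-001", secret, doc)
    print(validate_request(hdrs, raw, date(2024, 1, 1)))
    print(validate_request(hdrs, raw.replace(b"2017-07", b"2017-08"), date(2024, 1, 1)))
```

Parsing happens only after the signature check, so unauthenticated input never reaches the JSON parser or the business logic.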
Security requirement according to IT Act 2008
Now let us discuss the security requirements under the Information Technology Act 2000 and examine, with the information available in the public domain, the security protocols with which the GSTN has to comply. Here it is important to note that GSTN is a body corporate providing services and also functions as an intermediary. Therefore it has to follow the security norms stipulated under the IT Act in respect of both roles and functions, i.e. as a body corporate as well as an intermediary.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 deal with Reasonable Security Practices by a service provider and the protection of Sensitive personal data or information of a person.
A body corporate, i.e. GSTN (or a person acting on its behalf), is considered to have complied with reasonable security practices and procedures if it has implemented the prescribed security practices and has also comprehensively documented an information security programme and policies containing managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and with the nature of the business. Any facility that hosts or carries out any activity relating to electronic documents, or generates electronic information directly or indirectly involving commercial or related activity, with the aid of electronic gadgets, i.e., any Computer, Computer System or Computer Network, has to adhere to certain reasonable Security Practices such as: site certification, security initiatives, awareness training, conformance to standards certification, policies and adherence to policies (such as a password policy, access control and email policy), and periodic monitoring and review.
There are three basic security concepts / aspects of data security viz., Confidentiality, Integrity and Availability:
Confidentiality: this refers to protection of information from unauthorized disclosure.
Integrity: this refers to protecting information from unauthorized modification, and ensuring accurate and complete data to the user.
Availability: this refers to ensuring that the information is readily available to authorized persons whenever required.
The cyber security measures taken by GSTN should meet the requirements of the international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”. All of the above have to be regularly and periodically certified to the effect that the facility is a cyber-secured utility.
It is informed that the GSTN is following all the security principles as prescribed in Information Technology (IT) Security Guidelines.
Damages for violations
Section 43A of the Information Technology Act, 2000 provides that where any ‘body corporate’ engaged in acquiring, dealing with or handling any personal data or information that is sensitive in nature is negligent in implementing the ‘reasonable security practices’, resulting in wrongful loss or gain to anyone, such body corporate could be liable to pay damages to the affected person. Therefore GSTN has to mandatorily implement and maintain the reasonable security practices, failing which substantial damages (no upper limit is specified for the compensation) can be claimed from the company by the affected person in case of any breach. It is therefore very important to know the reasonable security practices to be adhered to by the GSTN, so that the tax administrations as well as the tax payers and all other stakeholders secure their data and activities.
Data privacy concerns
Data privacy is another important element of data security leading to overall cyber security. The various persons involved viz., GSTN or Provider of information have to adhere to privacy norms.
In respect of any Sensitive Data of any person collected and processed or stored in India using the computer resources of any entity, whether established in India or elsewhere, the Data Privacy Rules are to be followed. It is to be noted that the said Rules are not limited to Sensitive Data belonging to residents of India. As per the Data Privacy Rules, the responsibility in relation to consent requirements and provider access requests lies not only with the corporation but extends to the Data Processor also. Therefore we can conclude that both the body corporate and the Data Processor performing the said functions relating to the sensitive data are legally responsible for compliance under the Privacy Rules.
Personal information such as passwords, financial information such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information is treated as sensitive personal data. The said rules provide the reasonable security practices and procedures to be followed by such body corporate, i.e. GSTN in the instant case. In case of any breach by the GSTN or any other person acting on its behalf, the GSTN may be held liable to pay damages to the affected person.
The Data Privacy Rules further require the GSTN to practise and comprehensively document such an information security program and security policies. Therefore the GSTN shall implement the International Standard IS/ISO/IEC 27001.
Audit by a government approved auditor
The security standards as implemented by GSTN should be audited periodically, say at least once a year, by an auditor duly approved by the Government of India. Such audits should also be initiated whenever the GSTN undertakes a significant upgradation of its processes or resources. In instances of a data security breach, GSTN will be required to demonstrate that it has implemented the reasonable security practices and control measures as documented in its manuals and security policies.
As can be seen from the GSTN infrastructure, purpose, application and usage, a huge number of private players are involved in the management of the facility. For the smooth working of GSTN it is necessary that all such intermediaries work in tandem. All such establishments are bound to have robust cyber security measures so that their activities take place in a secured environment. Any lapse on the part of such an intermediary will result in the public-private partnership breaking down and the e-governance efforts becoming futile.
Security measures as an intermediary
Under section 79 of the IT Act, exemption from liability has been extended to an intermediary in certain cases, provided such intermediary adheres to the conditions of that provision. An intermediary shall not be liable for any third party information, data, or communication link hosted by him provided –
‘‘(a) the function is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; or
(b) The intermediary doesn’t- (i) initiate the transmission, (ii) Select the receiver of the transmission, and (iii) Select or modify the information contained in the transmission;
(c) The intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf’’.
As per the Notification issued on 11th April, 2011 by the GOI, the duties to be performed by intermediaries to demonstrate due diligence are listed in Rule 3 of the Information Technology (Intermediaries guidelines) Rules, 2011. In a nutshell, the duties to be performed by the intermediaries are:
(2) inform all the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that violates the provisions of IT Act such as –
a) information or data where user has no ownership rights;
b) information that is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, and similar information about unlawful activities for the time being in force;
c) information that is harmful to minors;
d) information involving IPR infringements;
e) violates any law for the time being in force;
f) deceives or misleads the addressee about the origin of such messages;
g) information impersonating another person;
h) information that contains software viruses or any other computer programs designed to interrupt, destroy or limit the functionality of cyber resource;
i) the information that threatens the unity, integrity, defense, security or sovereignty of India, etc.
The intermediary, upon receipt of petition by any affected person, about objectionable information as mentioned above, shall act within thirty six hours and wherever applicable, work with user or owner of such information to disable such information that is in contravention.
Further the intermediary under IT law has been mandated to preserve such information for at least ninety days for any purposes, including for investigations. He should implement all the prescribed reasonable security practices and procedures as per the IT (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011. The company should publish the name of the Grievance Officer and his contact details as well as mechanism by which users or any victims can contact for necessary redressal, in their web facility.
There is no information on whether the best practices of security are adhered to and reviewed periodically by GSTN. There is no disclosure of a security audit being conducted on a regular basis. Also findings of any such reports are made known in their publications. The stakeholders are expressing their displeasure as the GSTN has not yet met the assured requirements. The filing of returns and the uploading of invoices are being interrupted by frequent inadequacies on the technological front at GSTN. Therefore it is important for GSTN to come out with a detailed publication on the security measures it has taken, so that the trust and confidence of the stakeholders are restored.
As GSTN is one of the most important utilities of India, it is imperative for it to adhere to all the stipulated security requirements as per law, without any room for deviation. There is a need for GSTN to come out with a comprehensive and clear communication regarding the best practices it has undertaken, so that all the stakeholders use the SPV with confidence in making GST implementation a success. The GSTN was formed with a vision to provide a reliable and robust digital utility for the smooth working of the GST system. It should play a vital role in leveraging the entire Nation to evolve into One Market with minimum cost of compliance. Then alone can it evolve into a trusted, secured, transparent and efficient National Information Utility.
This Article has been written by Shri M. G. Kodandaram, IRS, Former Assistant Director, NACIN, Bengaluru & Consultant and Master Trainer – GST, CBIC, GOI, NACIN.