The Ministry of Electronics and Information Technology (“MeitY”) held a public consultation for the proposed Digital India Act (“DIA”) on March 09, 2023 and a presentation was released on the broad framework of the DIA [1]. The current regulatory framework that governs the information technology ecosystem consists of the Information Technology Act, 2000 (“IT Act”) and the rules framed thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Information Technology (The Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
The presentation recognizes that the IT Act was designed for a nascent IT ecosystem in pre-digital India, in the absence of modern internet-based services such as e-commerce and social media platforms. It highlights the following limitations of the IT Act:
(a) Lack of comprehensive provisions on user rights, trust and safety;
(b) Limited recognition of harms and new forms of cybercrimes, without any institutional mechanism for awareness creation;
(c) Lack of distinct regulatory approaches for harmful and illegal content;
(d) Absence of adequate regulations to address the regulatory requirements of emerging technology, assessments of high-risk automated decision-making systems, modern digital businesses including monopolies and duopolies;
(e) Lack of adequate principles for data / privacy protection;
(f) Lack of a converged, coordinated and harmonized institutional regulatory body, a dedicated and efficacious investigatory/ enforceability and a swift adjudicatory mechanism; and
(g) Lack of coordinated cyber security incident response mechanism.
Considering the above limitations of the IT Act, the DIA is set to overhaul the existing information technology framework. The new framework will consist of the DIA, the DIA rules, the Digital Personal Data Protection Act, National Data Governance Policy and amendments to the Indian Penal Code, 1860 for cybercrimes. The MeitY has already released the draft Digital Personal Data Protection Bill, 2022 [2] and the draft National Data Governance Framework Policy [3] in 2022.
The MeitY envisions that the new digital law would be adaptable and consistent with changing market trends, technological disruptions and developments in international jurisprudence and global standards for delivering qualitative services and products. In this regard, the presentation outlines certain key components of the DIA:
- Open Internet – The presentation describes an open internet as one that offers choice, competition, online diversity, fair market access, and ease of doing business. It should also have fair trade practices in place to prevent concentration of market power with dominant entities. The presentation suggests that an update to the Competition Act, 2002 may be required. Safeguarding innovation is also a key principle discussed in the presentation, which involves enabling technologies like AI/ML, web 3, autonomous systems, blockchain etc. The promotion of digital governance is another principle that has been emphasized as essential for ensuring an open internet.
- Online Safety and Trust – The presentation highlights that while the internet, devices, and information technology have empowered citizens, they have also created new challenges. These challenges include user harm, ambiguity in user rights, women and child safety, misinformation and fake news, and the circulation of hate speech. To address these issues, the DIA should incorporate a range of measures such as age-gating, mandatory ‘do not track’ requirements, the enforcement of digital user rights such as the right to be forgotten, and moderation of fake news. Additionally, the DIA should aim to regulate high-risk AI systems by introducing a legal and institutional quality testing framework. This framework should examine regulatory models, algorithmic accountability, zero-day threat and vulnerability assessment, AI-based ad-targeting, content moderation, and the like. Further, privacy-invasive devices, such as spy camera glasses and wearable tech, should be governed by stringent regulations that include KYC requirements for retail sales and appropriate criminal law sanctions.
- Accountable Internet – The presentation emphasizes the need for adjudicatory and appellate mechanisms to ensure that digital operators are held accountable. It also highlights the need to safeguard citizens’ constitutional rights, such as those enshrined in Articles 14, 19, and 21, while using digital platforms. Further, it mentions that the DIA should provide for deterrent, effective, proportionate and dissuasive penalties.
- Intermediaries – According to the presentation, it is necessary to update the intermediary framework and formulate separate rules for each class of intermediaries, including e-commerce, digital media, search engines, gaming, OTT platforms, Ad-tech, AI, and others. The presentation also recommends reconsidering the safe harbour provision enshrined in Section 79 of the IT Act, which currently protects intermediaries from any liability arising from third-party content posted on their platforms.
The MeitY will conduct a comparative study of all relevant global laws pertaining to internet and technology. It is expected that a draft bill for the DIA would be released soon for consultations with stakeholders. It remains to be seen how the components discussed in the presentation would be incorporated in the draft bill and if all these points would make the cut. At present, various new and emerging technologies such as AI, blockchain, augmented/virtual reality are inadequately regulated in India. The implementation of specific laws to govern these technologies would be a significant legal development and could benefit digital businesses in the country.