After the withdrawal of the Data Protection Bill, 2021 (‘DPA’) from the Parliament, the Ministry of Electronics and Information Technology (‘MEITY’) is expected to usher a comprehensive framework for information technology law and regulation, apart from a separate data privacy law. It is widely reported that the Government is proposing to introduce a ‘Digital India’ Act (‘DIA’) that is expected to replace the Information Technology Act, 2000 (‘IT Act’).
The DIA is expected to be a comprehensive framework that would govern aspects such as regulation of intermediaries, provide for digital crimes such as deliberate propagation of misinformation, provide guidelines around women and children safety on the internet, and have a greater regulatory visibility and control over monitoring undesirable content on over-the-top service platforms.
Focal points of regulation
A) Privacy: The withdrawal of the DPA was with an intention to introduce a comprehensive framework of privacy rules and regulations to effectuate rights provided in the Puttaswamy It is unclear as to whether the DIA would include provisions dealing with privacy compliances, data principal rights, data sharing, confidentiality and other security standards, given that a separate data protection law may be introduced to regulate the same.
B) Social Media Platforms: Regulation of social media platforms is one of the key prerogatives of the DIA. The current framework of due diligence and prescriptions under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (‘Rules’) provide obligations around prompt action by intermediaries in responding to and removing unlawful content, disclosure of information to law enforcement authorities, reporting of cyber security incidents which are applicable to all intermediaries.
In addition to the above, significant social media intermediaries (‘SSMIs’) (those social media platforms which have over 50 lakh / five million registered users in India) are subject to enhanced obligations such as appointing resident officers, publishing periodic compliance reports, deploying automated tools or mechanisms for proactive identification of sensitive material.
Given that the nature of internet intermediaries has transformed since the enactment of the IT Act, beyond internet access providers and web hosting services, an appropriate regulatory framework is needed to govern the transformed nature of intermediaries, their interactions with users and other stakeholders and resulting concerns. Adequate care must be taken to architect the proposed framework factoring the existing legal framework and introduce harmonious regulations which would reduce compliance burden and avoid decisional control over content by social media platforms.
The role of intermediaries may also be recalibrated as impartial ‘platform providers’ and avoid obligations running contrary to such role, such as removal of user content based on user complaints (except in case of highly sensitive content such as child pornography) and proactive monitoring and identification of content. This may not only prejudice independence of such platforms and run contrary to the ruling in Shreya Singhal but also impact free speech on the internet. Regulators must be tasked with the responsibility of balancing content regulation and fundamental rights guaranteed to citizenry and such responsibility must not be devolved to platforms, which may not be well-suited to make such decisions.
C) Regulation of over-the-top platforms: It is reported that the DIA proposes regulation of over-the-top platforms, the regulation of which is not contemplated under the IT Act. Such regulation must take into account presence of dual regulators, i.e. MEITY and Ministry of Information & Broadcasting (‘MIB’) and reduce incidence of jurisdictional overlaps or conflict, apart from promoting self-regulation and governance by such platforms, with oversight by the ministries, in line with the provisions under the Rules.
Regulators may also adopt a consultative approach in engaging with stakeholders of the industry in developing appropriate self-regulatory methods, providing guidelines around classification of content, age verification mechanisms and other issues.
D) Categorizing Internet Intermediaries: The introduction of the DIA serves as an opportunity for the Government to recognize that internet intermediaries cannot be condensed into a ‘one-size-fits-all’ category and instead classify them and introduce differential obligations based on roles performed by them such as internet access providers and hosting providers which play a more passive role, as opposed to social media platforms or messaging services which are more actively engaged with users.
E) Introduction of additional contraventions or offences: While the introduction of contraventions such as doxing and deliberate spread of misinformation is a welcome step with changes in crime patterns of cyber threat actors, such provisions must be well-defined and must limit scope for misinterpretation or misuse. Such provisions, especially those surrounding misinformation, must also be drafted in such a manner as to uphold safe harbour for such platforms which do not exercise decisional control over content. A robust set of technical and legal requirements and a structure which ensures greater security and integrity of the digital space in India without adversely impacting citizen rights, digital economy or foreign relations should be cautiously made.
F) An opportunity for reimagining the IT Act: The DIA presents an opportunity to settle certain uncertainties and reimagine best practices in light of technological developments and innovation. This is in areas such as validity of electronic signatures, evidentiary standards for electronic records, developing more efficient mechanism for adjudication of contraventions, apart from offences.
G) Governance of new technologies: The DIA may also include provisions governing new technologies such as artificial intelligence, internet of things and address regulatory concerns surrounding them. It would also have to factor in the impact of emerging technologies in robotics, hyperautomation, decision-intelligence and internet of bodies and aim to set up a dynamic framework for governing such technologies with primary focus on preserving respect for individual rights and user autonomy, without impacting innovation and the growth of digital economy.
H) Harmony with sectoral regulations and other legislations: It is also worth mentioning that the proposed legislation should be harmonious with existing and future sectoral regulations which overlap on the digital aspect of electronics and information technology. For instance, regulations over crypto-assets and blockchains should be harmonious with the RBI notifications and circulars which are applicable to entities in the industry.
It is pertinent to understand that the government is looking forward to an omnibus legislation that aims to regulate entities in the digital space not just in governing electronic communications but also in areas like cyber security, cyber incidents, digital signatures, intermediary governance, social media regulation, content moderation and other aspects surrounding emerging technologies and criminal investigations in the digital space, many of which have been governed or at least were proposed to be governed under different statutes. It is likely to be a mammoth task for the Government to introduce such legislation covering everything in the digital space. Given that India lacks a comprehensive framework for data protection for about half-a-decade since the Puttaswamy verdict affirmed the right to privacy, there is a winding path to traverse in developing such a robust legal framework governing technologies of today and the future.
[The authors are Partner, Senior Associate and Associate respectively, in Data Protection practice team at Lakshmikumaran & Sridharan Attorneys, New Delhi]