The Minister of State of Electronics & Information Technology presented a glimpse into the Digital India Act, 2023 (‘DIA’) on March 9 (‘Presentation’), as part of ongoing consultations[1]. The DIA is set to replace the Information Technology Act, 2000 (‘IT Act’) on account of the transformed internet landscape today, with significant internet penetration, multiple intermediaries operating across the internet and complex forms of user harms. As part of said presentation, many clarifications regarding the nature, scope and extent of DIA were given by the Minister.
Apart from highlighting the need for ‘global standard’ cyber laws to secure an open, safe and trusted internet, it was also emphasized that such law acts as a catalyst for innovation and growth of the technology and digital ecosystem, for managing complexities of intermediaries, for protecting citizen rights and addressing risks associated with emerging technologies. Considerable importance was also accorded to the importance of a framework that would be future-proof and future-ready.
It was proposed that the comprehensive digital framework would comprise of four pillars: an overarching Digital India Act, which would govern information technology law, a telecommunications law framework, a draft of which was released for public consultations recently i.e., the Draft Indian Telecommunications Bill, 2022[2] (‘Telecom Bill’); and the proposed personal data protection law, being the Digital Personal Data Protection Bill, 2022[3] (‘DPDP Bill’) which deals with personal data, all of which laws are currently in the draft stage. A separate framework regarding regulation of non-personal data, being the National Data Governance Framework Policy[4] (‘Data Governance Policy’), was also proposed recently.
Open internet:
The Presentation emphasized on the importance of an open internet which presents choice to consumers, promotes competition among digital players, furthers online diversity, facilitates fair market access for start-ups and new entities, and extends ease of doing business and compliance. Some of the key aspects proposed under the open internet objective include:
- The DIA would safeguard innovation to enable growth and development of emerging technologies such as artificial intelligence, machine learning, internet-of-things, distributed ledger technology, and other prominent emerging technologies. However, it is unclear if the DIA would include anonymization standards for facilitating generation of training data.
- Such framework would also fuel the promotion of digital governance and delivery of public services through online platforms, mobile applications and other digital means alike.
- It is likely that the proposed legislation may recognize the role of ‘digital gatekeepers’ in the functioning of internet and impact of their actions, for example in creating or limiting entry barriers, creating an ecosystem of services and in establishing a level-playing ground.
Online safety and trust:
The proposed legislation also includes several aspects concerning protection of online safety and trust of internet users. As part of its objectives, the Bill aims to:
- Protect users from online harm by introducing offences such as cyber-flashing, offences against protected groups such as women, cyber-bullying, doxing and salami-slicing attacks
- Age-gating certain sections of the internet to protect children, such as addictive technologies, platforms collecting children’s data, privacy, placing restrictions on targeted advertising (also covered under the DPDP Bill[5]) to protect privacy of children
- Extending digital user rights such as the right to be forgotten (which has been excepted from the recent version of the DPDP Bill), right to secured electronic means, right to redressal, right to digital inheritance (ostensibly, an expanded version of the right to nominate[6]), rights against discrimination and rights in respect of automated decision making
- Moderation of fake news and other false online content published on social media platforms, websites and other forums
- Regulation of high-risk AI systems through quality testing frameworks, algorithmic accountability, threat and vulnerability assessments, content moderation, etc.
- Empowering agencies like Indian Computer Emergency Response Team (‘CERT-IN’) for cyber resilience, issuing advisories on information and data security practices and strengthening penal consequences for non-compliance
- Regulation of privacy-invasive devices such as spy cameras, wearable technologies and other hardware (which was also provided in the Report of the Joint Committee[7]); and
- Content monetization rules for user-generated and platform-generated content.
It was also proposed to introduce an accountability framework which includes adjudicatory and appellate mechanisms for digital operators, digital contraventions or offences, algorithmic transparency, and periodic risk assessments applicable to certain players.
Revisiting the intermediary framework:
At the outset, it was recognized that the nature of intermediaries and role played by them have transformed significantly and are functionally different. Intermediaries may be conduits (or technical providers of internet access or transmission services) or hosts (which provide content or platform services) or of any other nature[8]. They may also be classified based on nature and extent of involvement in content transmission, type of work undertaken by them, platform content vis-à-vis user generated content, role in peer-to-peer sharing of information etc. This is in stark contrast to the one-size-fits-all approach adopted under the IT Act[9].
It is recognized that different types of intermediaries exist in the digital space today, which is only expected to increase in the future. These may include e-Commerce platforms, search engines, social media platforms, digital media entities, gaming platforms, and pure-play intermediaries such as Telecom Service Providers, Internet Service Providers. There is a need to treat each of them distinctly in terms of the role played by them and introduce a nuanced regulatory approach and separate rules for each class thereof.
Significant questions were also raised as to the suitability of safe harbour for all intermediaries, given that the IT Act approaches this issue with extending safe harbour to all intermediaries[10]. In contrast, the DIA may witness novelty in approaching intermediary regulation. It was reported[11] that the Minister spoke on the multiple types of participants in the internet ecosystem and the different types of guardrails and regulatory requirements that would have to be developed for each of them.
While some broad obligations around due diligence, content restrictions, and grievance redressal are likely to remain, the new approach may invite certain new requirements linked with definitive penalties for non-compliance, unlike the IT Act in which liability only accrues for third-party content[12].
This may include a proposal to limit safe harbour to certain types of ‘pure-play’ intermediaries such as Telecom Service Providers, Internet Service Providers and hosting or cloud providers. However, it is unclear if intermediaries which have a role in content moderation or selectively propagating (sponsored or other) content would be able to take advantage of the safe harbour provisions. This may also have a wide-ranging effect on many intermediaries such as online content platforms, social media, search engines, e-commerce portals and other intermediaries facilitating uploading of sponsored content. Distinction may have to be drawn between platform-generated, user-generated content and further inquiry may have to be made into the (decisional) role that intermediaries may exercise with regard to the latter.
Conclusion:
The DIA has big shoes to fill, as it sets to replace a vital, comprehensive and overarching information technology legislation. The first draft of the DIA is expected to release after the conclusion of stakeholder consultations on the issue[13]. In any case, it would be interesting to track incremental developments on the Digital India Act and analyze its impact across various industries.
[The authors are Senior Associate and Partner, respectively, in Data Protection and TMT practice at Lakshmikumaran & Sridharan Attorneys, New Delhi]
[1] Presentation on Digital India Act, available at https://www.meity.gov.in/writereaddata/files/DIA_Presentation%2009.03.2023%20Final.pdf
[2] Draft Indian Telecommunication Bill, 2022 available at https://dot.gov.in/sites/default/files/Draft%20Indian%20Telecommunication%20Bill%2C%202022.pdf
[3] Digital Personal Data Protection Bill, 2022, available at https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf
[4] National Data Governance Framework Policy, available at https://www.meity.gov.in/writereaddata/files/National-Data-Governance-Framework-Policy.pdf
[5] Section 10(3), Digital Personal Data Protection Bill, 2022.
[6] Section 15, Digital Personal Data Protection Bill, 2022.
[7] Para 1.15.16, Report of the Joint Committee on Personal Data Protection Bill.
[8] Frequently Asked Questions on Internet Intermediary Liability, Association for Progressive Communications, available at https://www.apc.org/en/pubs/apc%E2%80%99s-frequently-asked-questions-internet-intermed
[9] Section 2(1)(w), Information Technology Act, 2000.
[10] Section 79, Information Technology Act, 2000.
[11] Safe Harbour Clause and Why the Government want it Gone, available at https://www.ndtv.com/india-news/government-may-remove-safe-harbour-provision-in-it-act-2000-what-is-the-clause-3848752
[12] Section 79(1), Information Technology Act, 2000.
[13] Govt to Table Digital India Act in July Post Consultations, available at https://inc42.com/buzz/govt-to-table-digital-india-act-in-july-post-consultations/
