On 10th March 2023, the Union Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology held public consultations with stakeholders on the architecture and framework of the proposed “Digital India Act 2023” (“DIA”) which is expected to replace the Information Technology Act, 2000 (“IT Act”). The Hon’ble Minister gave a presentation outlining the principles of the proposed DIA to the concerned stakeholders and subsequently published the same on the website of Ministry of Electronics and Information Technology (“MeitY”). Broadly, the proposed DIA is likely to adopt a ‘principles & rule-based approach’ and less prescriptive to rapidly create, modify, and enforce regulations. A principle-based regime, under the proposed DIA would provide a legislative framework to be governed by certain principles and effective measures would be prescribed for securing compliance with the ever-evolving rule of law.
Need for a new legislation to cover the Digital Sector -
The Hon’ble Minister outlined, in his presentation, the following lacunae in the extant law necessitating the introduction of the proposed DIA, namely:
Limitations of the IT Act: The IT Act lacks comprehensive provisions on user rights, trust & safety, emerging technology, high risk automated-decision decision making systems, a converged, coordinated & harmonized institutional regulatory body apart from having inadequate principles for data / privacy protection, absence of etc. Lastly, the IT Act recognises harms and new forms of cybercrimes only to a limited extent.
Challenges in the cyberspace: Multiple types of intermediaries have emerged in new age sectors such eCommerce, digital media, social media, AI, OTT, gaming etc. post the enactment of the IT Act and the same are inadequately regulated under the extant regime. Additionally, the proliferation of the internet has spawned new complex forms of user harms such as catfishing, cyber stalking, online gaslighting, etc. apart from a proliferation of hate speech, disinformation, and fake news which need to be adequately addressed through legislative measures.
Salient Features of the proposed DIA -
The Hon’ble Minister outlined the following features of the proposed DIA in his presentation before the stakeholders:
Principles governing DIA: The proposed DIA should evolve through rules that can be updated, and address the tenets of Digital India, such open internet, online safety and trust, accountability and quality of service, and new technologies. It will be modelled on global standard cyber laws in order to accelerate the growth of innovation and technology ecosystem and manage the complexities of the internet and rapid expansion of the types of intermediaries, thereby accelerating digitalization of Government, protecting citizens’ rights, addressing emerging technologies and risks and be future-proof and future-ready.
Open Internet: The proposed DIA seeks to ensure an “open internet” consisting of choice, competition, online diversity, fair market access and ensures ease of doing business as its core tenets.
Safeguard Innovation: The proposed DIA seeks to safeguard innovation to enable emerging technologies like AI/ML, Web 3.0.
Prevent anti-competitive practices: The proposed DIA should be able to ensure adherence to fair trade practices, prevent concentration of market power, regulate dominant Ad-tech platforms, app stores etc. However, there is also a recognition to amend the Competition Act, 2002 to address some of the above stated concerns.
Promote startups: The proposed DIA seeks to ensure that start-ups are promoted via non-discriminatory discriminatory access to digital services and interoperable platforms.
Digital governance: Ease of access to government, public utility services and delivery of public services through online and transparent platforms has also been proposed.
Curbing online specific harms and moderation of fake news: The proposed DIA seeks to curb online specific harms such as revenge porn, doxing, cyberbullying, cyber flashing, etc. and weaponization of disinformation in the name of free speech. It also seeks to critically examine the discretionary moderation of fake news by social media rights based on the constitutional right of freedom of speech and expression.
Ensuring safety and privacy of children: The proposed DIA seeks to ensure safety and privacy of children through age-gating through regulation of addictive tech and protection of minors’ data, prohibition on tracking of children as data subjects for ad targeting, etc.
Digital User Rights: The proposed DIA seeks to provide various digital user rights such as right to be forgotten, right to secured electronic means, right to redressal, right to digital inheritance, right against discrimination, rights against automated decision making, etc.
Safe and Secure Cyberspace: The proposed DIA seeks to empower agencies like CERT-In for cyber resilience apart from strengthening the penalty framework for non-compliance and issuing advisories on the information & data security practices, etc.
Regulation of Intermediaries: The proposed DIA is likely to introduce a new regime for intermediaries by categorizing them under different kinds based on their functionality and provide for differentiated obligations. It also seeks to generate a public debate on whether there should be a “safe harbour” for intermediaries or not. There are going to be obligations on “significant digital operators” through classification/ mandates. There would be disclosure norms for data collected by data intermediaries collecting data above a certain threshold along with standards for ownership of anonymized personal data collected by data intermediaries. Lastly, there will be accountability for not upholding Constitutional rights of the citizens, especially rights pertaining to equality before law (Article 14), protection of rights regarding freedom of speech, practicing any profession, trade etc. (Article 19) and protection of life and personal liberty (Article 21).
Algorithmic Transparency and regulation of Artificial Intelligence (“AI”): The proposed DIA may also require that Digital Entities will have to ensure algorithmic transparency and undergo periodic risk assessments. Hi-risk AI systems will be defined and regulated through legal, institutional quality testing framework, algorithmic accountability, vulnerability assessment, provision of deterrent, effective, proportionate, and dissuasive penalties, etc.
Governance and Adjudicatory Architecture: A responsive governance and adjudicatory architecture will be setup through a dedicated “inquiry agency” and a specialised “dispute resolution/adjudication framework” which would include an adjudicatory and appellate mechanisms for holding digital operators accountable. Such an adjudicatory mechanism for online civil and criminal offences should be easily accessible, deliver timely remedies to citizens, resolve cyber disputes, develop a unified cyber jurisprudence and enforce the rule of law online.
Responsible and Ethical Use of Online Technologies: The proposed DIA may require that Privacy invasive devices such as spy camera glasses, wearable tech, etc. should be mandated under stringent regulation before market entry with strict KYC requirements for retail sales with appropriate criminal law sanctions.
Pre-Legislative Consultation Process: MeitY will first undertake a comparative study of all relevant global laws pertaining to internet and technology to draft the Draft Digital India Bill. Subsequently, it will hold public consultation with stakeholders to finalise the Draft Bill and then draft a cabinet note for seeking cabinet approval to introduce the finalised DIA in Parliament.
We welcome the public consultations being held under the aegis of MeitY even before the proposed DIA has been drafted. The presentation made by the Hon’ble Minister seems to be the first step in engaging various stakeholders in broad based consultations on the proposed DIA. This is a laudable initiative to generate public inputs on a law that is likely to govern the burgeoning digital sector in India.
The proposed DIA seeks to penalise online specific user harms like doxing, cyberbullying, cyber flashing, gaslighting, etc. Consequently, the proposed DIA will have to ensure that it provides reasonable standards to define guilt under these sections. Any provisions under the proposed DIA which are completely open ended, vague and undefined are likely to be open to challenge before courts.
The platform specific regulation of different types of intermediaries will also have to be carefully assessed and should ideally be modelled on a risk-based approach wherein regulation imposed on the relevant intermediaries is based on factors such as number of users, functionality of the platform, ability to cause harm to its users, etc. For e.g., enterprise software providers such as cloud service providers should not be subjected to the same set of regulations as that of significant social media intermediaries.
The proposed DIA does not provide any guidance with respect to its conflict or overlap with other laws and sectoral regulations. For e.g. The Draft Digital Personal Data Protection Bill 2022 mandates Data Fiduciaries to not undertake any processing of personal data that is likely to cause harm to a children addition to not undertake tracking or behavioural monitoring or targeted advertising directed at children. Similarly, the proposed DIA also talks about the need for imposing a prohibition on tracking of children as data subjects for ad targeting, etc. Although, it is trite law that provisions of new legislation will prevail over that of the extant law, it is recommended that in order to ensure regulatory clarity, the MeitY should clearly specify as to whether the provisions of the proposed DIA and rules/regulations made thereunder will prevail or override other laws or regulations currently in force.
The proposed DIA talks about the need to establish a specialised dispute resolution/adjudication framework which would include an adjudicatory and appellate mechanisms for holding digital operators accountable. It is worth noting that any such adjudicatory mechanism for dispute resolution, established under the DIA, must conform with the standards set by the Supreme Court where in the members of the tribunals discharging judicial functions could only be drawn from sources possessed of expertise in law, and competent to discharge judicial functions. Accordingly, the committee to appoint members of adjudicatory and appellate mechanism would have to include judicial members as well.
Lastly, the proposed DIA seeks to provide standards for ownership of anonymized personal data collected by data intermediaries. However, there should be no mandate for mandatory sharing of such anonymized personal data with the Government of India. In compliance with their requirements under extant laws, business enterprises share business confidential information, including information related to registrations under various acts, information sought through notices, etc. with relevant Government agencies. In view of the same, it would be important to ensure that that such proprietary data is not released in the public domain by Government departments/ministries/agencies, in pursuance of any mandate under the proposed DIA.
Presentation made during the Digital India Dialogues on the proposed Digital India Act on 9th March in Bengaluru, Karnataka – https://www.meity.gov.in/writereaddata/files/DIA_Presentation%2009.03.2023%20Final.pdf