KEY TAKEAWAYS
→ Indian legislation on IT is based on Information Technology act 2000 modelled on UNCITRAL’s model law for E-commerce.
→ The government, under the Digital India Bill, authorizes the Ministry of Electronics and Information Technology, (MeitY) to prescribe some activities as criminal.” This can be actual cases of the deliberate spread of fake news, identity theft, cyberbullying of children, and other similar activities.
→ The Digital India Act (DIA) includes several significant clauses which inhibit the progressive shift of the digital regime, thus addressing most of the existing issues and opportunities related to it.
→ The Data Protection Bill, 2019 (DPDP Act) significantly deviates from the traditional model of an independent regulatory body, such as the Data Protection Authority (DPA), by eliminating the concept of such an entity.
1. HISTORICAL CONTEXT AND LEGISLATIVE BACKGROUND
Previously the ITA had very set formal rules and regulation concerning with the cybercafé and the ITA 2000 introduced many new provisions and amendments regarding cybercafé in Bangladesh. Based on the case, the ITA has directions in the concerned notification was issued for the cybercafé owner’s that they will have to maintained a record of internet café users. It consists of some following details such as price, username, phone number, address, system number and total working time. For the identification of the suspect to be smooth. However, the ITA did not. Such that with lot of loopholes a new ITA was passed and it is known as Information Technology Act 2000. Information Technology act was introduced from the month of October 2000. ITA 2000 consists 13 chapters and in each chapter law, punishment, penalties and other relative measures are explained. The 13 chapter has number of sections and sub-sections which effectively and elaborately give the rules and regulation on the subject. ITA 2000
The sections most of the time discuss E commerce and digital signature and crime and penalties pertaining to them. The following are some of the possibilities of variations that can be made: It should also be noted that terminologies as well as the ITA 2008 (amendment) were passed. That elaborates the terminologies and act that are regarded illegal more clearly.
Information Technology act 2000 does not explain the meaning of cybercrime rather it is merely depicting the crime associated with computer or crime that is carried out electronically to the desired amount or by transmitting the encoded message through a medium or electronic apparatus. On May 2000 computer information technology bill was approved by both the house of India’s parliament. Indian legislation on IT is based on Information Technology act 2000 modelled on UNCITRAL’s model law for E-commerce. Which essentially relates to E commerce, E business issues or activities that are legally considered unlawful. Information Technology Act, 2000 is divided in 13 chapters and Sub-Sections. That provides the procedure of making Digital signature, how it authenticates, the ways of rejecting / accepting a digital signature certificate, Role of a subscriber, Laws for service provider, some cyber-crimes including hacking, phishing, cyber stalking etc. cyber bullying, un-authorized access of system, tempering with computer source, identity theft and so on, punishment for related offence and fine.
The punishment for cyber terrorism is stipulated to be a lifetime of imprisonment accompanied by a fine. However, the majority of the Information Technology Act 2000 (ITA 2000) encompasses descriptions related to e-commerce. Consequently, the Information Technology Act 2008 (Amendment), after numerous modifications and the elimination of potential loopholes, was enacted. This amendment sought to clarify ambiguous terminologies such as access and network, and it extended the application of certain acts and sections to cover offenses not explicitly mentioned or described in the Information Technology Act 2000. For instance, the recently repealed Section 66(a) of the ITA 2000, which defined certain acts, will still be treated under the Indian Penal Code (IPC) or the Criminal Procedure Code (CrPC) for offenses not previously covered. It is important to recognize that every piece of legislation, including the Information Technology Act 2000, possesses both positive aspects and potential weaknesses that require further attention and implementation.
Limitations of the old Acts
In 1996, the United Nations Commission on International Trade Law approved a model law of e-commerce and complexities of digital nature. It also ensured that any country without local laws governing e-commerce and cybercrime would have to implement it. To safeguard the information of its citizen and government, ‘The Information Technology Act 2000’ was enacted making India the only twelfth country in the world to have cyber laws. Also known as the IT Act, it offers the legal basis for data relating to e-commerce and digital signatures. Subsequently, it has been revised in 2008 and 2018 to apt the needs of society. The Act also outlines the powers of the intermediaries and similarly the restrictions.
These convectional laws include IT Act 2000, Indian Telegraph Act, Copyright Act 1957 and so on have failed to some extent due to the rapid technological changes that were observed over the recent years. Unfortunately, the current legal framework does not seem sufficient to adequately protect all the users’ rights, build confidence in the use of the Internet and ensure security. Moreover, it has poor awareness of other emerging forms of cybercrimes and does not design a way for establishing awareness. This means that there are worrisome deficiencies regarding the methods on moderating dangerous, prohibited content as one is lacking an individual approach. The areas that are yet to be covered include the contemporary technologies and identification of high risk of ADS. Insufficient standards for privacy and data security expose people to risks to their right to privacy. Further, there is no mutual morphed stimulus for reporting such security breaches which only intensifies the problems of securing these technologies. These gaps become significant to navigate and fill, in order to build a stable and safe cybersphere for the end user of technology as well as other forms of business forms.
2. KEY PROVISIONS OF THE DIGITAL INDIA ACT
The Digital India Bill encompasses the following key provisions:
- Classification of intermediaries: Digital India Bill also brings in a concept of intermediary regulation which divides the intermediaries into different categories depending upon their risk profile and size. Some of these intermediaries are the social media platforms, e-commerce platforms, AI platforms and the fact-checking platforms. As provided in this classification, the bill ensures that laws suitable for each category of intermediaries are developed. This way, the right measures are targeted at the different classes of intermediaries, based on what kind of threat they pose to the digital environment in question.
- Risk assessment for intermediaries: According to Section 79, placed in the Digital India Bill, it is the requirement of the intermediaries to conduct risk assessment, which is further employed for the purpose of their categorization concerning the degree of risk they pose. This classification system implies appropriate regulation of intermediaries, which, depending on the level of risk that they may pose in the digital environment, should be different. In order for the risks to be properly assessed and remedial measures to be implemented that would correspond to the nature of each type of intermediary and the circumstances, the Bill provides for the following risk assessments:
- Establishing a dedicated internet regulatory authority: That being said, the Bill brings provisions for creating an Internet regulator same as creating any new regulatory body like TRAI for telecommunications or SEBI for securities. It will act as the new, centralised regulator for all problems connected to the internet so that its management can be optimal, as well as the establishment of the necessary legal governance in the sphere of cyberspace. Similar to other regulatory authorities, the internet regulator’s chief purpose will be to manage and oversee different matters with regard to the Internet space while ensuring fair trade practices, consumer protection and a well-governed environment on the Internet.
- Penalties for violations and user harms in emerging technologies: With the Digital India Bill, accountabilities will be tendered for violations as well as user risks that may stem from new economy technologies, such as ChatGPT. They postures are meant to cover for any form of vices, violations of regulations or adverse implications that may arise in using these technologies.
- Designating punishable offences: The government, under the Digital India Bill, authorizes the Ministry of Electronics and Information Technology, (MeitY) to prescribe some activities as criminal.” This can be actual cases of the deliberate spread of fake news, identity theft, cyberbullying of children, and other similar activities. Thus, it is classified as offences in the Bill to address and prevent such misconduct’s adverse impacts in the online world. Consequently, this provision allows MeitY to prevent and take adequate actions against such questionable activities, besides fashioning laws that would discourage one or several persons or companies engaging in similar activities.
- Modifications to existing internet platform rules: Some of the basic laws that are currently operating under Internet firms and some of the guidelines of the digital India bill might alter or transform the proper procedures which are known as safe harbor norms. It is important to establish that these changes are intended to bring new rules that would match amorphous nature of the digital space and provided solutions for new problems concerning moderation, responsibilities, and safety of end-users.
- Ensuring platform accountability: The Digital India Bill passed in the parliament will make it legal for government to demand that platforms be made to take responsibility of hosting prohibited materials. This includes pornography, prohibited content for children, copyright violation, fake news/misinformation, identity theft, content that prejudicial to India’s unity and integrity, computer viruses and Trojans incitement to commit murder, banned online games and any other unlawful content.
New legal definitions and concepts introduced
Besides underlining a need for the ‘cyber standard’ of laws aimed at liberalizing the WWW safety and creating the Electronic World Wide Web that will be safe and trustful, it was stated that such law enhances the development of the technology and the digital environment, helps to solve the problems of intermediaries, protects the rights of citizens and addresses the threats of the new technologies. Equal importance was also placed on the value of having a framework that is future-proof, or as stated more positively, future-ready.
It was proposed that the comprehensive digital framework would comprise of four pillars: an main digital India act to encapsulate information technology law; a telecommunications law framework which was recently proposed in a draft format as the Draft Indian Telecommunications Bill, 2022 (‘Telecom Bill’) and the proposed personal data protection law for India being the Digital Personal Data Protection Bill 2022 or DPDP Bill which pertains to personal data, all of which are in the draft phase currently. Another, yet another recent proposal is the National Data Governance Framework Policy, or the Data Governance Policy, which concerns nonpersonal data.
- Open internet:
The Presentation was focused on the need to have an open internet that provides an option for consumers, competitiveness among the digital stakeholders, and furthering of diversity online to give fair opportunities to new players, start-ups, and other new forms or entities wishing to venture into the cyber world, ease of doing business online and compliances. Some of the key aspects proposed under the open internet objective include:
The DIA would protect innovation to foster and empower the advancement of innovation areas like artificial intelligence, machine learning, the Internet of things, and distributed accounting technology solutions and other recognized emerging technologies. But it is uncertain whether the DIA would also mention anonymization standards for the creation of the training data.
Such framework would also encourage the advancement of digital governance and provision of services via the website, mobile applications and other online mediums.
The proposed legislation might also understand ‘digital gatekeepers’ along with the workings of internet and effects of their actions such as in introducing or constraining the opportunities, in development of an ecosystem of services, in setting a level playing field.
- Online safety and trust:
This particular bill also enshrines several provisions with regard to safety or protection of online users and trusting the internet. As part of its objectives, the Bill aims to:As part of its objectives, the Bill aims to:
- safeguard the users from this kind of experiences by bringing in new offences that include cyber-flashing, offences against specific categories like women, cyber-bullying, doxing and salami-slicing attacks.
- Banning contents that are detrimental: age restricting some parts of the internet by implementing restrictions such as on the addictive technologies, websites that gather children’s data, Privacy, restriction on target advertising, which is also proposed in the DPDP Bill.
It is expanding other digital user rights like right to be forgotten which has been excepted from the recent version of the DPDP Bill; right to secured electronic means right to redressal; right of digital inheritance (which appears to be an enhancement of the right to nominate); rights against discrimination; and rights in respect of automated decision making. Supervision and imputing of already published fake news and other unverified information shared on social networks, websites, and other Internet resources
On high-risk AI systems, measures such as quality testing, algorithms, threats, vulnerabilities, abuses, moderations, and so on are established. Educating agencies such as the Indian Computer Emergency Response Team (‘CERT-IN’) for cyber readiness, providing guidelines on information and data protection in media houses and business establishments and enhancing the criminal ramifications in case of violation.
The proposed control of spy cameras, wearable devices and other gadgets; This, together with the Report of the Joint Committee.
Rules on how revenue is generated from the contents created by the users and the contents created directly by the platform.
In addition, it was suggested that provisions should also be made in the form of an accountability mechanism which consists of an adjudicatory and appellate body, digital contraventions or offences, algorithmic regulation or readability and systematic risk assessment for a number of participants.
- Revisiting the intermediary framework:
To begin with, it was appreciated that although the type of intermediaries and their role has changed to a great extent, what they basically do is functionally different. This can be intermediaries of the conduit kind, which are technical providers of Internet access or transmission services; or hosts which provide content or platform services or of any other sort. They could also be categorized by and large by way and extent of participation in the dissemination of content, by the type of work these entities perform, by the content of the platform vis-a-vis that of the user generated content, or by their function in terms of peer to peer sharing of information and so on, which is diametrically opposite to the homogenized approach that the IT Act adopts.
Thus, there is awareness that various forms of intermediaries exist today in the digital environment and it is only poised to expand in the future. These may consist of electronic commerce or business-to-Consumer or business-to-business sites, search engines, social media sites and related media entities, game playing sites, and full-intermediary web entities including such as Telecom Service Providers, Internet Service Providers. To meet these requirements, it is necessary to regard each of them as different in terms of the role played by them and apply adjusted and new regulations and rules for each class of the aforementioned items.
The new questions were also raised regarding the applicability of safe harbour for all types of intermediaries because the IT Act also plans to deal with the questions related to this issue. However, novelty could be approached differently at the DIA and intermediary regulation. There was information that the Minister spoke on the kinds of stakeholders in the internet space and the sorts of restraints and rules that would have to be designed for each type of players.
Although, broad mandatory measures for due diligence and regulation of content, and grievance redress mechanisms will likely stay the same, the new approach may open up for new strict guidelines connected with certain specific penalties, unlike the current IT Act according to which liability exists only for third party content.
This may include a proposal to restrict the application of safe harbour to some forms of intermediaries that are purely engaged in business of the nature as described, for instance Transport and Service Providers, Internet Providers, hosts and cloud providers. What remains somewhat uncertain is whether intermediaries which might have a role in moderation or selective promotion (or sponsoring or otherwise) of legal or otherwise material (or otherwise) would be able to benefit from the safe harbour provisions. This may also have a blanket impact on many other players like the social media, online content hosting services, search engines, e-commerce platforms and any other players that host sponsored content for upload by the various clients. Categorization might have to be made between contents created/platform sponsored and contents created by users’ Further understandings might then have to be developed regarding the decisional interference that intermediaries might have on the latter.
- Addressing of Challenges and Harnessing Opportunities
When Digital India Act is put to operate, several issues are bound to arise at the same time as we grab several opportunities for development. Huge efforts in terms of cooperation and integrated working among the government departments, businesses, and the public will be required to deal with these challenges. Infrastructure development, enhancing the digital literacy levels, and addressing cybersecurity concerns will continue to be some of the priorities that require focus to enhance the implementation of digitalization. Data protection and privacy provisions, when formulated, will also prove to be tricky to implement and enforce – the effective protection of the citizens’ data privacy rights will need to be balanced against the ability to harness big data for public good. However, with all the commitment and appropriate solutions to the indicated challenges, they will be solved and a society with equal opportunities and increased use of digital technologies will be created.
- Possible Advantages of the Solution in the Future
Bill to set up a new framework for Digital India shall have a great promise in relation to triggering the growth for Socio Economic Rights by extending the access to ICTs, reducing the digital divide and empowering the deprived section of the society. The positive impact is that it will automate e-governance and services, thus eliminate bureaucracy and increase citizens’ access to service and information. Due to The Act construction of sound digital structures, this shall spur innovations and entrepreneurship hence leading to large investment, creation of many employment opportunities hence leading to desirable economic growth.
As seen above, when there lacks proposed regulation at a general level to give the necessary homogeneity at a high level of specificity to existing Rules such as Intermediary Guidelines, Digital Media Ethics Code Rules 2021, amendments to these in 2023 and the Sensitive Personnel Data and Information Rules 2011, there is bound to be legal confusion and over-regulation. This new comprehensive law will also help in supporting the innovation and offer needed precautions to the upcoming legislations like the Draft National Strategy on Blockchain and AI/ML etc.
3. ONLINE CONTENT REGULATION
The Digital India Act (DIA) includes several significant clauses which inhibit the progressive shift of the digital regime, thus addressing most of the existing issues and opportunities related to it. Such provisions demonstrate how the law seamlessly applies itself within the ever-changing digital context.
I. Online safety and trust: Digital India act also emphasizes on the aspect of security and trust in the use of the internet while focusing on the rights of the citizens in the cyberspace. The elements are:
- Choice
- Competition
- Online diversity
- Fair market access
Evaluating the Ease of Doing Business and Ease of Business Compliance for Start-ups
Aligns with other laws: The Digital India Act will interact with other related data relating laws and policies inclusive of Digital Personal Data Protection act, rules for Digital India Act, National data Governance policy and amendments to the Indian penal code concerning cybercrime.
Flexibility: The flexibility to adapt to the change in existing market forces principles and international laws is what has infused the Digital India Act thus making it accommodating.
Concern for new technologies: The Digital India Act seeks to create innovation in new technologies front while at the same time seeks to control them. This is a guideline provided by the DIA on the responsible use of new technologies such as blockchain, AI etc It gives a principle on the right use of artificial intelligence, protection of data in blockchain. Adjudicatory Mechanism: The act called Digital India Act categorically states for a separate and exclusive a redressal mechanism for online civil and criminal wrong-doing.
Open Internet: This has led to the enactment of the Digital India Act that has the goal of achieving concern on the internet’s organization and protection while also being liberal.
Review of the “safe harbor” principle: The ‘safe harbour’ principle is in fact a rule of law which was formulated to cover protection or immunity to certain contingencies. In this regard, the bill seeks to institute accountability standards necessary to address the issues of the modern society.
Concerning deep-fakes, those technology goliaths and social media platforms must adhere with the IT intermediary rules informing the grievance officers which will afford users an appropriate forum through which to report cases pertaining to the same. According to the jurisprudence of polluters pays principle, the platforms that are nurtured and assisting in the generation of more deep fakes and their distribution shall be penalized.
Likewise, a digital code of laws and rules are to be notified. It may include telecom laws, internet laws, data protection laws and laws corresponding to Artificial Intelligence. New areas such as the digital laws to cover e-commerce, crypto, OTT, drones, fintech, online gaming etc should be well catered by the laws proposed. Regulations on the provision of Know Your Customer (KYC) for wearables.
4. DIGITAL MARKETS AND COMPETITION LAW
The Digital India Bill also seeks to control and establish standards concerning the artificial intelligence systems and wearables non-compliance and data security measures as well. It will also control trade reinforcement by large organizations to enhance rivalry. For instance, the Competition Commission of India imposed a penalty of Rs 2,200 crore on Google in October for abusing the former’s dominance of the Play Store and the Android operating system.
Safe harbour protection
Another area of reform that the government desires is the ‘safe harbour’ protection which is provided to intermediaries like the social media firms, e-commerce firms, and the web-hosting companies regarding the content uploaded on its website. Currently, there is no legal obligation that makes intermediaries legally responsible for material posted by other people on their website.
However, the types of intermediaries have changed since then with emergence of organisations like Netflix that regulate the content delivered on their platforms. I note that the presentation claims this ministry will ask whether all such intermediaries should have safe harbour protection. Well-known IT specialists have sounded the alarms about such actions.
5. DIGITAL FORENSICS & EXEMPTIONS FROM OBLIGATIONS UNDER THE LAW
The law provides exemptions from consent and notice requirements as well as most obligations of data fiduciaries and related requirements in certain cases: Processing is obligatory in the following instances: (a) where it is required for the purpose of exercising any legal right or claiming any legal benefits; (b) where the data has to be processed for the purposes of either courts or tribunals, or for the prevention, detection, investigation, or prosecution of any offenses or offences; (c) where the person to whom the personal data relates is not an Indian resident and the processing of the data
In addition, the law exempts certain purposes and entities completely from its purview. These include:
→ Working in the cause of the sovereignty and integrity of India, the security of the state, the friendly relations with foreign, the maintenance of public order or for preventing incitement to any cognizable offence. This will help investigative and security agencies to remain out of the ambit of this law.
→ Processing of data which is required for historical, scientific or statistical purposes if such data is not to be used for reaching a decision in relation to the individual.
→ They can exclude some classes of data fiduciaries entirely, or partially—from some aspects: notice, completeness, accuracy, consistency, and erasure.
→ One of the extraordinary measures permits the government to, before expiry of five years from the date of commencement of this Act, make a notification that any provision of this law shall not apply to such data fiduciary or classes of data fiduciaries for such period as it may specify in the notification. This is really broad discretion and is not accompanied by instructions concerning the rationale for granting such exemption, the kinds of cases that can be exempted, and the time that such exemptions may be valid for.
6. DISPUTE RESOLUTION MECHANISM VIS-À-VIS DOMESTIC & CROSS-BORDER
The 2023 law completely replaces the envisaged regulatory institutional structure in the proposed law. The 2019 bill envisioned a new independent regulatory agency. The DPA was proposed on similar lines of other government agencies in many of the EU nations which work more or less independently of the government and help in implementing the GDPR. The proposed Indian DPA was perhaps more powerful since the bill was drafted to give it far more extensive regulation-making power than DPAs as under the GDPR. Besides framing regulations, the DPA would also have framed codes of conduct for businesses, conducting investigations in cases of violation of codes, collecting supervisory information and levying penalties on business organisations.
Thus, according to the 2023 law, it is created the DPB. The board is not a regulatory organization and is in fact very distinct from the DPA. In contrast, the board’s role is somewhat more restricted to the prevention of data breaches as well as management of compliance and ability to remediate – in addition to overseeing inquiries and issuing penalties for non-compliance with the law. The board does not have any powers to frame regulations or codes of conduct or to call for information to supervise the workings of business. It can only do so in the course of executing inquiries.
Board members will be appointed by the government and the terms and conditions of service shall be as set out in rules made under the proposed government rules on the subject. A statutory requirement is that these terms and conditions shall not be changed to the prejudice of a member while they are serving their term.
The law provides power to the board to penalise up to 250 crore rupees. Appeals from the board’s orders will lie to an existing tribunal – the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Other remedies include the possibility of monetary penalties, and it will also include allowing data fiduciaries to submit voluntary undertakings to the board to form part of the remedy of any complaints against them. Hence, the board is a very different institution in design to the DPA, and this paper is mainly concerned with that difference.
Last of all, the 2023 law has a new provision that has not been incorporated or analyzed in any prior version. This is Section 37, which permits the government to, on a reference from the board, prevent the public from accessing any data that allows a data fiduciary to supply goods or services in India.
The following conditions have been prescribed for identifying data fiduciaries as ‘eligible’:
(a) The board has previously imposed penalties against such data fiduciaries at least twice and
(b) The board has made a recommendation to blockage. Before the government takes such an action, it has to afford the data fiduciary an opportunity to state its side of the story.
Evolution of digital laws in India in accordance with the global standards
In general, the DPDP Act is a radically different approach to the data protection legislation compared to the 2018 draft bill and the bill presented in the Parliament in 2019. This transition was most clearly observable in the November 2022 draft bill and is now even reflected in the 2023 law. Three basic dimensions through which this shift can be identified are there.
- Reductions in rights and obligations, and compliance: While the bills of 2018 and 2019 also attempted at enacting data protection legislation, it made a wider and more inclusive attempt at doing so. As the previous sections of this paper described, many of these rights and obligations have been either weakened or negated – data portability right, for instance, has been entirely struck off the list of enforceable rights while the others have been simplified thereby reducing the strength of the actual right to be forgotten right to what can now be more aptly described as a right to erasure.
The prescriptions as to the specifics of contents of notices and individual privacy by design requirements, inter alia, have been dismissed, and it now remains for businesses to ‘decode’ these requirements. This is a much better and more innovation-friendly way of thinking about the issue. Since there is no prior data protection law and jurisprudence, these are new and firms will try and error when trying to implement them into business formulations. Such practices will be addressed in the DPB, the TDSAT and in other courts of law as provided in the DPDP Act. This process will ensure step-by-step growth of good practice appropriate for the Indian environment.
This reduction in prescriptive requirements and overall compliance should also be seen in the context of the shift away from criminalisation. The 2018 bill introduced various criminal offenses Some of them include the following: Since the 2013 bill, this had dropped to just one type: deanonymization. In this regard, the 2022 draft and the 2023 version do not present any of the criminal offenses and establish only monetary penalties to be administered by the DPB. - A sharper focus on data privacy: Some of the provisions contained in the 2018 draft, and even more so in the 2019 draft, had minimal connection with data privacy. For instance, the requirements as to the provision of non-identifying information did not advance privacy rights in any manner. Likewise, the ‘data localization’ rules have been cited to bear more remoteness to the data privacy and there exist superior substitutes for the achievement of the same goals. It was the case in the 2018 and the 2019 bills where their presence was viewed as a source of volatility. Besides data localization emerged as a pretext to discussions in connection with such subjects as data sovereignty, which once again is quite irrelevant to the question of privacy.
- The abandonment of a “regulatory” law: The 2018 and 2019 bills set a legal structure that had substantial regulatory activity – it gave birth to the fully-fledged independent regulator, the DPA, enabling to regulate and unilaterally codify many of the provisions in the said bills by notice and consent, security measurements, ways of storing data, etc. Also, the DPA would have had authority to acquire data that would be basic for compliance with the law and punish noncompliance. The DPA was therefore proposed to interact with the economy several more times than the other agencies and its mandate, by virtue of definition, had to make it relatively more activist. These legislative proposals placed the DPA at the centre of the legal architecture, and the organisation was assumed to operate like other Indian independent regulators, including the SEBI and the TRAI, among others. These powers were anticipated to be used by the DPA across the different sectors of the Indian economy.
The Data Protection Bill, 2019 (DPDP Act) significantly deviates from the traditional model of an independent regulatory body, such as the Data Protection Authority (DPA), by eliminating the concept of such an entity. Furthermore, the Data Protection Bureau (DPB) is granted limited regulatory powers under this legislation. Its authority is confined to overseeing corrective measures in the event of data breaches and to issuing directives to businesses mandating compliance with data protection laws. Additionally, the DPB is empowered to impose penalties or facilitate voluntary settlements for violations of these laws. This approach marks a departure from the regulatory framework proposed in the 2018 and 2019 iterations of the Data Protection Bill, which was more akin to the expansive model of the Data Protection Authority. This shift represents a significant departure from the traditional regulatory approach.
These modifications have been implemented gradually over the past few years. The initial version of the bill in 2018 was expansive, mirroring the structure of the General Data Protection Regulation (GDPR). The subsequent version in 2019 sought to refine certain provisions while retaining the majority of them, thereby expanding the regulatory scope. This expansion occasionally included provisions that were somewhat at odds with privacy concerns. However, the 2022 bill and the 2023 act represent a substantial departure from this broad regulatory framework. This evolution reflects a shift in the perspective of the Indian Parliament and the government regarding the importance of data protection laws to the Indian economy.
Between 2017 and 2018, several factors contributed to the formulation of the early versions of the bill. Notably, the Supreme Court's recognition of privacy as a fundamental right, pending its ruling on the constitutionality of India's biometric identification project, Aadhaar, and the global discourse on data protection regulations, particularly in light of the GDPR's enactment in 2016 and its implementation in 2018, were pivotal. The GDPR, viewed as a successful model, influenced the discussions on the Indian legislation.
By 2022, the GDPR had been in effect for four years, during which numerous criticisms of its design and implementation had emerged. The Supreme Court had affirmed the utility of Aadhaar for specific purposes, and the potential constitutional issues related to it had been addressed. This period of deliberation also allowed for the articulation of concerns regarding the proposed framework, notably in the context of data localization. The extensive period of discussion and refinement culminated in the enactment of a more pragmatic version of the data protection law.
7. MAIN PROVISIONS WE SHOULD LOOK OUT FOR
- 1. Establishing new guidelines concerning newer technology, such as 5G, IoT devices, and cloud computation, the metaverse, blockchains, and cryptocurrencies.
This law called the IT Act of 2000 was rather archaic and during the time of its birth this word “internet” was used sparingly nearly with no references to it. Hailed as the Digital India Act, the intention is to devise new rules with regards to the newest, most relevant technology in today’s society – Internet, as India is set to become the country with highest Internet access.
With regards to cybersecurity, it can also be seen that the IT Act does not contain provisions on this field and was not crafted to control what is a comparatively young industry. Unlike regulating appropriate usage of the new technologies such as cloud, IoT devices and social media, the Digital India Act is intended to address security and privacy issues with new technologies. - Instead of having one general category of the intermediary sites, they are best to be reclassified to different categories whereby each will have its set regulations.
Intermediaries was defined for the first time in section 79 related to the IT Rules of 2021 but rules were provided only for social media companies. Third parties refer to any firm or organization that acts as a go between or gives out and receives information as well as performs other online services. The other web-based media were categorized as ‘‘pure channels’’ and bundled together.
But one of the major issues here is that IT Rules categorize digital intermediaries based on their business scale and users instead of the offering’s attributes. What makes it difficult to regulate is that one company can provide many services, so it is impossible to address simultaneously as one body.
The Digital India Act will start putting all the Intermediaries into different containers like cloud service or CSP’s, Social media platform, Internet service or ISP’s, Metaxia, OTR providers, online gaming, and more. The act also has the intention of assigning an authoritative body for the purpose of providing penalties for regs violations. - Disallowing “safe harbour” protection to tech platforms for purposeful disinformation or other content violations from third parties
In the past, internet service providers especially social media platforms were let off the hock legally by being granted a ‘safe harbour’ law that shielded them from third party content that was posted in their various platforms because they did not have control over what their users posted. Still, because the intermediaries were granted immunity, they themselves did not have moderation of third-party material, and many of the cases were devoid of checks of the facts and non-deletion of the content violations.
Each category of the intermediary will be falling under new rules under the Digital India Act with a preference of fact-checking to deal with possible misinformation or risky data utilization. furthermore, these platforms will be legally liable for any content violations, or cyber-crime that happens in the platforms they are attached to. It shifts the government responsibility of identifying these violations to these particular platforms through the act making it mandatory for them to censor and remove prohibited content and the large social media platforms like Facebook and Twitter. - Formulating rules and regulations concerning the use of artificial intelligence, ‘AI’, and machine learning, ‘ML’ technology
With the inevitable takeover of AI and ML technology permeating through businesses, the Digital India Act wants to get ahead of the wave by focusing on one major aspect: That brings responsibility, accountability.
Forecasting to become a world leader in setting international initiatives to support the responsible deployment of the new-age technology in AI, India enters 2023 at the head of the GPAI, with Chandrasekhar sitting on GPAI chair. While AI is virtually limitless in terms of creating and enhancing, it is also a practically limitless way of causing problems and harm.
Preserving user safety and privacy will remain at the core of the Digital India Act that is expected to sufficiently respond to and regulate the use of AI in today’s world. - It entails making offenses of cyber bullying, identity fraud, and disclosing other’s information without permission.
Some of these are Cyberbullying, Impersonation, Identity theft, Identity fraud, Doxxing and malicious unauthorized sharing of personal information new age cybercrimes that MeitY plans to define and recognize as criminal offences under the Digital India Act. Earlier, these offenses were regnant in the form of fines and not made criminal through IT Act.
Indeed, the IT Act of 2000 adopted many of the cybercrime penalties through real-life experiences that are not tenable with regard to virtual experiences like online dating or online gaming. Thus, positioning the laws around the user to be protected and making any user harm a criminal act, the Digital India Act can guard itself against any innovations and technological advancements that will take place in the following years. - Governing monetisation of the content creation and its creators through advertising technology (adtech) firms
So, in order to foster the further development of Indian content creators and their channels, the Digital India Act aims to rebalance the current relationship between these large adtech conglomerates and content creators when it comes to adtech’s control and management of monetization and associated revenue streams. Most of the ad spaces are occupied by international adtech companies namely amazon, google et cetera and thus for the Indian content makers it has become hard to be negotiated in the share of the commissions and being visible across the globe.
Chandrasekhar is emulating former Australian communications minister Paul Fletcher who struggled with the tech-giants and organizations like Facebook and Google to push them for doing larger commercial agreements with the crested content in Australia. However, the content creators will also be held responsible for disseminating fake news like online intermediaries are. - Elimination of dominance of the internet (major tech companies) and giving fairness competition to local budding start-ups and more options for consumers.
In a similar vein of putting checks on big adtech, the Digital India Act aims at non-domestication of digital space by big tech incumbents. For this reason, several local and international startups have been forced out of the Indian technological market due to India’s largely unguarded stance on digital policies. The Indian government desires to regulate the domination of big tech and enable smaller enterprises to start recreating the foundation and small online marketplace. This also independently gives Indian citizens the opportunity to select the proper service for them instead of being limited to one or two big companies.
One of the aims, according to Chandrasekhar, is to enhance cyber defense and independence in India so that it possesses the means plus full and open access to every content and application throughout the internet without regarding the services from foreign countries.
8. CRITICAL ANALYSIS OF THE DIGITAL INDIA ACT, 2023
It is a novelty that the 2023 act establishes for the first time a data privacy law in India. Consent has to be obtained for the processing of personal data and the law only allows a limited number of circumstances, which are spelt out in the law. It gives to consumers expressly the right of access, rectification, updating and cancellation of the data, as well as a right of designation. This adds further protection for the processing of data of children. For business, it creates purposed limitations and liability to give notice of the collection and processing of data as well as imposing the requirement of security measures. Businesses are supposed to provide grievance redress mechanisms by virtue of the law. The DPB will also entertain complaints and grievances, and has the authority to impose sanctions as provided for in this law.
Regarding data protection, therefore, India now for the first time has a statutory basis. The presence of the law will therefore over time bring about acceptable levels of decency and adherence to the law among businesses that engage in the collection of data. In this regard, the actions of the government with regard to the execution and enforcement of the law will be the key factor – for example, whether enforcement will centre on data intensive industries or spread right across the economy would be an important variable.
However, there are some issues with some provisions of the law and the potential for it to erode the rights they appear to be guaranteed in the law apart from the open questions about how it will be implemented.
First, the exceptions made to consent fully liberate the state and puts state interests on a higher plane relative to private interests. Although it may well be quite genuine on occasion, such as disaster or emergency situations, the law expands the definition of such circumstances. For instance, Section 7(b) of the law allows the government to go round the consent provision when a beneficiary under a government service has at one time consented to receive any other gain from the state. While it may enable efficiency of personal data of the beneficiaries in receiving government services, it opens a possibility for the growth of governmental databases. This is because, to make effective usage of this provision which has the significance of the potential, the government agencies would have to be excluded from purpose limitation provisions that demand the erasure of the personal data following the achievement of the purpose for which the data had been processed. An example of this is the set of exemptions for investigative, prosecutorial and national security purposes to the state. Among the exemptions listed in Section 17(1)(c) the law does not require notification and consent, among others for the purposes of processing for “prevention, detection, investigation or prosecution of any offence or contravention of any law”.
All this is understandable, but Section 17(2)(a) then offers an omnibus exclusion from the entire law to any government department which the government may notify, in the name of sovereignty, security, integrity, order, and non-incitement. This is perhaps because Section 17(1)(c) already provides for the partial restriction of the application of the data protection law in relation to certain state agencies, while Section 17(2)(a) indicates Parliament’s desire for a complete exclusion of the data protection law in relation to such agencies.
Measures such as these provide for an entirely distinct type of activity that cannot be accounted for under data protection laws and regulations. What is also alarming is that Indian state does not have to adhere to most of such restraints as a private entity would in circumstances when there is no compelling need to make such an allowance.
Second, the discretionary powers of the government to make rules under the law are somewhat erosive of the protections afforded under the law in some circumstances. For instance, the government exercising its powers under Section 17(5) can make a declaration that any or some provisions of this law shall not be applicable to any business or class of businesses for the first five years of this law coming into operation. This exemption can easily be operated and, to the best of my knowledge, there is no time frame on the use of this exemption or any template on how one should go about using this provision. Certainly, as a literal interpretation one could infer that this could be used to give sunrise industries or start-ups some time to the law. But provision for this has already been made in section 17(3) of the act where only startups and other industries the government may notify qualify for limited exemptions. As a result, the so-called protection under Section 17(5) of the Act can be used in a way that negates the objectives of the law. What is important to insist here is that the law restricts the government’s possibility to grant these exemptions only for five initial years. It does not include provisions on the time periods that such exceptions may last for.
Likewise, the government has some raw rule-making powers for relieving businesses from some obligations relating to the handling of children’s data. Sections 9(1) to 9(3) set out some conditions as to the same—they include the need for consent from the parent and the prohibition of profiling among others. The government can, under Section 9(4) exempt any business or class of businesses from Sections 9(1) to 9(3) “subject to such conditions, as may be prescribed” Without information on the kind of circumstances under which this exemption is going to be granted, how these conditions are going to be set, and so on, this provision too violates the principle of legal certainty. Like the above provision, there is also no sufficient guidance and as such may be abused.
As much as there are other provisions where the government has powers to prescribe conditions and make the substantive rules there are few directions given in the example provisions above. This is also not good when the laws are evaluated using the principles of Indian administrative law because it violates the rule that no law should give uncontrolled and unreasonable discretions to the implementing agency of law. Such uses of laws are legally unlawful according to the constitution of India.
Third, the problem is the design of the DPB. The board is autonomous and performs a narrow set of functions; the government will establish procedures for selecting and appointing the members of the board. Though the law states qualifications of members, it does not provide how many members are to constitute the board and only one of them needs to be a lawyer. The last of these provisions is particularly questionable as the board is supposed to serve penalties, and directions for noncompliance.
Moreover, according to the provisions of the DPB the chairperson is permitted to do anything on behalf of the board and conduct any of its proceeding, thus it is not out of the realm of possibilities that the chairperson does not allow the legal member of the board to conduct the proceedings leading up to the issuance of the penalty. This design also does not keep internal coherence of functions that are required for the members conducting inquiries and for the chairperson. Since the chairperson appoints members to conduct inquiries, he may not discharge this function objectively in all instances.
Thus, whilst the DPDP Act for the first time enshrine data privacy rights and protections in law, certain provisions of the law form a mechanism for negation of the very principles should the government operates under them with anything less than accurate and stringent conduct possible.
9. CONCLUSION
The DIA still has a lot to prove, and it is entering a scene as a bill that replaced a crucial, integrated and general information technology act. The first draft of the DIA is planned to be published after the completion of the consultation of the stakeholders on the matter. However, it would be engaging to see additional advancement related to the Digital India Act and to assess its application based on certain increments in a different type of business.
The DIA will facilitate the expansion of digital India’s economy, which also signifies the emergence of newer forms of issues sourced with digital technologies such as data protection and cyber security. However, abolishing the safe harbour principle will be disparaged by Bigtechs. Furthermore, it will entail professionals and proper setting for law enforcement and countering the by-definition novelty of such things as the Internet, artificial intelligence, deep fake, and many countries proposing legislation resolutions for such concerns. To understand territorial jurisdiction, one has to introduce it as information and interaction over the Internet are borderless. Even though the values of transparency and accountability are the tools upon which the act has been built it will still have to work for the benefit of key stakeholders like users, big techs, government business and civil society.
Indeed, it shall be one of the most significant enactments in the tradition of law of the nation since it enshrines the freedom of speech as well as other civil liberties of the people of the nation on the social networking sites. As well as increasing privacy, safety and security, it will also protect citizen’s data. That will promote the innovation, development of advanced technologies and will have significance importance in the field of education, health and administration. It will be worthwhile to observe the process of construction of this proposed legislation in the near future.
10. FAQs
Q. What is the contemporary scope of digital laws?
A. It consists of:
- Information Technology Act, 2000
- IT (Amendment) Act, 2008
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- Establishment of Grievance Appellate Committees under Rule 3A of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Direction No. 20(3)/2022-CERT-In Consumer Protection Act, 2019 ('CPA') and Consumer Protection (E-Commerce) Rules, 2020
- Information Technology (Certifying Authorities) Rules, 2000
- Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015
- Information Technology (The Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013 ('CERT-In Rules')
- Information Technology (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
- Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
o In particular the important notifications include
- Notification No. S.O.1581(E) dated 26.4.16 regarding Authorisation of CERT- In to monitor and collect traffic data or information in any computer resources u/s 69B
- Notification No. S.O. 6062(E) dated 23.12.2022 regarding 370th Amendment to the Allocation of Business Rules 1961 relating to Online Gaming and e- Sports
- Notification No. GSR 520(E) dated 2.05.16 Powers and Functions of Chairperson, CyAT
- Notification No.G.S.R 446(E) dated 27.4.16 regarding Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2016
- Notification No.993(E) dated 11.12.2015 regarding declaration of UIDAI-CIDR critical information under section 70A of IT Act
Q. What is Open Internet?
A. Open Internet is the internet which we commonly use and includes the following components without any variables:A. Open Internet is the internet which we commonly use and includes the following components without any variables:
- choice
- competition
- online diversity
- fair market access
The assessment plan includes the analysis of the ease of doing business in a given country and the ease of compliance for start-ups. It is for the reason of fair-trade practices, to prevent market power and gate keeping, by regulating the Ad-tech platforms, the App stores etc.
It protects innovation to provide growing technologies, including AI/ML, Web 3. 0, Robotics & Automation, IoT, Distributed Ledger Technology/Blockchain, Quantum Computing, Virtual & Augmented Reality, Tele-Interpreters / Real-time language translation, NLP applications etc.
It also enhances convenience to ministries or departments in the provision of GO & other public utilities, delivers GO services through online/mobile solutions in a convenient, integrated and user-friendly way.
Q. What has to be met in the case of data processing by means of minors?
A. The new bill in India called the Digital India Act will also contain the provisions of the mandatory ‘do not track’ for protection of the data of the minors, the safety and the privacy of the minors on the social media platforms, the games and the betting apps and so on and particularly to avoid the exploitation of the data of the minors for ad targeting and so on.
Q. What are the rules that must be followed by the client in order to be identified?
A. Products that are invasive to individual privacy like spy camera glasses, wearable technology would be allowed only under strict regulation before they are sold and any accessibility for the public sale would require a strict ID check similar to OTC markets with the appropriate criminal law consequences.
Q. Under the new classification of intermediaries what are the distinct classes of intermediaries?
A. Following are the new classes of intermediaries under the proposed framework:
- eCommerce
- Digital Media
- Search Engines
- Gaming
- AI
- Over-the-top (OTT) Platforms
- TSPs
- Ad-Tech
- SSMIs
Join LAWyersClubIndia's network for daily News Updates, Judgment Summaries, Articles, Forum Threads, Online Law Courses, and MUCH MORE!!"
Tags :Others