Decoding Digital India Act: A critical analysis of India’s proposed legislative framework for the digital era
Aiswarya YK,
Associate, Dispute Resolution practice
Introduction:
The digital landscape is rapidly evolving, necessitating the establishment of comprehensive legal frameworks to safeguard the rights and interests of individuals and entities. The proposed Digital India Act aims to address the emerging challenges of the digital age, providing a regulatory framework for various aspects of cyberspace. In this article, we will critically analyse the proposed act, examining its inclusions, exclusions, regulations, and the potential impact it may have on the market and intermediaries. On March 9, 2023, representatives from the legal and technology industries, among others, were invited to a consultation hosted by the Ministry of Electronics and Information Technology to learn more about the DIA’s overarching structure and fundamental principles.[1] According to the consultation’s briefing, the DIA will likely have guiding principles and will capture the broad framework of certain key constituents of the DIA, such as protecting users’ right to free speech online, guaranteeing their security while using the internet, and holding those in power accountable. In a recent discussion held at Mumbai, it has been stated that the full-fledged draft of the Bill is likely to be released this month.[2] While the draft Bill is yet to be released, this blog attempts to analyse the proposed framework with the resources available online.
Inclusions and Scope of the Act:
The Digital India Act, 2023 encompasses a wide range of subjects, reflecting the intention to comprehensively regulate cyberspace activities[3]. Some notable inclusions are:
1. Open internet: The proposed Act aims to facilitate an open internet where consumers and businesses alike have more freedom of action and access to more resources. It is anticipated that provisions will be made to ensure nondiscriminatory access to digital services and to mandate interoperability of digital services like ad-tech platforms and mobile application stores in this principle. An open internet is deemed to encompass choice, competition, online diversity, fair market access and ease of doing business and ease of compliance for startups. However, enabling an open internet is an aspiration that will require updating the provisions of legislations like the Competition Act, 2002.
2. Data Protection and Privacy: The act lays down provisions for the protection of personal data and privacy of individuals, aiming to establish a robust data protection regime. It emphasises the need for consent, data minimization, purpose limitation, and the rights of data subjects.
3. Cybersecurity and Critical Infrastructure: The act recognizes the importance of safeguarding critical infrastructure and establishes measures to strengthen cybersecurity. It introduces mandatory cybersecurity practices for entities handling sensitive data and sets up mechanisms to respond to cyber threats effectively.
4. E-commerce and Consumer Protection: The act seeks to regulate e-commerce activities, addressing issues such as unfair trade practices, counterfeit products, consumer data protection, and dispute resolution. It aims to promote transparency, trust, and consumer confidence in online transactions.
5. Digital Payments and Financial Technology: Recognizing the growth of digital payments and fintech, the act introduces regulations for ensuring secure and reliable digital transactions, protecting consumers from fraudulent activities, and promoting innovation in the financial sector.
The ominous question of “Should there be a safe harbour at all for all intermediaries?”
The DIA is anticipated to revise the safe harbour principle established for intermediaries under Section 79 of the IT Act. Compliance with ongoing specific duties relating to hosting third party information for various sets of intermediaries is likely to be a prerequisite for any protection from liability under the DIA regime. However, caution must be exercised to prevent requirements on intermediaries from becoming unduly onerous and punitive, which also undermines the safe harbour concept. It is noteworthy to mention that the U.S. Constitution and, more specifically, Section 230 of The Communications Decency Act of 1996, which shielded websites from liability for user-generated material, was a major factor in propelling the Internet forward. The Internet’s new form necessitates updated regulations to address issues like false information, harmful content, and unintended consequences; however, these regulations shouldn’t water down the original concept of safe harbour.
Since the introduction of stringent legislation to circumvent the safe harbour principle in various jurisdictions across different countries to hold companies liable for not regulating user data and imposing excessive self-regulation duties upon such intermediaries, the safe harbour principle has gradually become irrelevant. For instance, Facebook is being forced to admit guilt in many court cases for facilitating the spread of disinformation on its platform, which may have had an impact on the outcomes of elections in several nations.[4] After years of apathy, government enforcement of social media regulation has arrived at a watershed moment, sparking a heated debate over the extent to which a private company should regulate conversations taking place on its platform, especially in the wake of politically significant events like riots or elections.
This instantly reminds me of when twitter’s safe harbour status was revoked in the past due to a dispute between India and the social networking business for violations of social media guidelines. [5]This laid down that Twitter might be held responsible for the content posted by Indian users. Since then, the government has tried to broaden the scope of what constitutes an intermediary, extending the phrase into the gaming industry.
Exclusions and Potential Gaps:
While the proposed act covers several important areas, there are notable grey areas, exclusions and potential gaps that merit attention:
1. Freedom of Expression: The act must strike a delicate balance between regulating harmful content and safeguarding the fundamental right to freedom of expression. Care should be taken to avoid overreach, ensuring that legitimate speech is not unduly restricted.
2. Intermediary Liability: The act should clarify the liability of intermediaries, such as social media platforms and online marketplaces, to strike a fair balance between protecting user rights and holding platforms accountable for illegal content. Ambiguities may lead to unnecessary censorship or unjust burdens on intermediaries. The DIA tries to differentiate different types of intermediaries such as e-commerce, digital media, AI, OTT platforms, Ad Tech etc. The Act calls for a separate rule for each of these intermediaries. This paves way to ponder upon questions like whether obligations may be expected from internet-based entities that are not necessarily performing intermediary functions and whether intermediaries performing and facilitating different functions will be under pressure to abide by multiple regulations.
Regulatory Framework and Challenges:
The proposed act lays down a regulatory framework, but challenges lie ahead in its implementation:
1. Enforcement Mechanisms: The act should establish robust enforcement mechanisms to ensure compliance. This includes the creation of specialised cybercrime investigation units, training programs for law enforcement agencies, and cooperation with international entities to tackle cross-border cyber threats effectively.
2. Technological Advancements: The evolving nature of technology necessitates a flexible regulatory framework that can adapt to emerging challenges. The act should incorporate provisions to address future advancements, ensuring its relevance and effectiveness over time.
3. Amendments to relevant provisions for practical implementation: The Act tries to provide a safe-online environment which can only be done when crimes like doxing, deep fakes are brought under the purview of crimes by making amendments to the IPC. Further, since the Act will replace the IT Act, 2000, there is a need for the proposed Act to fill the gaps that already exist with the earlier act like inclusion of means to facilitate digital evidence and digital forensic across the country.
Criticism and Concerns:
The Digital India Act 2023 has faced criticism on several fronts:
1. Surveillance and Privacy Concerns: Critics argue that certain provisions of the act may grant excessive surveillance powers to the government, potentially compromising privacy rights. Robust safeguards should be incorporated to protect against abuse of power and violations of privacy.
2. Burdensome Compliance Requirements: The act’s regulations may place a significant burden on businesses, particularly small and medium-sized enterprises (SMEs). Simplified compliance procedures and provisions for capacity-building programs should be considered to alleviate these concerns.
Impact on the Market and Intermediaries:
The proposed act is likely to have a substantial impact on the market and intermediaries:
1. Market Growth and Trust: The Digital India Act 2023 can foster market growth by instilling trust and confidence among consumers and businesses. Clear regulations on e-commerce, consumer protection, and data privacy will enhance transparency, leading to increased consumer participation and higher levels of trust in online transactions. This, in turn, can stimulate market expansion and attract foreign investments in the digital economy.
2. Compliance Costs and Burdens on Intermediaries: While the act aims to protect user rights and curb illegal activities, it may impose significant compliance costs on intermediaries. Online platforms and service providers may face the challenge of implementing complex systems and procedures to ensure adherence to regulatory requirements. This could disproportionately impact small intermediaries, hindering their growth and innovation potential.
3. Intermediary Liability and Censorship Concerns: The act’s provisions on intermediary liability need careful consideration. Striking a balance between holding intermediaries accountable for illegal content and safeguarding freedom of expression is crucial. If the liability framework is overly strict, intermediaries may resort to excessive content censorship to avoid legal risks. This could stifle free speech and hinder the vibrancy of online platforms as spaces for diverse opinions and public discourse.
4. Data Localization and Cross-Border Data Flows: The act’s approach to data localization is a point of contention. While localization can enhance data protection and security, it may also disrupt cross-border data flows, impacting global businesses that rely on efficient data transfers. Striking a balance between protecting data and facilitating cross-border data flows is essential to ensure the act does not hinder innovation and international collaborations.
5. Impact on Startups and Innovation: The act’s regulatory requirements may pose challenges for startups and innovative businesses. Compliance with stringent data protection and cybersecurity provisions can be resource-intensive, potentially impeding the growth of new entrants. Encouraging a supportive environment for startups, including exemptions or streamlined procedures for small businesses, is vital to foster innovation and entrepreneurship.
Conclusion:
The proposed Digital India Act 2023 represents a significant step towards regulating cyberspace activities in India. While it incorporates important provisions on data protection, cybersecurity, e-commerce, and consumer protection, there are concerns that need to be addressed. Striking a balance between regulations and preserving fundamental rights, particularly freedom of expression, is crucial. The act’s impact on the market and intermediaries will depend on effective implementation, addressing compliance burdens, safeguarding privacy rights, and promoting an environment conducive to innovation and growth. By addressing these considerations, the act can contribute to a thriving digital ecosystem that benefits individuals, businesses, and the nation as a whole.
[1] The Economic Times, ‘Rules for invasive gadgets likely under Digital India Act: Rajeev Chandrasekhar (2023) The Economic Times’ <https://economictimes.indiatimes.com/tech/technology/rules-for-invasive-gadgets-likely-under-digital-india-act-rajeev chandrasekhar/ articleshow/ 98525005.cms> accessed on 2nd June 2023.
[2] The Hindu, ‘DigitaL India Bill Draft to be released in June: Centre’, <https://www.thehindu.com/sci-tech/technology/digital-india-bill-draft-to-be-released-in-june-mos-chandrasekhar/article66884586.ece> accessed on 2nd June 2023.
[3] Ministry of Electronics and Information Technology. ‘Proposed Digital India Act, 2023’<https://www.meity.gov.in/writereaddata/files/DIA_Presentation%2009.03.2023%20Final.pdf> accessed on 2nd June 2023.
[4] Economic Times, ‘Facebook storm makes govt ‘rethink’ safe harbour for social media platforms’ <https://economictimes.indiatimes.com/tech/technology/facebook-storm-makes-govt-rethink-safe-harbour-for-social-media-platforms/articleshow/86954469.cms>2nd June 2023.
[5] Hindustan Times, ‘Twitter loses intermediary status: What does it mean for Twitter and its users?’, <https://www.hindustantimes.com/india-news/twitter-loses-intermediary-status-what-does-it-mean-for-twitter-and-its-users-101623824196154.html> accessed on 2nd June 2023.