The Bill set to replace the Information Technology Act, 2000, whose first draft is expected to be published in the first week of June, could contain provisions governing digital government, open internet, online safety and trust including user harm, intermediaries, accountability, regulatory framework, emerging technologies, risks and guardrails.
—
A draft of the Digital India Bill, which seeks to replace the Information Technology Act, 2000 (IT Act), is expected to be published in the first week of June. The Bill is a part of the Union government's larger plan to overhaul laws related to the internet in India.
After two rounds of public consultations by the Union Ministry of Electronics and Information Technology (MeitY), the general architecture of the proposed changes has become apparent.
Besides the Digital India Bill, other components of the new framework may include amendments to the Indian Penal Code (IPC) and the Code of Criminal Procedure (CrPC), the Digital Personal Data Protection Bill, a National Data Governance Policy, and Rules made under the Digital India Bill.
A potential index of the proposed Bill would comprise components such as digital government, open internet, online safety and trust including user harm, intermediaries, accountability, regulatory framework, emerging technologies, risks and guardrails, according to a presentation shown during the public consultations.
It has been submitted that the new digital law should be "evolvable and consistent with changing market trends, disruption in technologies, development in international jurisprudence, and global standards for qualitative service delivery framework," as per the presentation.
The proposal to have an "evolvable" law on the internet may be construed to mean that the Bill may leave significant details on implementation to be filled in later by Rules made under the Bill, without parliamentary scrutiny.
The provision on 'safe harbour', which protects intermediaries from content posted on their platform, is also expected to be substantially diluted.
The first pre-drafting consultation took place in Bengaluru on March 9, and the second one in Mumbai on May 23.
The proposal to replace the IT Act has been justified by the MeitY by noting that the Act was drafted 22 years ago when the internet was in its early days, and services such as social media and e-commerce platforms were absent.
While the government admits that the proliferation of technology has empowered citizens, it has expressed concerns relating to ambiguity in user rights, user security, safety of women and children, organised information wars, the radicalisation and circulation of hate speech, misinformation and fake news, and unfair trade practices.
The stated objective of the government is to "ensure Indian internet is open, safe, trusted and accountable, accelerate growth of innovation and technology ecosystem, manage rapid expansion of the types of intermediaries and protect citizens rights," as per the presentation.
In the government's view, there is an urgent need for a specialised and dedicated adjudicatory mechanism for online civil and criminal offences. This may be undertaken by amendments to the IPC and the CrPC, through which new cyber-crimes may be introduced. The particulars of that mechanism would only become apparent when the draft of the Digital India Bill is released.
Another objective of the government is to encourage competition in the internet market and choice for the consumers, which would need amendments to the Competition Act, 2002. This may be seen in the context of internet giants such as Alphabet and Meta acquiring market dominance, and attempts by the Competition Commission of India to check anti-competitive practices.
The position of the ministry, as stated in the presentation, is that an "open internet" should have choice, competition, diversity, fair market access, and ease of doing business and ease of compliance for start-ups. Though, it also believes that the internet should be "accountable", which implies changes to the safe harbour provisions as they exist in the IT Act.
With the proliferation of different types of intermediaries, the ministry is mulling separate rules for each class of intermediaries and the conditions that each must be subjected to.
The provision on 'safe harbour'— the principle that allows platforms to avoid liability for user generated content— may be substantially diluted. This would mean that intermediaries may face legal liability for content shared by their users if they don't provide user identification or traceability to the government when directed.
"Currently, those who are conducting illegalities are untraceable because they are anonymous, and the onus falls on the government to protect the citizen who has been aggrieved by the content or misinformation on the platform.
"I want to propose that we actively think through in the [Digital India Act] that we do away with Section 79 [of the IT Act] safe harbour completely and say that it is the responsibility of the platforms to do whatever due diligence they have on misinformation and toxic and illegal content," Minister of State for MeitY Rajeev Chandrasekhar told Business Standard.
The ministry has identified the following types of intermediaries: e-commerce, digital media, search engines, gaming, Artificial Intelligence (AI), over-the-top (OTT) services, Ad-tech, telecom service providers, and significant social media intermediaries (SSMIs).
Under Section 79 of the IT Act, the general rule prescribed is that an intermediary shall not be liable for any third-party information, data, or communication link made available or hosted by them.
'Safe harbour' is not available to an intermediary if it has conspired or abetted or induced the commission of an unlawful act, or if an intermediary fails to expeditiously remove certain material upon receiving actual knowledge or on being notified by the government that any information, data or communication link is being used to commit an unlawful act.
The proposal to overhaul the provisions on 'safe harbour' may also involve mandatory disclosure norms for intermediaries collecting data above a certain threshold, and standards for ownership of anonymised personal data collected by them.
The ministry has projected the above proposals as part of its plan to make the internet more "accountable".
It is possible that the Bill may include new offences addressing such issues as doxing, cyber-bullying and revenge-pornography, or for such acts to be made punishable with amendments to the IPC.
It was emphasised during the consultations that specific provisions for the protection of children online will be proposed.
This may include mandatory 'do not track' requirements to prevent data of children from being gathered to avoid ad-targeting, age-gating addictive technology and games, and tighter norms on protecting minors' data on social media platforms. Rules to limit the amount of time children can spend on a gaming app may also be made.
It was also indicated that "high risk" AI systems, such as those which create 'deep fakes' (hoax images and videos of people and events) may be regulated to ensure ethical use of AI tools.
The upcoming framework will have a chapter devoted to emerging technologies, particularly AI, and how to regulate them through the 'prism of user harm', Chandrasekhar had said at the second edition of the consultation.
To avoid monopolisation in the technology industry, the ministry plans to make changes to the competition regime to prevent anti-competitive practices. The stated goal is to prevent the concentration of market power and gatekeeping, while also safeguarding innovation to enable emerging technologies and protecting diversity on the internet.
Chandrasekhar admitted during the consultations that executing the above changes may require amendments to the Competition Act.
The need to make changes to prevent anti-competitive practices could be read in the context of the Competition Commission of India's imposition of two massive fines on Google.
A fine of ₹1,337 crore was imposed on Google in October last year by the commission for abusing its dominant position in multiple markets in the android mobile device ecosystem. Additionally, the company was directed to cease and desist from unfair business practices. A separate fine amounting to ₹936.44 crore was imposed on Google by the commission for "abusing its dominant position with respect to its 'play store' policies".
Meanwhile, on May 22, the European Union imposed a record fine of €1.2 billion (US $1.3 billion) on Meta for violating Global Data Protection Regulations on cross-border data transfers, a fact mentioned by Chandrasekhar in the second consultation.
The aim is to be able to respond quickly through regulations so that we don't have to go through the "painful process" of legislating every time, Chandrasekhar said during the consultation.
From what has emerged through the consultation process till now, the Union government may leave specific details on implementation and execution of the Bill to be decided later by the executive. This itself is not uncommon, since the Parliament is not expected to have the time or expertise to deal with technical and situational intricacies while enacting laws; and the notification of Rules in the official gazette is needed for the coming into operation of legislation.
However, since the executive holds discretion over subordinate legislation, the amount of detail laid down in the primary legislation, which has to go through parliamentary scrutiny, is significant. This is particularly concerning as the Union government has made controversial changes to cyber laws by introducing new Information Technology Rules twice in the recent past.
The devil may yet be in the details which the Digital India Bill leaves for later.