The upcoming Digital India Act (or Digital India Bill) is expected to be India’s newest legislation and legal framework for regulating the country’s online environment and digital data protection policies. The Digital India Act will fully replace the current Information Technology Act (IT Act) of 2000 by early 2023, which has faced criticisms for its outdated policies and inadequacies in dealing with modern-day technological issues.
Since IT Act of 2000 was enacted, there have been many revisions and amendments (IT Act Amendment of 2008, IT Rules 2011) in attempts to define the digital space in which it regulates while trying to put more emphasis on the data handling policies. However, because the IT Act was originally designed only to protect e-commerce transactions and define cybercrime offenses, it did not deal with the nuances of the current cybersecurity landscape adequately nor address data privacy rights.
Without a complete overhaul of the governing digital laws, the IT Act would fail to keep up with the growing sophistication and rate of cyber attacks. The goal of the new Digital India Act, according to the Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, is to “act as catalysts for Indian economy by enabling more innovation, more startups, and at the same time protecting the citizens of India in terms of safety, trust, and accountability.”
Why is the Digital India Act Important?
The Digital India Act will be the most significant piece of IT legislation to come out of India in its entire history and will potentially govern the entire country’s digital laws for the next decade or two. With this new law, the country hopes to future-proof its digital laws and and enable businesses to compete on a global scale. Additionally, the Indian government has attempted to involve and consult as many stakeholders (citizens) in the drafting of the Digital India Act to ensure that the rules and framework enable a comprehensive IT ecosystem within the country for at least the next decade.
However, the ultimate goal is not just to ensure stronger laws for citizen privacy rights and build trust in the government — the Digital India Act will be designed to stimulate the digital economy for Indian businesses and transform the nation into a worldwide digital powerhouse as the world’s most populous nation. Chandrasekhar believes India can achieve a trillion dollar digital economy by 2026, centered around the Digital India Act.
Digital Personal Data Protection Bill, 2022
The Indian parliament plans to implement the Digital India Act alongside the Digital Personal Data Protection Bill, 2022, initially proposed in November 2022. The two legislations will work in tandem with each other, with the Digital Personal Data Protection Bill focusing solely on the processing personal data in India.
According to the bill, the purpose is to address the “processing of digital personal data in a manner that recognizes both the right of the individuals to protect their personal data and the need to process personal data for lawful purposes.” The Digital Personal Data Protection Bill, 2022, which has drawn comparisons to the EU’s GDPR (General Data Protection Regulation), is focused on regulating user privacy, user consent, and data processing.
The Digital India Act is part of a much larger framework that regulates all aspects of the digital world and not restricted to just data processing policies. However, as both pieces of legislation continue to be revised, it represents a major step forward for India.
Learn more about the top cybersecurity regulations in India.
What are the Main Points in the Digital India Act?
In addition to a brand new legislative framework surrounding data and information security, the Digital India Act highlights the following areas:
1. Creating new regulations around newer technology, including 5G, IoT devices, cloud computing, metaverse, blockchain, and cryptocurrency
The IT Act of 2000 was significantly outdated and had almost no mentions of the “internet” during its inception. The Digital India Act aims to create new regulations surrounding the newest, most relevant technology in today’s society as India approaches the threshold of most-internet connected country in the world.
The IT Act also has no mention of cybersecurity and is not built to regulate the relatively new industry. With business-critical technologies like the cloud, IoT devices, and social media, the Digital India Act aims to address security and privacy concerns with new technology and not just regulate it for responsible use.
2. Reclassifying online intermediaries to separate categories instead of one general intermediary label, each one with its own set of regulations
Intermediaries was introduced as a new concept in the IT Rules of 2021, but only defined rules for social media platforms. Intermediaries are any company or platform that facilitates information sharing or provides online services. The other online platforms were classified as “pure intermediaries” and grouped together.
However, one of the main problems with IT Rules is that digital intermediaries have been grouped by company size and user base rather than the features or services they provide. A single company can offer multiple services, making it hard to regulate as a whole.
The Digital India Act will begin to categorize all online intermediaries into different buckets, such as cloud service providers (CSPs), social media platforms, internet service providers (ISPs), metaverse, OTT providers, online gaming, and more. The act also aims to appoint a regulating body to hand out penalties for violations of rules.
3. Removing “safe harbour” immunity for online intermediaries for purposeful misinformation or other content violations from third parties
In the past, online intermediaries, such as social media platforms, were given a “safe harbour” legal immunity, effectively protecting them from third-party content posted on their respective platforms because they had no control over it. However, because the intermediaries were given immunity, they lacked moderation of third-party content, often leading to a lack of fact-checking and non-removal of content violations.
Under the Digital India Act, each intermediary category will be subject to new regulations with a heavy focus on fact-checking to prevent misinformation or misuse of data. Additionally, these platforms will now instead be held accountable for any content violations or cybercrimes that occur on their websites. Instead of relying on the government to flag these violations, the legal obligation now falls on these platforms to moderate and remove disallowed content, including major social media companies such as Facebook and Twitter.
4. Creating digital standards and laws regarding artificial intelligence (AI) and machine learning (ML) technology
With the inevitable takeover of AI and ML technology permeating through businesses, the Digital India Act wants to get ahead of the wave by focusing on one major aspect: accountability.
With India leading the Global Partnership on Artificial Intelligence (GPAI) in 2023 and Chandrasekhar sitting as the chairman, India is poised to become a world leader in establishing international initiatives to support responsible use of AI technology. Although AI has boundless opportunities to build and innovate, it also represents new avenues for misuse and harm.
Protecting user safety and privacy will continue to be the center of the Digital India Act, which hopes to adequately address and monitor the use of AI in today’s world.
5. Criminalizing cyberbullying, identity theft, and unauthorized sharing of personal information without consent
The Ministry of Electronics and IT (MeitY) plans to classify new forms cybercrime, such as cyberbullying, impersonation, identity theft, identify fraud, doxxing, and malicious unauthorized sharing of personal information, as new criminal offenses under the Digital India Act. Previously, these offenses were penalized through fines and not criminalized through the IT Act.
In fact, the IT Act of 2000 borrowed many of the cybercrime penalties through real-world experiences, which are no longer applicable through the evolution of online-facing experiences such as online dating or online gaming. By centering the laws around protecting the user and criminalizing user harm, the Digital India Act can future-proof itself against any innovation and technological developments that may come in the following years.
6. Regulating monetization of content creation and its creators by advertising technology (adtech) companies
To help build up Indian content creators and their digital platforms, the Digital India Act wants to reexamine the disproportionate relationship between big adtech companies and their control over monetization and revenue sharing. With global adtech companies like Amazon and Google dominating the ad space, it has become extremely difficult for Indian content creators to negotiate revenue sharing and become visible on a global scale.
Chandrasekhar follows in the steps of former Australian communications minister Paul Fletcher, who challenged big tech companies and got companies like Facebook and Google to sign more significant commercial deals with Australian content creators. However, content creators will now also be penalized for spreading false information, much like online intermediaries.
7. Removing monopolies of the digital space (big tech) and allowing fair competition from local startups and more choices for users
In a similar context of regulating big adtech companies, the Digital India Act wants to prevent domination of the digital space by big tech companies. Because India has largely been unregulated regarding their digital policies, many local and foreign startups have been discouraged from entering the Indian tech space.
The Indian government wants to challenge big tech control and allow smaller businesses to begin building up the infrastructure and small e-commerce space. This also allows Indian citizens to choose the best service for them rather than defaulting to one or two options of the major companies.
Part of the goal, says Chandrasekhar, is to increase India’s cyber resiliency and sovereignty so that the country will have the ability and access to all technology and platforms without relying so heavily on foreign services.