The Government of India is considering developing a comprehensive set of new laws to bring the country’s tech rules in step with today’s digital economy. As a part of this exercise, the Ministry of Electronics and Information Technology (MeitY) plans to draft a Digital India Act (DIA) — a new law to replace the two-decades-old Information Technology Act, 2000 (IT Act).
The technology landscape has changed significantly since the IT Act came into force in 2000. In addition to hardware and software advances, India has witnessed a rapid acceleration in the use of emerging technologies across every aspect of digital life, spurred on by the COVID-19 pandemic. As digital transformation redefines business and society, it is especially timely for India to develop the DIA.
BSA welcomes a policy framework that encourages innovation, creates more job opportunities, facilitates the growth of emerging technologies, and addresses privacy and security risks. A revamped policy can help safeguard public interests and rights online. It can also help India meet its economic goals — that of becoming a trillion-dollar digital economy by 2025 – by shaping a competitive business landscape for years to come.
India plans to foster an open, safe, trusted, and accountable internet through the DIA. To contribute to this exercise, BSA has outlined five key principles to consider while developing the new law.
First, ensure policy predictability and regulatory accountability.
Policy predictability helps build trust among both businesses and consumers, and public consultation is an essential regulatory tool that can contribute to a predictable policy environment. A robust consultative process allows all affected stakeholders to contribute to the law-making process at every step — when framing the base law and developing subordinate legislation. An institutionalized consultation process also ensures that the regulator remains accountable while implementing the law.
The DIA should be developed through a robust and meaningful stakeholder consultation process that provides the time and opportunity for all interested parties to contribute to achieving the goals of greater policy certainty facilitating the digital ecosystem.
Second, adopt a coherent policy approach.
While developing the DIA, the Indian government should minimize or avoid overlapping or duplicative regulations. For instance, under the India Telecommunications Bill, 2022, given the wide scope of the term “telecommunication services,” the Department of Telecommunications (DoT) may effectively become a licensor for digital platforms — that are already regulated under the IT Act and could be regulated under the DIA. Overlapping rules exacerbate regulatory uncertainty, which deters businesses and economic growth. On the other hand, a whole-of-government approach which aims to integrate the collaborative efforts of the departments and agencies of a government will help ensure effective coordination between ministries and regulators.
Third, recognize the distinct roles different companies have in the digital ecosystem.
Intermediaries provide a variety of services in the digital medium. Internet service providers (ISPs), cloud service providers (CSPs) and Infrastructure-as-a-Service (IaaS) providers, consumer-facing social media platforms, and video sharing sites are a few examples of the different types of intermediaries in the digital ecosystem.
Enterprise technology service providers play a particular role in that ecosystem. They provide technologies that enable the operations of other companies. They help organizations of all sizes and across all industries operate more safely and efficiently. They will often not have a direct relationship with individual consumers or even have the right to look at a consumer’s personal data. Rather, B2B technology companies provide services to other organizations that have the direct relationship with the individual consumer. It is important when crafting laws to account for these differences.
This distinction has already been recognized by the Government of India in certain rules, notably by introducing a sub-set of “social media intermediaries” under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which are subject to a higher set of obligations than others.
We recommend that the DIA acknowledge the above distinctions by ensuring that enterprise technology service providers are not governed by an overly broad, one-size-fits-all regulation.
Fourth, identify policy priorities on cybersecurity.
Modern society is built on software. It connects people to their friends and family, enables governments and businesses to operate more efficiently and securely, and underpins the global economy. As India increasingly uses software and other digital technologies to improve people’s daily lives, lawmakers must consider cybersecurity from the outset as they draft the DIA to ensure that the products and services on which consumers rely on are secure.
BSA’s Global Cyber Agenda identifies several priorities for governments seeking to improve cybersecurity. We recommend that the Indian government consider these priorities in building the DIA framework:
- Encourage public-private collaboration to increase the likelihood that a law or policy achieves its intended outcome while minimizing unintended consequences.
- Manage cybersecurity risk for emerging technologies by building in risk-based cybersecurity from the beginning of the design process.
- Harmonize laws within and between governments by developing laws based on best practices and internationally recognized standards.
- Invest in modern IT infrastructure and cybersecurity, for example by migrating to cloud services and leveraging multi-cloud.
Finally, harmonize the upcoming data protection law with the DIA.
For the past five years, Indian policymakers have been on a path to creating a comprehensive personal data protection law through a robust consultative process. The Indian government is now finalizing a new Personal Data Protection (PDP) bill that will be aligned with global standards. According to IT Minister Ashwini Vaishnaw, the new bill will be one limb of India’s broader policy vision for the digital ecosystem — along with the DIA.
BSA supports the development of comprehensive privacy legislation instead of developing a fragmented framework, where privacy requirements are embedded in different sectoral regulations. We recommend that the DIA promote harmonization of the upcoming PDP bill with existing legislations, including sectoral laws.
BSA urges the Government of India to consider these principles as it refines its approach toward developing a future-ready DIA. This is a welcome opportunity for the Government of India to adopt a forward-leaning law that can help create a safe and secure internet while fostering innovation.
