Business setup

Key Takeaways for Businesses under the Proposed Digital India Act

The Ministry of Electronics and Information Technology (MeitY) has been discussing the Digital India Act (DIA) to replace the existing IT Act. In March 2023, MeitY published a presentation to inform stakeholders about the forthcoming legal framework, which will be known as the Digital India Act (DIA) for India’s growing digital technology ecosystem^[1]. The DIA aims to establish a comprehensive regulatory framework encompassing various aspects of India’s digital technologies and services. These areas include data protection, cybersecurity, e-commerce, digital payments, artificial intelligence, and more. While a draft of the DIA has yet to be made publicly available, the MeitY presentation provides valuable insights into the proposed framework of the upcoming legislation.

Sectors in Digital India Act

The Digital India Act will encompass the following sectors:

• Open Internet
• Online Safety and Trust
• Accountability and Quality of Service
• Adjudicatory mechanism
• New Technologies

Parts of Digital India Act

DIA will consist of 4 parts:

1. Digital Personal Data Protection Bill
2. DIA rules
3. National Data Governance Policy
4. Indian Penal Code amendments

Limitations of the IT Act

The current IT Act has the following limitations:

• Insufficient provisions on user rights, trust, and safety.
• Limited recognition of new forms of cybercrimes and a lack of institutional mechanisms for raising awareness.
• Inadequate regulatory approaches to address harmful and illegal content.
• Absence of appropriate regulations to handle the regulatory requirements of emerging technologies, high-risk automated decision-making systems, and modern digital businesses, including monopolies and duopolies.
• Inadequate principles for data privacy and protection.
• Lack of a unified, coordinated, and harmonized institutional regulatory body and a dedicated and influential investigatory and enforcement mechanism.
• Absence of a coordinated cyber security incident response mechanism.

The issue with the E-Waste Sector

The process of digitization brings forth the issue of electronic waste (e-waste), which poses a significant challenge for India. There are two main reasons why this is a pressing concern. Firstly, India’s track record of enforcing laws related to public hygiene, industrial pollution, and urban development must be more consistent, indicating better surveillance and compliance. Secondly, as India is expected to embrace digitization at a faster pace than many other nations in the next two decades, the generation of waste in the country is likely to surpass global levels.

Therefore, the Digital India initiative needs to include measures aimed at limiting the growth of e-waste. Alongside digitalization plans, India requires a proactive waste management strategy that focuses on prevention rather than a reactive approach. The first crucial step is acknowledging that the waste issue is currently being created and needs immediate attention.

Estimation of E-Waste generated

In 2014, India produced 1.7 million tonnes of waste, equating to approximately 1.3 kilograms of e-waste per capita. Suppose the penetration of electronic and electrical products in India by 2030 reaches today’s world’s average per capita levels, resulting in 6 kilograms of waste per capita. In that case, the total amount of waste generated in India will increase fivefold to 9 million tonnes by 2030. These statistics emphasize the urgency of addressing waste management to mitigate its environmental and health impacts in the future.

Objectives of Digital India Act

The key objectives of the Digital India Act (DIA) are as follows:

• Safeguarding user privacy and data: The DIA aims to establish clear guidelines for data protection and privacy, ensuring secure handling of user data and preventing misuse. It also intends to regulate wearable tech and spy camera glasses by implementing strict KYC requirements and appropriate legal sanctions.
• Strengthening cybersecurity: The DIA seeks to enhance cybersecurity measures to mitigate cyber threats and attacks. This includes provisions to prevent data breaches, combat cybercrime, and address other online threats.
• Promoting digital innovation: The DIA aims to foster a favourable environment for digital innovation by setting forth rules and guidelines for developing new technologies and services, such as autonomous systems/robotics, virtual reality/augmented reality, and real-time language translators.
• Boosting e-commerce: Recognizing the impact of influential internet giants, the DIA aims to regulate dominant ad-tech platforms and ensure non-discriminatory access to digital services and interoperable platforms. This promotes fair competition and creates a level playing field for all market players, ultimately fostering the growth of e-commerce in India.
• Enhancing digital literacy: The DIA includes measures to promote digital literacy and awareness among the general public, enabling everyone to benefit from digital technologies.
• Protecting minors: The DIA prioritizes protecting minors’ data, safety, and privacy on social media platforms, gaming, and betting apps. It introduces measures such as age-gating and Regulation of addictive technology, as well as a mandatory “do not track” requirement to prevent children from being targeted for advertising purposes.

New norms of the Digital India Act

The new norms that would be applicable are: –

• Adjudicating user harm: The DIA will address various forms of user harm, including revenge porn, cyber-flashing, activities on the dark web, protection of women and children, defamation, cyber-bullying, doxing, and salami slicing, among others.
• Age-gating and protection of minors: The DIA will regulate addictive technologies and ensure the safety and privacy of children on social media platforms, gaming and betting apps. It will introduce measures such as age-gating and a mandatory “do not track” requirement to prevent children from being targeted for advertising.
• Digital user rights: The DIA will encompass digital user rights such as the right to be forgotten, the right to secure electronic means, the right to redressal, the right to digital inheritance, the right against discrimination, and rights against automated decision-making.
• Moderation of fake news: The discretionary moderation of fake news by social media platforms will be examined and regulated under the constitutional rights of freedom of speech and expression.
• Regulation of high-risk AI systems: The DIA will define and regulate high-risk AI systems through a legal framework, including the establishment of quality testing mechanisms to assess regulatory models, algorithmic accountability, zero-day threat and vulnerability assessment, and the examination of AI-based ad-targeting and content moderation.
• Regulation of privacy-invasive devices: Privacy-invasive devices such as spy camera glasses and wearable tech will be mandated under stringent regulations before entering the market. Strict KYC requirements will be imposed for retail sales, and appropriate criminal law sanctions will be in place.
• Cybersecurity measures: The DIA will enhance cybersecurity by empowering agencies like CERT-In for cyber resilience. It will strengthen the penalty framework for non-compliance, provide advisories on information and data security practices, and promote a secure cyberspace.
• Content monetization rules: The DIA will establish rules for monetising platform-generated and user-generated content to ensure fair practices and appropriate compensation for content creators.

Data protection Laws in other nation

European Union Model:

• The General Data Protection Regulation (GDPR) aims to provide comprehensive data protection laws for processing personal data.
• Privacy is considered a fundamental right in the EU, safeguarding an individual’s dignity and their control over the data they generate.

US Model:

• Unlike the EU’s GDPR, the United States does not have a comprehensive set of privacy rights or principles that address data use, collection, and disclosure.
• Instead, there are limited sector-specific regulations, and the approach to data protection differs between the public and private sectors.
• The government’s activities and powers regarding personal information are governed by broad legislation such as the Privacy Act and the Electronic Communications Privacy Act.
• The private sector has certain sector-specific norms.

China Model:

• China has introduced new data privacy and security laws in the past year, including the Personal Information Protection Law (PIPL), which came into effect in November 2021.
• The PIPL grants new rights to Chinese data subjects and aims to prevent the misuse of personal data.
• The Data Security Law (DSL), effective in September 2021, requires the classification of business data based on importance levels and imposes restrictions on cross-border data transfers.

Conclusion

In terms of sectors, the highest number of cybercrimes are reported in the financial services sector, followed by the healthcare sector and incidents related to social media platforms. These sectors are particularly vulnerable to data breaches, which result in economic costs and damage consumer trust and business reputation. Security threats such as ransomware, data breaches, phishing attacks, and denial-of-service attacks pose risks to individuals, businesses, and governments alike. The proposed Digital India Act aims to establish a cohesive legal framework, regulating emerging technologies like Artificial Intelligence (AI) and incorporating industry input on blockchain and Web 3.0 regulations to safeguard digital citizens. This act will substantially transform how data is managed, particularly in the Waste Electrical and Electronic Equipment (Waste EEE) sector, and the E-Waste sector will need to adapt to this.

FAQ