Internet Regulation in India

From SI410

Internet Regulation in India pertains to the passage of laws, both at the national and the state level, to regulate and control internet activity inside India. This includes definitions of cybercrimes, rules governing content on social media platforms, national security considerations, and data storage regulations on servers hosted inside the country.

India was home to more than 749 million internet users in 2020[1], with that number projected to double by 2040. The incredibly large-scale internet operations within the country consequently face many challenges, including an increase in cybercrime occurrences [2], that require ample legislation to define both rules and rights for citizens.

As a result, governments at the federal level have drawn up numerous laws to provide frameworks to contextualize discourse around digital rights, national security, and privacy. Some of the laws have stringent compliance requirements for private sector operators; however, the government itself is not subject to many of the same oversight requirements. This has raised certain ethical concerns relating to governmental surveillance and internet freedoms.


Background

Information Technology Act

The Information Technology Act (IT Act) of 2000 established the Government of India’s primary rules on cybercrime and electronic commerce. In the wake of the 26/11 Mumbai terrorist attacks, a substantial amendment to the law was passed[3], introducing new sections giving the government the power of “interception or monitoring or decryption of any information through any computer resource,” penalizing “offensive messages,” and formally addressing pornography and cyber terrorism. Consequently, the IT Act provides a comprehensive legal framework to tackle vast swaths of online activity.

Subsequent Legislation

Social Media and OTT Legislation

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a piece of secondary legislation with roots in section 87 of the IT Act. This piece of legislation was geared towards providing guidelines for Over-The-Top (OTT) media platforms[4] and rules for social media intermediaries with a set of digital ethics. The government described the new rules as a “soft-touch oversight” aimed at dealing with issues like the proliferation of fake news, image morphing, and abuse of social platforms.

The new rules required social media intermediaries to help law enforcement in identifying and investigating the originators of “unlawful” messages, along with a new legal need for platforms to take down these messages (within 36 hours of receiving a request) and set up grievance redressal mechanisms. Notably, the IT Act’s Section 79 [5] previously provided “safe harbor” protections (where a social media intermediary was not legally liable for any information posted on their platform by a third party), which have now been diluted with the new regulatory framework. The new rules also classified intermediaries, based on the number of users, into social media intermediaries and significant social media intermediaries. Significant social media intermediaries that provide messaging services are also required to comply with the new tracking rules for the origins of unlawful messages on their messaging platforms.

The IT Rules’ grievance redressal mechanism mandated [6] that social media intermediaries appoint a grievance officer, who would be responsible for acknowledging the receipt of a complaint within 24 hours and resolving the complaint within 15 days. Future amendments have been drafted to expand this mechanism, centered around creating a framework to appeal decisions made by grievance officers. The amendments would seek to set up Grievance Appellate Committees (GAC) to address any user complaints against a grievance officer’s decision. Each GAC is to be a panel of three individuals, one of whom would be a government officer while the other two are independent representatives.

CERT-In and VPN Legislation

The IT Act appointed an “Indian Computer Emergency Response Team (CERT-In)”[7] to serve as a national agency dealing with certain matters of cybersecurity with powers vested in it to both receive data from and direct internet service providers, data centers, and other bodies.

CERT-In posted a national directive in April 2022, requiring all virtual private network companies operating within India to store and maintain customer data — including their names, email addresses, and IP addresses — for a period of at least five years[8], even in cases where a customer ends their subscription. CERT-In cited national security concerns, with an eye to combatting cybersecurity threats including data breaches, along with assurances that data would only be sought on a case-by-case basis. Additionally, enforcement[9] of data collection requirements is to be done based on provider compliance when faced with an information request issued by the government.

Internet Shutdowns

Number of Internet Shutdowns in India from Jan. 2012 – Jun. 2022 [10]

In the last decade, India has enacted the most internet shutdowns of any country in the world. Between January 2012 and June 2022, India instituted 647 internet blocks. The Government of India also formally codified into law the power to direct telecom service providers to shut down internet services within any region inside India in 2017 due to matters of public safety or emergency[11]. Prior to this, the Government of India would apply the Indian Telegraph Act of 1885 to direct service providers to stop service.

In 2020, the Supreme Court of India ruled[12] that access to the internet was a fundamental right, also adding that government-enacted internet shutdowns in the region of Jammu and Kashmir were illegal. India’s internet shutdowns have not abated, with 100 shutdowns in 2021 alone, including one to curb cheating[13] in examinations for civil service positions in the state of Rajasthan. Some shutdowns have been contested in court by industry groups opposed to the disruptions in service, with the Supreme Court ordering[14] the Ministry of Electronics and Information Technology (MEITY) to reveal its criteria for approving shutdowns.

Proposed Legislation

Indian Data Privacy Legislation

India’s Supreme Court ruled, in 2017, that privacy was a fundamental right[15] for all of its citizens. However, legislation outlining data privacy policies was missing at this time. India’s government has also vocally outlined a need for data localization policies — requiring that “sensitive and super-sensitive data” [16] should not leave the nation’s borders, and instead, be stored in servers located within the country — with an eye on four major objectives[17]. The government contends that data localization will streamline law enforcement operations, prevent foreign surveillance, boost economic growth, and aid the enforcement of data privacy legislation.

In 2019, the Personal Data Protection Bill[18] was introduced in Parliament, seeking to introduce wide-sweeping regulations about the flow and storage of personal data. It included provisions mandating that companies collect user consent for most uses of a person’s data and requiring companies to enact storage of certain forms of sensitive data within the country. It also proposed setting up a new entity, the Data Protection Authority, to make rules and oversee corporate compliance and conflicts.

The Bill would also introduce data localization requirements [19], initially adding a “data mirroring” requirement — a stipulation that a copy of all data on Indian citizens be stored within India — that was later softened to requiring only certain forms of data to be stored locally. The new rules created two protected classes of data — “critical personal data” that must only be stored and processed locally and “sensitive personal data” that must be stored locally but could be copied elsewhere conditionally.

But the Personal Data Protection Bill was withdrawn[20] in 2022. The Bill was subject[21] to multiple amendments and recommendations from a parliamentary panel after its unveiling, with many recommendations “falling outside the scope of a modern digital privacy law.” Citing the increasing complexity, the government withdrew the bill, with the goal of creating a legal framework and presenting a new bill to describe India’s data privacy policies.

In 2022, the government also softened its stance on its data localization requirements [22]. The newly drafted rules would now allow for the transfer and storage of data within “trusted geographies.” They also removed criminal penalties for companies involved in data breaches, opting to instead impose proportional financial penalties. These rules are part of the revision to the withdrawn Personal Data Protection Bill to form the Digital Data Protection Bill, which was introduced in the nation's parliament in 2022 [23]. This revision also follows extensive lobbying efforts from foreign governments and companies to reduce data localization requirements, in the interest of open cross-border data flows and to avoid the added costs of additional local storage infrastructure.

Digital India Act

The proposed Digital India Act, expected to be released in early 2023, is slated to replace the IT Act of 2000 to become the preeminent digital law within India. It is expected to introduce a dedicated regulatory body, similar in nature to the Telecom Regulatory Authority of India (TRAI), to oversee internet companies. The government has expressed[24] a vision of a more principle-based piece of legislation as opposed to being overly prescriptive.

Controversy

Social Media Regulation

Section 66A [25] of the IT Act — dedicated to outlining punishments for sending “offensive messages” including a fine and imprisonment for a term up to three years — caused controversy when applied to criticism of politicians. Notable cases include a cartoonist satirizing corruption [26], a businessman alleging corruption on Twitter [27], and a teenager with a Facebook post insulting a state politician [28], all arrested after complaints were filed with the police citing this section. The Supreme Court in 2015 [29] struck down the section, ruling it unconstitutional in spite of the government justifying the law citing the need to respect religious sentiments [30].

Bans on Chinese apps

In June 2020, the government banned [31] TikTok and nearly 60 other Chinese apps using powers bestowed by section 69A of the IT Act [32], justifying the decision by citing national security concerns. In the following months and years, additional bans were also placed on more Chinese apps, with an estimated 224 apps banned by February 2022 [33]. Experts cite China’s National Intelligence Law, [34] which requires Chinese companies to cooperate with China’s intelligence gathering apparatus, as a concern that data collected by Chinese apps could be used by the Chinese government. The Chinese government has opposed the move [35] with expressions of concern about the impact on Chinese businesses.

These measures have followed a breakdown in diplomatic relations between the two nations, and a border dispute in 2020 that resulted in 20 Indian casualties [36].

Ethical Concerns

Privacy and Governmental Surveillance

While privacy was ruled a fundamental right, the lack of a comprehensive data privacy legal framework after the shelving of the Data Protection Bill has left a legal grey area. Experts have professed an urgent need to enact data privacy legislation to protect the privacy of citizens.

In addition, many pieces of digital law in India lend protection to the Indian Government. The directive from CERT-In mandating VPN providers to maintain and store users’ data for a period of at least 5 years, with the legal obligation to provide the data to the government on request, has concerned experts. In addition, many VPN providers have moved physical operations[37] out of the country, removing physical servers to prevent undermining their security protocols. However, the data collection requirements go beyond[38] VPN providers — affecting all cloud service providers operating servers within India.

In the case of the VPN legislation, the government has stated that it wouldn’t infringe on its citizens’ privacy, assuring the use of its authority only on a “case-by-case basis” in matters concerning security. However, critics of the new policy cite the Indian government’s history of surveillance, including accusations that it used Pegasus spyware [39] to snoop on certain citizens and the confirmation of malware on some devices connected to that case by a special judicial committee [40], as a cause for concern, especially with increased legal authority.

This poses ethical concerns about user privacy and governmental surveillance. On the one hand, increases in cybercrime incidences in recent years and an increasingly vocal need for data localization for more streamlined law enforcement operations and preventing foreign surveillance are cited as justifications for the legislative direction. On the other, the elevation of privacy to be a fundamental right and growing suspicion over governmental surveillance pose a need to balance the current powers of the state.

Freedom of Speech

The amended IT Act included a controversial new section: section 66A. Section 66A, added in 2008, specified that individuals found to send “offensive messages” through any communication service could be subject to a punishment of a fine and even imprisonment of up to three years. This brought great concerns about the infringement of the constitutional right to freedom of expression, with the Supreme Court repealing the section in 2015; however, many arrests citing the section were made until that point.

However, after the striking down of these laws, the new IT Rules introduced in 2021 added regulations on social media, requiring platforms to acquiesce to requests for the removal of posts and aid in identifying posters. These new rules have been subject to criticism from experts [41] who express fears of over-compliance leading to lawful speech being suppressed. Platforms like WhatsApp, which released a public statement about the traceability of messages [42], have expressed concerns about the viability of tracing with the presence of end-to-end encryption obscuring messages from even the platforms. Removing such encryption protocols would severely undermine security according to experts. Additionally, the Editors Guild of India issued [43] a statement stating that the new law would “fundamentally alter how publishers of news operate over the internet,” with fears that this could undermine the freedom of the press.

Notably, the judiciary has also penalized citizens who have posted criticisms of the court online. Prominent lawyer Prashant Bhushan was found [44] to be in contempt of the court because of his tweets criticizing some of the judges. This raises concerns about the judiciary policing posts online that aren’t agreeable to it.

In a draft proposal of new internet rules, the government recently proposed[45] that any information identified as "fake or false" by the Press Information Bureau (PIB) or other government-approved fact-checking agency would be prohibited. Social media providers would then have to ensure that such content, once identified, is not shared or posted by users on their platforms.

Governments, both at the state and federal levels, have also continued to exercise their power to direct internet service providers to shut down access to the web in large parts of the country. All of these measures raise ethical concerns about the restrictions placed on the freedom of speech and expression in the country. The government has justified these measures as necessary to support law enforcement and prevent the proliferation of “fake” news or rumors.

References

  1. Basuroy, T. (2022, July 27). India: Number of internet users 2040. Statista. Retrieved February 2, 2023, from https://www.statista.com/statistics/255146/number-of-internet-users-in-india/
  2. Basuroy, T. (2022, October 13). India: Number of cyber crimes 2021. Statista. Retrieved February 2, 2023, from https://www.statista.com/statistics/309435/india-cyber-crime-it-act/
  3. Yes, snooping's allowed - Indian Express. Archive. (n.d.). Retrieved January 27, 2023, from http://archive.indianexpress.com/news/yes-snooping-s-allowed/419978/0
  4. Correspondent, S. (2021, February 26). Govt announces new social media rules to curb its misuse. The Hindu. Retrieved January 27, 2023, from https://www.thehindu.com/news/national/govt-announces-new-social-media-rules/article33931290.ece
  5. IT Act (Amendment, 2008). (n.d.).
  6. Goyal, T. (2022, November 6). Explained: The amendments to the IT rules, 2021. The Hindu. Retrieved February 2, 2023, from https://www.thehindu.com/sci-tech/technology/explained-the-amendments-to-the-it-rules-2021/article66079214.ece
  7. No. 20(3)/2022-CERT-in Government of India Ministry of Electronics and ... (n.d.). Retrieved January 27, 2023, from https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
  8. Stokel-Walker, C. (2022, May 5). VPN providers threaten to quit India over New Data Law. Wired. Retrieved January 27, 2023, from https://www.wired.com/story/india-vpn-data-law/
  9. VPN service providers to be held liable if violated CERT-in directives: Official. Hindustan Times. (2022, June 25). Retrieved February 2, 2023, from https://www.hindustantimes.com/india-news/vpn-service-providers-to-be-held-liable-if-violated-cert-in-directives-official-101656182734752.html
  10. Basuroy, T. (2022, June 9). India: Number of internet shutdowns 2022. Statista. Retrieved January 27, 2023, from https://www.statista.com/statistics/1095035/india-number-of-internet-shutdowns/
  11. The Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017. (n.d.). Retrieved January 27, 2023, from https://thc.nic.in/Central%20Governmental%20Rules/Temporary%20Suspension%20Of%20Telecom%20Services%20Rules,%202017.pdf
  12. Bhat, M., & Chandran, R. (2022, September 29). Feature-'living in the stone age': Offline for 18 months in Indian Kashmir. Reuters. Retrieved January 27, 2023, from https://www.reuters.com/article/india-internet-shutdown/feature-living-in-the-stone-age-offline-for-18-months-in-indian-kashmir-idINL8N2YZ245
  13. Pannett, R. (2021, September 29). Indian state shuts down internet for millions to prevent cheating on teachers' exam. The Washington Post. Retrieved January 27, 2023, from https://www.washingtonpost.com/world/2021/09/29/india-exam-cheating-internet-shutdown/
  14. Woollacott, E. (2022, September 26). India's Supreme Court demands clarity on internet shutdowns. Forbes. Retrieved January 27, 2023, from https://www.forbes.com/sites/emmawoollacott/2022/09/13/indias-supreme-court-demands-clarity-on-internet-shutdowns/?sh=77102d7f108e
  15. Home | Supreme Court of India. (n.d.). Retrieved January 27, 2023, from https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
  16. Bhalla, K. (2019, September 23). Data sovereignty cannot be compromised: Ravi Shankar Prasad. Inc42 Media. Retrieved February 10, 2023, from https://inc42.com/buzz/countrys-data-sovereignty-cannot-be-compromised-ravi-shankar-prasad-on-data-localisation/
  17. Anirudh Burman, U. S. (n.d.). How would data localization benefit India? Carnegie India. Retrieved February 10, 2023, from https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
  18. Goel, V. (2019, December 10). On Data Privacy, India charts its own path. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2019/12/10/technology/on-data-privacy-india-charts-its-own-path.html?action=click&module=RelatedLinks&pgtype=Article
  19. Key global takeaways from India's revised Personal data protection bill. Lawfare. (2020, January 28). Retrieved February 10, 2023, from https://www.lawfareblog.com/key-global-takeaways-indias-revised-personal-data-protection-bill
  20. Yasir, S., & Singh, K. D. (2022, August 4). India withdraws a proposed law on data protection. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2022/08/04/business/india-data-privacy.html
  21. Singh, M. (2022, August 4). India withdraws personal data bill that alarmed tech giants. TechCrunch. Retrieved January 27, 2023, from https://techcrunch.com/2022/08/03/india-government-to-withdraw-personal-data-protection-bill/
  22. New data bill draft to allow storage in trusted nations. The Economic Times. (n.d.). Retrieved February 10, 2023, from https://economictimes.indiatimes.com/tech/technology/new-data-bill-draft-to-allow-storage-in-trusted-nations/articleshow/95543491.cms?from=mdr
  23. Miqbal. (2022, November 23). India's new Data Bill is a mixed bag for privacy. Atlantic Council. Retrieved February 10, 2023, from https://www.atlanticcouncil.org/blogs/southasiasource/indias-new-data-bill-is-a-mixed-bag-for-privacy/
  24. Lele, S. (2023, January 19). Digital India Act to be more principle-based: Mos it Chandrasekhar. Business Standard News. Retrieved January 27, 2023, from https://www.business-standard.com/article/economy-policy/digital-india-act-to-be-less-prescriptive-more-principle-based-mos-it-123011901348_1.html#:~:text=The%20government%20is%20close%20to,Authority%20of%20India%20(TRAI).
  25. Lawyer, C. (2020, October 24). Section 66A of information technology act: Punishment for sending offensive messages. Info. Technology Law. Retrieved February 10, 2023, from https://www.itlaw.in/section-66a-punishment-for-sending-offensive-messages-through-communication-service-etc/
  26. Guardian News and Media. (2012, September 10). Indian cartoonist Aseem Trivedi jailed after arrest on sedition charges. The Guardian. Retrieved February 10, 2023, from https://www.theguardian.com/world/2012/sep/10/indian-cartoonist-jailed-sedition
  27. India Today. (2012, November 2). Arrest over tweet against Chidambaram's son propels 'mango man' Ravi Srinivasan into limelight. India Today. Retrieved February 10, 2023, from https://www.indiatoday.in/india/north/story/arrest-tweet-chidambaram-son-karti-ravi-srinivasan-120419-2012-11-02
  28. Abbas, N. (2015, March 19). Teen arrested for Facebook post attributed to Azam Khan gets bail: India News - Times of India. The Times of India. Retrieved February 10, 2023, from https://timesofindia.indiatimes.com/india/Teen-arrested-for-Facebook-post-attributed-to-Azam-Khan-gets-bail/articleshow/46620033.cms
  29. SC strikes down 'draconian' section 66A. The Hindu. (2021, December 4). Retrieved February 10, 2023, from https://www.thehindu.com/news/national/supreme-court-strikes-down-section-66-a-of-the-it-act-finds-it-unconstitutional/article61470585.ece
  30. Choudhary, A. (2015, February 5). Sec 66a Draconian, but is needed: Govt: India news - times of India. The Times of India. Retrieved February 10, 2023, from https://timesofindia.indiatimes.com/india/Sec-66A-draconian-but-is-needed-Govt/articleshow/46125733.cms
  31. Abi-habib, M. (2020, June 29). India bans nearly 60 Chinese apps, including TikTok and WeChat. The New York Times. Retrieved February 10, 2023, from https://www.nytimes.com/2020/06/29/world/asia/tik-tok-banned-india-china.html
  32. Lawyer, C. (2019, October 7). Section 69A: Power to issue directions for blocking for public access of any information through any computer resource - information technology act. Info. Technology Law. Retrieved February 10, 2023, from https://www.itlaw.in/section-69a-power-to-issue-directions-for-blocking-for-public-access-of-any-information-through-any-computer-resource/
  33. TIMESOFINDIA.COM / Feb 14, 2022. (n.d.). India bans Chinese apps: Number and names of apps banned, why and more - times of India. The Times of India. Retrieved February 10, 2023, from https://timesofindia.indiatimes.com/gadgets-news/india-bans-chinese-apps-number-and-names-of-apps-banned-why-and-more/articleshow/89563101.cms
  34. Beijing's new National Intelligence Law: From defense to offense. Lawfare. (2019, October 31). Retrieved February 10, 2023, from https://www.lawfareblog.com/beijings-new-national-intelligence-law-defense-offense
  35. Madhok, D. (2022, February 18). Beijing says it is 'seriously concerned' as India cracks down on Chinese companies | CNN business. CNN. Retrieved February 10, 2023, from https://www.cnn.com/2022/02/18/business/india-app-ban-china-reaction-intl-hnk/index.html
  36. Gettleman, J., Kumar, H., & Yasir, S. (2020, June 16). Worst Clash in decades on disputed India-china border kills 20 Indian troops. The New York Times. Retrieved February 10, 2023, from https://www.nytimes.com/2020/06/16/world/asia/indian-china-border-clash.html
  37. Bansal, V. (2022, September 25). VPN providers flee India as a new data law takes hold. WIRED UK. Retrieved January 27, 2023, from https://www.wired.co.uk/article/vpn-firms-flee-india-data-collection-law
  38. Watts, R. (2022, September 8). VPN shutdowns in India: How new laws can affect your privacy. Forbes. Retrieved January 27, 2023, from https://www.forbes.com/advisor/business/software/vpn-shutdowns-in-india/
  39. Pegasus project: 174 individuals revealed by the Wire on snoop list so far. The Wire. (2021, August 4). Retrieved February 2, 2023, from https://thewire.in/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance
  40. Explained: The findings of the Pegasus Committee, and what we know about the use of the Israeli malware. The Indian Express. (2022, August 26). Retrieved February 10, 2023, from https://indianexpress.com/article/explained/explained-sci-tech/supreme-court-verdict-pegasus-spyware-case-explained-8110710/
  41. Keller, D. (2020, January 17). Shreya Singhal case was one of the defining rulings of modern internet law. The Indian Express. Retrieved February 10, 2023, from https://indianexpress.com/article/opinion/columns/filtering-out-free-speech-shreya-singhal-case-supreme-court-6220277/
  42. What is traceability and why does WhatsApp oppose it? | WhatsApp Help Center. (n.d.). Retrieved February 10, 2023, from https://faq.whatsapp.com/1206094619954598/?locale=en_US
  43. Panjiar, T. (2022, July 5). An indian code of conduct is not a solution for "de-platforming". Internet Freedom Foundation. Retrieved February 10, 2023, from https://internetfreedom.in/indian-code-of-conduct-is-not-a-solution-for-de-platforming/#:~:text=The%20Editors%20Guild%20of%20India,undermine%20media%20freedom%20in%20India%E2%80%9D.
  44. In re Prashant Bhushan, Twitter Communications India Pvt. ltd.. Global Freedom of Expression. (2021, July 11). Retrieved February 10, 2023, from https://globalfreedomofexpression.columbia.edu/cases/in-re-prashant-bhushan-twitter-communications-india-pvt-ltd/
  45. Person. (2023, January 18). India considers banning news identified as 'fake' by govt on social media. Reuters. Retrieved February 10, 2023, from https://www.reuters.com/world/india/india-considers-banning-news-identified-fake-by-govt-on-social-media-2023-01-18/