Difference between revisions of "Internet Regulation in India"

Revision as of 21:08, 27 January 2023

Internet Regulation in India pertains to the passage of laws, both at the national and the state level, to regulate and control internet activity inside India. This includes definitions of cybercrimes, rules governing content on social media platforms, national security considerations, and data storage regulations on servers hosted inside the country.

Background

Information Technology Act

The Information Technology Act (IT Act) of 2000 established the Government of India’s primary rules on cybercrime and electronic commerce. In the wake of the 26/11 Mumbai terrorist attacks, a substantial amendment to the law was passed^[1], introducing new sections giving the government the power of “interception or monitoring or decryption of any information through any computer resource,” penalizing “offensive messages,” and formally addressing pornography and cyber terrorism. Consequently, the IT Act provides a comprehensive legal framework to tackle vast swaths of online activity.

Subsequent Legislation

OTT Legislation

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a piece of secondary legislation with roots in section 87 of the IT Act. This piece of legislation was geared towards providing guidelines for Over-The-Top (OTT) media platforms^[2] and rules for social media intermediaries with a set of digital ethics. The government described the new rules as a “soft-touch oversight” aimed at dealing with issues like the proliferation of fake news, image morphing, and abuse of social platforms.

CERT-In and VPN Legislation

The IT Act appointed an “Indian Computer Emergency Response Team (CERT-In)”[] to serve as a national agency dealing with certain matters of cybersecurity with powers vested in it to both receive data from and direct internet service providers, data centers, and other bodies.

CERT-In posted a national directive^[3] in April 2022, requiring all virtual private network companies operating within India to store and maintain customer data — including their names, email addresses, and IP addresses — for a period of at least five years, even in cases where a customer ends their subscription. CERT cited national security concerns, with an eye to combatting cybersecurity threats including data breaches, along with assurances that data would only be sought on a case-by-case basis.

Internet Shutdowns

In the last decade, India has enacted the most internet shutdowns of any country in the world. Between January 2012 and June 2022, India instituted 647[] internet blocks. The Government of India also formally codified into law the power to direct telecom service providers to shut down internet services within any region inside India in 2017 due to matters of public safety or emergency.[] Prior to this, the Government of India would apply the Indian Telegraph Act of 1885 to direct service providers to stop service.

In 2020, the Supreme Court of India ruled that access to internet was a fundamental right[], also adding that government-enacted internet shutdowns in the region of Jammu and Kashmir were illegal.[] India’s internet shutdowns have not abated with 100 shutdowns in 2021 alone, including one to curb cheating in examinations for civil service positions in the state of Rajasthan.[] Some shutdowns have been contested in court by industry groups opposed to the disruptions in service, with the Supreme Court ordering the Ministry of Electronics and Information Technology (MEITY) to reveal its criteria for approving shutdowns.[]

Proposed Legislation

Indian Data Privacy Legislation

India’s Supreme Court ruled, in 2017, that privacy was a fundamental right[] for all of its citizens. However, legislation outlining data privacy policies was missing at this time. In 2019, the Personal Data Protection Bill[] was introduced in Parliament, seeking to introduce wide-sweeping regulations about the flow and storage of personal data. It included provisions mandating that companies collect user consent for most uses of a person’s data and requiring companies to enact storage of certain forms of sensitive data within the country. It also proposed setting up a new entity, the Data Protection Authority, to make rules and oversee corporate compliance and conflicts.[]

But the Personal Data Protection Bill was withdrawn in 2022.[] The Bill was subject to multiple amendments and recommendations from a parliamentary panel after its unveiling, with many recommendations “falling outside the scope of a modern digital privacy law.” Citing the increasing complexity, the government withdrew the bill, with the goal of creating a legal framework and present a new bill to describe India’s data privacy policies.

Digital India Act

The proposed Digital India Act, expected to release in early 2023, is slated to replace the IT Act of 2000 to become the preeminent digital law within India. It is expected to introduce a dedicated regulatory body, similar in nature to the Telecom Regulatory Authority of India (TRAI), to oversee internet companies. The government has expressed a vision of a more principle-based piece of legislation as opposed to being overly prescriptive.[]

Ethical Concerns

Privacy

References

1. ↑ Yes, snooping's allowed - Indian Express. Archive. (n.d.). Retrieved January 27, 2023, from http://archive.indianexpress.com/news/yes-snooping-s-allowed/419978/0
2. ↑ Correspondent, S. (2021, February 26). Govt announces new social media rules to curb its misuse. The Hindu. Retrieved January 27, 2023, from https://www.thehindu.com/news/national/govt-announces-new-social-media-rules/article33931290.ece
3. ↑ No. 20(3)/2022-CERT-in Government of India Ministry of Electronics and ... (n.d.). Retrieved January 27, 2023, from https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf