Difference between revisions of "Internet Regulation in India"

Revision as of 21:31, 27 January 2023

Internet Regulation in India pertains to the passage of laws, both at the national and the state level, to regulate and control internet activity inside India. This includes definitions of cybercrimes, rules governing content on social media platforms, national security considerations, and data storage regulations on servers hosted inside the country.

Background

Information Technology Act

The Information Technology Act (IT Act) of 2000 established the Government of India’s primary rules on cybercrime and electronic commerce. In the wake of the 26/11 Mumbai terrorist attacks, a substantial amendment to the law was passed^[1], introducing new sections giving the government the power of “interception or monitoring or decryption of any information through any computer resource,” penalizing “offensive messages,” and formally addressing pornography and cyber terrorism. Consequently, the IT Act provides a comprehensive legal framework to tackle vast swaths of online activity.

Subsequent Legislation

OTT Legislation

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a piece of secondary legislation with roots in section 87 of the IT Act. This piece of legislation was geared towards providing guidelines for Over-The-Top (OTT) media platforms^[2] and rules for social media intermediaries with a set of digital ethics. The government described the new rules as a “soft-touch oversight” aimed at dealing with issues like the proliferation of fake news, image morphing, and abuse of social platforms.

CERT-In and VPN Legislation

The IT Act appointed an “Indian Computer Emergency Response Team (CERT-In)”^[3] to serve as a national agency dealing with certain matters of cybersecurity with powers vested in it to both receive data from and direct internet service providers, data centers, and other bodies.

CERT-In posted a national directive in April 2022, requiring all virtual private network companies operating within India to store and maintain customer data — including their names, email addresses, and IP addresses — for a period of at least five years^[4], even in cases where a customer ends their subscription. CERT-In cited national security concerns, with an eye to combatting cybersecurity threats including data breaches, along with assurances that data would only be sought on a case-by-case basis.

Internet Shutdowns

In the last decade, India has enacted the most internet shutdowns of any country in the world^[5]. Between January 2012 and June 2022, India instituted 647 internet blocks. The Government of India also formally codified into law the power to direct telecom service providers to shut down internet services within any region inside India in 2017 due to matters of public safety or emergency^[6]. Prior to this, the Government of India would apply the Indian Telegraph Act of 1885 to direct service providers to stop service.

In 2020, the Supreme Court of India ruled^[7] that access to internet was a fundamental right, also adding that government-enacted internet shutdowns in the region of Jammu and Kashmir were illegal. India’s internet shutdowns have not abated with 100 shutdowns in 2021 alone, including one to curb cheating^[8] in examinations for civil service positions in the state of Rajasthan. Some shutdowns have been contested in court by industry groups opposed to the disruptions in service, with the Supreme Court ordering^[9] the Ministry of Electronics and Information Technology (MEITY) to reveal its criteria for approving shutdowns.

Proposed Legislation

Indian Data Privacy Legislation

India’s Supreme Court ruled, in 2017, that privacy was a fundamental right^[10] for all of its citizens. However, legislation outlining data privacy policies was missing at this time. In 2019, the Personal Data Protection Bill^[11] was introduced in Parliament, seeking to introduce wide-sweeping regulations about the flow and storage of personal data. It included provisions mandating that companies collect user consent for most uses of a person’s data and requiring companies to enact storage of certain forms of sensitive data within the country. It also proposed setting up a new entity, the Data Protection Authority, to make rules and oversee corporate compliance and conflicts.

But the Personal Data Protection Bill was withdrawn^[12] in 2022. The Bill was subject^[13] to multiple amendments and recommendations from a parliamentary panel after its unveiling, with many recommendations “falling outside the scope of a modern digital privacy law.” Citing the increasing complexity, the government withdrew the bill, with the goal of creating a legal framework and present a new bill to describe India’s data privacy policies.

Digital India Act

The proposed Digital India Act, expected to release in early 2023, is slated to replace the IT Act of 2000 to become the preeminent digital law within India. It is expected to introduce a dedicated regulatory body, similar in nature to the Telecom Regulatory Authority of India (TRAI), to oversee internet companies. The government has expressed^[14] a vision of a more principle-based piece of legislation as opposed to being overly prescriptive.

Ethical Concerns

Privacy

While privacy was ruled a fundamental right, the lack of a comprehensive data privacy legal framework after the shelving of the Data Protection Bill has left a legal grey area. Experts have professed an urgent need to enact data privacy legislation to protect the privacy of citizens.

In addition, many pieces of digital law in India lend protections to the Indian Government. The directive from CERT-In mandating VPN providers to maintain and store users’ data for a period of at least 5 years, with the legal obligation to provide the data to the government on request, has concerned experts. In addition, many VPN providers have moved physical operations^[15] out of the country, removing physical servers to prevent undermining their security protocols.

References

1. ↑ Yes, snooping's allowed - Indian Express. Archive. (n.d.). Retrieved January 27, 2023, from http://archive.indianexpress.com/news/yes-snooping-s-allowed/419978/0
2. ↑ Correspondent, S. (2021, February 26). Govt announces new social media rules to curb its misuse. The Hindu. Retrieved January 27, 2023, from https://www.thehindu.com/news/national/govt-announces-new-social-media-rules/article33931290.ece
3. ↑ No. 20(3)/2022-CERT-in Government of India Ministry of Electronics and ... (n.d.). Retrieved January 27, 2023, from https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
4. ↑ Stokel-Walker, C. (2022, May 5). VPN providers threaten to quit India over New Data Law. Wired. Retrieved January 27, 2023, from https://www.wired.com/story/india-vpn-data-law/
5. ↑ Basuroy, T. (2022, June 9). India: Number of internet shutdowns 2022. Statista. Retrieved January 27, 2023, from https://www.statista.com/statistics/1095035/india-number-of-internet-shutdowns/
6. ↑ The Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017. (n.d.). Retrieved January 27, 2023, from https://thc.nic.in/Central%20Governmental%20Rules/Temporary%20Suspension%20Of%20Telecom%20Services%20Rules,%202017.pdf
7. ↑ Bhat, M., & Chandran, R. (2022, September 29). Feature-'living in the stone age': Offline for 18 months in Indian Kashmir. Reuters. Retrieved January 27, 2023, from https://www.reuters.com/article/india-internet-shutdown/feature-living-in-the-stone-age-offline-for-18-months-in-indian-kashmir-idINL8N2YZ245
8. ↑ Pannett, R. (2021, September 29). Indian state shuts down internet for millions to prevent cheating on teachers' exam. The Washington Post. Retrieved January 27, 2023, from https://www.washingtonpost.com/world/2021/09/29/india-exam-cheating-internet-shutdown/
9. ↑ Woollacott, E. (2022, September 26). India's Supreme Court demands clarity on internet shutdowns. Forbes. Retrieved January 27, 2023, from https://www.forbes.com/sites/emmawoollacott/2022/09/13/indias-supreme-court-demands-clarity-on-internet-shutdowns/?sh=77102d7f108e
10. ↑ Home | Supreme Court of India. (n.d.). Retrieved January 27, 2023, from https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
11. ↑ Goel, V. (2019, December 10). On Data Privacy, India charts its own path. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2019/12/10/technology/on-data-privacy-india-charts-its-own-path.html?action=click&module=RelatedLinks&pgtype=Article
12. ↑ Yasir, S., & Singh, K. D. (2022, August 4). India withdraws a proposed law on data protection. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2022/08/04/business/india-data-privacy.html
13. ↑ Singh, M. (2022, August 4). India withdraws personal data bill that alarmed tech giants. TechCrunch. Retrieved January 27, 2023, from https://techcrunch.com/2022/08/03/india-government-to-withdraw-personal-data-protection-bill/
14. ↑ Lele, S. (2023, January 19). Digital India Act to be more principle-based: Mos it Chandrasekhar. Business Standard News. Retrieved January 27, 2023, from https://www.business-standard.com/article/economy-policy/digital-india-act-to-be-less-prescriptive-more-principle-based-mos-it-123011901348_1.html#:~:text=The%20government%20is%20close%20to,Authority%20of%20India%20(TRAI).
15. ↑ Bansal, V. (2022, September 25). VPN providers flee India as a new data law takes hold. WIRED UK. Retrieved January 27, 2023, from https://www.wired.co.uk/article/vpn-firms-flee-india-data-collection-law