Internet Regulation in India

From SI410
Revision as of 21:51, 2 February 2023 by Sidpar (Talk | contribs) (Adding more content describing ethical concerns)

Jump to: navigation, search

Internet Regulation in India pertains to the passage of laws, both at the national and the state level, to regulate and control internet activity inside India. This includes definitions of cybercrimes, rules governing content on social media platforms, national security considerations, and data storage regulations on servers hosted inside the country.

India was home to more than 749 million internet users in 2020[1], with that number projected to double by 2040. The incredible large-scale internet operations within the country consequently face many challenges, including an increase in cybercrime occurrences [2], that require ample legislation to both define rules and rights for citizens.

As a result, governments at the federal level have drawn up numerous laws to provide frameworks to contextualize discourse around digital rights, national security, and privacy. Some of the laws have stringent compliance requirements for private sector operators, however, the government itself is not subject to many of the same oversight requirements. This has raised certain ethical concerns relating to governmental surveillance and internet freedoms.


Background

Information Technology Act

The Information Technology Act (IT Act) of 2000 established the Government of India’s primary rules on cybercrime and electronic commerce. In the wake of the 26/11 Mumbai terrorist attacks, a substantial amendment to the law was passed[3], introducing new sections giving the government the power of “interception or monitoring or decryption of any information through any computer resource,” penalizing “offensive messages,” and formally addressing pornography and cyber terrorism. Consequently, the IT Act provides a comprehensive legal framework to tackle vast swaths of online activity.

Subsequent Legislation

OTT Legislation

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 is a piece of secondary legislation with roots in section 87 of the IT Act. This piece of legislation was geared towards providing guidelines for Over-The-Top (OTT) media platforms[4] and rules for social media intermediaries with a set of digital ethics. The government described the new rules as a “soft-touch oversight” aimed at dealing with issues like the proliferation of fake news, image morphing, and abuse of social platforms.

CERT-In and VPN Legislation

The IT Act appointed an “Indian Computer Emergency Response Team (CERT-In)”[5] to serve as a national agency dealing with certain matters of cybersecurity with powers vested in it to both receive data from and direct internet service providers, data centers, and other bodies.

CERT-In posted a national directive in April 2022, requiring all virtual private network companies operating within India to store and maintain customer data — including their names, email addresses, and IP addresses — for a period of at least five years[6], even in cases where a customer ends their subscription. CERT-In cited national security concerns, with an eye to combatting cybersecurity threats including data breaches, along with assurances that data would only be sought on a case-by-case basis. Additionally, enforcement[7] of data collection requirements is to be done based on provider compliance when faced with an information request issued by the government.

Internet Shutdowns

Number of Internet Shutdowns in India from Jan. 2012 – Jun. 2022 [8]

In the last decade, India has enacted the most internet shutdowns of any country in the world. Between January 2012 and June 2022, India instituted 647 internet blocks. The Government of India also formally codified into law the power to direct telecom service providers to shut down internet services within any region inside India in 2017 due to matters of public safety or emergency[9]. Prior to this, the Government of India would apply the Indian Telegraph Act of 1885 to direct service providers to stop service.

In 2020, the Supreme Court of India ruled[10] that access to internet was a fundamental right, also adding that government-enacted internet shutdowns in the region of Jammu and Kashmir were illegal. India’s internet shutdowns have not abated with 100 shutdowns in 2021 alone, including one to curb cheating[11] in examinations for civil service positions in the state of Rajasthan. Some shutdowns have been contested in court by industry groups opposed to the disruptions in service, with the Supreme Court ordering[12] the Ministry of Electronics and Information Technology (MEITY) to reveal its criteria for approving shutdowns.

Proposed Legislation

Indian Data Privacy Legislation

India’s Supreme Court ruled, in 2017, that privacy was a fundamental right[13] for all of its citizens. However, legislation outlining data privacy policies was missing at this time. In 2019, the Personal Data Protection Bill[14] was introduced in Parliament, seeking to introduce wide-sweeping regulations about the flow and storage of personal data. It included provisions mandating that companies collect user consent for most uses of a person’s data and requiring companies to enact storage of certain forms of sensitive data within the country. It also proposed setting up a new entity, the Data Protection Authority, to make rules and oversee corporate compliance and conflicts.

But the Personal Data Protection Bill was withdrawn[15] in 2022. The Bill was subject[16] to multiple amendments and recommendations from a parliamentary panel after its unveiling, with many recommendations “falling outside the scope of a modern digital privacy law.” Citing the increasing complexity, the government withdrew the bill, with the goal of creating a legal framework and present a new bill to describe India’s data privacy policies.

Digital India Act

The proposed Digital India Act, expected to release in early 2023, is slated to replace the IT Act of 2000 to become the preeminent digital law within India. It is expected to introduce a dedicated regulatory body, similar in nature to the Telecom Regulatory Authority of India (TRAI), to oversee internet companies. The government has expressed[17] a vision of a more principle-based piece of legislation as opposed to being overly prescriptive.

Ethical Concerns

Privacy

While privacy was ruled a fundamental right, the lack of a comprehensive data privacy legal framework after the shelving of the Data Protection Bill has left a legal grey area. Experts have professed an urgent need to enact data privacy legislation to protect the privacy of citizens.

In addition, many pieces of digital law in India lend protection to the Indian Government. The directive from CERT-In mandating VPN providers to maintain and store users’ data for a period of at least 5 years, with the legal obligation to provide the data to the government on request, has concerned experts. In addition, many VPN providers have moved physical operations[18] out of the country, removing physical servers to prevent undermining their security protocols. However, the data collection requirements go beyond[19] VPN providers — affecting all cloud service providers operating servers within India.

In the case of the VPN legislation, the government has stated that it wouldn’t infringe on its citizens’ privacy, assuring the use of their authority only on a “case-by-case basis” in matters concerning security. However, critics of the new policy cite the Indian government’s history of surveillance, including revelations that it used Pegasus spyware [20] to snoop on journalists, activists, and opposition politicians, as a cause for concern, especially with increased legal authority.

This poses ethical concerns about user privacy and governmental surveillance. On the one hand, increases in cybercrime incidences in recent years and an increasingly vocal need for data localization for more streamlined law enforcement operations and preventing foreign surveillance are cited as justifications for the legislative direction. On another, the elevation of privacy to be a fundamental right and growing suspicion over governmental surveillance poses a need to balance the current powers of the state.

References

  1. Basuroy, T. (2022, July 27). India: Number of internet users 2040. Statista. Retrieved February 2, 2023, from https://www.statista.com/statistics/255146/number-of-internet-users-in-india/
  2. Basuroy, T. (2022, October 13). India: Number of cyber crimes 2021. Statista. Retrieved February 2, 2023, from https://www.statista.com/statistics/309435/india-cyber-crime-it-act/
  3. Yes, snooping's allowed - Indian Express. Archive. (n.d.). Retrieved January 27, 2023, from http://archive.indianexpress.com/news/yes-snooping-s-allowed/419978/0
  4. Correspondent, S. (2021, February 26). Govt announces new social media rules to curb its misuse. The Hindu. Retrieved January 27, 2023, from https://www.thehindu.com/news/national/govt-announces-new-social-media-rules/article33931290.ece
  5. No. 20(3)/2022-CERT-in Government of India Ministry of Electronics and ... (n.d.). Retrieved January 27, 2023, from https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
  6. Stokel-Walker, C. (2022, May 5). VPN providers threaten to quit India over New Data Law. Wired. Retrieved January 27, 2023, from https://www.wired.com/story/india-vpn-data-law/
  7. VPN service providers to be held liable if violated CERT-in directives: Official. Hindustan Times. (2022, June 25). Retrieved February 2, 2023, from https://www.hindustantimes.com/india-news/vpn-service-providers-to-be-held-liable-if-violated-cert-in-directives-official-101656182734752.html
  8. Basuroy, T. (2022, June 9). India: Number of internet shutdowns 2022. Statista. Retrieved January 27, 2023, from https://www.statista.com/statistics/1095035/india-number-of-internet-shutdowns/
  9. The Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules, 2017. (n.d.). Retrieved January 27, 2023, from https://thc.nic.in/Central%20Governmental%20Rules/Temporary%20Suspension%20Of%20Telecom%20Services%20Rules,%202017.pdf
  10. Bhat, M., & Chandran, R. (2022, September 29). Feature-'living in the stone age': Offline for 18 months in Indian Kashmir. Reuters. Retrieved January 27, 2023, from https://www.reuters.com/article/india-internet-shutdown/feature-living-in-the-stone-age-offline-for-18-months-in-indian-kashmir-idINL8N2YZ245
  11. Pannett, R. (2021, September 29). Indian state shuts down internet for millions to prevent cheating on teachers' exam. The Washington Post. Retrieved January 27, 2023, from https://www.washingtonpost.com/world/2021/09/29/india-exam-cheating-internet-shutdown/
  12. Woollacott, E. (2022, September 26). India's Supreme Court demands clarity on internet shutdowns. Forbes. Retrieved January 27, 2023, from https://www.forbes.com/sites/emmawoollacott/2022/09/13/indias-supreme-court-demands-clarity-on-internet-shutdowns/?sh=77102d7f108e
  13. Home | Supreme Court of India. (n.d.). Retrieved January 27, 2023, from https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_26-Sep-2018.pdf
  14. Goel, V. (2019, December 10). On Data Privacy, India charts its own path. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2019/12/10/technology/on-data-privacy-india-charts-its-own-path.html?action=click&module=RelatedLinks&pgtype=Article
  15. Yasir, S., & Singh, K. D. (2022, August 4). India withdraws a proposed law on data protection. The New York Times. Retrieved January 27, 2023, from https://www.nytimes.com/2022/08/04/business/india-data-privacy.html
  16. Singh, M. (2022, August 4). India withdraws personal data bill that alarmed tech giants. TechCrunch. Retrieved January 27, 2023, from https://techcrunch.com/2022/08/03/india-government-to-withdraw-personal-data-protection-bill/
  17. Lele, S. (2023, January 19). Digital India Act to be more principle-based: Mos it Chandrasekhar. Business Standard News. Retrieved January 27, 2023, from https://www.business-standard.com/article/economy-policy/digital-india-act-to-be-less-prescriptive-more-principle-based-mos-it-123011901348_1.html#:~:text=The%20government%20is%20close%20to,Authority%20of%20India%20(TRAI).
  18. Bansal, V. (2022, September 25). VPN providers flee India as a new data law takes hold. WIRED UK. Retrieved January 27, 2023, from https://www.wired.co.uk/article/vpn-firms-flee-india-data-collection-law
  19. Watts, R. (2022, September 8). VPN shutdowns in India: How new laws can affect your privacy. Forbes. Retrieved January 27, 2023, from https://www.forbes.com/advisor/business/software/vpn-shutdowns-in-india/
  20. Pegasus project: 174 individuals revealed by the Wire on snoop list so far. The Wire. (2021, August 4). Retrieved February 2, 2023, from https://thewire.in/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance
Retrieved from "http://si410wiki.sites.uofmhosting.net/index.php?title=Internet_Regulation_in_India&oldid=113783"