The draft of the Digital India Bill is set to undergo public consultation this month. 

The need for a new regulatory landscape arises from India’s digital revolution—which has rendered the current regulation outdated. The existing IT Act has limitations in terms of recognising electronic records, transactions, and electronic signatures. While the internet, devices, and information technology have empowered citizens, they have also brought challenges such as user harm, ambiguity in user rights, security concerns, women and child safety issues, information wars, radicalisation, hate speech circulation, misinformation, fake news, and unfair trade practices.

In response to the evolving nature of cybercrime, the new bill may introduce provisions for criminal offenses, including possession and distribution of child sexual abuse material, improper use of government-issued identity cards, and misinformation. The goal is to establish clear guidelines and deterrence measures for such cases. Instead of making amendments, the Digital India Act seeks to replace the outdated Information Technology Act, 2000 in its entirety.

Here’s what you can expect:

Data Privacy & Data Localisation

The local ecosystem also has certain expectations and tussles over certain sections of the Act, like data localisation. India’s largest telecommunication companies, Reliance Jio and Bharti Airtel, along with digital payments major Paytm, had opposed the government’s proposal to allow the transfer of personal data of Indians to “trusted geographies.” arguing that Indian user data should be stored within the country rather than being transferred abroad. 

The disagreement arose after the government put out the draft of the Digital Personal Data Protection Bill, 2022, which introduced the concept of “trusted geographies” where personal data may be transferred from India. 

They raised concerns about law enforcement agencies accessing Indian citizens’ data processed overseas, citing risks of data breaches and misuse. 

The government, however, supports cross-border data flow for user choice and diversity and aims to protect privacy rights and create a less compliance-intensive environment for startups.The government’s objective is to safeguard privacy rights by implementing the Digital Personal Data Protection Bill and establish trust corridors with other countries. No country blacklist will be created, and economic groupings like OECD or ASEAN will determine trusted geographies. The government seeks a balance between privacy, economic growth, and global technological advancements.

MoS, Chandrasekhar also encouraged data centers to view cross-border data flow from a broader perspective, suggesting that if India becomes a trusted location for data storage, it will attract expansion of the Indian cloud and data center businesses.

In contrast to its move for extreme data localisation a few years ago, as it blocked several apps.

A New Framework for AI Policy 

During the consultation in Mumbai, a stakeholder expressed the need for model clauses or a separate law to regulate AI, highlighting that a code of ethics alone would not be sufficient for India given its rapid advancements in the field. The stakeholder suggested the adoption of something similar to the standard contractual clauses in the GDPR. This is important due to concerns surrounding deep fakes, misinformation, and the potential impact on innovation if the government eliminates safe harbor provisions without clear AI regulations. 

Despite the government’s reluctance to address AI regulation during the consultation, stakeholders are eagerly awaiting the draft Bill expected to be released soon. In response to the query, Union Minister Chandrasekhar mentioned that the Digital India Act includes a dedicated chapter focusing on emerging technologies, including AI.

The DIA presentation put out by Meity also suggested that the upcoming Act recognises the importance of regulating artificial intelligence due to its widespread use in critical sectors such as healthcare, banking, and aviation. It proposes to subject AI development and deployment to rigorous requirements, which may impact the regulation and safeguarding of emerging technologies like machine learning, Web 3.0, wearable technology, autonomous systems, blockchain, and virtual reality.

In June, MoS Chandrasekhar stated that the Draft DIA aims to regulate these emerging technologies. The act seeks to protect digital citizens and harmonise laws in India. 

“Our approach towards AI regulation is fairly simple. We will regulate AI as we will regulate Web3 or any emerging technologies to ensure that they do not harm digital nagriks (citizens),” Chandrasekhar said

However, drafting an effective AI policy poses several challenges. According to Mariagrazia Squicciarini, the Chief of Executive Office and Director of AI at UNESCO, one challenge is the different terminology used by companies implementing AI, which makes it difficult to translate into policy language. Additionally, implementing AI policies requires coordination across different government departments, which often operate in silos. Coordinating and aligning the efforts of multiple ministries can be complex and time-consuming.

To address these challenges, Squicciarini suggests leveraging existing initiatives and sharing best practices rather than reinventing the wheel. Collaboration among countries within the same region can be particularly beneficial, as they often share commonalities. By learning from one another and sharing experiences, countries can save time, reduce costs, and enhance the efficiency of their AI policy implementation.

Furthermore, Squicciarini believes that involving younger generations is crucial. The increasing demand for solutions from young people and their active participation in initiatives, including ethical considerations of AI, can bring valuable perspectives to the table. 

It will be interesting to see how the new Digital India Act would address and tackle the issues arising from the rapidly changing digital landscape and foster growth.

Industry Consultation:

The draft of the new Digital India Act (DIA) was delayed to gather feedback and address various issues, including fact-checking, misinformation, and establishing a comprehensive framework for emerging technologies. Previous consultations during the pre-drafting stage led to provisions targeting the influence of Big Tech companies like Google, Apple, and Meta to prevent potential misuse of market dominance. The Ministry of Electronics and Information Technology is considering implementing strict “no-go areas” for companies using AI and machine learning, particularly in consumer-facing businesses. These areas would protect users from potential harm and ensure companies inform users about data usage and processing through proprietary algorithms, with violations attracting severe penalties. The proposed regulations also aim to require companies to disclose their data processing practices.

The government’s efforts align with GDPR regulations, which require user consent for data processing, anonymisation of collected data to protect privacy, data breach notifications, and secure data transfer across borders. However, concerns have been raised about certain aspects of the rules that may infringe on user privacy and contradict the principle of “data minimisation” outlined in the data protection law.

The government’s proposal to retain user information for 180 days, even after account deletion, has also drawn criticism. In response, experts like Gurshabad Grover have expressed concerns about potential privacy violations. 

The government intends to address these concerns by passing the Digital Personal Data Protection Bill alongside the DIA, which aims to provide solutions and establish a balance between individuals’ right to protect their personal data and lawful data processing. This approach draws comparisons to the EU’s GDPR and has been recommended by experts like Squicciarini, who emphasised the need for a harmonised policy that can have a global impact.