Update the IT Act 2000: India needs a reboot!

Tl;dr

The Information Technology Act, 2000 serves as the de facto framework for digital governance in India. However, it is far removed from the modern technological realities and necessitates a reboot to reassess the social impacts of digitisation and to make sure that the governance framework is based on rule of law and protects the fundamental rights of the people. We wrote to the Parliamentary Standing Committee urging them to include the revision of the IT Act in its agenda for the upcoming parliamentary session.

Background

Conceived as legislation to regulate the paradigm shift in the IT ecosystem, the Information Technology Act, 2000 (IT Act) oversees almost every facet of online activities. Yet, the rapid transformation of the digital space in recent times has rendered even this legislation inadequate and inappropriate on several counts. In January 2021, we came across reports which highlighted the Government’s plans to update the IT Act. On February 3rd, an answer to a Lok Sabha question stated that “MeitY has initiated work on amendment to the Information Technology Act, 2000 which, inter alia, includes strengthening the provisions for intermediaries for making them more responsive and accountable to Indian users.” Furthermore, in response to our RTI application, the Ministry of Electronics and Information Technology (MeitY) informed us that discussions with relevant stakeholders have begun regarding revamping the Act. On this basis, we wrote to MeitY on 16th February, emphasizing how the overarching framework of the Act required significant updating in light of several policy and legal developments that have taken place since its enactment, and recommended that extensive public consultations be held to usher in the necessary changes.

Since then, this issue seems to have gone under the radar. However, as Parliament returns to session and Parliamentary committees return to full functioning, we believe this is an apt time to once again consider potential pathways for the future of the IT Act. 21 years ago, the Act was promulgated to govern e-commerce in India and define penalties therein. However, in the milieu of burgeoning social media platforms, and in light of the dynamic complications that come with the exponential growth in technology, the current regulatory framework falls short. Such complications include the collection of personal data, the right to privacy of users, freedom of speech and expression, and surveillance of citizens.

Hence, while the Act is currently the primary facilitator in terms of the law on e-commerce and e-governance, tailoring the Act to also address human rights issues with technology would be welcome. Without a rights-friendly approach to the IT Act, it is possible neither to achieve the distant dream of reasonable e-governance nor to create an effective legal mechanism to safeguard the fundamental rights of citizens in the digital age.

Thus, this may be an opportune time for the Parliamentary Standing Committee to take up the task of considering updates to the IT Act in order to enable the Act to be an effective enactment in the contemporary context. Since the Act was last amended in 2008, the ubiquity and intricacies of technology have grown exponentially. Subsequent amendments and corresponding Rules have largely failed to respond to such changes appropriately, resulting in either excessive restrictions on free speech and mass surveillance or inadequate regulations against cybercrimes like data breaches, disinformation or malware attacks.

Here, we highlight some of the main issues with the Act and draw attention to some of the key areas that require a ‘reboot’.

Outdated provisions which fail to safeguard the right to privacy of the people

The ever-expanding scope of technology, with the advent of artificial intelligence (AI) and machine learning, has made it expedient for the regulatory framework to be more specific and effective, something a 21-year-old legislation is unable to adequately capture. Not only do the provisions lack a defined data storage policy, but the metric for data retention also does not adhere to the principles of data minimisation and purpose limitation.

Further, section 76 facilitates confiscation of an impugned computer resource by the authorities without delineating safeguards against any potential loss or tampering of data, further enhancing the risks of data breach and false implications. Even the penal framework defined under sections 65 and 66 is limited to the tampering of “computer source code” and proves to be an inadequate defence against AI-fuelled attacks, as was evident in the 2019 Pegasus software attack. This magnifies the threat to the right to privacy as envisioned by the honourable Supreme Court in the KS Puttaswamy v. Union of India (2019) 1 SCC 1 judgment.

Vague and arbitrary provisions which lead to a chilling effect on free speech

The regulatory framework of the IT Act suffers from vagueness and is susceptible to engendering excessive restrictions on the freedom of speech and expression. In the context of the emergent and expansive uses of social media platforms, arbitrary regulations can exert a chilling effect on the freedom of speech and expression. Be it the power to retain the information or intercept the data to trace the originator under section 7 or the obligation to provide access to computer data to the authorities under section 29, ambiguous vocabulary like “reasonable cause” or “satisfaction of the controller” creates an overreach of state censorship and promotes mass surveillance.

Moreover, sections 69 and 69A empower the authorities to intercept computer resources and issue blocking orders to network providers in the “interest of sovereignty and integrity of India”. These categories are overbroad and fail to strike a proper balance between the freedom of speech and proportional social control. Similarly, under section 79, network providers stand to lose their ‘safe harbour’ on failing to conduct “due diligence” or to remove “unlawful” content. Here again, the provisions preclude a conclusive understanding of such requirements and foster unwarranted restrictions on fundamental rights, as is evident from the recent bans on social media accounts. This largely defies the observations of the honourable Supreme Court in Shreya Singhal v. Union of India (2015) 5 SCC 1 and undermines the Santa Clara Principles.

Inadequate measures for data breaches

Another significant concern is the increasing number of data breaches that have plagued the country. The average data breach in India in 2020 cost Rs 14 crore, an increase of 9.4% from 2019. The per-unit data cost increased by 10% to Rs 5,522. The report also noted that the average time to detect a breach went up from 221 days to 230 days, and the average time to contain one from 77 to 83 days. This indicates a significant amount of information and data loss for users.

Existing mechanisms under the IT Act may be inadequate. For example, section 43A of the Act only provides compensation to users for negligent handling of sensitive personal data (and so not in the case of a breach of personal data). The use of such a narrow metric precludes any compensation for the vast amounts of data (such as a home address, passport details, etc.) that have been leaked. Furthermore, no proactive measures for ensuring the security of data have been specified.

Recommendations

The IT Act serves as the de facto framework for digital governance in India. However, the fact of the matter is that it was enacted in 2000. For context, only 0.5% of the population (around 55 lakh people at that time) actually used the internet in 2000. BSNL was also incorporated 4 months after the passing of the Act. Clearly, there is a dire need to update the Act to reflect policy and legal developments as well as modern technological realities.

In addition, it is necessary to provide statutory measures for data security through the IT Act, 2000. A framework for determining liability and penalties with respect to data breaches and statutory measures for data security is recommended. This may be complemented by strengthening the powers of the Indian Computer Emergency Response Team to ensure proactive action against data breaches.

As we have detailed above, such an endeavour is of paramount importance and requires great scrutiny. It would involve examining the Act from multifarious perspectives and with respect to various issues, while ensuring that any forthcoming governance framework is constituted within the rule of law and duly safeguards the fundamental rights of the people. Given that the Parliamentary Standing Committee on Information Technology has expertise in the matters of digital technology (especially its governance), we believe it is important that the Committee take up this issue for consideration and add it to its agenda (the present list of subjects does not include a discussion on the IT Act).

Important Documents

  1. IFF’s letter to the Parliamentary Standing Committee on Information Technology regarding ‘Updating the Information Technology Act, 2000 as a probable issue for consideration’ (link)
  2. Previous blogpost ‘The Times Are A-Changing: Ensuring IT Act amendments are progressive’ dated 16th February, 2021 (link)
  3. IFF’s letter to the Parliamentary Standing Committee on Information Technology regarding ‘Potential amendments to the Information Technology Act, 2000’ (link)
  4. Response to RTI request to MeitY, dated February 4th, 2021 (link)

We were assisted in the drafting of this blogpost by Deepika Nandagudi Srinivasa who is a fourth-year law student at the National Law University and Judicial Academy, Assam.