Amidst all the furore on the data protection law’s various iterations making their way in and out of the Parliament, a commonly overlooked aspect is the proposed overhaul of the Information Technology Act, 2000 which is reportedly in the works. The existent IT Act predates most modern IT giants, streaming, mobile OS platforms such as Android and iOS, essentials such as Uber and even 3G, 4G and 5G networks. While no draft bills or stakeholder consultation in this regard is available in the public domain, it has been apparent for a while now that the law needs to evolve to keep up with progress in technology.
Minor legislative changes in the recent past have indicated that the Government is taking strides in pushing for adoption of more digital frontiers. For instance, the Central Government in 2022 amended the First Schedule of the IT Act, which specifies documents / transactions excluded from the purview of the law, to delete contracts for sale or conveyance of immoveable property. This has significant implications for digitization of the real estate sector, as real estate transactions can now be carried out through electronic medium. Separately, the Ministry of Electronics & Information Technology (MeitY) was designated as the nodal ministry for regulating online gaming and the government has initiated public consultation for regulations on online gaming intermediaries.
There is a pressing need to facilitate (and also regulate) digitisation of various cyber spaces and technologies, while recognising that the IT Act cannot be a one size fits all solution for modern forms of information technology. After all, a law made before the advent of modern cellular phones may not be best suited to regulate the metaverse, for instance.
The metaverse is not the only new frontier of technology that has to be accounted for by data laws. In the past few years, impressive advancements have been made in the field of blockchain and crypto tokens, and more recently, “Generative AI”, i.e., AI that can produce text and images based on human prompts, with next to no human intervention. ChatGPT, for instance, can converse at a near-human level and draft complex code and documents which would have been unthinkable a mere few years ago. With companies scrambling to put front ends on such software and disrupt the market, lawyers must consider the legal implications of all such technology. The IP implications, for instance, on intellectual ownership of AI-generated art trained on original artwork, has already ignited serious debate.
Similarly, in an age of machine learning and neural networks trained on unfathomable volumes of data, much of which could be personal or sensitive personal data, lawmakers will have to proactively chart a roadmap for legislative amendments, which strike a balance between regulation of new technology and allowing innovation in unconventional forms. Elon Musk’s Neuralink claims to implant a controllable chip in human brains by the end of the decade, promising a revolution in biomechanics that could fix problems such as blindness and paralysis. Regardless of if and when any such technology comes to fruition, the legal framework must not be caught lacking.
If the Government’s comments to media are to be believed, 2023 may be the most significant year for tech laws in India since 2000. We may see the IT Act replaced by a Digital India Act and a Digital Personal Data Act being passed into existence. There may also be additional clarity on the contentious 2022 CERT-In Directions, and introduction of specific regulations for online gaming, hopefully accompanying various other legislative and regulatory changes. Lacunae in some of these are inevitable, and to be expected, given the breadth of revision of existing laws and the introduction of various new ones.While global discourse in this arena has, for the past decade, been shaped by the GDPR, there is growing consensus that the GDPR may be too restrictive amidst calls for increased flexibility in the law. India therefore has an opportunity to set a global benchmark in data and technology laws. However, existing legislations do not share a coherent underlying base – for instance, the Digital Personal Data Protection Bill, which cuts out non-personal data and various other provisions is in stark contrast to the CERT-In Directions of 2022 which impose additional compliance requirements on all entities. It would therefore be prudent for the Government to make this a largely dialectical process and accommodate drivers of innovation and change, facilitating data flows and commercialisation of technology, while also ensuring that the rights of citizens are protected.
Given the multi-fold increase in the CERT-In’s role and operations, the government, in the upcoming annual budget, is likely to increase the budgetary allocation to the agency as well as to ministries and authorities that enable or regulate tech and IT, such as the MeitY. Similarly, for proposed bodies such as the Data Protection Board under the draft Digital Personal Data Protection Bill, there will have to be specific allocation to fund its various proposed functions and powers. The dedicated budgetary allocation for Digital India project is likely to continue along with a push for digitisation of records and consolidations of portals and processes.
In a nutshell, the Government should focus on an enabling law, that promotes and incentivizes innovation, experimentation and growth and not make laws that simply act as extended compliance checklists. In doing so, we can set the course and define the information technology landscape for the next decade and beyond. This should be backed with adequate infrastructure support and the budget to empower regulators and state level agencies.
Rupinder Malik is Partner and Sriram SL is Senior Associate, JSA.