Revising the Information Technology Act, 2000

by Rishab Bailey, Vrinda Bhandari, Renuka Sane and Karthik Suresh.

The Information Technology Act, 2000 (‘IT Act’) is a comprehensive law enacted to build trust in the digital ecosystem by regulating e-commerce, e-filing of documents, and by creating criminal offences applicable to the digital ecosystem. Despite amendments in 2009, it is widely considered that the IT Act is outdated, not least due to the proliferation of the Internet and a range of new technologies (e.g. Bahl, Rahman and Bailey 2020; Nappinai 2017; Nigam et al 2020). Recently, the government has proposed replacing the IT Act with a new legislation known as the ‘Digital India Act’.

In a new report, Revisiting the Information Technology Act, 2000, we attempt to contribute to the process of revision of the IT Act, by examining four critical issues pertaining to the online ecosystem. These are:

1. Censorship: The provisions in the IT Act pertaining to censorship and blocking were framed in an era when the digital ecosystem was not as pervasive as today and before the use of social media platforms exploded. The provisions in the IT Act that empower the government to block content from public access are largely based on Article 19(2) of the Constitution. However, the institutional framework for carrying out blocking suffers from significant lacunae, including a lack of accountability of the relevant oversight institutions. We recommend that appropriate procedural safeguards be introduced through statute, to ensure greater transparency and neutrality in the blocking processes.
2. Intermediary liability: The IT Act protects intermediaries from prosecution for content posted or transmitted by third parties upon the following three conditions: (a) that they act as passive agents (or distributors) of content, (b) they disable access to unlawful content upon receiving ‘actual knowledge’ thereof, and (c) they observe ‘due diligence’ conditions laid down by the government. The ‘safe harbour” provision was introduced at a time when the digital ecosystem was still nascent. The variety of online harms that have since proliferated raise questions about whether such a system is required. We find that there is value in retaining a safe harbour for intermediaries in contexts where they have played a passive role in the ecosystem. Removing safe harbour is likely to incentivise greater private censorship, a role that intermediaries are not well positioned to undertake. However, this does not mean that intermediaries should not be responsible for ensuring the safety of the digital ecosystem. Any further obligations (such as greater transparency, the introduction of grievance redress mechanisms, etc.) ought to be implemented outside the safe harbour framework and certainly not as part of amorphous ‘due diligence’ obligations. We point to how new intermediary rules introduced in 2021 and 2022 have imposed a variety of new and onerous obligations on intermediaries. Many of these obligations, such as the obligation to enable traceability of the originator of information on messaging platforms and the obligation or the need to practically police a host of proscribed content, should be done away with. Any new obligations must be introduced based on evidence of harm in a proportionate manner.
3. Surveillance: The current framework pertaining to interception and monitoring of digital communications was established before the seminal decision of the Supreme Court in Justice K Puttaswamy vs. Union of India which recognized privacy as a fundamental right. Our report builds on the literature on surveillance reform in India to suggest that significant revision is required in our legal framework. Currently, the executive is provided extremely broad powers with insufficient safeguards to mitigate abuse. Certain surveillance programs such as the Centralised Monitoring System are per se disproportionate as they conduct mass surveillance. Our primary recommendation is therefore to enact a new stand-alone surveillance-related legislation, which could harmonise surveillance processes while ensuring that appropriate procedural and institutional safeguards are implemented. In the alternative, the revised IT Act should narrow the scope of powers given to the executive, while also implementing workable oversight and accountability mechanisms, not least ensuring judicial review, legislative oversight, and greater accountability of relevant bodies involved in the surveillance apparatus.
4. Cybersecurity: While the IT Act lays down various offences pertaining to cybersecurity that are broadly in accordance with international standards, we find that there is a significant need for reform of the institutional mechanisms that manage incident reporting and response. We recommend that the revised IT Act clarify the role and powers of CERT-in and NCIIPC — the two primar cybersecurity-related agencies in India. In particular, their rule-making powers should be clarified/limited. The law should also avoid duplicating functions of each agency while limiting incident reporting requirements to large and systemically important systems and entities — this avoids imposing disproportionate costs.

As we move towards an economy that is ever more dependent on the digital ecosystem, it is vital that the law promotes trust in the online ecosystem. This involves finding an appropriate balance between a range of competing interests — national security and public order, the need to protect fundamental rights, and the need to promote innovation in and development of the digital ecosystem. Finding such a balance will require the government to take a considered stance on several thorny issues. Carrying out detailed and inclusive consultations will also be a vital part of the process towards establishing the digital ecosystem on a sound legal footing.

References

Varun Sen Bahl, Faiza Rahman and Rishab Bailey, Internet intermediaries and online harms: Regulatory Responses in India, Data Governance Network Working Paper no. 6, March 2020.

N S Napinnai, Cyber security and challenges: Why India needs to change IT Act, February 2017.

Aniruddh Nigam, Kadambari Agarwal, Trishi Jindal, Jaai Vipra, Primer for an Information Technology Framework Law, Vidhi Center for Legal Policy, September 2020.

Rishab Bailey, Vrinda Bhandari, Renuka Sane, Karthik Suresh, Revisiting the Information Technology Act, 2000, XKDR Forum, March 2023.

Rishab Bailey and Karthik Suresh are researchers at XKDR Forum. Vrinda Bhandari is a practising advocate. Renuka Sane is a researcher at TrustBridge.