It has hardly ever happened that two US political parties have reached an agreement on any legislation, be it immigration or birth right laws. The American Data Privacy and Protection Act is probably the only one that has united Republicans and Democrats in Congress and the Senate. The act is expected to radically alter how data protection and privacy are dealt with in the country.
The US is not the only country that is looking to regulate how big technology giants, like Meta, Alphabet and Amazon among others, operate. Big Tech is undergoing tremendous scrutiny worldwide for anti-competitive and anti-consumer behaviour. The European Union and China are trying aggressively to tame technology companies. The United Nations Conference on Trade and Development estimated that 80% of all countries either already have a privacy and data protection legislation or are in the process of putting it in place.
Different power blocks in the world are developing their own regulation regimes to manage an evolved technocratic world that has emerged in the second decade of this century. National governments are tweaking their laws around information technology to protect national interests while accommodating global tech companies. India has also made strides in creating a regulation regime not just for Big Tech but for smaller technological institutions, businesses and practices as well. Like the European Union or China, which have asserted themselves against their own and global tech companies, India too has created a regulatory mechanism way beyond how it was proposed in the Information Technology Act, 2000, the legislation that has controlled the IT-related businesses, institutions and crime.
Part Tech, Part Politics
In December, Alphabet CEO Sundar Pichai was in India meeting Prime Minister Narendra Modi, minister of electronics and IT Ashwini Vaishnaw and others. Pichai and Vaishnaw met at the Google for India event for a public discussion. Their respective concerns were on full display at the event. Pichai welcomed the legal framework the government is building with caution when he said, “It’s important to make sure you’re putting in safeguards for people, creating a framework so that companies can innovate on top of certainty within the legal framework. India has been an export economy and will benefit from an open and connected internet and getting the balance right is important.”
On the other hand, Vaishnaw explained how differently his task is cut out: “With each change in tech and the quantum jump that happens in the way we live, new challenges are emerging. How do we create a regulatory structure which is in tune with the times and matches India’s needs?” He added that Modi had set “a clear target of creating a comprehensive legal framework” that will define the tech regulation structure in India.
India’s emerging tech regime will stand on three pillars, involving three different pieces of legislation, which Vaishnaw calls “three horizontals”: the proposed data protection bill, which is reported to have been considerably diluted; the forthcoming telecom bill; and, the digital India act that is expected to replace the IT Act, 2000.
Lawyer Shreya Ramann, who is a consultant with law firm Trilegal in its technology, media and telecommunications practice, agrees with Vaishnaw on the need to adapt the tech legal framework to changing realities. She says, “The [digital] boom has been rapid globally and, more so, in India. We had regulations like the IT Act, 2000, which was suited for those times. But since then, regulation has struggled to keep up with the pace of the boom. This is not unique to India. Countries around the world are grappling with how to keep up with this boom.”
The most important of the three pillars is likely to be the digital India act, though data privacy should ideally be at the top of the government’s mind. Rajeev Chandrasekhar, the minister of state for IT, said in November that the draft framework for the new law is advancing fast and should be ready by early 2023.
Social and Compliant Media
Observers expect social media to be a site of contention among the government, the companies and users. Over the years, it has become a highly politicised space, which can mould public opinion for or against the government or political parties. It is not surprising, then, that the proposed digital India act will seek to create legal structures to regulate it.
So far, the government agencies rely on the provisions of the IT Act, 2000, and judicial interventions to extract information and order data removal on social media platforms. Meta, the holding company of Facebook and Instagram brands, periodically releases data about such requests made by government agencies all over the world. India mostly stays at the top of such lists in most years. In November, Meta said in its transparency report for the January–June 2022 period that Indian agencies made the second highest number of requests for data. India was behind only the US with 55,497 requests made on 91,159 users, while the latter made 69,363 requests. It also said that, in India, 51,602 requests were made as part of legal processes, while 3,895 were “emergency disclosure requests”, which are made directly by the government. The story is the same for other social media platforms as well, and this number increases exponentially every year.
The Modi government has shown alacrity in taking the law to the platform. Holding the intermediaries between the users who generate content and the users who consume it responsible has become a defining feature of the tech regulation regime under Modi. The enactment of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, has been the most decisive act on the part of the government to force social media platforms to do its bidding. Ironically, the journey of this law started in courts to counter child pornography, but by the time it reached Parliament, it had become a legal statement on social media.
It is a matter of speculation whether the proposed digital India act will subsume the provisions of the 2021 rules or create a more stringent regime afresh, but a report in The Economic Times suggests that it may contain an out-of-the-box proposal to oversee algorithms used by social media and other internet companies. If Parliament decides to include such a provision in the proposed act, it could be one of the first ones in the world, which could initiate a debate on the copyright law, as algorithms are proprietary codes, and business ethics of fair competition, since opening up the logic of algorithms could give an unfair advantage to competition.
In 2021, the Supreme Court made strong observations in a case involving Ajit Mohan, the then vice president and managing director of Meta India, and the Delhi assembly that could be construed as calling for an oversight on how Facebook manages content on its platform. The Delhi assembly had wanted to quiz Mohan on the role of the social media platform played in fanning riots in Delhi in 2020.
The apex court bench headed by Justice Sanjay Kishan Kaul had observed, “The algorithms select the content based on several factors including social connections, location, and past online activity of the user. These algorithms are often far from objective with biases capable of getting replicated and reinforced. The role played by Facebook is, thus, more active and not as innocuous as is often presented when dealing with third party content.” The court called for social media platforms to be held accountable.
It is not that such debates have not taken place in other countries. Ever since the Cambridge Analytica scandal broke, social media companies have come under pressure to open up to government and civil society scrutiny. The US and the UK legislatures are actively debating such an oversight. It is in this light that Pichai’s insistence on a balance between a national legal framework and export-led connected internet becomes important, since the pressure on opening algorithm is not exclusive to India.
EU or China: The Role Model?
“Artificial intelligence is the future, not only for Russia, but for all humankind,” Russian president Vladimir Putin said in 2017, adding, “Whoever becomes the leader in this sphere will become the ruler of the world.” The lifeline of an artificial intelligence model is, of course, data. In the last decade, data has become an important resource that has the potential to build new world powers, as Putin says, and governments have historically tried to own and control resources. Big tech companies long back discovered the value of data and have used it to build trillion-dollar companies.
India too has woken up to the power that tech companies wield on account of being data miners. It seems to have developed an approach to manage Big Tech which looks more like what the European Union does and less like what China does. The Chinese government has been targeting its techpreneurs for strict compliance and reducing dependence on the US capital. Its most famous entrepreneur and Alibaba Group founder Jack Ma has reportedly fled the country.
The European Union and India under Modi have a similar predicament on Big Tech, since both of them want to be seen as powerful geopolitical units but have no ownership of Big Tech, unlike the US and China, which have their own homegrown entities to manage. The best the European Union and India can do is to put a strong regulation mechanism in place. The relative success of the narratives around data localisation and data sovereignty in large parts of the world, including these two places, is likely to rest on the bargains sovereign governments can drive with the US-led Big Tech.
The Long Arm of Law
Of late, different arms of the government, the judiciary and the constitutional bodies—like Parliamentary panels and the Election Commission of India—have subjected Big Tech to close scrutiny. In August, Parliament’s Standing Committee on Finance questioned the representatives of Big Tech in India, including those of Microsoft, Alphabet, Apple, Amazon and Netflix, on their anti-competitive practices. The panel headed by Lok Sabha member Jayant Sinha reportedly questioned them on the charges of monopoly selling, tweaking algorithms to suit certain sellers and impact of their trade practices on smaller players. Earlier, the same panel had questioned the Indian unicorns like Flipkart, Ola, Zomato, etc.
In October, two months after the Parliamentary panel’s action, the Competition Commission of India (CCI) took on Google twice for allegedly abusing its dominant position in the Android mobile device ecosystem. In one case, the CCI ordered Google to pay a fine of Rs 936 crore for violating fair competition rules on Google Play, the Android app marketplace. In the other case, it imposed a penalty of Rs 1,337.76 crore on the Android operating system. Earlier in February 2018, the CCI had fined Google Rs 136 crore for unfair business practices in online search on a complaint brought forward by Matrimony.com, which was later stayed by the National Company Law Appellate Tribunal (NCLAT).
Google made some noise about how the CCI’s October 2022 orders were “a major setback for Indian consumers and businesses”. However, for weeks it did not legally challenge the orders in NCLAT, and, when it did, it challenged only the one imposed for “unfair business practices in Android devices”. Meanwhile, Pichai received his Padma Bhushan award in San Francisco, flew to India and congratulated Modi for leading technological change in India. He tweeted: “Inspiring to see the rapid pace of technological change under your leadership. Look forward to continuing our strong partnership and supporting India’s G20 presidency to advance an open, connected internet that works for all.”
Clouds of Privacy and Sovereignty
India and China are possibly the only two countries among big nations where digitisation and data generation have grown as exponentially as their population. However, the difference between them, and even the West, is that in India the growth in data generation has been caused by large government interventions and the spurt in social media activity, while in the case of China and the West, it is more widespread across economic segments and largely led by private enterprises. A large part of the Indian digitisation story is about the scale of citizen data about public services and documents. Digital public identification programme like Aadhaar, payments infrastructure like the UPI and the upcoming National Health Stack and the Open Network for Digital Commerce have been created on India stack, which will continue to produce large amount of data in future.
Saurabh Srivastava, founder of the Indian Angel Network and co-founder and former chairman of the National Association of Software and Service Companies, feels that India has the right approach to regulate Big Tech. “China’s regulations are opaque and autocratic. Its rationale is not always logical. Its regulation of Big Tech has been driven by political considerations. Big Tech was becoming a power centre there. India has approached it more rationally. It may be more bureaucratic, but there is a logic and discussions [in it],” he says.
The aggression with which the government wants Big Tech to open data centres in India and subject their India-centric activities to local laws probably comes out of the way India generates data. Though, like other aspects of tech regulation, data regulation and localisation are also global concerns, Big Tech gets uncomfortable with the idea of excessive localisation. In December 2021, Rahul Sharma, president, AWS India & South Asia worldwide public sector, told Outlook Business how data localisation impacts leveraging cloud technology negatively. He said, “Data localisation comes with overheads. Inhibiting cross-border data flow and data sharing can deny access and benefits of the cloud technology, including big data processing, machine learning, etc. to Indian companies.”
The government’s relentless pressure and AWS sensing local opportunity, though, has resulted in AWS opening two big data regions in India, the second of them going live in Hyderabad in November. Similarly, Google launched its second data region in India in the National Capital Region in 2021.
The data economy has evolved over the years, but its regulation has not been handled with utmost care. Big Tech platforms store sensitive user data, from phone records and medical history to financial statements. The government wants to regulate it through the proposed data protection bill, whose many versions seem to have a central theme that certain kind of user data should be stored only in India. The policymakers are reportedly thinking of offering incentives worth up to Rs 15,000 crore under a national policy framework for data centres.
Ramann says that the governments around the world are caught between ensuring user rights to privacy and using “data and technology to maximise public benefit and drive innovation” and exploring multiple regulation regimes. She says, “What is happening now globally is definitely a balancing act. But, different countries are doing different things. Europe has adopted a rights-based approach, but now slowly the government is also saying that we need to use this data. The US, on the other hand, is softer on the market and Big Tech, but there too, there have been anti-trust decisions recently. China is much more protectionist.”
Srivastava does not support the way the European Union is approaching the tech regulation issue. He says that its regulation regime has taken tech innovation back by at least a couple of decades and India could not afford such a thing. He says, “In terms of data protection and privacy, India has done well. The earlier draft that was being considered was probably inspired by the European Union. Had we opted for it, it would have been bad for India. The new draft bill has struck a balance among the needs of various sectors, the country and innovation. We are looking to be an innovation hub. Our approach should be different [from the European Union’s].”
India’s evolving tech regulation—to which Modi wants to impart his nationalist and strongarm imprint but without offending global players—can at best be a balancing act, in which the country is able to extract some concessions from Big Tech but does not take the sovereignty debate as far as China has done while making noises about citizens’ privacy based on the European Union’s General Data Protection Regulation (GDPR).
Ramann explains how India’s approach works. “India is a leader in things like Aadhaar and UPI and at the forefront of creating digital infrastructure. But, it is happening so fast that India is grappling with which way to go. Many versions of the data protection bill have mimicked the GDPR. We also see the China-Russia influence in terms of sovereignty concerns in our data localisation issues,” she says.