Digital India Act: Unravelling regulatory tangles in e-commerce space

Ambitious proposal for an overarching Digital India Act that aims to improve ease of doing business for rapidly expanding sector likely to face challenges of overlapping ministerial responsibilities

There are 11 sets of laws and rules hovering over the information technology business landscape in India, excluding media laws. Together they can be maddening for the fast-growing business of e-commerce, which is why Minister of State for Information Technology Rajeev Chandrashekhar has proposed combining them into one, the Digital India Act (DIA).

In a presentation to the stakeholders on March 24, the minister suggested that once this law was in place, DIA would be part of a four-pillar landscape of which the other three will be the Indian Telecommunication Bill, the Digital Personal Data Protection Bill and the National Data Governance Framework Policy.

The DIA will be a sort of overarching framework. The telecom and data protection Bills were put up as drafts in 2022, and DIA is expected to come out as a draft this year. The draft telecom Bill is expected to update and amalgamate three ancient Acts — the Indian Telegraph Act of 1885, the Indian Wireless Telegraphy Act of 1933 and finally the Telegraph Wires (Unlawful Possession) Act of 1950.

To understand why India needs a harmonised regulatory framework, consider the plight of e-commerce companies. The nearly dozen Acts and laws have often run at cross purposes. For instance, there are two sets of rules, both issued in 2009, that govern the procedure and safeguards for internet data. One of them instructs companies on the rules regarding decryption, the other on collecting internet data. They are unwieldy for any business aspiring to be nimble as any e-commerce outfit has to be.

Complicating this is the fact that e-commerce is guarded zealously by the Ministry of Commerce and Industry under Piyush Goyal. As an example, the action taken by the government on the report of the standing committee of commerce on e-commerce (issued in March) shows that most of the ministry’s attention focuses on tax and e-commerce companies’ ongoing turf war with brick-and-mortar retailers. Yet the IT minister may find himself stymied if he tries to expand the ambit of DIA to cover this sector because e-commerce companies are classified as intermediaries like telecom service providers, or gaming platforms or ISPs (internet service providers). Each has claimed a safe harbour provision to protect themselves from charges of what sort of content they allow on their space, much of which is user-generated. The regulatory regime for them will have to be aligned, cutting across ministries. The Bharatiya Janata Party-led government under Prime Minister Vajpayee had proposed an e-commerce Act in 1998 that came to nothing.

The e-commerce regime

• Information Technology Act, 2000
• IT (Amendment) Act, 2008
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Direction 20(3)/2022-CERT-In Consumer Protection Act, 2019 (CPA) and Consumer Protection (E-Commerce) Rules, 2020
• Information Technology (Certifying Authorities) Rules, 2000
• Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015
• Information Technology (The Indian Computer Emergency Response Team and the Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules)
• Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009
• Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
• Notification S.O.1581(E) dated 26.4.16 regarding authorisation of CERT-In to monitor and collect traffic data or information in any computer resources under Section 69B of the Information Technology Act, 2000
• Notification 993(E) dated 11.12.2015 regarding declaration of UIDAI-CIDR critical information under Section 70A of IT Act

Now after more than two decades, Chandrashekhar has said he means to introduce a light-touch regulatory framework. His aim is to drive “an open internet which presents choice to consumers, promotes competition among digital players, furthers online diversity, facilitates fair market access for start-ups and new entities, and extends ease of doing business and compliance”. He said this will be possible if the DIA clauses “standardise cyber laws and bring Indian regulatory framework at par with the global standards”.

The problem here is that regulators are created by Parliament to operate in tandem with the respective ministries — the National Health Authority, the Central Electricity Regulatory Commission or the Securities and Exchange Board of India, being examples. Regulators with overlapping ambit are rare, except one like the Competition Commission of India (CCI). The congruence in the digital space is, however, likely to bring overlapping responsibility.

At present, the telecom sector is mostly under Telecom Regulatory Authority of India, and for the internet there are a slew of regulators including a proposed Data Protection Authority under the Ministry of Electronics and Information Technology. For e-commerce companies other than the Ministry of Commerce and Industry, there is CCI and payment issues around the e-commerce space are guarded by the Reserve Bank of India.

This is where harmonising the regulatory frameworks will become significant. “The Act may help in the creation of a national digital commerce policy that will hopefully simplify the regulatory environment for e-commerce companies,” said Anand Ramanathan, partner at Deloitte India.

Will this mean everything will be subsumed under the proposed DIA, for the regime of “one internet, one regulation”? Chandrashekhar has made it clear he does not intend to go down this route. His presentation has assured that issues around blockchain, emerging technologies and content regulation will be regulated by their sectoral regulators and the IT ministry will only look at aspects and intermediaries that fall within its scope of work.

“It is recognised that different types of intermediaries exist in the digital space today, which is only expected to increase in the future. These may include e-commerce platforms, search engines, social media platforms, digital media entities, gaming platforms, and pure-play intermediaries such as telecom service providers and ISPs. There is a need to treat each of them distinctly in terms of the role played by them and introduce a nuanced regulatory approach and separate rules for each class,” wrote Sameer Avasarala and Prashant Phillips of Lakshmikumaran & Sridharan, New Delhi, in a commentary.

As Ramanathan notes, though the Act will be expected to lay out a more predictable and structured regulatory environment, this is just a draft. “The final impact on the regulatory environment is yet to be seen. Additionally, the Act may have some unintended consequences.” At present, that is about the best that can be said about it.