~Madhavi Singh*
Introduction
Following in the footsteps of other jurisdictions, India is contemplating a plethora of laws to regulate different aspects of technology. While some of these such as the Intermediary Guidelines, 2022 and the E-Commerce Rules, 2020 have already been notified, many others are in the pipeline like the Digital India Act (DIA), the Digital Competition Act (DCA), the Digital Personal Data Protection Bill (DPDP Bill), the Non-Personal Data Governance Framework and the Online (Gaming) Regulation Bill. For all of its tech laws, the government is preparing to adopt a ‘principle-based’ rather than a prescriptive legal framework. Under the ‘principle-based’ approach, the parent statute contains only the governing principles, foundational rights and obligations and procedures for securing compliance. The specific prescriptions, i.e., the detailed do’s and don’ts would either be outlined through subsequent rules and regulations or decided by the regulator/ adjudicator at the time of execution on a case-to-case basis. This essay argues that the principle-based approach to tech regulation is not an improvement over the traditional legislative approach – it is at best ineffectual and at worst susceptible to abuse.
The rationale for principle-based tech regulation
The preference for a principle-based approach has been justified on the ground that it creates a regulatory framework which can adapt more easily to rapid strides in innovation. Traditional legislative and enforcement processes have proven slow and inefficient in responding to technology issues. By the time laws are enacted, both the underlying technology and the business models, are rendered obsolete by natural cycles of innovation. The Information Technology Act, 2000 serves as one such cautionary tale. Similarly, deliberations have already begun for another amendment to the recently amended Competition Act, 2002 to build in special provisions for digital markets. Thus, so far, regulation has not only lagged far behind technology but also the process of making new laws and amending old ones has been endless.
The government’s principle-based regulatory approach is ostensibly geared at avoiding this problem and future-proofing laws by basing them on (almost) universal but overly simplistic and general principles. A law which contains only foundational principles (for example, transparency, fairness, accountability) and a basic formulation of rights and obligations is expected to have enduring value even as technology evolves. Moreover, it might be easier to build political consensus around such a general statute in contradistinction to a text that contains a complex matrix of specific prescriptions whose various components might be opposed by different stakeholder factions. The DPDP Bill is a good example of the form that such a principle-based regulatory approach could take. It is based on seven principles such as purpose limitation, data minimization, storage limitation, etc. Unlike its bulky prescriptive predecessor, the 2022 Bill contains only the basic foundational principles and the drafting of substantive rules has been delegated to the Centre. Despite the touted promise of such principle-based regulation having enduring value, some argue that the DPDP Bill already seems dated in the face of privacy and data protection issues of emerging technologies like AI. The government seems poised to follow a principle-based approach for its entire gamut of tech laws including the Digital India Act.
Criticisms of Principle-Based Regulation
1. Ambiguity and difficulty in implementation
While the objective of future-proofing tech laws might seem like a worthy one, we need to be aware of the trade-offs that this approach entails. Broadly-worded legislations carry the risk of ambiguity and arbitrariness. Many of the modern tech laws around the world (including proposed laws in the US such as the American Innovation and Choice Online Act, the Platform Competition and Opportunity Act, the Ending Platform Monopolies Act, etc.) lay down detailed specific expectations. This allows companies to self-regulate. Examples include the EU’s General Data Protection Regulation (GDPR), the Digital Markets Act (DMA), the Digital Services Act (DSA), etc. These laws rely on self-compliance with the clearly outlined statutory directions for widespread implementation rather than lengthy rule-making or adjudicatory processes. In contrast, India’s DPDP Bill is so bare-bones that implementation seems difficult and in the absence of enforcement, it risks becoming a dead-letter law. For instance, the DPDP Bill is vague about what kinds of personal data of data principals are protected and to what extent; the duties of data fiduciaries are also minimal and vague. Vagueness of the statute makes enforcement difficult and susceptible to legal challenges, delays, and uncertainty, especially in a multi-level appellate structure.
2. Potential for executive overreach and political misuse
Further, the constitutionality of a skeletal statute that delegates power without providing policy guidance on how such power should be exercised remains doubtful. Delegation of these powers (often to the Central government) raises concerns about excessive delegation. For instance, the Intermediary Guidelines which authorize a “fact check unit of the central government” to identify, “fake or false or misleading” information has been criticized for creating unaccountable draconian systems that threaten free speech and dissent. Similarly, the sweeping powers of the government under the DPDP Bill including its power of exemption have been condemned and have raised concerns of inadequate privacy protection, state surveillance and crackdown. India already has an ignominious history of using its internet and tech laws to further political ends and crush digital dissent including raids on Big Tech’s offices, internet shutdowns, takedown notices, etc. Against this backdrop, a regulatory approach which de-emphasizes law-making and instead bestows sweeping powers on the executive with few statutory guardrails does not inspire trust.
3. Loss of crucial advantages associated with the legislative process
Regulating cyberspace is a very technical and complex exercise. Conventional law-making entails consultation with stakeholders and experts which makes the law more robust. Bereft of these processes, it will be challenging for a non-specialist executive or regulator to draft effective rules. Under such circumstances, there is a chance that the drafter will blindly follow foreign legislative drafts or precedents- recently, the Indian competition regulator was called out for ‘copying’ the actions and decisions of its European counterpart without any application of mind. Additionally, delegating such important rule-setting powers to the regulator or the executive creates a risk of regulatory capture by industry incumbents. The democratic law-making process albeit lengthy is more transparent and consultative and mitigates the risk of regulatory capture, lack of expertise, etc.
4. Ineffectiveness of broad prescriptions and effects analysis
Even if we were to perceive this regulatory model in a more benign light, it is likely to be ineffective. Several of the foundational principles that tech laws seek to achieve (such as competitive and contestable digital markets, protection of privacy, fairness, protection of consumer interests, etc.) are also in principle protected through other legal regimes including antitrust, consumer protection, intellectual property and even fundamental rights. And yet these conventional laws failed to protect these overarching interests in the digital space. It is unclear why a tech law that outlines only broad principles and leaves the actual effects-based adjudication to the future would be any more effective in protecting these interests than its existing counterparts. While outlining broad objectives, principles and rights which underlie a legal regime is essential, it is by no means sufficient. There is a need to build more specific granular prescriptions into the parent statute otherwise we risk being left with overtly broad and meaningless prescriptions. In a quest to equip the law for unforeseeable future innovations, we will impede its effectiveness to regulate existing technology.
Old soft regulation in a new wrapper
In reality, principle-based regulation is essentially a proxy for soft regulation. Indeed, the government has also acknowledged its preference for soft regulation of tech. Instead of using exacting standards and clear prescriptions, the government wants to rely on broad-brush ideals which enjoy wide acceptability. As it enters its ‘techade’, India is faced with critical policy choices. The country is eyeing to substitute China in the global tech supply chain, foster innovation and spur technological growth. There are apprehensions that stringent tech regulation could chill innovation and drive away foreign investment to other countries with lax regulations.
However, global experience has shown the risks associated with soft regulation. Recent antitrust (Neo-Brandeisian) jurisprudence has revealed that under-regulation backed by neo-classical laissez-faire economics and neo-liberal ideology allowed Big Tech to accumulate unprecedented monopoly power and gave an unfair advantage to a handful of tech companies. The effects aren’t limited to the economic realm but also affect the socialand democratic fabric. Unsurprisingly, market players in all digital sectors including online gaming, streaming, etc. are pushing for ‘light-touch’ regulation. Most countries now realize that soft regulation of technology does too little too late. Moreover, the negative externalities of under-regulation are inequitably distributed. As tech companies become more powerful and acquire greater monopolies, the individual citizen’s bargaining position becomes weaker and choices more limited. Under-regulation has exacerbated economic inequalities.
India’s ‘techade’ cannot afford to be so economically inequitable. Even if India manages to successfully dangle the carrot of soft regulation and attract foreign investment, such technological growth will benefit the privileged minority. Regular citizens who do not have economic resources or bargaining power rely on regulation and threat of enforcement to secure their digital rights. When the state does its part and holds tech players to stringent standards and demands compliance with clearly laid out specific prescriptions, the ordinary citizen reaps the benefit. The cost of light-touch regulation is not worth paying, even if it comes with the promise of overall technological growth, since such cost will be distributed unequally.
Conclusion
Law-making is a complex and messy process (especially for tech laws). As our recent experience with generative AI has shown, despite our best efforts we cannot accurately predict the direction or exact contours of innovation. Regulation is thus doomed to lag behind innovation and play catch-up. We can only strive to reduce the lag and create the institutional capacity and expertise which allows us to understand and respond to these complex issues faster and better. The promise of principle-based regulation in ‘future-proofing’ laws and creating adaptable legal frameworks is elusive. It not only results in ambiguity and low levels of self-regulation but also threatens to create a tool for executive overreach and political misuse. Principle-based regulation is essentially ‘light-touch’ regulation or under regulation in disguise. Turning a blind eye to the externalities of technology and opting for soft regulation in return for rapid technological development is a precarious trade-off whose costs will potentially be distributed inequitable.
*Madhavi Singh is a Research Associate at the National University of Singapore ('NUS'). She holds a B.A., L.L.B (Hons.) from the National Law School of India University, a BCL from the University of Oxford, and is a LLM candidate at the Harvard University.