Regulating Indian cyberspace: the battle for control
By Rodney D. Ryder, Partner, Scriboard
Traditional legal systems have had great difficulty in keeping pace with the rapid growth of the internet and its impact throughout the world. While laws have been enacted and a few cases have been decided that affect the internet, they have left most of the difficult legal issues to the future.
In spite of the recent proliferation of legislation worldwide, it is unlikely that courts and legislators will be able to provide sufficient guidance in a timely fashion to enable organisations to take advantage of the internet in a manner that avoids or minimises unexpected consequences or liabilities.
India’s approach
The rationale for India’s Information Technology Act, 2000 (the Act) was “functional equivalence” that electronic records and transactions be accorded an equal weight in evidence law as traditional paper records.
The recent amendments to the Act are, to a measurable extent, a reaction to recent developments such as service provider liability issues.
Data privacy and security
In view of concerns about the operating provisions related to data protection and privacy, the Act (i.e. sections 43, 65, 66 and 72A) has been recently revisited and more stringent provisions provided for. Notable among these are the following.
-
The addition of a set of rules on the handling of sensitive personal information with reasonable security practices and procedures.
-
The amendment of the grading of severity of computer-related offences. If an offence is committed dishonestly or fraudulently, it will now be punishable with up to two years’ imprisonment and/or a fine.
-
The addition of section 72A for breach of confidentiality with the intent to cause injury to a subscriber. This is recognised as providing sufficient protection under the EC Directive 2002/58/EC on the processing of personal data and the protection of privacy in electronic communications.
Cyber crime, evidence and punishment
The Act provides for essentially economic offences or crimes in the medium that are linked to economic loss or detriment. The government has done well to take a proverbial leaf from the OECD’s guidelines for the security of information systems and networks and the Council of Europe’s convention on cybercrime.
Section 69 has been amended to attend to the concerns of the Ministry of Home Affairs regarding the safety, sovereignty, integrity and defence of India, and its wishes to maintain friendly relations with other nations and prevent incitement to the commission of any cognisable offence.
Section 79 has been revised to explicitly bring out the extent of liability of intermediaries in certain cases. The EU Directive on E-Commerce 2000/31/EC, issued on 8 June 2000, has been used as a guiding document.
The Act now provides for an Indian computer emergency response team to act as a central agency in respect of critical information infrastructure for coordinating all actions relating to information security.
Protecting Indian cyberspace
The central government recently provided new rules under sections 43A and 79 of the Information Technology Act, 2000 to further empower the stringent sections amended earlier. The new rules broadly define the following:
-
sensitive personal data and information;
-
the manner in which information must be collected;
-
reasonable security practices and procedures provided for;
-
mandatory privacy policies;
-
the extent to which information can be disclosed;
-
methodology for legible disclosure of information to third parties;
-
due diligence to be observed by an intermediary; and
-
guidelines for cyber cafes.
rodney@scriboard.com