Cyberlaw And Data Security

Proactive compliance with the parameters of Indian Cyberlaw is indeed the urgent necessity of today. Compliance, Compliance & Compliance is the only way to nirvana for all stakeholders in the digital ecosystem.

Pavan Duggal, Advocate, Supreme Court of India; Head, Pavan Duggal Associates

Earlier, the scope and ambit of the Information Technology Act, 2000 was limited to the use of computers, computer systems and computer networks. However, with the advent of the mobile revolution, it was felt that the applicability of the said law needed to be extended to all kinds of mobility-related devices. As such, the Information Technology (Amendment) Act, 2008 amended the Information Technology Act, 2000. These amendments came into effect from 27th October, 2009. Consequently, the Indian Cyberlaw is applicable to all mobile devices and communication devices, whether cell phones, mobile phones, smart phones, personal digital assistants, a combination of both, or any other device which is used to communicate audio, video, image or text.

By virtue of Section 4 of the Information Technology Act, 2000, the electronic format has been granted legal validity. Prior to the coming into effect of the Indian Cyberlaw, there was no legislation that granted legal sanction and validity to the electronic format. Section 4 of the Information Technology Act, 2000 has provided the framework for giving legal sanction to the electronic format. Section 4 stipulates that where any law provides that any information or any other matter shall be in writing or in the typewritten or printed format, then notwithstanding anything contained in such law, such requirement shall be deemed to be satisfied if the information or matter is rendered or made available in the electronic form and is further accessible so as to be usable for subsequent reference. The net effect of this is that all the output of computers, computer systems, computer networks, computer resources and communication devices is granted legal sanction and validity under the Indian Cyberlaw.

Concept of Intermediaries
The Indian Cyberlaw has also come up with a unique concept known as “intermediaries”. Intermediary is defined under Section 2(1)(w) of the amended Information Technology Act, 2000 in the widest possible terms. Any person who, on behalf of another person, receives, stores or transmits any particular electronic record or provides any service with respect to that record becomes an intermediary in India. A perusal of the said definition clearly shows that it is indeed very wide and includes within its ambit a vast number of legal entities doing business or activities in the electronic ecosystem. These would include Telecom Service Providers, Network Service Providers, Internet Service Providers, Web Hosting Service Providers, Search Engines, Online Payment Sites, Online Auction Sites, Online Marketplaces and Cybercafés. Further, the law has also stipulated the liability of intermediaries for any third-party data, information or communication link made available by them. Chapter XII of the Information Technology Act, 2000 details such liability.

This liability is applicable to all service providers who are providing services pertaining to micro-payments in rural areas, as also to all m-banking and m-commerce service providers and all online banking activities, amongst other things. Any entity that is an intermediary in the context of the electronic governance ecosystem would have to ensure that it complies with the parameters of the Information Technology Act, 2000.

Section 79 of the Information Technology Act, 2000 states that, as a principle, an intermediary shall not be liable for any third-party information, data or communication link made available or hosted by him, provided certain conditions are fulfilled. These conditions include that an intermediary has to observe due diligence while discharging its obligations under the Information Technology Act, 2000 and also observe such other guidelines as the Central Government may prescribe in this behalf. The intermediary is mandated not to initiate the transmission, select the receiver of the transmission, or select or modify the information contained in the transmission. Further, on receiving actual knowledge or being notified by the Government that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit an unlawful act, the intermediary must expeditiously remove or disable access to that material on that resource. This needs to be done without vitiating the evidence in any manner whatsoever.

A watershed moment in cyberlegal
Section 79 represents a watershed in the history of cyber-legal jurisprudence in India. All service providers will have to ensure compliance with the parameters of the Information Technology Act, 2000, including Section 79, so long as they deal with the electronic format as also the use of computer systems, computer networks and computer resources.

Most of the service providers in the electronic governance ecosystem have no clue about the requirements of law. Most of the said service providers and electronic projects are operating without ensuring compliance with the parameters of the amended Information Technology Act, 2000 and the rules and regulations made thereunder.

This presents a huge challenge as far as the Indian nation is concerned. Non-compliance with the parameters of the Information Technology Act, 2000 presents two major legal exposures for all service providers who are providing any services in the electronic governance ecosystem or in electronic or mobile commerce or banking activities. Such service providers need to appreciate that if they do not comply with the parameters of the Indian Cyberlaw, they could potentially face both civil and criminal legal consequences. The civil consequences could consist of being sued for damages by way of compensation up to 5 Crores INR per contravention under the Information Technology Act, 2000, and beyond 5 Crores INR in a court of competent jurisdiction. These are summary proceedings and can be initiated provided the parameters of Section 43 of the Information Technology Act, 2000 are fulfilled. Section 43 prescribes various grounds on which damages can be sought, including unauthorized access; downloading, copying and extracting data; introducing a computer contaminant; damaging a computer system; or diminishing the value or utility of information residing therein or affecting the same injuriously by any means, as also other grounds.

Further, the top management of such an intermediary company could also be exposed to criminal consequences, which could consist of imprisonment for the top management ranging from three years up to life imprisonment. Clearly, the Information Technology Act, 2000 has a huge impact on compliances.

All relevant stakeholders who are providing any services of any kind whatsoever in the electronic governance ecosystem have to wake up to the new reality that they have to ensure compliance with the parameters of the Information Technology Act, 2000. If they do not do so, not only could their business be impacted, but more significantly their exposure to unwanted consequences could have a detrimental impact upon their standing, reputation, goodwill and repute. The providers of m-banking and m-commerce, as also other intermediaries, have to specifically ensure that they not only comply with the parameters of the Information Technology Act, 2000 but also comply with the parameters of the Information Technology Rules, 2011. It is pertinent to point out that on 11th April, 2011, the Government of India notified four distinct sets of rules which are collectively known as the Information Technology Rules, 2011. These include the Information Technology (Electronic Service Delivery) Rules, 2011, the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011, the Information Technology (Intermediaries Guidelines) Rules, 2011 and the Information Technology (Guidelines for Cyber Cafe) Rules, 2011. These Rules provide various parameters of compliance for the relevant stakeholders.