Technology and Related Provisions
Technology and Related Provisions
Technology and Related Provisions
provisions
Dr. Kumaraswamy. C
Information Technology (Amendment) Act,
2008
President of India signed into law the Information Technology (Amendment)
Act, 2008 (the “ITAA”), a robust amendment to the country’s Information
Technology Act, 2000 (the “IT Act”).
The IT Act was enacted primarily to promote e-commerce and give effect to e-
commerce transactions, with provisions for the legal recognition of electronic
documents and digital signatures.
It also included provisions for the identification of, and establishment of
penalties for, certain cybercrimes.
Established by NASSCOM
The Indian government ministries charged with
establishing these rules have sought input from the
Data Security Council of India (DSCI), a self-regulatory
body established by NASSCOM, on several key data
security-related terms and provisions left undefined by
the ITAA.
The Catalyst for Change:
Increases in cybercrimes generally, coupled with the terrorist attack in
Mumbai (largely effected through coordinated technology efforts), were
likely a contributing factor in the recent passage of the ITAA, which had
previously been stalled in India’s parliament since 2006.
Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and;
Maintaining reasonable security practices and procedures and thereby causes wrongful
loss or wrongful gain to any person, such body corporate shall be liable to pay damages by
way of compensation to the person so affected.
Establishes Corporate Reasonable Standard:
Prior to its amendment, the IT Act focused more on individual hackers
than on systematic data protection.
Section 66 expands the definition of cybercrime to include identity theft and makes it punishable
by up to three years in jail.
Sections 66A – 66F define and impose penalties for other cybercrimes, Sections 69 through 69B
grant the Central Government the authority to intercept, monitor and block access to electronic
information in the interest of national security, and to monitor and collect “traffic data” (data
identifying a person, computer system, or location to or from which the communication was
transmitted, including origin, destination and other details) for purposes of enhancing cyber
security, all in accordance with procedures and safeguards “as may be prescribed.”
Section 70B
Creates a government agency, dubbed the “Indian Computer
Emergency Response Team,” with responsibility over the analysis and
dissemination of information and alerts regarding cyber incidents, the
coordination of responses to cyber incidents and the issuance of
guidelines regarding information security practices and the prevention,
response and reporting of cyber incidents.
Consequences for Outsourcing to India:
While the ITAA is an important first step for India in promoting and requiring
appropriate data security protections, until it is formally adopted (via
publication in the Official Gazette) and fully implemented, with “sensitive
personal data” defined, “reasonable security practices and procedures”
specified, and the corresponding rules promulgated, companies
contemplating outsourcing operations or processes to an Indian provider
should take care both in making the decision to move operations involving
critical data offshore and in selecting and contracting with a provider.
Practice Pointers:
• Diligence Your Provider’s Data Security Practices.
• Document Compliance Obligations.
• Address Security Breaches.
• Obtain Robust Audit Rights.
• Negotiate Appropriate Remedies.
• Consider Liability Implications
Key Features of the Rules:
The Intermediary Guidelines Rules, 2011 require intermediaries to prohibit
users from hosting certain content on its platform (e.g. obscene content).
The Draft Rules prohibit a new category of information, i.e., content which
threatens ‘public health or safety’. Intermediaries must, within 72 hours,
provide assistance to any government agency.
Further, they must enable tracing of the originator of the information on
their platform.
Intermediaries must deploy technology-based automated tools to identify
and remove public access to unlawful information.
Further, intermediaries with more than fifty lakh users must incorporate a
company in India.
Key Issues and Analysis:
Intermediaries are required to prohibit publication of content that
threatens public health or safety. This may violate the right to free
speech under Article 19(1).
Intermediaries are required to deploy automated tools for removing
access to unlawful content.
This may be contrary to the reasoning of a recent Supreme Court
judgement.
Intermediaries with more than fifty lakh users must incorporate a
company in India. It is unclear as to how this number will be calculated.
Therefore, an intermediary will find it difficult to determine if it is
required to set up a company in India under this provision.