Information Technology (Amendment) Act, 2008: A new vision through a new change
Vikas Asawat
Intellectual Property Facilitation Centre for MSMEs, Punjab State Council for Science & Technology, Chandigarh, 160019, India
Abstract:
The Information Technology Bill, 2008 was passed by both houses of Parliament in the last week of December, 2008, was signed by the President of India on February 5, 2009, and became the Amendment Act. The Amendment Act aims to make revolutionary changes in the existing Indian cyber law framework, including incorporation of electronic signatures, i.e. enabling authentication of electronic records by any electronic signature technique. New express provisions have been inserted to bring more cyber offences within the purview of the Information Technology Act, 2000. There are various provisions in the new amendment relating to data protection and privacy, as well as a provision to curb terrorism using the electronic and digital medium. The original Act, i.e. the Information Technology (IT) Act, 2000, is the legislation to provide legal recognition for e-commerce and e-transactions, to facilitate e-governance, to prevent computer-based crimes and to ensure security practices and procedures in the context of the widest possible use of information technology worldwide. The amendment has defined “intermediary” so as to bring clarity to the legislation when it comes to deciding the onus of offence. Intermediaries are now required to remove unlawful data or content on receiving information about it. Definitions of Communication Device and Cyber Cafe have also been incorporated in the Amendment Act. The upper limit of compensation for damage to computer, computer system etc. has now been removed, and it can now go to any just compensation. In Section 43, two new offences have been added, i.e. destroying, deleting or altering information in a computer resource to diminish its value, and stealing, concealing or destroying any computer source code with intention to cause damage.
The responsibility of a body corporate for data protection is greatly emphasized by inserting Section 43A in the Amendment Act, whereby corporate bodies handling sensitive personal information in a computer resource are under an obligation to ensure adoption of reasonable security practices and procedures to maintain its secrecy. Failure to perform this obligation will make the body corporate liable to pay damages by way of compensation to the person so affected. Sections 66A to 66F have been added to include 8 more offences as cyber crime. The offences include sending offensive electronic messages, identity theft, cheating by impersonation using computer resources, violation of privacy and cyber terrorism. Sections 67A to 67C have been incorporated, i.e. publishing or transmitting material in electronic form containing sexually explicit act, child pornography, and the obligation of an intermediary to preserve and retain such information as may be specified by the central government. Section 69 has been redrafted, enabling Government agencies to intercept, monitor or decrypt any electronic information with the help of subscribers, intermediaries or persons in charge of computer resources. With amended Section 79, intermediaries are not liable for third party data if they can prove that they have only a limited function of providing access, do not initiate the transmission or do not select the receiver, and finally have taken all due diligence. They are required to remove unlawful content on receiving “actual knowledge”. In Section 81 of the principal Act, a proviso has been inserted at the end, which provides that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970. So, the rights under the Patents Act and the Copyright Act may always be exercised.
Electronic copy available at: http://ssrn.com/abstract=1680152
Introduction:
The Information Technology Act, 2000 (“IT Act”) was enacted with a view to giving legal recognition, and hence an extra fillip, to the concept of e-transactions and e-commerce, to prevent cyber crimes and to ensure security practices. Due to the proliferation of information technology enabled services and the recent increase in cyber crimes, concerns of data security have assumed greater importance. With the above in mind, and to bring the IT Act in line with the Model Law on Electronic Signatures adopted by the United Nations Commission on International Trade Law, the Information Technology (Amendment) Act, 2008 (“Amended Act”) was passed in December 2008, and has been made effective from 27th October, 2009. A review of the amendments indicates that several provisions relating to data protection and privacy, as well as provisions to curb terrorism using the electronic and digital medium, have been introduced into the new Act.
Incorporation of Electronic Signature
The term “digital signature” has been replaced with “electronic signature” to make the Act more technology neutral. The phrase “electronic signature” is the umbrella term to describe any type of digital marking used by a party to be bound or to authenticate a record. It is a very broad term, and could include markings as diverse as digitized images of paper signatures, typed notations such as “/s/Ram Prakash” at the bottom of an electronic document, or even addressing notations, such as electronic mail headers or footers. “Digital signatures” are a specific type of “electronic signature.” A “digital signature” is legally more acceptable than other types of “electronic signatures,” as it offers both signer and document authentication. Signer authentication is the capability to identify the person who digitally signed the document. Document authentication ensures that the document or transaction (or the signature) cannot be easily altered. The process of creating a digital signature and verifying it accomplishes the essential effects that a handwritten signature does today for many legal purposes.
Insertion of new Section to define Communication Device:
Communication device means cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video, audio or image. This definition became imperative because the law was silent on what kind of devices could be included under this category. The amended IT Act has clarified that a cellphone or a personal digital assistance can be termed a communication device and action can be initiated accordingly.
Inclusion of definition of Cyber Cafe:
There have been many instances in the last few years in India where Cyber Cafes have been used either for real or false communication. Various cyber crimes, such as acquiring a net banking password by wrongful means and then withdrawing money from the concerned bank account, have been committed at Cyber Cafes. It has also been a common practice to use Cyber Cafes to send unwanted obscene e-mails to harass the recipients. So, in order to address the above problem, Cyber Cafes have been considered as one of the key intermediaries which need to be regulated. There was no explicit definition of Cyber Cafes in the Information Technology Act, 2000, and one had to interpret them as “Network Service Providers” under Section 79, which imposed on them a responsibility for “Due Diligence”, failing which they would be liable for the offences committed in their network. The Amendment Act has, however, provided an explicit definition for “Cyber Cafe” and also included them under the term “Intermediaries”. Several aspects of the Act therefore become applicable to Cyber Cafes, and there is a need to take a fresh look at what Cyber Cafes are expected to do for cyber law compliance. “Cyber cafe”, as defined in section 2 (na), means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public.
Broadening the definition of Intermediary:
Now, as per the Amendment Act, 2008, “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
Enforceability of Contract:
After section 10 of the principal Act, a new section has been inserted, which reads: “Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose”. So we can interpret that in contracts, the communication of proposals, acceptances, and revocations of proposals and acceptances concluded electronically shall henceforth be recognized and be enforceable.
Heavy Compensation to affected user (Section 43 A):
A new section 43A has been inserted to protect sensitive personal data or information possessed, dealt or handled by a body corporate in a computer resource which such body corporate owns, controls or operates. If such body corporate is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it shall be liable to pay damages by way of compensation to the person so affected.
Reasonable security practices and procedures
With the incorporation of section 43, the IT Act now requires corporates to maintain reasonable security practices and procedures as to sensitive personal data or information. At the same time, there is a gap in that the Act does not define the phrase “reasonable security practices and procedures”. Referring to section 43A, reasonable security practices and procedures can be determined a) as defined between the parties by mutual agreement, or b) as specified in any law for the time being in force, or c) as specified by the Central Government in consultation with such professional bodies or associations as it may deem fit. But the bitter fact is that till now there is no law specifying security practices, nor has the Central Government defined the security practices to be implemented in order to secure vital data. So, the contracting parties have freedom to decide their own procedures for protecting their confidential information. In addition, the parties are free to include provisions penalizing any breach of such contractual obligations. So, as long as the term is not defined, companies can enter into their own contracts and lay down minimum standards for protecting data. Looking at the practice followed, Indian companies initially complied primarily with BS 7799, a global standard that covers all domains of security. Now, ISO 27001 is the replacement for BS 7799. Basically, ISO 27001 is the Information Security Management standard mandated for public companies and critical sectors. In addition, companies make Service Level Agreements (SLAs) having very strict confidentiality and security clauses.
Indian Computer Emergency Response Team (CERT-In) – securing the National Cyber Space
The Indian Computer Emergency Response Team (CERT-In) was established by the Department of Information Technology, Govt. of India in January 2004 with a specific mandate to respond to computer security incidents. With the passage of the Information Technology (Amendment) Act 2008, CERT-In has been designated as the nodal agency for coordinating all matters related to cyber security and emergency response. It is now assigned the task of oversight of the Indian cyber space for enhancing cyber protection, enabling security compliance and assurance in Government and critical sectors, and facilitating early warning and response as well as information sharing and cooperation.
Additions in Section 66:
The Amendment Act defines the concept of cyber terrorism and has made it an abominable crime. As an offence, cyber terrorism has been made punishable with life term imprisonment and fine in the Amendment Act. This is really a welcome amendment keeping in mind the sovereignty, integrity and security of India. We can see this amendment as a highly qualified strategy after the Mumbai 26/11 attacks. Section 66 expands the definition of cybercrime to include identity theft and makes it punishable by up to three years of imprisonment. Sections 66A – 66F define and impose penalties for other cyber crimes, including cyber-terrorism. These sections cover Spoofing and SPAM (Section 66A), Identity theft (Section 66C), E-Commerce Frauds (Section 66 C and D), Phishing (Section 66D), Violation of Privacy (Section 66 E), and Cyber Terrorism (Section 66F). Clearly, one of the most important changes brought about by this addition to Section 66 pertains to cyber terrorism, with Section 66 F of the amended legislation prescribing life imprisonment for such offences. This assumes significance as the recent terror attacks have demonstrated just how tech-savvy militants can be.
Amendment in Section 67:
Section 67 of the old Act is amended to reduce the term of imprisonment for publishing or transmitting obscene material in electronic form to three years from five years and to increase the fine thereof from Indian Rupees 100,000 (approximately USD 2000) to Indian Rupees 500,000 (approximately USD 10,000). A host of new sections have been inserted as Sections 67 A to 67C. While Sections 67 A and B insert penal provisions in respect of offences of publishing or transmitting material containing sexually explicit act and child pornography in electronic form, section 67C deals with the obligation of an intermediary to preserve and retain such information as may be specified for such duration and in such manner and format as the central government may prescribe. The Chennai Police cyber cell has become the first agency to apply Section 67 of the amended Act. Section 67-B of the amended Act deals firmly with the offence of publishing or transmitting child pornography material through an electronic medium. A Dutch national residing in Chennai, who was found to be engaged in the felonious act of uploading child pornographic materials on the internet, was arrested by the cyber crime police. The Chennai police got the tip-off about the crime from the Child Exploitation Online Protection Centre in Germany through Interpol, which led to the arrest of Heum. The amended Act has considered the offence of child pornography as a heinous one and has made it cognizable and non-bailable. It is equally a positive sign that the cyber crime cell is enforcing the Information Technology Amendment Act, 2008 with help from its foreign counterparts.
Revision of Section 69
The existing Section 69 has been revised to empower the Central Government to designate agencies and issue directions for interception and safeguards for monitoring and decryption. The provision for blocking of information for public access is in Section 69A. The provision for monitoring of traffic data and information for cyber security is in Section 69B. So, the new amendments have strengthened the hands of the administration by increasing the ambit of the Government's powers of interception.
Breach of confidentiality and privacy
The newly inserted section 72A implies that an intermediary is required to act as per the terms of its lawful contract and not to disclose any personal information to cause wrongful loss or wrongful gain to any other person. It states that, except as otherwise provided in the IT Act or any other law in force, if any person, including an intermediary, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, and with intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses the material to another person without the consent of the person concerned or in breach of a contract, then the person disclosing such information can be punished with imprisonment for up to three years and/or can be fined up to INR 5 lakh. The existing provision, section 72 of the IT Act, provides a penalty in the form of fine and/or imprisonment if information obtained by virtue of a power granted under the IT Act is disclosed to a third party without the consent of the person concerned. So, section 72 is limited by the phrase “power granted under the IT Act”. The ambit of section 72A is wider than that of the existing section 72: it extends to disclosure of personal information of a person (without consent) while providing services under a lawful contract, and not merely to disclosure of information obtained by virtue of “powers granted under the IT Act”.
A confidence giving legislation to Internet Service Providers
With the increasing use of internet technology, the liability of internet service providers (ISPs) for third party content is one of the most controversial issues in cyber law worldwide. Different jurisdictions around the world have dealt with the issue either through legislative provisions or judicial pronouncements. Until now, the position in India was indefinite with respect to liability for copyright-infringing third party content. With the advent of the IT (Amendment) Act, 2008, there is a significant clarification regarding the scope of immunities available to intermediaries. Unlike the immunities under the old IT Act, these immunities are available not only with respect to offences under the IT Act, 2000 but even for liabilities arising under any law. Amended Section 79 states that, subject to the exceptions, an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him. The exceptions to the above are:
1. the intermediary has conspired or abetted in the commission of the unlawful act; or
2. upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.
This means that in the above two situations, the ISPs will be made liable. Also, we have to remember that “third party information” means any information dealt with by an intermediary in his capacity as an intermediary. It is also interesting to note that the requirement of knowledge has now been expressly changed to receiving actual knowledge. Actual knowledge here may mean the receipt of information from a third party, but not necessarily from the intermediary's own inquiry into the content of the information. This has been combined with a “notice and take down” duty. Preventive due diligence has been done away with and the ISP is only required to prove that it did not conspire or abet the commission of the unlawful act. These changes seem advantageous to ISPs as they set more lenient parameters for qualifying for safe harbour. The ISP shall not be liable only in cases where the intermediary has limited itself to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored, or the intermediary does not (i) initiate the transmission, (ii) select the receiver of the transmission, and (iii) select or modify the information contained in the transmission; and the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.
The amendments to Section 79 of the IT Act contain a non obstante clause, i.e. “Notwithstanding anything contained in any law for the time being in force”, and accordingly give a protective shield to ISPs against liability arising due to some other legislation. At the same time, the amended section 81 has a proviso: “Provided that nothing contained in this Act shall restrict any person from exercising any right conferred under the Copyright Act, 1957 or the Patents Act, 1970.” The interpretation of this section is that it keeps the primacy of the Patents Act and the Copyright Act over the Information Technology Act. We can correlate sections 79 and 81 by inferring that the other legislation is the Copyright Act. The two sections counter each other, but a careful and finer study will justify that section 79 has been amended to give more relaxation to ISPs. Basically, section 79 of the amended Act has been framed in accordance with EU Directives on E-Commerce to determine the extent of responsibility of intermediaries for third party data or content. The objective of the directive is to promote free flow of information between the member states. The EU Directive provides for the liability of intermediaries in a very detailed manner, which includes not only intellectual property rights and associated liabilities but also general content liability. The motivation behind the EU Directive on electronic commerce is to develop information society services (ISS), ensure legal certainty and consumer confidence through the coordination of national laws, and clarify legal concepts for the proper functioning of the internal market, in order to create a legal framework to ensure the free movement of ISS between Member States.
This specific “free movement of services” is part of a general principle of law in the European Economic Community, namely freedom of expression, as enshrined in Article 10(1) of the European Convention on Human Rights and Fundamental Freedoms. This principle is subject only to restrictions expressed in paragraph 2 of that Article and in Article 56 (1) of the EC Treaty.
Under the E-Commerce Directive, an ISP is exempt from liability when it serves as a "mere conduit" (Article 12) or provides "temporary caching" (Article 13) for the sole purpose of making the transmission of content more efficient, where this activity is of a mere technical, automatic and passive nature, and where the ISP has neither knowledge of nor control over the content being transmitted or stored. The conditions under which a hosting provider is exempted from liability, as stated at Article 14(1)(b), form the basis for the development of "notice and take down" procedures by copyright owners to ISPs to remedy instances of infringement. However, the EU does not recommend legislative initiative in this regard; it prefers that ISPs, in consultation with rights holders, develop their own notice and take down procedures.
Conclusion:
Though the Information Technology Act, 2000 is itself a comprehensive piece of legislation, it has had some inherent shortcomings. With the new Amendment Act now in force, we can hope that various difficulties and issues in the real cyber world will be resolved. The amended Act is a welcome attempt to fill gaps in the old Act in India, for instance by introducing legal recognition of electronic signatures, data protection obligations and mechanisms, and provisions to combat emerging cyber security threats such as cyber terrorism, identity theft, spamming, video voyeurism, pornography on the internet, and other crimes. It paved the way for removing the implementation of the IT Act by removing certain undesirable wordings in some sections. It can be expected that the lacuna may also be filled with time, as and when more problems are encountered by the Judiciary. We cannot say that this amendment is an end in itself; rather, it is a beginning, as the IT Act may require amendments as and when the technology advances further. As it is evident that the dimension of the technology is increasing both vertically as well as horizontally, more amendments may be made to make it foolproof.