The government has recently announced a series of four Rules under the Information Technology Act, 2000 (as amended in 2008). These pertain to safeguard of sensitive personal information by intermediaries; due diligence by intermediaries; operation of cybercafes; and electronic delivery of services such as applications, certificates and licenses. The Rules raise some important issues related to privacy and implementation.
In general, many Acts delegate the power to make Rules on specific issues. This enables a quick response to changing circumstances. If these provisions were in the Act, any change would require an Amendment to be passed by Parliament, which could take significant amount of time and resources.
Sensitive Personal Information
The Act requires every company holding any sensitive personal information in a computer resource to take reasonable security practices and procedures. It authorises the government to frame Rules to define “sensitive personal information”, and to lay down “reasonable security practices and procedures”.
The Rules define sensitive personal information to include passwords and information related to biometrics, health, finances and sexual orientation. They require corporates to disclose a privacy policy, which should meet certain minimum standards. The information shall not be disclosed to any third party without prior permission from the person providing the information. There is an exception clause to this requirement. The information has to be shared with government agencies which are mandated by law to obtain such information for the purpose of verifying identity or preventing, detecting, investigation or prosecuting offences. The agency has to give a written request for the information, and may not share the information with any other person.
This exception clause raises issues related to the sanctity of private information. The Supreme Court has read the right to privacy as part of the fundamental right to life, and said that this right is subject to reasonable restrictions. For example, for the government to tap telephones, it needs to meet certain conditions, requires written sanction from the home secretary, and each case is reviewed by a high level committee. An investigating officer needs to get a warrant from a magistrate before seizing any document. These IT Rules, on the other hand, permit access without such a check. Thus, an investigating officer needs a warrant to obtain access to a physical record, but can access the same information without a warrant if it is kept on a computer database.
Due Diligence by Intermediaries
The Act exempts intermediaries from liability for information transmitted and stored by them. This protects entities which provide internet access or host blogs, websites, auction platforms, transmit emails, or permit user comments on their websites from liability arising from information being stored or transmitted by their users. The intermediaries have to follow certain due diligence guidelines. If they are informed of any material on their computer resources that are being used for unlawful purposes, they have to remove such material. The guidelines to be observed by the intermediaries are to be prescribed in the Rules.
The Rules require all intermediaries to publish certain minimum terms and conditions for users. These include, among other conditions, that the user shall not post content that is “grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner”. If any contravention is brought to the knowledge of the intermediary, the content has to be blocked. The Rules require the intermediary take action within 36 hours, if they are so informed in writing or by an electronically signed email.
There are three issues with these Rules. First, many of the terms are not defined and open to interpretation. Second, many of these items are not illegal and a restriction may impinge on the right to free speech. For example, it is not illegal to be an atheist (and therefore blasphemous), or to disparage a government rule (such as this one) or to write an analytical piece on gambling. Third, the onus of interpreting any content will be on the intermediary if someone writes about a violation. Note that the intimation of violation is not necessarily from a government agency or regulator but can be from any person. Given the costs involved in monitoring and responding to complaints, this Rule could lead to lower levels of openness and access to content on the internet (including unmoderated comments on websites and blog hosting).
Cybercafe Rules
Using the power to form due diligence guidelines for intermediaries, the government has framed Rules for cybercafes. The Rules require all cybercafes to be registered with a registration agency. Cybercafes need to check identity documents of every user, and keep a photocopy or scanned copy of such documents. They may also take and store a photograph of every user. They shall also maintain a log of all websites accessed by each user, and store this information for one year.
The Rules also mandate certain layout for cybercafes. Any partition should be less than 4½ feet high, and all terminals should face a common space (and be visible to others). There should be a board that informs users not to access pornographic sites or download information prohibited by the law.
These Rules raise both privacy and implementation issues. The history of all websites accessed by a person, as well as personal details (name, address, photograph) are available to the cybercafe owners. This information could be misused to profile persons, and in some cases even harass them.
Second, the Rules are difficult to implement in several cases. Cybercafe is defined as any facility that offers access to the internet in the ordinary course of business to members of the public. This would include coffee shops, airport lounges etc., that offer wi-fi access. Requirements of identity verification, maintenance of usage history and layout prescriptions would likely lead to such facilities being withdrawn.
Electronic Service Delivery
These Rules enable the government to deliver certain services through secure electronic transmission, with electronic signature. These services could include filing forms and applications, granting licences, permits and certificates, and payment of money. This process could lead to increased efficiency in service delivery. Also, by removing human contact with officials, there could be a reduction of corruption and harassment.
The Ball is now in Parliament’s Court
All Rules have to be tabled in Parliament. A Parliamentary Committee is mandated to examine these to see that they are in consonance with the spirit of the Act. Any Member of Parliament may also demand a discussion, and Parliament may amend the Rules. We believe that the IT Rules deserve close scrutiny by Parliament given the privacy, access and implementation issues.