Information Technology Laws
In May 2000, both houses of the Indian Parliament passed the Information Technology Bill. The Bill received the assent of the President in August 2000 and came to be known as the Information Technology Act, 2000. Cyber laws are contained in the IT Act, 2000.
This Act aims to provide the legal infrastructure for e-commerce in India, and the cyber laws have a major impact on e-businesses and the new economy in India. It is therefore important to understand the various perspectives of the IT Act, 2000 and what it offers.
The Information Technology Act, 2000 also aims to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability.
From the perspective of e-commerce in India, the IT Act, 2000 and its provisions contain many positive aspects. Firstly, the implication of these provisions for e-businesses is that email is now a valid and legal form of communication in our country that can be duly produced and approved in a court of law. Companies are now able to carry out electronic commerce using the legal infrastructure provided by the Act. Digital signatures have been given legal validity and sanction in the Act. The Act throws open the doors for the entry of corporate companies into the business of being Certifying Authorities for issuing Digital Signature Certificates. The Act now allows the Government to issue notifications on the web, thus heralding e-governance. The Act enables companies to file any form, application or other document with any office, authority, body or agency owned or controlled by the appropriate Government in electronic form, by means of such electronic form as may be prescribed by the appropriate Government. The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions. The Act has given a legal definition to the concept of secure digital signatures, which would be required to have been passed through a system of a security procedure, as stipulated by the Government at a later date. Under the IT Act, 2000, it is now possible for corporates to have a statutory remedy if anyone breaks into their computer systems or network and causes damage or copies data. The remedy provided by the Act is in the form of monetary damages, not exceeding Rs. 1 crore.
Data protection, Theft and Privacy Law
Right to privacy has long been read into Article 21 (right to life and personal liberty) of the Constitution of India. However, with the proliferating use of the internet and the exorbitant rise in transfer of data through multiple technologies, the concepts of ‘data privacy’ and ‘data protection’ have started demanding greater attention than ever before. Therefore, such concepts were introduced in the Information Technology Act, 2000 (Act) through Section 43-A (Compensation for failure to protect data) and Section 72-A (Punishment for disclosure of information in breach of lawful contract).
Section 43-A primarily deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information (“SPDI”). Section 72-A deals with personal information and provides punishment for disclosure of information in breach of lawful contract or without the information provider’s consent.
On 13 April 2011, the Ministry of Communications and Information Technology (MCIT), Government of India, notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules). Further, on 24 August 2011, the MCIT released a press note (Press Note) which clarified a number of provisions of the Rules. Among other things, the Press Note clarified that the Rules relate to SPDI and are applicable to any body corporate (i.e. organisation) or any person located in India. The Press Note exempts outsourcing companies in India from the provisions on collection and disclosure set out under the Rules.
Essentially, SPDI consists of the following:
– Financial information such as bank account or credit card or debit card or other payment instrument details;
– Physical, physiological and mental health condition;
– Sexual orientation;
– Medical records and history;
– Biometric information.
Section 43-A of the Act defines ‘reasonable security practices and procedures’ to mean security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force…
In light of the above, the Rules now stipulate that the requirement of ‘Reasonable Security Practices and Procedures’ will be satisfied if a body corporate has implemented such security practices and standards and has comprehensive documented information security programmes and policies that are commensurate with the information assets being protected.
The Rules also set out that the International Standard IS / ISO / IEC 27001 is one such standard (Standards) which could be implemented by a body corporate. Any industry association or similar body that follows standards other than IS / ISO / IEC 27001 for data protection needs to get its codes (Codes) approved and notified by the Central Government.
The Rules state that the bodies corporate who have implemented the Standards or Codes need to get the same certified or audited by independent auditors approved by the Central Government. The audit is required to be carried out by the auditor at least once a year or as and when there is a significant upgradation of processes and computer resources.
The Rules provide that a body corporate should obtain prior consent from the information provider regarding the purpose of usage of the SPDI. The information should be collected only if required for a lawful purpose connected with the functioning of the body corporate and if collection of such information is necessary.
The body corporate is required to take reasonable steps to ensure that the information provider knows that the information is being collected, the purpose of collecting such information, the intended recipients and the name and address of the agency collecting and retaining the information. The information should be used only for the purpose for which it is collected and should not be retained for a longer period than is required.
The Rules further provide that a body corporate is required to permit the information provider to review / amend the SPDI and give an option to withdraw consent at any time, in relation to the information so provided. In case of withdrawal of consent, the body corporate has the option not to provide the goods or services for which the concerned information was sought.
The Rules give a body corporate the liberty to transfer SPDI to any other body corporate, located anywhere, that ensures the same level of data protection as is adhered to by the body corporate under the Rules. However, the transfer is permitted only if it is necessary for the performance of a lawful contract between the body corporate and the information provider, or where the information provider has consented to the transfer.
Apart from applicable legal obligations or information sought by Government agencies, a body corporate is required to obtain permission from the information provider prior to disclosure of such information to a third party, unless such disclosure has been agreed to in a contract between the parties.
According to the Rules, a body corporate is required to designate a Grievance Officer to address grievances of its information providers and should publish the name and contact details of such Grievance Officer on its website. The Grievance Officer is required to redress the grievances within one month.
Undoubtedly, the concept of data privacy and protection is at a nascent stage in India. The framers of the Rules have attempted to adopt ideas from jurisdictions which have long-standing and mature data protection regulations. These Rules are therefore only a first step. Stringent implementation of the law and healthy development of data privacy and protection jurisprudence in the long run are what one needs to watch out for.
Domain Name Dispute
Internet domain names, in layman's terms, are easy-to-remember aliases that point to specific IP addresses. Since it is not possible to remember the numerical value of each and every IP address, the system of domain names evolved. The dominant purpose of a domain name is simply to provide an easy method for remembering another’s electronic address. It is a unique name used to identify, among other things, a specific Web site. Thus a typical domain name would be http://www.indiainfoline.com.
The unique feature of domain names is that they are given on a “first come, first served” basis. This feature gives rise to numerous legal issues and disputes, and it makes speed the important thing in domain name registration. To take an example, the domain name www.microsoft.org was available and was registered by Amit Mehrotra much before Microsoft Corporation could think of it. This led to numerous ticklish legal issues. Microsoft Corporation, despite having the trademark Microsoft, could not get the domain name www.microsoft.org because of the “first come, first served” criterion of domain name registration.
Any domain name consists of two components, namely the top level domain name (TLD) and a second level domain name. Thus in the said example, http://www.indiainfoline.com, “.com” would be the top level domain name while “indiainfoline” would be the second level domain name.