THE PROPOSED IT ACT AMENDMENTS: A CRITICAL EVALUATION
17 Sep 2005 14:07 GMT
5, Jagriti Apartments, Sainik Vihar, Rani Bagh, Delhi-110034, India.
A work analysing the proposed IT Act, 2000 amendment and its impact on the Indian society.
PRAVEEN DALAL, CONSULTANT AND ADVOCATE, DELHI HIGH COURT, INDIA.
The aim of this work is to critically evaluate the proposed IT Act amendments. It is also accompanied with certain suggestion that will be relevant while drafting the ultimate IT Act, 2000.
The following amendments in the first chapter are worth noticing:
(a) Section 1(4): Section 1(4) now provides that nothing in this section shall apply to such class of documents or transactions as may be notified by the Central Government in the Official Gazette.
The proposed amendment has removed the express restrictions imposed on digitising the documents pertaining to negotiable instruments, power of attorney, a trust, a will, or any contract for the sale or conveyance of immovable property or any interest in such property. The same may, however, be imposed by the Central Government by notification in Official Gazette. It would not a good idea to “notify” these documents as outside the purview of the Act. This is so because to bridge the digital divide the Government must learn to digitalise the documents and it would be good for the growth of electronic governance and electronic commerce that digital documents along with a proper infrastructure must be established as soon as possible. In fact, negotiable instruments like Cheques have already been transformed and legalised in electronic form by the Negotiable Instrument Act amendment, 2002. These restrictions were originally imposed because at that time it was not deemed proper to deal in these documents in electronic form. Now after 5 years, it is high time that those restrictions must be removed. This is the reason why section 9 was incorporated in the Act. It provides that sections 6, 7, and 8 not to confer right to insist document should be accepted in electronic form. Thus, it would have been better if section 9 was amended as well keeping in mind the requirements of electronic governance and electronic commerce. The Government cannot postpone for an indefinite period the digitilisation of documents. The same may hamper electronic governance and electronic commerce.
Sub-section 1(4) has been amended to bring flexibility in respect of applicability of IT Act on certain specific class of documents or transactions. This commendable purpose deserves full support and any impediment in this regard must be removed as soon as possible. It is also important from the perspective of elimination and eradication of corruption and ensuring transparency in governmental functioning. The digitalise environment coupled with the “right to information” will remove red-tapism and corruption to a considerable extent.
Thus, the proposed amendment is a good suggestion, though it would have been better if section 9 was also amended keeping in mind the contemporary needs and globalisation and privitisation.
(b) Section 2(1) (j) (i): The proposed section provides that unless the context otherwise requires, "computer network" means the interconnection of one or more computers or computer systems through the use of satellite, microwave, terrestrial line, wireless or other communication media.
This has been done to include wireless communications explicitly which was previously dependant upon a purposive and updating interpretation deducible through implied construction of the words of the statute.
This is a welcome suggestion.
(c) Section 2 (1) (nn): The expression cyber café has been defined to means a place where access to electronic form is provided to the public.
The term “Cyber Café” has been included to address the issues relating to streamlining the functioning of cyber cafes. The same, however, is not properly described and lot of confusion is bound to happen in the distant future. Now wherever access to public in electronic form is provided, it may not necessarily be a cyber café. Further, cyber cafes may be, and must be, regulated by licensing procedure and there is a possibility that a place may be declared as cyber café even in the absence of a valid license in this regard.
It would be better if the expression cyber café is defined in a more appropriate manner.
(d) Section 2 (1) (v): The proposed amended section includes “messages” as well. It reads now that “information” includes data, messages, text, images, sound, voice, codes, computer programmes, softwares and data bases or micro film or computer generated micro fiche.
The impact of this change has been ignored totally and taken very lightly. Once messages are included in the definition of information, then even a local SMS or MMS may be included in this definition.
This is a welcome change.
(e) Section 2 (1) (w): The proposed amendment defines “intermediary”, with respect to any particular electronic record, as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that electronic record.
The word “record” has been substituted for the word “message”. This is an attempt to dilute the liability of intermediaries to considerable extent. In a nation that is struggling with pornography and obscenity, this provisions may be a death knell to the deterrent effect of laws preventing the same.
The proposed amendment is not desirable at the moment.
(f) Section 2 (zaa): The expression “person” has been defined and it means any individual, company or body corporate or association or body of individuals, whether incorporated or not or artificial juridical person, whether domiciled or resident in India or outside India.
This is a welcome amendment as the definition of “person’ has a great significance in all laws, including cyber law.
Chapters II and III-No comments.
CHAPTER-III A: ELECTRONIC CONTRACTS
Section 10 A: Section 10 has been deleted as this is covered under section 87 and a new section 10A is added for “Formation and Validity of Electronic Contracts”
Section 10 A reads: Formation and Validity of Contracts
(a) In the context of contract formation, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of an electronic record.
(b) Where an electronic record is used in the formation of a contract, that contract shall not be denied or enforceable on the sole ground that an electronic record was used for this purpose.
An appraisal of some of the definitions in this regard is worth noticing. Section 2(1) provides that in this Act, unless the context otherwise requires,-
(b) "addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary. Thus, the liability of the intermediary has been diluted significantly except where he/it was aware about the contravention or offence.
(q) “electronic form” with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device.
(s) “electronic record” means data, record, or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.
(v) "information" includes data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche;
(w) “intermediary” with respect to any particular electronic record means any person who on behalf of another person receives, stores or transmit that record or provides any service with respect to that electronic record.
(za) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary. Again, the liability of intermediary has been reduced to significant extent.
Section 2 (2): Any reference in this Act to any enactment or any provision thereof shall, in relation to an area in which such enactment or such provision is not in force, be construed as a reference to the corresponding law or the relevant provision of the corresponding law, if any, in force in that area.
A close perusal of these definitions and section 10A reveals the following important concepts:
(a) An electronic contract is subject to the “contract to the contrary”. That means if the parties clearly contemplate that an “electronic contract” should not be formed, then even if the basic requirements have been fulfilled, there will be no valid contract.
(b) The offer and acceptance of the contract must satisfy the requirements of the Indian Contract Act.
(c) The requirements of a valid contract must be expressed by means of electronic record. Now there is a significance difference between the expressions “electronic form” and “electronic record” and the distinction though fine and thin is yet real and if ignored may bring absurd results.
(d) A bar or estoppel has been provided from denying an electronic contract merely because it has used an electronic record.
(e) Section 2(2) will provide strength to the analogous use of the provisions of various statutes including Criminal Procedure Code and Contract Act, if any corresponding provision in the IT Act is not in force.
The Objects and Reasons of the proposed Act provides that it is an Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce" which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.
Thus, the proposed section is a good provision and must be accepted to give strength and momentum to the electronic commerce provisions.
Chapter-IV to VIII-No comments
CHAPTER-IX: PENALTIES AND ADJUDICATION
Section 43(1): Section 43(1), as per the committee, covers two issues relating to “Data Protection and Privacy”: (1) unauthorized access to a computer system, (2) unauthorized downloading/copying of data. The other sections that deal with the “Data Protection and Privacy” are Section 65, Section 66, and Section 72 of IT Act 2000.
It is interesting to note that the “overall scheme” of the sections dealing with contraventions, offences and compounding of the offences shows the “concern” of the Committee to make IT Act a “tiger without teeth”. Firstly, there is a difference between the expressions “penalty” and “compensation”. The former is definitely more deterrent. It seems the Committee was already under the impression that the penal provisions of the Act must be eliminated completely. This exercise will never guarantee a sound electronic commerce and electronic governance. The Act will be a “safe harbour” for the criminals and given the nature of the Internet, India will be a favourite place for all cyber crimes and contraventions. In short, the IT Act will become “impotent” and loose it “deterrent effect” if these recommendations are accepted.
The “overall penal scheme” should not be changed and the deterrent aspect must be kept alive. It is the most precarious amendment that has been suggested. It would be better to scrap off the IT Act instead as that would be a better option in these circumstances.
Section 43(2): This section has been added to ensure reasonable security practices and procedures for sensitive information by any body corporate.
Section 43(2) read: If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected.
The explanations to the section read:
Explanation- For the purposes of this section-
(oi) “body corporate” means any company and includes a firm or other association of individuals engaged in commercial or professional activities.
(v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any.
(vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any.
(vii) “Without the permission of the owner” shall include access to information that exceeds the level of authorized permission to access.
These proposed amendments in section 43(2) are “superfluous” rather than serving any purpose. It seems they have been included to provide a “psychological boost” to the “uncertainties and anxiety” of the MNCs shown from time to time. It must be appreciated that it is not enactment but enforcement of law that is important. By restricting the powers of the enforcement agencies, the proposed penal scheme of the Act is a “remedy worst than malady”.
Section 46(1): The words “under this Chapter” have been deleted to handle contraventions under section 72.
This is again an absurd recommendation. First of all there was no need to mix the applicability of two Chapters involved. The answer to this can be found in the zeal of the Committee to ‘repeal” the penal scheme of the Act. For instance, the proposed section 80A, dealing with compounding of certain offenses, empowers the adjudicating officer to compound the offences. It is interesting to note that though the title of section 80A suggests “certain offences” but it deals with “all offences” under the Act. Thus, an adjudicating officer can compound all contraventions (u/s 44A) and offences (u/s 80A) under the Act. It seems the “sense of humour” has been added to the Act in the form of these sections.
Chapter-X- No comments.
Since this is the most important and core Chapter of the Act, I wish to deal with it section wise.
Section 66: Computer related offenses: If any person, dishonestly or fraudulently, without permission of the owner or of any other person who is incharge of a computer resource
(i) accesses or secures access to such computer resource;
(ii) downloads, copies or extracts any data, computer data base or information from such computer resource including information or data held or stored in any removable storage medium;
(iii) denies or causes the denial of access to any person authorised to access any computer resource;
he shall be punishable with imprisonment upto one year or a fine which may extend up to two lacs or with both;
(b) If any person, dishonestly or fraudulently, without permission of the owner or of any other person who is incharge of a computer resource
(i) introduces or causes to be introduced any computer contaminant or computer virus into any computer resource;
(ii) disrupts or causes disruption or impairment of electronic resource;
(iii) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource;
(iv) provides any assistance to any person to facilitate access to a computer resource in contravention of the provisions of this Act, rules or regulations made thereunder;
(v) damages or causes to be damaged any computer resource, date, computer databse, or other programmes residing in such computer resource;
he shall be punishable with imprisonment upto two years or a fine which may extend up to five lacs or with both;
The first amendment suggested by the committee in this section is to replace the words “intent to cause or knowing that he is likely to cause” with the expression “dishonestly and fraudulently”.
Explanation (a) to the section specifies dishonestly as “Whoever does anything with the intention of causing wrongful gain to one person, wrongful loss or harm to another person, is said to do this thing dishonestly”. It must be noted that the addition of the word “harm” has significantly improved the existing definition of dishonestly as provided in the IPC.
The addition of the word “harm” is a welcome step.
Explanation (b) to the section describes fraudulently as “A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.
The important points to be noted here is that the “deterrent effect” has been diluted to considerable limit. The words “likely to cause” was supporting the test of a “reasonable person” while dealing with the requirements of “due diligence” under the IT Act. The expression “intent to cause or knowing that he is likely to cause” was talking about two types of liability. The first category of “with the intent to cause” is dealing with “actual knowledge” whereas the category “likely to cause” is dealing with “constructive knowledge” as well, besides actual knowledge. The later category was taking care of “constructive knowledge” and “due diligence requirements” that unfortunately have been deleted. The expression wrongful gain and loss are talking about “property” if we analyse them under section 23 of the IPC, which assumes significance due to section 2(2) of the IT Act.
The Committee, however, has also put the first two clauses of section 66(1) in section 43(1) as well. Thus, if a person hacks another computer, then either he is “criminally liable” under section 66(1) or a “civil liability”, that may extend upto rupees one crore as compensation, can be imposed. Now this may cause a lot of problem. The moment hacking is committed, either he will be send to jail or he has to pay compensation.
Further, the expression “without the permission of the owner” shall include access to information that exceeds the level of authorised permission to access by virtue of Explanation (c) to section 66. Thus if a person exceeds his authority to access, then he can be held liable for:
(ii) Data property violations, and
(ii) Denial of service attacks (DOSAs).
As far as the hacking and data property violations are concerned, they fit in section 66(1), but it would be better if DOSAs be inserted in section 66(2). It must be noted that even in case of DOSA either the accused is criminally liable or he is civilly liable.
The punishment has been reduced to one year in cases of hacking which was three years. There seems to be no rationale in reducing this punishment.
Section 66(2): This sub-section also recognises both criminal liability and civil liability.
This is a welcome provision and one of the most significant amendments needed in the contemporary society. It must be accepted by adding DOSAs to it.
Section 67: Publishing in electronic form of information which is obscene
(1) Save as provided in this Act under Section 79 which exempts intermediaries from liability in certain cases, whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to two years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
(2) Whoever intentionally and knowingly publishes or transmits through electronic form any material which relates to child pornography, shall be punished with imprisonment for a term not less than three years and with a fine which may extend to ten lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
Explanation: - For the purposes of this section “child pornography” means material that features a child engaged in sexually explicit conduct.
Exception – This sub-section (1) does not extent to –
(a) any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form –
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern, or
(ii) which is kept or used bon fide for religious purposes;
Unlike its predecessor section, i.e. section 66, section 67 does not involve any “overlapping” between criminal and civil liability. The problem with section 66 is that its contents are also finding place in section 43. Thus, even if a case for “criminal liability” cannot be made out, the civil liability will be there. The civil liability seems to be a “strict liability” provision because to escape the clutches of “exemplary compensation” the accused has to prove that he has not “performed” the alleged act at all. This is so because the operating part of section 43(1) nowhere talks about any “damage or injury” as the essential requirement for its application and the moment any specified act is “committed” the rigours of section 43(1) may come into picture. For instance, X is charged for “hacking” by the prosecution agencies. Now if he has not committed the act of hacking “dishonestly or fraudulently” then he cannot be held liable under section 66 but he can still be liable for giving “exemplary compensation” under section 43 as the provisions of these two sections are overlapping. It seems in the zeal of reducing the “punitive sting” of the Act, the Committee has created a chaos. Section 43 provides no safeguard to escape the “exemplary compensation” and if an accused even admits that he committed the act of hacking, even innocently, he will be liable for giving compensation. The same holds true about others offences under section 66.
It would be better to specify the circumstances when liability under section 43(1) will arise “independently” of section 66. It would be better if the words “damage or injury” also find a place in the operating part of section 43(1) and are not limited to the title alone. In the proposed form it may appear as a “strict liability” action. Thus, to remove any doubt the words damage or injury must be added in the operating part of section 43(1) and explained through explanations. That is the only way to justify the expression “person so affected” mentioned in section 43(1). For instance, a person’s privacy is violated the moment someone gains illegal access. He is definitely the person affected by the illegal access. Thus, in the given circumstances section 43(1) may operate by fixing the “strict liability”. It needs further clarification.
Section 67(1): Section 67(1) is subject to section 79 which exempts intermediaries from liability in certain cases. This was originally not there and the recent MMS episode is the guiding factor for this provision. A more detailed analysis will be done while dealing with section 79.
What is disturbing is the unnecessary reduction in the quantum of imprisonment, though fine has been raised at one place.
The Committee must be praised for introducing exceptions in “public interest” by attaching the exception to section 67(1).
Section 67(2): Section 67(2) is dealing with “child pornography”. It is interesting to note that a person can be held liable under section 67(2) only if he “intentionally and knowingly” publishes or transmits through electronic form such child pornography.
Now it is not advisable to use the expression “and” here. Instead the expression “or” is more appropriate. Otherwise, it would be a Herculean task to prove both intention and knowledge at the same time.
Secondly, the protection available to NSPs, etc under section 67(1) cannot be claimed under section 67(2).
Thus, except substituting the word “and” with “or”, section 67(2) is a very good provision that has been suggested.
Section 68: Power of Controller to give directions
(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder.
(2) Any person who intentionally or knowingly fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding three years or to a fine not exceeding two lakh rupees or to both.
It seems the difference between the expression “and” as well as the word “as” is clear as far as this section is concerned. By introducing the “mens rea” in this section, the section has been strengthened. The only requirement is that the appropriate Government, while exercising its rules making powers or by way of explanation, must add the “guidelines” for the proper exercise of such power to avoid the sword of “excessive delegation”.
Section 68A: Encryption and other technologies for security of data: The Central Government may, for secure use of the electronic medium and the promotion of e-governance and e-commerce by rules provide for one or more modes or methods for encryption. Section 68A has been added for providing one or more modes and methods for encryption.
This is a welcome suggestion as it will improve the condition of e-commerce and e-governance in India.
Section 69: Power to issue directions for interception or monitoring or decryption of any information through any computer.
(1) If the (Controller-deleted) Central Government is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, security of the State, friendly relations with foreign States or public order ( or for preventing incitement to the commission of any cognizable offence-deleted), it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the government to intercept or decrypt or cause to be monitored any information transmitted through any computer resource.
(2) The Central Government shall prescribe safeguards subject to which such interceptions or monitoring may be done.
(3) The subscriber or any person in-charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance
(a) to decrypt the information;
(b) or provide access to the computer resource containing such information
(4) The subscriber or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years.
The entire section is amended in respect of power to issue directions for interception or monitoring or decryption of any information through any computer resource. (Earlier this power was only with the Controller).
An analysis of the section reveals:
The proposed Section 69 is a combination of both good and bad recommendations.
The good part about it is that it has taken away the powers from the Controller under section 69 that were prone to misuse. Further, the exercise of power by any agency empowered by the Central Government in this behalf is subject to the “safeguards” provided by section 69(2).
The bad part about it is that once again the “quest” for the elimination of the “penal scheme” from the Act pre-occupied the committee concerns and it deleted the provision for preventing incitement to the commission of any cognizable offence. There is no fixed criterion to distinguish between cognizable and non-cognizable offences unlike summons and warrant cases. Cognizable offences are those “serious offences” where the police can arrest the accused “without a warrant” from the court. On the other hand, “non-cognizable offences” are those “minor offences” for which the police cannot take an action without a warrant from the court. Interestingly, the imprisonment provided for refusal to assist the agency is seven years. Now keeping in mind the inhibition of the Committee from “penal impositions”, it seems absurd and unreasonable to provide that much quantum of imprisonment. It must also be at most 2 years.
It is also not possible to contend that “public interest” and “national interest” is dependent upon and flowing from this section only and not the entire Act. The entire Act is in national and public interest and uniformity and reasonableness must permeate it while imposing punishment. The Government, Intermediaries, MNCs etc cannot stand on a higher footing in these circumstances as compared to ordinary citizens of India. The punishment must be reasonable for all keeping in mind the imprisonment provisions suggested by the Committee in other sections.
Section 72: Breach of confidentiality and privacy
(1) Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned intentionally discloses such (electronic record, book, register, correspondence, information, document or other-Deleted) material to any other person shall be punished with imprisonment for a term which may extend upto two years, or with fine which may extend to five lakh rupees, or with both.
(2) Save as otherwise provided under this Act, if any intermediary who by virtue of any subscriber availing his services has secured access to any material or other information relating to such subscriber, discloses such information or material to any other person, without the consent of such subscriber and with intent to cause injury to him, such intermediary shall be liable to pay damages by way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected.;
(3) Whoever intentionally captures or broadcasts an image of a private area of an individual without his consent, and knowingly does so under circumstances violating the privacy of that individual, shall be liable to pay compensation not exceeding Rs. 25 lakhs to the person so affected, and shall also be liable for imprisonment for a term not exceeding one year or with fine not exceeding Rs 2 Lakhs, or with both on the complaint of the person so affected.
(4) No court shall take cognizance of any offense punishable under sub-section (3) except upon a complaint filed by the aggrieved person in writing before a Magistrate
Explanation: For the purpose of this section
(a) “capture” with respect to an image, means to videotape, photograph, film, record by any means;
(b) “broadcast” means to electronically transmit a visual image with the intent that it be viewed by a person or persons;
(c) “a private area of the individual” means the naked or undergarment clad genitals, pubic area, buttocks, or female breast of that individual;
(d) “female breast” means any portion of the female breast below the top of the areola; and
(e) “under circumstances violating the privacy of that individual” means –
(i) circumstances in which a reasonable person would believe that he or she could disrobe in privacy, without being concerned that an image of a private area of the individual was being captured; or
(ii) circumstances in which a reasonable person would believe that a private area of the individual would not be visible to the public, regardless of whether that person is in a public or private place.
(f) “Intermediary” as defined in Section 79;
(g) Injury as defined in IPC.
A perusal of the section reveals the following:
(a) Section 72(1): Section 72(1) is subject to the provisions of this Act or any other law for the time being in force. From the very reading of section 72(1) it is clear that its application comes into picture where:
(i) An “authority” having powers under the Act, Rules or Regulations to gain access,
(ii) has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, and
(iii) intentionally discloses such material to any other person.
All these conditions must be fulfilled simultaneously to make section 72(1) applicable.
Now the expression “intentionally” has drastically reduced the “accountability and liability” of the authorities violating privacy rights under the Act. There is nothing wrong in asking for the “mens rea” element but taking “half of it” to suit specific requirements cannot be a reasonable proposal. For instance, what will happen when there is“negligence” on the part of any such authority that results in privacy violation? The IPC recognises both “act and omission” as the guiding criterion for fixing liability. If the authorities are either negligent or had knowledge about the privacy violation at the time of its commission, they must be held liable. The concept of “due diligence” is not a sword for few and luxury for others. The due diligence requirements and accountability is missing from this sub-section. It would be better if the expression “intentionally or knowingly” is used for section 72(1).
(b) Section 72(2): Section 72(2), subject to the ‘gigantic protection” to intermediaries guaranteed by the Act, will come into operation if:
(i) The disclosure in question is arising due to availing of services of the intermediary that has provided him/it access to the information,
(ii) Such intermediary “disclosed” that information to any person, and
(iii) Such disclosure has been made without the consent of such subscriber and with intent to cause injury to him/it.
This is again a “legal loophole” provided specifically to ensure that the intermediaries escape their liability without any fear for law and penal sanctions. It seems the Committee was wary of simply and directly providing a “blanket protection” to the intermediaries. It seems the theme of the “entire penal scheme” of the proposed Act is strongly suggesting the “law and its enforcement agencies” to “KEEP THE HANDS OFF” from intermediaries.
A close perusal of section 72(2) reveals that first of all there is no penal provision taking care of this situation and only a right to claim “compensation” has been provided at most. Further, even to claim that compensation, another Herculean task has to be performed. The disclosure to be “civilly actionable” must be made without the consent of such subscriber “and” with intent to cause injury to aggrieved party.
Now this is absurd on the following counts:
(a) Firstly, no penal sanction is there and a civil liability can be imposed at most,
(b) Secondly, such disclosure, to be punishable, must be done without the consent of subscriber “and” with “intent to cause injury”. Now suppose, an intermediary is “negligent” or he fails to exercise “due diligence”, then he cannot be held liable under section 72(2) because he will contend that he had no “intention” to cause injury and that was just an inadvertent mistake. This, in other words is a “blanket protection” to the intermediaries to play with the privacy of the subscribers.
Thus, the section must proceed like this:
Section 72(2): ------ if any intermediary---- intentionally or knowingly discloses---. That can only do justice to this section and situation. Further, penal sanctions must also be attached because the section is already subject to other provisions of the Act protecting intermediaries.
Section 73(3): A welcome provision, but the “legality” of “sting operations” is about to be debated.
Section 72(4): It has the elements of “controversy”, particularly while deciding who the “aggrieved person” is. For instance, if the privacy of a girl/ boy is violated, are their parents “aggrieved parties”? Further, the exclusion of jurisdiction f the courts also may be objected to.
Thus, the provisions under section 72(3) and (4), protecting privacy rights, are welcome provisions provided the ambiguity of “aggrieved person’ is removed.
CHAPTER XI A & CHAPTER XII
CHAPTER XI A: EXAMINER OF ELECTRONIC EVIDENCE
Section 78A: Central Government to notify Examiner of electronic evidence
The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority notify any Department, Body or Agency of the Central or the State Government or any suitably qualified expert as an Examiner of Electronic Evidence. The procedures and conditions for the notification of such examiner shall be as prescribed by the Central Government.
Explanation: For the purposes of this section “Electronic Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines etc
The new section 78A, as suggested by Dr. Vishwanathan Follow-up committee, has been incorporated with minor changes.
This is a good provision to be incorporated.
CHAPTER XII: LIMITATION ON THE LIABILITY OF INTERMEDIARY
79. Exemption from liability of intermediary in certain cases
(1) An “Intermediary” shall not be liable under any law for the time being in force, for any third party information, data, or link made available by him, except when the intermediary has conspired or abetted in the commission of the unlawful act.
(2) The provisions of sub-section (1) shall apply in circumstances including but not limited to where:
(a) Intermediary’s function is limited to giving access to a communication network over which information made available by third parties is transmitted or temporarily stored; or The intermediary: (i) does not initiate the transmission, (ii) does not select the receiver of the transmission, and (iii) does not select or modify the information contained in the transmission.
(3) The provisions of sub-section (1) shall not apply if, upon receiving actual knowledge of, or being notified by the Central Government or its agency that any information, data or link residing on a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails expeditiously to remove or disable access to that material on that resource.
Explanation: For the purpose of this section:-
(a) Term ‘Intermediary’ has been defined in Chapter I, Section 2(w).
(b) ‘Intermediary’ shall include, but not limited to, telecom service providers, network service providers, Internet service providers, web-hosting service providers, search engines including on-line auction sites, online-market places, and Cyber Cafes.
(c) ‘Third Party Information’ means any information dealt with by an intermediary in his capacity as an intermediary.
This section is revised in lines with the EU Directives on E-Commerce 2000/31/EC issued on June 8th 2000. The objective of this Directive is to create a legal framework to ensure the free movement of information between Member States and not to harmonise the field of criminal law as such. This Directive strikes a balance between the different interests at stake and establishes principles upon which industry agreements and standards can be based. The exemptions from liability established in this Directive cover only cases where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network over which information made available by third parties is transmitted or temporarily stored, for the sole purpose of making the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored. A service provider can benefit from the exemptions for ‘mere conduit’ and for ‘caching’ when he is in no way involved with the information transmitted; this requires among other things that he does not modify the information that he transmits; this requirement does not cover manipulations of a technical nature which take place in the course of the transmission as they do not alter the integrity of the information contained in the transmission. A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of ‘mere conduit’ or ‘caching’ and as a result cannot benefit from the liability exemptions established for these activities.
An analysis of the provisions of the EU Directives shows that nowhere it recommended “harmonisation’ of criminal laws of various countries and it is very clear while establishing liability of intermediaries. The Directives have made intermediaries liable for their involvement in dealing with offensive material. An important aspect of EU Directives is that they maintain a “balance’ between various conflicting interests and no primacy or blanket protection is available to the intermediaries. The introduction of the elements of “conspiracy or abetment” has diluted the criminal liability of the intermediaries to a great extent and its ramifications will be felt in the distant future. The socio economic conditions of India are different and the law must be formulated keeping in mind these ground realities.
Section 79(3) has, however, preserved the requirements of “due diligence” and even if an intermediary has not conspired or abetted the posting or transmission of an offensive material, he/it can be held liable if he/it had the “knowledge’ about such offensive material and failed to remove the same. Thus, innocent violations have been excluded from the penal sanctions.
CHAPTER XIII: MISCELLANEOUS
Section 80: Power of police office and other officers to enter, search, etc-Deleted.
This deletion is an absurd suggestion given by the Committee. It seems the Committee endorses the view that the IT Act is a “private issue” and the law enforcement agencies and the Courts must keep their hands off. It seems the proposed IT Act no more satisfy the traditional purpose of law making, i.e. a measure to preserve and maintain social order. The public interest is different from the private interest that seems to have favoured the Committee while suggesting the deletion of section 80.
The correct approach is to give proper “training” to the police officers and judicial officers dealing with Cyber Laws so that justice can be done to the accused, victim and the society. The power of the police officers should not be taken away.
It would serve the interest of justice if the police officers “consult” the Cyber law experts before taking an action, till they are well equipped with the Cyber Laws.
Section 80A: Compounding of Certain Offenses
(1) Notwithstanding any thing contained in the Code of Criminal Procedures, 1973, any offense punishable under this Act may either before or after the institution of any prosecution be compounded by
(a) the Controller; or
(b) the adjudicating officers appointed under section 46, where the maximum amount of fine and/or imprisonment does not exceed such limits as may be specified by the Central Government.
on payment or credit to the Central Government of such sum as the Controller or the Adjudicating officer, as the case may be, may specify.
(2) Nothing in sub-section (1) shall apply to an offence committed by a person within a period of three years from the date on which a similar offence committed by him was compounded under this section.
Explanation: For the purpose of this section any second or subsequent offence committed after the expiry of a period of three years from the date on which the offence was previously compounded, shall be deemed to be a first offence.
(3) Where any offence is compounded before the institution of any prosecution, no prosecution shall be instituted in relation to such offence, either by the Controller or by the adjudication officer or by any other person, against the offender in relation to whom the offence is so compounded.
(4) Where the composition of any offence is made after the institution of any prosecution, such composition shall be brought by the Controller or the adjudicating officer in writing, to the notice to the Court in which the prosecution is pending and on such notice of the composition of the offence being given, the person in relation to whom the offence is so compounded shall be discharged.
This again is not a good suggestion to be accepted. The reasons are numerous and some of them will be discussed here.
Firstly, the Cr.P.C has been totally excluded in this context. The Cr.P.C contains section 320 that provides for the compounding of offences contained in I.P.C. Now section 320 is divided into two parts. Section 320(1) respects the party autonomy and victimology aspects. The victim can compound the offences specified in Table-1 without the intervention and permission of the court. Section 320(2), on the other hand, allows the victim of the offence to compound the offence with the permission of the court, for the offences mentioned in Table-2. Section 320(8) provides that a compounding of an offence under section 320 will amount to “acquittal’ of the accused. Now if section 320 is “overridden” by section 80A then “all the offences” related to Cyber Crimes and Contraventions under the I.P.C and other laws for the time being in force will be made automatically compoundable too because section 80A is not subject to “Tables” unlike section 320. Thus, practically the bar of “specified compoundable offences” is not there under section 80A.
Secondly, the blanket protection of compounding the offences and contraventions either before or after the institution of any prosecution without any safeguard of “specified compoundable offences” cannot be accepted to be rationale and reasonable in any society. If “all” the offences and contraventions can be compounded then there is no need of putting these offences and contraventions in the IT Act.
Thirdly, a “bar of jurisdiction” has been created by section 80A (3) if the offence or contravention has been compounded before the institution of the prosecution. Now suppose the “privacy” of an individual has been violated and he is planning to file a complaint before the competent authority. If that privacy violation is compounded before that complaint, then he cannot file that complaint at all. The worst part about this process is that there is no need of “consulting” the “aggrieved party”.
Fourthly, an ‘obligation” has been imposed upon the courts to discharge the accused if the compounding has been done after the institution of the proceedings. Thus, no discretion whatsoever has been given to the courts.
Section 81: General Provisions
(1) The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.
(2) Nothing that is permitted under the Copyright Act 1957 and the Patents Act 1970 as amended from time to time shall render any person liable for contravention of any of the provisions of this Act.
This is a welcome provision that will go a long way in the overall economic development of the nation. This will also reduce the chances of prosecution for innocent and inadvertent IT Act violations that are permitted as per Copyright Act and Patents Act. It would be better if the protection is also extended to other IPRs as well particularly the Trade Marks Act, 1999.
Section 85: Offences by companies
(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
Provided that nothing contained in this sub-section shall render any such person liable to punishment (if he proves-Deleted) unless it is proved that the contravention took place with (without-Deleted) his knowledge and connivance and that he failed to prevent such contravention. (or that he exercised all due diligence to prevent such contravention-Deleted).
This is a “peculiar” suggestion. It seems the Committee got confused with the “burden of proof” aspect between a “natural person” and an “artificial person”.
The law expects every person to act fairly, reasonably and diligently. That is why deviations from these standards are made punishable by the law. One cannot in the zeal of earning profit or in the sense of indifference take the law casually. There are certain well-recognised cardinal principles of criminal laws, which need to be discussed before proceeding further. These are:
(1) The ignorance of law is no excuse,
(2) The “presumption of innocence” continues until the guilt of the accused is proved,
(3) The guilt of the accused must be proved “beyond reasonable doubt”,
(4) No person is guilty of an offence unless it is accompanied by an act/ omission and the guilty intention for the same,
(5) The law may presume the guilty intention if the commission of the act is proved. This is known as “strict liability offences”, and
(6) The law may fix the liability of certain individuals on a “notional basis”. This usually happens where a company is involved in the commission of an offence or wrong. The imputation of criminal liability to certain “natural persons” is logical because a company, being an artificial person, cannot operate automatically. Thus, to conduct the affairs of the company certain natural persons are required, who alone can be saddled with the liability of the wrongs committed by the company.
Now it is logical and reasonable to fix the “burden of proof” upon the prosecution where natural persons are involved in the commission of an offence. The same yardstick and parameters cannot, however, be made applicable to an artificial person like company, though ultimately it is manned by natural persons. That is why the burden of proof is upon the company to prove its innocence. For instance, a natural person can be held liable for murder, grievous hurt, etc. If we are applying the “normal rules’ of criminal law then perhaps the Companies must also be held liable for “manslaughter”, grievous hurt, etc. That will bring absurd results. That is why a “reasonable classification’ has been made between natural and artificial persons and the same should not be mixed at any cost. If this suggestion is accepted, then we have to change all the existing laws that contain a “standard form clause” regarding the liability of the Companies. The liability clause in the IT Act is exactly same as is found in all other statutes. Even otherwise, in the ultimate analysis the prosecution has to prove the guilt of the accused beyond reasonable doubts once the preliminary burden of proof is discharged by the person managing the company. It seems the Committee has fixed the preliminary burden of proof upon the prosecution unlike other statutes where it is upon the company.
Cyber Law Consultant and Advocate
Delhi High Court
phone:: +91 11 9899169611.