ITA 2000 Amendments ... Impact on IT Companies
The amendments passed by Parliament on December 22/23 to the eight-year-old ITA 2000 have been watched keenly by IT and ITES companies. Many are happy since the resulting ITA 2000 (Version 2008), which we prefer to call ITA 2008, has tried to address the demand for "Data Protection".
The earlier version of ITA 2000 did provide that data vandalism would be treated as an offence under Section 66 of the Act with three years' imprisonment, and that the victim was eligible to claim compensation of up to Rs 1 crore under Section 43. However, since there was no specific indication that this was a measure to protect data in the hands of BPOs, many in the industry were expressing the opinion that India does not have data protection laws. Though the Government introduced a separate bill called the "Personal Data Protection Act 2006" to meet this demand, the Bill is still pending in Parliament and is likely to lapse. Now ITA 2008 has tried to address the demand of the IT industry by specifically introducing two sections, namely Section 43A and Section 72A, which specify that they are measures towards "Data Protection". This may make the Personal Data Protection Act 2006 redundant and superfluous, at least to the extent of punishing breaches of the data protection responsibilities of BPOs.
It must be remembered that even now India does not have a separate "Privacy Protection Law", which means that no law has so far guaranteed citizens a right to protect their privacy, except for the constitutional rights. There is no definition of what is "Sensitive Personal Information", and there is no authority such as a "Data Commissioner" to whom complaints can be taken by a victim. There is also no obligation on countries other than India, to which India sends sensitive personal information for processing, to have an acceptable data protection mechanism.
It is not enough to simply declare compensation and an offence related to Data Protection. These were already there in the law, and ITA 2008 may make them a little clearer and a little more stringent. But does ITA 2008 have provisions that can be considered cardinal for "Privacy Protection"? Let's explore.
1. Our first stop in exploring the Data Protection related provisions in ITA 2008 will be Section 43A, which is reproduced here:
Section 43A: Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The first observation that we need to make here is that the limit for compensation, which was Rs 1 crore under Section 43 of ITA 2000, has been removed. In other words, there is no upper limit for the damages that can be claimed.
The Government is expected to define "Sensitive Personal Information" and it is the responsibility of "Body Corporates" to ensure that reasonable security practices are followed.
The definition of Reasonable Security Practice is to be determined in the following order.
1. As defined in a mutual contract between the vendor and the processor of data, or between a data subject and the data processor.
2. As specified in any law for the time being in force.
3. To be specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.
The IT and ITES industry should therefore first examine their SLA and, in its absence, examine whether there is any law that directly affects their activities. If neither exists, then the security practices to be specified by the Government as a follow-up to ITA 2000 would be followed. In the event the SLA makes a mention of security practices as defined in the Data Protection Act, HIPAA, GLBA, etc., then that will take precedence over any other security practice.
Industry may be happy with this clarification, but they should now be concerned about the possibility of large liabilities to which they would be exposed, as well as the need to comply with international laws. They also need to implement "Compliance Audits" so that they steer clear of being termed "negligent". The judgement of what constitutes "negligence" would be left to the wisdom of the "Adjudicator" in respect of claims up to Rs 5 crores and a "Civil Judge" in respect of claims beyond Rs 5 crores.
The unlimited liability under Section 43A is good for a country which is a net exporter of data for processing. But for a country like India, which is predominantly an importer of data for processing, the "unlimited liability" is like a sword hanging over the head of every BPO. Any major calamity may result in a huge international liability which may wipe out the BPO in one single case of security breach.
The wisdom of the IT industry in forcing the Government to impose liability and responsibility on it through changes to ITA 2000, instead of through a voluntary code of ethics, is perhaps questionable.
2. Our next stop in exploring the Data Protection related provisions in ITA 2008 will be Section 72A, which is reproduced here:
Section 72 A: Punishment for Disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force,
-any person including an intermediary who,
-while providing services under the terms of lawful contract,
-has secured access to any material containing personal information about another person,
-with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain
-without the consent of the person concerned, or
-in breach of a lawful contract,
-such material to any other person,
-shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both
Under this section, disclosure "without consent" or "in breach of lawful contract" exposes a person, including an "intermediary", to three years' imprisonment. The offence is cognizable but bailable.
The disclosure should be either intentional or with knowledge that it may result in wrongful gain or loss (to somebody).
The subject material should contain "personal information". We may note that this section does not use the term "sensitive personal information" as used under Section 43A. Hence, any personal information can invoke this section if the other conditions are satisfied. This applies only when the information is obtained in pursuance of a service offered.
Further, under Section 85, the liabilities that fall on a company under this section will extend to any officer in charge of the business, director, etc., unless "Due Diligence" is proved.
One concern about this section arises out of the use of the words "save as otherwise provided ... under any other law for the time being in force". This makes Section 72A subordinate to any such law, if it exists. This could be a source of nuisance litigation in the days to come.
Though there is no separate mention of a "Grievance Redressal Mechanism" for victims of data security breaches in the form of a "Data Commissioner", the adjudication process with the Cyber Appellate Tribunal must be considered an adequate replacement. What is lacking, however, is a method of proactive regulation such as "Compulsory registration of data processors" along with "De-registration as a means of penalizing a contravention".
The need for data exporters from India to enforce security norms has not been specified. However, the extra-territorial jurisdiction of this Act as per Section 75 may be interpreted as extending data protection obligations to any external party who, under a contract, takes up processing of data from India.
Some Areas of Concern for IT Companies
While the two sections, Sec 43A and 72A, directly impact IT companies dealing with data processing, some of the following sections also have a significant impact on IT companies and could be a source of irritation as well.
For example, under Section 67C, every "Intermediary" has the following obligation:
67C: Preservation and Retention of information by intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
An Intermediary is also a member of the IT industry and the definition in Section 2(w) is wide enough to include many service providers.
The definition states:
"Intermediary" with respect to any particular electronic records, means
any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and
includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.
We may note that this definition includes "Telecom Companies" such as AirTel or Reliance Infocomm or Tata Indicom. It includes Google, Rediff, Sify, Ebay.in, cyber cafes etc. It includes many BPOs who operate as back office service providers, Data Centers, HR service providers, etc.
It is clear that a very large number of IT companies come under the scope of Section 67C.
We are awaiting the notification regarding the time for which the specified information needs to be preserved under this section. It could be one year at the minimum and six to seven years at the outer end.
What is important to note is that any alleged non-compliance could expose the company and its executives to the penal provisions of this section as well as Section 65. Since this is a "Cognizable" offence, any "Inspector" of Police can now start questioning the CEO of a BPO on whether he is preserving the information intact, etc.
Will a Police Inspector consider it necessary to enter a BPO office and demand such information? Maybe initially this will happen with cyber cafes. Next it will happen at ISPs and small portal owners. But we never know whether the larger companies are immune to such intrusion.
No discussion on ITA 2008 on Privacy issues is complete without a reference to Sections 69, 69A and 69B which enable the Government to exert a huge influence on the Information Security industry.
While the powers which the Government has gained through these three sections are justified in the context of Cyber Security requirements, in the event appropriate safeguards are not enshrined in the rules and regulations, these three sections will become the most oppressive clauses of the new Act.
To understand the reasons for coming to such a conclusion, let us explore these three sections in depth.
For immediate reference of the readers, the three sections are first reproduced here.
Sec 69: Powers to issue directions for interception or monitoring or decryption of any information through any computer resource.
(1) Where the central Government or a State Government or any of its officer specially authorized by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order,
direct any agency of the appropriate Government
to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information transmitted received or stored through any computer resource
(2) The Procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed
(3) The subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to -
(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or
(b) intercept or monitor or decrypt the information, as the case may be; or
(c) provide information stored in computer resource.
(4) The subscriber or intermediary or any person who fails to assist the agency referred to in sub-section (3) shall be punished with an imprisonment for a term which may extend to seven years and shall also be liable to fine.
We may note that this section provides a designated agency of the Central or State Government access to any information stored in any computer resource, whether in a public place or a private place, whether at home or at office, with the excuse that it is required for the prevention or investigation of any offence. The power is not restricted to information in transit such as e-mails but extends to other information that may be stored.
This means that any Police officer (or such other agency as may be designated under this section), under the excuse of investigating an offence (whether in the interest of national integrity or otherwise), can walk into any IT company and demand to intercept (access) information.
It is to be noted that non-cooperation by the company can result in imprisonment of up to seven years.
The powers under Section 69 are oppressive enough to make one sit up and take notice. Sections 69A and 69B extend the powers further.
These sections state as follows:
Sec 69A: Power to issue directions for blocking for public access of any information through any computer resource
(1) Where the Central Government or any of its officer specially authorized by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-sections (2) for reasons to be recorded in writing, by order
direct any agency of the Government or intermediary to
block access by the public or cause to be blocked for access by public any information generated, transmitted, received, stored or hosted in any computer resource.
(2) The procedure and safeguards subject to which such blocking for access by the public may be carried out shall be such as may be prescribed.
(3) The intermediary who fails to comply with the direction issued under sub-section (1) shall be punished with an imprisonment for a term which may extend to seven years and also be liable to fine.
Sec 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize
any agency of the Government to
monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource
(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorized under sub-section (1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section (2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
The two sections extend the powers of interception and decryption in Section 69 to the power to block access and the power to demand "traffic data" from any person who is in possession of the relevant information. Refusal or non-cooperation is a cognizable offence.
These three sections therefore provide what can be described as "brutal" powers to certain agencies.
It is not necessary that the designated agency under these sections should be the "Police". However, it is perhaps inevitable that the Police will either be directly designated as the "Designated agency" under these sections or will be the authority that advises action under these sections to any other agency otherwise designated (as is presently the case with CERT-In in respect of blocking of websites with obscene content). It is possible that the proposed "Nodal Agency" designated under Section 70B (which is called the Indian Computer Emergency Team, a position that may be occupied by CERT-In after due notification) may be entrusted with the responsibility of implementing the powers under Sections 69, 69A and 69B. However, the nodal agency may act on the basis of recommendations received from the Police, since it may not have direct capability for investigations.
Has any IT industry representative thought about the possible misuse of these sections and what the consequences thereof would be? If not, it is time to do so, so that adequate safeguards can be simultaneously introduced. It is time to think about what such safeguards should be, how they should be implemented, which agency should monitor them, etc.
To repeat my earlier comment, in the current scenario of threats prevailing in India, it is perhaps difficult not to accept such draconian laws as necessary. However, it is the responsibility of all of us to ensure that the safeguards expected to be in place to prevent abuse of the powers under these three sections are adequate, so that the draconian powers are properly reined in and any abuse is adequately punished.
In particular, I consider it absolutely necessary that any agency which is given powers under these three sections should be answerable to a monitoring body which should have the powers to receive complaints from the public, conduct its own investigation even against Police officers involved and also prosecute them as necessary. There should be no immunity given to such officials against being held accountable for breaches of propriety and law.
Such an agency should be like the "Human Rights Commission" and should be an independent body devoted to the welfare of the netizens. It can be a new set up of a "Netizen Rights Commission" with the necessary powers. It should not simply be a judicial body with people who may not understand the technical issues involved. It must have representation of private persons of eminence who understand the technology issues and the human right violations that may arise therefrom.
If there are legal hurdles to creating such a commission, then it is suggested that a "Netizen's Rights Advisory Board" be created in every State, which should receive complaints, investigate, and give its recommendations. The recommendations may be taken up for implementation by the Human Rights Commission or the Courts to provide justice to the aggrieved.
In case appropriate safeguards and a monitoring mechanism are not immediately set up, there is a grave danger lurking ahead for IT companies and their executives, who may become pawns in the hands of law enforcement officers who know where the law pinches and are able to tickle the sensitive spots in the IT industry.