Crime Branch Advisory
The Nigerian Scam
Powers of State Governments Redefined by ITA 2008
With the passage of ITA 2008 (Amended ITA 2000), the role of State Governments in Cyber regulations has undergone a significant change.
The Section 90 of the Act which empowers State Government to make "Rules" for the purpose of implementing the provisions of the Act assumes new meaning under ITA 2008.
In ITA 2000, the section referred to powers required to be exercised under section 6 which was in relation to e-Governance requirements such as filing of forms, granting of licenses, receipt of money etc. There were not many other powers conferred on the State Government. Hence it could be interpreted that the powers of the State Government were intended to be used only for giving effect to Section 6 and perhaps sections relating to the powers of the Police.
Under ITA 2008, no change has been made to Section 90. However, the words "..without prejudice to the generality of the foregoing power.." used in Section 90 (2) assumes a greater meaning now since ITA 2008 envisages a lot more responsibilities and powers to State Governments under the amended provisions.
It is now no longer easy to restrict this section to only "Section 6" as it appeared appropriate in the earlier version. Now there are several more sections of ITA 2008 where State Government needs to exercise its powers.
One of the other sections under ITA 2008 which necessitates exercise of power by State Government is section 6A regarding delivery of services by service providers.
The provisions of Section 7A regarding audit of e-documents also apply to the State Governments and hence rules need to be framed for this purpose also.
Section 10 is another section under which rules are to be notified for use of digital signatures or other approved forms of electronic signatures if any.
Section 43 A which defines the liability of body corporates regarding handling of sensitive personal information makes a reference to "reasonable security practices and procedures specified in any law for the time being in force". Since the definition of "law" includes state laws and ordinances, it is possible for State Governments to define reasonable security practices for any class of users such as "Cyber Cafes", "Hotels", "Educational Institutions" or even "Households".
As regards the "Cyber Café Regulations", there is however a conflict in section 67 (C) where the Central Government alone has been vested with the powers to preserve and retain information in a particular manner and format for a specified duration. Presently some of the State regulations on Cyber Cafes already specify such information and hence the State Governments need to review the present notifications and modify them in accordance with the ITA 2008.
More importantly, sections 69, 69 A and 69 B provide powers to State Governments along with the Central Government to
a) Appoint an officer or agency of the Government specially authorized to to intercept, monitor, decrypt, block access to any content , collect traffic data or information generated, transmitted, received or stored in any computer resource.
b) to notify procedures and safeguards for exercising the powers as indicated in the above paragraph
c) Define the term "traffic data"
It is of course possible for the State Government to consider declaring any officer of the Police department as an officer for the purpose of these sections. However, since the Act has at different places mentioned the powers of the Police where relevant and has used the words "any officer" in Section 69 and "any agency of the Government" in sections 69 A and 69 B, it is perhaps the intention of the legislature not to vest the powers under Sections 69, 69A and 69 B with the Police either at the State level or with CBI or that National Investigating Agency at the Central level.
The State Government has to therefore determine and notify which officer or agency would be entrusted with the onerous responsibilities envisaged under these three sections and the procedures, safeguards etc to be associated with such appointment.
Further, under the modified Section 70, the appropriate Government can declare any "facility of critical information infrastructure" as a "protected system". The State Government has to frame rules and procedures to identify such systems, authorize appropriate persons in writing, how they are to be accessed etc.
Under Section 78 of ITA 2008, now Inspectors will be authorized to investigate cases falling under the Act, instead of the DSPs as per ITA 2000. State Governments which had presently set up Cyber Crime Police Stations with statewide jurisdiction need to review the system and consider if they need to declare more number of police stations as "Cyber Crime Police Stations" especially since the number of offences falling under ITA 2008 shall be far more than in the case of ITA 2000.
Under Section 79 A, the Central Government may designate any department, body or agency of the Central or State Government as "Examiner of Electronic Evidence". The State Government may have to therefore identify and recommend which state level agency can be notified for this purpose.
State Governments will therefore be exercising far more powers under the ITA 2008 than what was envisaged under ITA 2000. The powers also need to be accompanied by several definitions, procedures, safeguards, appointment of agencies etc.
In order to effectively formulate a strategy for the State Governments, they need to constitute an advisory body of experts which may be called the "Cyber Law Advisory Group" so that detailed action plan can be drawn up.