LIIofIndia Home | Databases | WorldLII | Search | Feedback

Indian Parliamentary Research Service Legislative Summaries

Parliamentary Research Service
You are here:  LIIofIndia >> Databases >> Indian Parliamentary Research Service Legislative Summaries >> 2006 >> [2006] INPRSLS 15

Database Search | Name Search | Recent Documents | Noteup | LawCite | Help

The Information Technology (Amendment) Bill, 2006 - Legislative Brief [2006] INPRSLS 15 (15 December 2006)

Legislative Brief

The Information Technology (Amendment) Bill, 2006

The Bill was introduced in the Lok Sabha on 15th December, 2006 and referred to the Standing Committee on Information Technology (Chairperson: Nikhil Kumar).

The Standing Committee presented its report in Lok Sabha on 7th September, 2007.

Highlights of the Bill

Key Issues and Analysis

Recent Briefs:

The Clinical Establishments (Registration and Regulation) Bill, 2007

November 13, 2007


The Private Detective Agencies (Regulation) Bill, 2007

November 2, 2007


Chakshu Roy

chakshu@prsindia.org


November 19, 2007


PRS Legislative ResearchCentre for Policy Research Dharma Marg Chanakyapuri New Delhi – 110021

Tel: (011) 2611 5273-76, Fax: 2687 2746

PART A: HIGHLIGHTS OF THE BILL1

Context

The Information Technology Act, 2000 (IT Act) is based on the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) in 1996.2 The IT Act provides legal recognition to electronic commerce transactions, allows electronic filing of documents and penalises computer related crimes. The government set up an expert committee to review the IT Act in January 2005. The committee which comprised of representatives from the government, IT industry, legal experts etc. submitted its report in August 2005.3

The committee recommended that the IT Act be made technology neutral. It revisited the provisions related to data protection and privacy and proposed stringent provisions for handling sensitive personal data. The committee addressed the issue of liability of intermediaries and suggested amendments using the European Union Directive on E-Commerce as the guiding principle.4 It suggested severe punishments to prevent child pornography. It also made recommendations on computer related crime and electronic evidence.Error: Reference source not found

Key Features

The Information Technology (Amendment) Bill, 2006 proposes to amend the IT Act to (a) make the authentication of electronic record technology neutral,5 (b) provide for protection of personal information, (c) change the name and constitution of the appellate tribunal, (d) limit the liability of intermediaries and (e) establish an examiner of electronic evidence. It specifies that publishing or transmitting of offensive or pornographic material in electronic form would be an offence. In addition the Bill amends the Indian Penal Code, 1860 to include new offences such as identity theft and recording or transmitting nude images of a person without his permission.

The proposed amendments in the Bill are compared with the existing provisions of the IT Act in Table 1.

Table 1: Comparison of the Bill with the existing law


Information Technology Act, 2000

Information Technology (Amendment) Bill, 2006

Definition

Intermediary” means any person who on behalf of another person receives stores, transmits or provides any service with respect to an electronic message.

The Bill adds to the definition of “Intermediary”. It specifically includes telecom, network, internet and web hosting service providers, search engines, online payment and auction sites, online market places and cyber cafes in the definition of intermediaries.

Body corporates handling “sensitive personal data” are excluded from the definition of intermediary.


Cyber Café not defined.

Cyber Café” means any facility from where internet access is provided to the public in the ordinary course of business.

Technology neutral

A person may authenticate an electronic record by a digital signature. Digital signature technology is a form of encryption.

A person may authenticate an electronic record by an electronic signature.* The Bill proposes to substitute the phrase “digital signature” with “electronic signature”. This change would make the IT Act technology neutral.

Protection of personal information

No Provision.

A body corporate shall be liable to pay compensation if it is negligent in implementing “reasonable security precautions” with respect to “sensitive personal data”. The liability would arise if the negligence leads to a wrongful loss or wrongful gain to a person.

A person is held liable if he discloses “personal information” which he accessed while providing services under a contract. The liability arises if the disclosure was made with an intention to cause or knowing that he is likely to cause wrongful loss or wrongful gain to a person.

Liability of intermediaries

An intermediary shall not be responsible for any third party information, data made available by him.

To avail of this protection he shall have to prove that data or content which led to the offence was committed without his knowledge or that he exercised due diligence to prevent the commission of such offence.

An intermediary shall not be responsible for any third party information, data or communication link made available by him.

This protection shall be available if the intermediary only provides access to information and if he does not (a) initiate/ select the receiver of the transmission, and (b) select or modify the information contained in the transmission. The protection is not available if the intermediary conspires or abets in the commission of the unlawful act. Upon receiving actual knowledge or being notified by the government authority about unlawful data or content the intermediary is required to remove such data or content or disable access to it.

Interception and monitoring of information

The power of interception is vested with the Controller of Certifying Authorities.

He may intercept any information transmitted through any computer resource in the interest of national security, sovereignty, public order etc.

The power of interception is now vested with the central government.

In addition to the existing circumstances under the IT Act, the central government may intercept /monitor any information transmitted through any computer resource for investigation of any offence.

New offences


The Bill adds eight new offences: five under the IT Act and three under the Indian Penal Code, 1860.

Offences under the IT Act include, sending offensive messages through a computer or mobile phone, publishing or transmitting material in electronic form containing sexually explicit act, disclosing information in breach of lawful contract.

Under the Indian Penal Code punishment is provided for identity theft, cheating by personation using computer resource and for recording or transmitting nude images of a person without his permission.

Change in penalties

More imprisonment, lower fines.

Less imprisonment, higher fines.

Electronic document filing with government

No provision.

The government may authorise any service provider to provide electronic document filing services to the public for a fee.

Formation and validity of contracts

No provision.

Contracts formed through electronic means shall not be unenforceable solely on the ground that the contract was entered into electronically.

Examiner of electronic evidence

No provision.

To give expert opinion on “electronic form evidence” before any court/authority the central government may appoint an “examiner of electronic evidence”.

Appellate Tribunal

The appellate authority under the IT Act is called the “Cyber Regulations Appellate Tribunal”. It consists of only one person to be appointed by the government.

The name of the appellate tribunal is changed to, “Cyber Appellate Tribunal”. It would consist of a chairperson and other members to be appointed by the government. One member of the tribunal would be a judicial member.

Sources: Information Technology Act, 2000; Information Technology (Amendment) Bill, 2006; PRS

PART B: KEY ISSUES AND ANALYSIS

Interception of Messages

I

Clause 33


n India letters, postal articles, phones, emails and computer messages can be intercepted by the government in the interest of national security, sovereignty, public order etc. The Bill expands the power of the central government to include interception of information transmitted through a computer resource for the purpose of investigation of any offence. Table 2 compares the power of the government to intercept messages sent through different mediums.


Table 2: Comparison of power of the government to intercept messages

Type of Message

Condition for interception

Law applicable

Letter/postal articles

On the occurrence of any public emergency; or in the interest of public safety or tranquillity

Sec 26, The Indian Post Office Act, 1898

Land line / mobile phones

On the occurrence of any public emergency; in the interest of public safety; sovereignty and integrity of India; security of the State; friendly relations with foreign States; public order; or for preventing incitement to the commission of an offence

Sec 5(2), The Indian Telegraph Act, 1885

Email / Computer messages (Existing law)

Sovereignty and integrity of India; security of the State; friendly relations with foreign States; public order; or for preventing incitement to the commission of a cognizablen offence

Sec 69, IT Act

Email / Computer messages (Proposed)

Investigation of any offence

Clause 33, IT Amendment Bill

Sources: The Indian Post Office Act, 1898; The Indian Telegraph Act, 1885; PRS

The Standing Committee on Information Technology, while reviewing the Bill, observed that “Public Order” and “Police” are state subjects as per Schedule VII of the Constitution. It was of the view that it would be appropriate and expedient to confer powers of interception on the State Governments in tune with the provisions of Section 5(2) of the Indian Telegraph Act, 1885. It also recommended that interception should be allowed for prevention of any cognizable offence in addition to the already prescribed grounds.


Data Protection

T

Clauses

20, 36

he European Union defines data protection as securing for every individual, respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data relating to him.
6 Separate legislation for data protection exists in many countries.7 India does not have specific legislation for data protection. The IT Act is a law to facilitate e-commerce and has some provisions for protecting data.


Lack of separate legislation for data protection implies that individuals have no control over how their personal data is collected, processed and used. Thus under the amended Act, companies are not prohibited from selling or sharing their customers personal data with telemarketers or recovery agents. Also the protection of data as proposed in the Bill is only against wrongful loss or wrongful gain and not against breach of privacy.

The Standing Committee observed that, there is no specific provision in the Bill for protection and retention of data. The Committee also observed that suitable provisions to define and protect personal privacy should be added.

Definitions

T

Clauses

20, 36

he Bill proposes to add two more provisions to protect data in addition to existing provisions. The first provision protects “sensitive personal data” and the second protects “personal information”.
8 The Bill requires the central government to define “sensitive personal data”. “Personal information” is not defined.


In the United Kingdom “sensitive personal data” consists of information as to the racial or ethnic origin of a person, his political opinions, religious beliefs, physical or mental health, commission of an offence etc. “Personal data” means data which relates to a living individual who can be identified from such data.9

Liability of Intermediaries

T

Clause 38


he Bill follows the European Union’s E-Commerce Directive to determine the extent of responsibility of intermediaries for third party data or content. As per the Bill intermediaries are not ordinarily responsible for third party content. However this protection is not available if the intermediary, upon receiving actual knowledge or on being notified about unlawful content, fails to quickly remove access to such data or content.


The Bill does not specify as to what constitutes actual knowledge. This could lead to intermediaries stopping access to data/content on receiving frivolous complaints without verifying their genuineness. At the other extreme it could also result in intermediaries requiring a detailed notice before they remove or disable access to content. The Bill also does not protect intermediaries from legal action if they, in good faith, remove data or content to prevent possible unlawful activity. The Bill also does not provide a mechanism for restoring access to data if false complaints are registered with them with respect to data/content.

In the United States, responsibility of intermediaries with respect to copyrighted content is regulated under the Digital Millennium Copyright Act, 1998. It establishes procedures for providing proper notice of unlawful data or content. It also specifies the time frame (10 to 14 days) in which access to data/content would be restored by an intermediary on receiving a counter notice from the data owner that the data is not unlawful. It also requires intermediaries to designate a person to receive notices about data/content. Actions of intermediaries taken in good faith are also protected.

Misuse of Access to Data

T

Clause 19


he IT Act makes a person liable to pay damages for copying, downloading or damaging data without permission of the owner. It does not cover situations where a person who has permission of the owner to do certain acts exceeds his mandate.
For example an employee may be permitted to access customer data, but could misuse such data. The expert committee constituted to review the IT Act had made a recommendation to prevent such misuse. This has not been incorporated in the Bill.


Child Pornography

The expert committee constituted to review the IT Act had recommended penalizing publication or transmission of child pornography through electronic form. This recommendation of the expert committee has not been incorporated in the Bill. The Standing Committee in its report observed that specific provisions should be incorporated to criminalise child pornography in tune with laws prevailing in advanced countries and Article 9 of the Council of Europe Convention on Cyber Crime.

Spam

T

Clause 31


he Bill makes sending of content which is grossly offensive or of a menacing character through a computer or mobile phone a punishable offence. The Standing Committee observed that the Bill does not adequately address the issue of unwanted commercial e-mails (spam).


Issues raised by the Standing Committee

The Standing Committee made several recommendations/ observations.

Table 3: Some recommendations/ observations of the Standing Committee

Topic

Standing Committee recommendations/observations

Cyber terrorism

Cyber terrorism has not been defined anywhere in the IT Act or in the Bill. Cyber terrorism is equivalent to waging war against the State. Stringent provisions should be incorporated in the IT Act to deal with such offences.

Jurisdiction of law

The provisions of the IT Act seem to be inadequate for enforcing the will of the State in cases where cyber crime committed against India from outside India.

India should be a signatory to an international convention on the issue of cross border cyber crime so that such crimes are tackled with promptly. India should take initiative in materialising such an international convention.

Technology neutral

Awareness should be created to educate people on the possible misuse/ abuse of digital signatures. Government should make digital records available to the public in people friendly and easily accessible formats.

Definition and liability of intermediaries

The definition of an “intermediary” is not very clear particularly in regard to the exclusion of a body corporate which deals with “sensitive personal data”.

A definite obligation should be cast upon the intermediaries in view of the damage caused to victims through reckless activities that are undertaken in the cyber space by using the intermediary’s platform.

The absence of due diligence to be exercised by the intermediaries like online market places/ auction sites, with respect to third party data or content would disturb the equilibrium with similar entities in the offline world. Due diligence to be exercised by intermediaries should be made a pre-requisite before giving immunity to intermediaries online market places and online auction sites.

Compensation for failure to protect sensitive personal data

The government should simplify the complicated adjudication process to ensure that the remedy of providing damages by way of compensation is effectively implemented.

Powers of civil courts

Circumstances under which the civil courts role come into play should be spelt out clearly and it should be clarified whether the civil court can restrict the jurisdiction of the appellate tribunal.

Training

The government in tandem with the industry should take some measures to initiate some basic training programs for all those dealing with cyber cases.

Sources: Standing Committee Report; PRS


International Comparison

Some of the issues related to the Bill as well as those raised by the Standing Committee are addressed by other countries in different ways. The corresponding provisions in the laws of the United States and the United Kingdom are summarised in Table 4.

Table 4: Some related provisions in the US and UK

Topic

United States

United Kingdom

India

Interception

Requires a court order for investigation or prevention of a crime. The long list of offences include those related to chemical weapons and terrorism.

Can be ordered by the government in the interests of national security or for the purpose of preventing / detecting serious crime or for safeguarding the economic well-being of the country.

Can be ordered by the government in the interest of national security, sovereignty and integrity of India etc. This Bill extends this to investigation of any offence.

Child pornography

Distribution, reproduction and possession with intent to sell are punishable with up to 15 years imprisonment.

Possession is punishable with maximum of five years imprisonment. Making an indecent image of a child carries a maximum sentence of 10 years imprisonment.

No specific provision.

Spam

Sending spam is illegal and punishable with one to five years imprisonment.

The European Union directive on Privacy and Electronic Communication prohibits the sending of spam.

No law on spam.

Cyber Terrorism

Damaging protected computers or computers used for national security or criminal justice is punishable with a maximum imprisonment of 20 years.

Collecting information of a kind likely to be useful to a person committing / preparing an act of terrorism is punishable with a term not exceeding 10 years.

No specific provisions to address cyber terrorism.

Sources: Various Acts10; PRS

Technology neutral means neither promoting nor discouraging the use of a particular technology. For example: A law requires that goods need to be transported from one point to another. Requiring the use of trucks to transport goods would make the law technology specific. Specifying that any means of transport may be used to transport goods, such as airplanes, railways, tempos, bullock carts etc., would make the law technology neutral.

*The term “electronic signature” is technology neutral. It describes the full range of technologies that can be used for authenticating an electronic record. It includes digital signature.



A cognizable offence (listed in the First Schedule to the Code of Criminal Procedure, 1973) is one in which a police officer may arrest a person without a warrant.

1Notes

. This Brief has been written on the basis of the Information Technology (Amendment) Bill, 2006 introduced in the Lok Sabha on December 15, 2006. The Parliamentary Standing Committee on Information Technology (Chairperson: Nikhil Kumar) submitted its report on September 7, 2007.

2. The model law was adopted by the General Assembly of the UN vide resolution A/RES/51/162, dated January 30, 1997.

3. Press release dated August 29, 2005 issued by the Department of Information Technology, Ministry of Communications & Information Technology. http://www.mit.gov.in/download/PressRelease.doc.

4. European Union Directive 2000/31/EC 8 June 2000.

5. This change is based on the Model Law on Electronic Signatures, it was adopted by UNCITRAL on July 5, 2001.

6. The Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, January 28, 1981.

7. United Kingdom enacted its Data Protection Act in 1984. Countries in the European Union have data protection legislation based on Directive 95/46/EC of the European Parliament. United States of America has sector specific data protection legislation with respect to online privacy of children (Children's Online Privacy Protection Act) and health records of individuals (Health Insurance Portability and Accountability Act).

8. Clause 20 and Clause 36 of this Bill.

9. Section 1(1) and Section 2, Data Protection Act 1998 of United Kingdom.

10. United States: The Omnibus Crime Control and Safe Street Act, 1968, The Child Pornography Protection Act, 1996, Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 2001. United Kingdom: The Regulation of Investigatory Powers Act, 2000, The Protection of Children Act, 1978, The Criminal Justice Act, Terrorism Act 2000. European Union: European Union Directive 2002/58/EC on Privacy and Electronic Communication.



DISCLAIMER: This document is being furnished to you for your information. You may choose to reproduce or redistribute this report for non-commercial purposes in part or in full to any other person with due acknowledgement of PRS Legislative Research (“PRS”). The opinions expressed herein are entirely those of the author(s). PRS makes every effort to use reliable and comprehensive information, but PRS does not represent that the contents of the report are accurate or complete. PRS is an independent, not-for-profit group. This document has been prepared without regard to the objectives or opinions of those who may receive it.



LIIofIndia: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.liiofindia.org/in/other/INPRSLS/2006/15.html