On 11 April 2011, the Union Ministry of Communications and Information Technology notified new rules under the Information Technology Act, 2000, to regulate the use of the Internet. This led to widespread apprehensions that the
government and private persons might gain free access to sensitive personal
information concerning Internet users. The government, however, clarified in a
press release that the intent of the rules was to protect sensitive personal
information and not to give the government undue powers to access such
information. The government added that wide public consultations had been held
before finalising the rules and that the rules had been endorsed by the
stakeholders.
As the government is empowered to make rules
in order to carry out the purposes of an Act, it is necessary to examine
whether the rules have a nexus with such purposes. Among the four sets of rules
notified on April 11, the Information Technology (Reasonable security practices
and procedures and sensitive personal data or information) Rules, 2011, caused
serious concern in civil society.
Rule 3 in this set defines sensitive personal
data or information as “such personal information which consists of information
relating to password; financial information such as bank account or credit card
or debit card or other payment instrument details; physical, physiological and
mental health condition; sexual orientation; medical records and history;
biometric information; any detail relating to the above clauses as provided to
body corporate for providing service; and any of the information received under
above clauses by body corporate for processing, stored or processed under
lawful contract or otherwise”.
Rule 3 has an important proviso, which says
that any information that is freely available or accessible in the public
domain or furnished under the Right to Information Act, 2005, or any other law,
shall not be regarded as sensitive personal data.
Rule 2(b) defines “biometrics” as
technologies that measure and analyse human body characteristics, such as
“fingerprints”, “eye retinas and irises”, “voice patterns”, “facial patterns”,
“hand measurements”, and DNA for authentication purposes.
The controversial provision is Rule 6, which
deals with disclosure of information. Rule 6(1) lays down that disclosure of
sensitive personal data by a body corporate to any third party shall require
prior permission from the provider of such information, unless such disclosure
has been agreed to in the contract between the body corporate and the provider
of information, or where the disclosure is necessary for compliance of a legal
obligation.
Rule 6(1) carries a key proviso, which, its
critics say, can be misused. It lays down that such information shall be
shared, without obtaining prior consent from the provider of information, with
government agencies mandated under the law to obtain information, including
sensitive personal data for the purpose of verification of identity, or for
prevention, detection, investigation, including cyber incidents, prosecution,
and punishment of offences. The government agency, under this proviso, shall
send a request in writing to the body corporate possessing the sensitive
personal data or information, stating clearly the purpose of seeking such
information. The government agency shall also state that the information so
obtained shall not be published or shared with any other person. Many consider
Rule 6(2) to be even more draconian. It says that notwithstanding anything
contained in Rule 6(1), any sensitive personal data shall be disclosed to any
third party by an order under the law. The safeguards in Rule 6(3) and 6(4)
that the body corporate or the third party receiving such sensitive personal
data shall not publish or disclose them further are considered weak.
Rule 7 elaborates on this. As the bar on the
body corporate is only against publishing sensitive personal data, it may
transfer such data to any other body corporate or a person in India, or located
in any other country, that ensures the same level of data protection that is
adhered to by the body corporate as provided for under these rules. The rule
says that the transfer of such data may be allowed only if it is necessary for
the performance of the lawful contract between the body corporate or any person
on its behalf and the provider of information or where such person has
consented to data transfer. Critics ask whether these safeguards will be
complied with absolutely, and if not, what the remedies available to a victim
are.
Concerns have been expressed over another set of rules, too. The Information Technology (Intermediaries guidelines) Rules, 2011, impose certain duties on intermediaries such as Facebook, Google and Twitter to observe due diligence. Rule 3 in this set requires that the intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary's computer resource by any person.
Rule 3(2) requires that such rules and regulations, terms and conditions or user agreement shall inform users not to host, display, upload, modify, publish, transmit, update or share any information that belongs to another person and to which the user does not have any right, and is grossly harmful, blasphemous, defamatory, obscene, pornographic, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating to or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever.
Rule 3(2)(i) requires the intermediary to
ensure that the content posted by the user does not threaten the unity,
integrity, defence, security or sovereignty of India, friendly relations with
foreign states, or public order or cause incitement to the commission of any
cognisable offence or prevent investigation of any offence or is insulting to
any other nation. Again, this rule is loosely phrased, and does not explain how
the intermediary can conclude that a particular post “threatens to…”.
Rule 3(4) is even more mischievous. It
requires that the intermediary, upon obtaining knowledge by itself or being
brought to actual knowledge by an affected person in writing or through e-mail
signed with electronic signature about any such information as mentioned in
Rule 3(2), shall act within 36 hours and work with the user or owner of such
information to disable it. Further, the intermediary has also to preserve such
information for at least 90 days for investigation.
Rule 3(11) provides the remedy for an
aggrieved user. It requires the intermediary to publish on its website the name
of the grievance officer and his contact details as well as the mechanism by
which users or any victim who suffers as a result of access or usage of
computer resource by any person in violation of Rule 3 can notify their
complaints. The grievance officer has been asked to redress such complaints
within one month from the date of receipt of a complaint. Ironically, the rules
do not provide content writers a means to defend their work or appeal a
decision by the intermediary to remove content. The absence of natural justice
in the rules will make it easy for critics to challenge them legally.
Powers to censor content
The loose language of this rule, critics
fear, can be interpreted widely, and the intermediaries may enjoy extraordinary
powers to censor content, resulting in unnecessary restrictions on freedom of
expression.