V VENKATESAN IN THE FRONTLINE
Certain provisions in the rules notified under the IT Act cause concern about the security of sensitive personal information.
ON April 11, the Union Ministry of Communications and Information Technology notified new rules under the Information Technology Act, 2000, to regulate the use of the Internet. This led to widespread apprehensions that the government and private persons might gain free access to sensitive personal information concerning Internet users.
The government, however, clarified in a press release that the intent of the rules was to protect sensitive personal information and not to give the government undue powers to access such information. The government added that wide public consultations had been held before finalising the rules and that the rules had been endorsed by the stakeholders.
As the government is empowered to make rules in order to carry out the purposes of an Act, it is necessary to examine whether the rules have a nexus with such purposes. Among the four sets of rules notified on April 11, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, caused serious concern in civil society. Rule 3 in this set defines sensitive personal data or information as “such personal information which consists of information relating to password; financial information such as bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to the above clauses as provided to body corporate for providing service; and any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise”.
Rule 3 has an important proviso, which says that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, or any other law, shall not be regarded as sensitive personal data.
Rule 2(b) defines “biometrics” as technologies that measure and analyse human body characteristics, such as “fingerprints”, “eye retinas and irises”, “voice patterns”, “facial patterns”, “hand measurements”, and DNA for authentication purposes.
The controversial provision is Rule 6, which deals with disclosure of information. Rule 6(1) lays down that disclosure of sensitive personal data by a body corporate to any third party shall require prior permission from the provider of such information, unless such disclosure has been agreed to in the contract between the body corporate and the provider of information, or where the disclosure is necessary for compliance of a legal obligation.
Rule 6(1) carries a key proviso, which, its critics say, can be misused. It lays down that such information shall be shared, without obtaining prior consent from the provider of information, with government agencies mandated under the law to obtain information, including sensitive personal data for the purpose of verification of identity, or for prevention, detection, investigation, including cyber incidents, prosecution, and punishment of offences. The government agency, under this proviso, shall send a request in writing to the body corporate possessing the sensitive personal data or information, stating clearly the purpose of seeking such information. The government agency shall also state that the information so obtained shall not be published or shared with any other person. Many consider Rule 6(2) to be even more draconian. It says that notwithstanding anything contained in Rule 6(1), any sensitive personal data shall be disclosed to any third party by an order under the law. The safeguards in Rule 6(3) and 6(4) that the body corporate or the third party receiving such sensitive personal data shall not publish or disclose them further are considered weak.
Rule 7 elaborates on this. As the bar on the body corporate is only against publishing sensitive personal data, it may transfer such data to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these rules. The rule says that the transfer of such data may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and the provider of information or where such person has consented to data transfer. Critics ask whether these safeguards will be complied with absolutely, and if not, what the remedies available to a victim are.
R. Chandrashekhar, Secretary in the Department of Information Technology, said the rules were framed to fix the liability on service providers, intermediaries and bodies looking after the details of the users as the government could not allow complete insulation to anyone from any illegitimate activity that involved a body or a person. “The rules were made to define that liability and restrict that liability,” he clarified. He denied that the government intended to restrict free speech through these rules.
Rule 3 (2) requires that such rules and regulations, terms and conditions or user agreement shall inform users not to host, display, upload, modify, publish, transmit, update or share any information that belongs to another person and to which the user does not have any right to, and is grossly harmful, blasphemous, defamatory, obscene, pornographic, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever.
Powers to censor content
The loose language of this rule, critics fear, can be interpreted widely, and the intermediaries may enjoy extraordinary powers to censor content, resulting in unnecessary restrictions on freedom of expression.
Rule 3 (2) (i) requires the intermediary to ensure that the content posted by the user does not threaten the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or cause incitement to the commission of any cognisable offence or prevent investigation of any offence or is insulting to any other nation. Again, this rule is loosely phrased, and does not explain how the intermediary can conclude that a particular post “threatens to…”.
Rule 3(4) is even more mischievous. It requires that the intermediary, upon obtaining knowledge by itself or being brought to actual knowledge by an affected person in writing or through e-mail signed with electronic signature about any such information as mentioned in Rule 3(2), shall act within 36 hours and work with the user or owner of such information to disable it. Further, the intermediary has also to preserve such information for at least 90 days for investigation.
Rule 3(11) provides the remedy for an aggrieved user. It requires the intermediary to publish on its website the name of the grievance officer and his contact details as well as the mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of Rule 3 can notify their complaints. The grievance officer has been asked to redress such complaints within one month from the date of receipt of a complaint. Ironically, the rules do not provide content writers a means to defend their work or appeal a decision by the intermediary to remove content. The absence of natural justice in the rules will make it easy for critics to challenge them legally.
Google has expressed fears that the rules could impede its operations in India as it could become liable for questionable content posted by third parties and suffer great harm in terms of huge fines or other punishment. It is reported that the Indian authorities have asked Google to remove content that speaks ill of leading politicians. The Ministry has denied that it intends to acquire regulatory jurisdiction over content posted on the Web.