ASSOCHAM
CORPORATE
ASSOCHAM submission to Ministry of Communications
and Information Technology Cyber Regulation Advisory Committee on Information
Technology Act (December 2012)
At the outset, ASSOCHAM would like to place on record
its appreciation towards the Ministry for the step it took in reconstituting
the Cyber Regulation Advisory Committee, and for holding the first meeting of
the reconstituted body on November 29th with extensive participation from
industry, experts, and other critical stakeholders. We are grateful for being
invited to be part of the Cyber Regulation Advisory Committee, and look forward
to assisting in its upcoming meetings, in line with the Hon'ble Minister's
announcement that the Committee will meet on a regular recurring basis.
As requested by the Hon'ble Minister, we wish to use
the opportunity of this letter to offer consolidated inputs regarding the
subject taken up in the last Cyber Regulation Advisory Committee meeting;
namely Section 66A and the rules issued under Section 79. It is our sincere
hope that these inputs can be of use to the Committee, and the Ministry as a
whole, as the task of helping reform the regulations put in place by the
Information Technology Act (IT Act) is taken forward. ASSOCHAM believes this is
key to help drive forward the potential of the digital economy for India and to
demonstrate India as a world leader in Internet policy making and committed to
governance models in favour of openness and balance.
ASSOCHAM welcomes
the policy announcement made by the Minister in the last meeting of the Cyber
Regulation Advisory Committee that any penal action taken under the Information
Technology Act will be made subject to additional due process safeguards -
specifically that all such actions should be approved by police officers of a
certain designated rank. This measure by the Ministry is a positive one, which
should go some way in addressing the situation that had developed where
provisions of the Information Technology Act have been used in improper and
excessive ways. We urge the Ministry to publish the formal policy directive on
this soon; currently it has neither been published on the Ministry’s website nor
circulated across government departments. Specifically, we request the Ministry
to formally circulate the directive on this inter-departmentally – including to
the home departments of state governments across India alongside the Union
Ministry for Home Affairs and the Union Ministry for Law and Justice. This will
help ensure that the Government's clearly stated positive policy measure is
made clear to the wide spectrum of operating agencies and bodies involved in
such matters, which is a key factor in the measure being implemented in a way
to carry forward its intent.
Detailed inputs on the rules issued under Section 79 of the Act:
Section 79 of the
IT Act was amended to provide some degree of safe harbor to intermediaries who
had hitherto been subject to a strict liability regime which did not foster a
conducive legal framework and environment for the internet industry to flourish
in India.
Accordingly, the
amended Section 79 provided that no intermediary shall be liable for any third
party information, data or communication link made available or hosted by it if
the intermediary simply provided access to a communication system over which
information made available by third parties was transmitted or temporarily
stored or hosted or did not initiate transmission, select its receiver, and
select and modify information contained in the transmission. The amended
Section 79 also required the intermediary to observe due diligence while
discharging its duties under the IT Act and also to observe such other
guidelines as Central Government prescribed in this regard. This safe harbor,
however, would not be available to the intermediary if it conspired or abetted
or aided in the commission of an unlawful offence or did not expeditiously
remove or disable access to the third party data, information or communication
link upon receiving actual knowledge or on being notified by the appropriate government
or its agency that any such information, data or communication link is being
used to commit an unlawful Act.
What would
constitute sufficient due diligence or which is the appropriate Government or
its agency to notify intermediaries for taking down what kind of third party
information, data or communication link for what kind of unlawful acts were
matters that the Internet industry was hoping would be simplified by rules made
under this amended Section 79, which would be light touch and would allow
internet industry to grow.
The Rules provide
that the intermediaries shall act within thirty-six hours and where applicable,
work with the owner of such information to disable such information that is in
contravention of sub-rule 3(2) of the Rules. Industry understands that the intent
of the Government, as enshrined in the Act and Rules, recognizes that intermediaries
cannot pro-actively monitor content on their sites. However, it is respectfully
submitted that some provisions of the Rules could be more clearly defined.
We appreciate the Ministry’s efforts to engage with industry and other stakeholders in reviewing the IT Act rules. ASSOCHAM has provided inputs below on how the IT Act Section 79 rules can be reviewed. ASSOCHAM would be happy to provide any assistance that might be required for this review process.
Rule 3 (2):
Rule 3(2) is
overbroad and prescriptive. The guidelines currently do not provide appropriate
definitions of terms “grossly harmful, hateful, disparaging” etc. In the
absence of such definitions, they are left open to interpretation by the public at
large, specifically law enforcement officers in different parts of the country.
We recommend that such ambiguous words – which have been exposed to abuse - be
removed from the Rules as 'violates any law for the time being in force' is
covered in Rule 3(2)[e].
Further, an
intermediary is a private body which is not competent to determine compliance
or enforcement of the law. It would be arbitrary to create obligations on an
intermediary to take action upon receipt of complaint from an individual
without any independent legal determination of the validity of the claim and
whether the impugned content is actually unlawful. The Government should
consider the fact of bad actors misusing such measures to force intermediaries
to take down content even in cases where it may constitute legitimate speech
protected by free expression, or where content is clearly capable of varying
interpretations. To cover such clear cases, the Government must put in place
safeguards in the Rules, including possibly mandating that in cases where it
is not clear that content is unlawful, parties requesting takedown should
obtain a finding – even of a mere interim nature – from a court or appropriate
legal authority of the content appearing unlawful.
ASSOCHAM also wishes to submit that the
terms used in Rule 3(2) are open to varying interpretations. Though some of the
words used in the clause appear to be common with some of the terms contained
in Article 19(2) of the Constitution, it is important to note that Indian
judicial precedent itself holds that the grounds used in Article 19(2) should
be adjudicated on a case by case basis by courts. Every statute has to be
viewed in the background of the purpose intended to be achieved, the context of
its likely use and the existing institutional process for its implementation
and enforcement. ASSOCHAM believes that this is an important issue in the
current drafting of the Rules, and would be happy to provide additional inputs,
based on a cross-jurisdictional analysis, to aid the Government in its review.
Rule 3(3)
Section 79(2) (b)
provides that immunity granted to an intermediary under Section 79 (1) is
revoked if the intermediary is involved in modification of the content.
Consistent with the legislative intent of Section 79 of IT Act, Rule 3 (3)
broadly sets out that an intermediary should not be held liable for
user-generated content if it has not changed or modified the substance of such
allegedly unlawful content. The Rules currently do not explicitly recognize
that automated/algorithmic or other types of alteration can occur (e.g. -
transposition for change in viewing form/user interface,
translation/transliteration, or automated injection of advertisements) which
do not change the substance of the user-generated content. Such activities
include widely utilized tools, common systems and techniques which result in
automated processing, not affecting the substance of the user-generated
content. Exclusion of automated alteration from safe harbor enshrined under
Section 79 would be detrimental for the Indian industry and also deviate from
the globally accepted position.
It is recommended
that Rule 3 (3) expressly clarify that automated/algorithmic or other types of
transposition or alteration are not considered as modification or selection of
information, and sub-clause (a) of the proviso should be accordingly amended to
include any process where the user-generated content is not changed, including
automated code-generated processing of information.
Rule 3(4):
Clause 3(4) of the
Rules currently reads as follows:
“The intermediary,
on whose computer system the information is stored or hosted or published, upon
obtaining knowledge by itself or been brought to actual knowledge by an affected
person in writing or through email signed with electronic signature about any
such information as mentioned in sub-rule (2) above, shall act within thirty
six hours and where applicable, work with user or owner of such information to
disable such information that is in contravention of sub-rule (2). Further the
intermediary shall preserve such information and associated records for at
least ninety days for investigation purposes.”
We propose that the words “upon obtaining knowledge by itself” should be removed for the reason that the moment content is published, it is possible to presume that the intermediary had knowledge of the same, since the intermediary is in control of the said website and is responsible for running and operating the website in accordance with the laws of the land. The current language on this point in Clause 3(4) of the Rules appears to be beyond the legislative scope of Section 79 itself, given that the parent section only uses the clear words “actual knowledge” and does not use words requiring an “upon obtaining knowledge by itself” standard.
The rule is also
unclear as to what a service provider is expected to do or achieve in this time
frame of 36 hours - is he merely required to acknowledge receipt of the
complaint or is he required to take some definitive action? A requirement to act
in a strict time bound manner for any take-down request is not present in other
countries. It also conflicts with the website blocking process put in place by
Parliament and the Government under Section 69A. This portion of the Rules is also
being interpreted in an unclear manner, with some focus being laid on a view that
content should be taken down within 36 hours instead of the complaint only
being acted upon.
ASSOCHAM was
grateful for the clear view that the Hon'ble Minister provided in his remarks
at the last meeting of the Cyber Regulation Advisory Committee that this clause
should only be understood as mandating that an intermediary should acknowledge
receipt of a take-down request – and not a requirement to act within 36 hours.
Given the confusion that exists in the interpretation of this provision by law
enforcement agencies, courts, and in the legal notices directly sent to
intermediaries, it is critical that the Ministry categorically settle this by
amending this clause to state that the reference to 36 hours to act is only for
the intermediary to acknowledge receipt of a complaint. This change to the
Rules must also be widely publicized in order to make things clear when it comes
to implementation.
To summarize,
ASSOCHAM recommends that the term 'affected person' be defined more precisely
to cover a person who is directly affected by any content on the website of an
intermediary. The 36 hours for action as provisioned should be extended to 36 working
hours and the term 'action' should be clearly defined to be limited to meaning
acknowledging receipt of a takedown notice, alongside deleting the language
regarding “upon obtaining knowledge by itself”.
Rule 3(7):
Rule 3 (7) does not
prescribe a transparent procedure for investigative authorities’ requests for
information. It is imperative that a uniform standard and format for issuing
such requests is incorporated in the said Rules dealing with this subject
matter. Furthermore, the legality and constitutionality of Rule 3(7) have been
called into question in a sub judice matter before the Hon’ble Delhi High
Court.
The current framing
of Rule 3(7) in fact allows for cases where individual law enforcement agencies
can abuse due process, by using notices claiming powers under Rule 3(7) to
demand access to communications information even when the process demanded by
substantive legal provisions – such as those regarding interception or law
enforcement investigation requests in the IT Act and Telegraph Act – has not
been followed by them. In essence, it leaves open a loophole which leads to
misuse. Given the clear intent of the Ministry as stated in the Cyber
Regulation Advisory Committee to prevent such cases of misuse of the IT Act, it
is crucial for this issue to be addressed.
Therefore, the
recommendation is that Rule 3 (7) be deleted and uniform and transparent
processes for issuing notices for information under the IT Act be devised.
Rule 3 (11):
Rule 3 (11)
mandates intermediaries to appoint a grievance redressal officer. However,
intermediary services are always online and therefore a grievance redressal
procedure rather than a single officer would be of better utility to customers.
Such a process ensures timely (24x7) grievance redressal services to customers
in the absence of the grievance officer concerned.
Additionally, the
term ‘redressal’ is of wide import and the standard of redress for any
complaint is unclear. A complaint can be considered to be redressed if it has
been discharged to the satisfaction of the parties as per the terms of service
or if the individual has been directed to the law enforcement or other
appropriate agencies for formal processing of the complaint.
Therefore, Rule 3 (11) may be appropriately modified to require intermediaries to publish and communicate their grievance redressal processes and require appointment of a grievance officer only in the absence of such process. To help carry this out, intermediaries can be asked to provide a grievance team mail ID and/or a mechanism by which an affected person can communicate any complaints regarding content on the website of the intermediary.
Deterrent to curb possible misuse:
It is also possible
that unscrupulous persons may try and misuse the provisions of the Act and
Rules for personal benefit or for creating mischief. In this context we
respectfully submit that the following suggestions be considered for inclusion
in the Rules:
(a) the Rules
include a provision that provides for a penalty where a person makes groundless
threats and threatens an intermediary with legal proceedings or liability in
respect of content where such person is not the affected person or the
content is not in violation of law for the time being in force.
(b) the Rules also
provide that an intermediary may recover such damages, if any, as may be
sustained by reason of such threats or due to any action taken by the
intermediary on the basis of false and/or misleading information provided by
any person.
(c) the Rules
include penalties for making any false statements for deceiving or influencing
any authority or officer of the Government.