Published by Enhelion, 2019-11-21 09:34:06

Module_5

MODULE 5: DATA PROTECTION, PRIVACY AND CORPORATE COMPLIANCE

5.1 INTRODUCTION

With the advent of the Internet, it has become easy for anyone to gather, compile and
exploit the private information of individuals. What were once scattered, unimportant, small
bits of data have now become a potent large set of data that can be misused by companies or
by antisocial elements. This has prompted many countries to come up with legislation on
privacy.

5.2 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation
to collect data only for specified, explicit and legitimate purposes, as well as to only hold
data if it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards
faces sanctions. The Electronic Communications Privacy Act in the US governs the privacy of
e-mail in public e-mail systems. It bars interception, use, or disclosure of e-mail by third
parties and sets the standards which law enforcement authorities must meet to gain access
to e-mail.

5.3 INDIAN LAW RELATING TO PRIVACY

Significantly, India does not have any specific law governing privacy. The courts in India have
not yet had the opportunity to look at privacy issues relating to the Internet. Analogies to
the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with. The Constitution of India does not patently grant the fundamental right to privacy.
However, the courts have read the right to privacy into the other existing Fundamental
Rights: Freedom of Speech and Expression, under Article 19 (1) (a) and the Right to Life and
Personal Liberty under Article 21. In India, the right to privacy is one of the un-enumerated
rights granted to the individual.

Barring a few exceptions, the Fundamental Rights secured to the individual are limitations on
State action. They are not meant to protect persons against the conduct of private persons.
It is to be noted that the Constitutional guarantee of the right to privacy is valid only against
the State and no Constitutional remedy for violation of privacy lies against any individual.
Further, common law also does not provide directly for invasion of privacy. It seeks to provide
protection by the use of civil wrongs such as defamation and breach of confidence.
However, with the advent of e-commerce, such common law seems manifestly unsuited to
this environment.


As seen above, it may be difficult in India to prevent individuals/corporations from violating
privacy. There is, at present, no initiative on the part of the government to regulate privacy
of individuals against its encroachment by private parties.

5.4 SOLUTIONS AND REGULATION: AN EPILOGUE

5.4.1 A PERSPECTIVE ON POSSIBLE SOLUTIONS

Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign--protection of local citizens from fraud and antitrust violations--shows the
beneficial effects of a Cyberspace legal regime. How should we analyse "markets" for fraud
and consumer protection purposes when the companies at issue do business only through
the World Wide Web? Consumer protection doctrines could also develop differently online--
to take into account the fact that anyone reading an online ad is only a mouse click away
from guidance from consumer protection agencies and discussions with other consumers.
Nevertheless, that does not mean that fraud might not be made "illegal" in at least large
areas of Cyberspace. Those who establish and use online systems have an interest in
preserving the safety of their electronic territory and preventing crime. They are more likely
to be able to enforce their own rules. And, as more fully discussed below, insofar as a
consensually based "law of the Net" needs to obtain respect and deference from local
sovereigns, new Net-based law-making institutions have an incentive to avoid fostering
activities that threaten the vital interests of territorial governments.

Cyberspace could be treated as a distinct marketplace for purposes of assessing
concentration and market power. Concentration in geographic markets would only be
relevant in the rare cases in which such market power could be inappropriately leveraged to
obtain power in online markets--for example by conditioning access to the net by local
citizens on their buying services from the same company (such as a phone company) online.
Claims regarding a right to access to particular online services, as distinct from claims to
access particular physical pipelines would remain tenuous as long as it is possible to create a
new online service instantly in any corner of an expanding online space.

This text focuses also on technological developments as enabling change. But these
technologies will not determine the future of the Internet. The future will be determined by
individuals and organisations that find new uses for the technologies and policies that either
encourage or discourage certain activities. Existing and proposed uses raise important issues
in the areas of electronic contracts, authentication, taxation, jurisdiction, intellectual
property protection, privacy, consumer protection, security, reliability, competition policy
and standards, among others. Although the future is impossible to predict, it seems highly
likely that the exciting possibilities that we can envision based upon technological progress
will continue to raise new issues and demand creative policy responses.

5.5 SECURITY CONCERNS, TRADE SECRETS AND PRIVACY: DEVELOPING TRENDS

“One of the most facile and legalistic approaches to safeguarding privacy that has been
offered to date is the notion that personal information is a species of property. If this
premise is accepted, the natural corollary is that a data subject has the right to control
information about him and is eligible for the full range of legal protection that attaches to
property ownership.”1

As laws, policies, and technological designs increasingly structure people's relationships with
social institutions, individual privacy faces new threats and new opportunities. Over the
Internet as a medium, there has to be a harmonisation of the specific rules for the
treatment of personal information. India has no data protection laws. Having said this, the
ambit of "personal liberty" as covered by the Constitution of India has been successfully
interpreted in cases relating to privacy (Gobind v. State of M.P.)2 and protection of
confidential information. Over the last several years, the realm of technology and privacy
has been transformed, creating a landscape that is both dangerous and encouraging.
Significant changes include large increases in communication bandwidths; the widespread
adoption of computer networking and public-key cryptography; mathematical innovations
that promise a vast family of protocols for protecting identity in complex transactions; new
digital media that support a wide range of social relationships; a new generation of
technologically sophisticated privacy activists; a massive body of practical experience in the
development and application of data-protection laws; and the rapid globalisation of
manufacturing, culture, and policy making.

Potentially the most significant technical innovation, though, is a class of privacy-enhancing
technologies (PETs). Beginning with the publication of the first public-key cryptographic
methods in the 1970s, mathematicians have constructed a formidable array of protocols for
communicating and conducting transactions while controlling access to sensitive
information. These techniques have become practical enough to be used in mass-market
products, and sharp conflicts have been provoked by attempts to propagate them. PETs also
mark a significant philosophical shift. By applying advanced mathematics to the protection
of privacy, they disrupt the conventional pessimistic association between technology and
social control. No longer are privacy advocates in the position of resisting technology as
such, and no longer can objectives of social control (if there are any) be hidden beneath the
mask of technical necessity. As a result, policy debates have opened where many had
assumed that none would exist, and the simple choice between privacy and functionality
has given way to a more complex trade-off among potentially numerous combinations of
architecture and policy choices.

This contrast reflects another, deeper divide. Powerful socio-economic forces are working
toward a global convergence of the conceptual content and the legal instruments of privacy
policy. These forces include commonalities of technology, a well-networked global policy
community, and the strictures on cross-border flows of personal data in the European
Union’s Data Protection Directive. While the United States has moved slowly to establish
formal privacy mechanisms and standardise privacy practices over the last two decades, it
now appears that the globalisation of markets, the growing pervasiveness of the Internet,
and the implementation of the Data Protection Directive will bring new pressures to bear on
the American privacy regime.


1 (Arthur Miller: The Assault on Privacy: Computers, Data Banks and Dossiers 211 (1971)).
2 (1975) 2 SCC 148

The evolution of privacy policy, meanwhile, has interacted with individual nations’ political
philosophies. This interaction should be viewed not on a nation-by-nation basis but rather
as the expression of a series of partial accommodations between the uniform regulation of
data handling and liberal political values that tend to define privacy issues in terms of
localised interactions among individuals. (This tension runs throughout the contemporary
debate and will recur in various guises.)

One constant across this history is the notorious difficulty of defining the concept of privacy.
The lack of satisfactory definitions has obstructed public debate by making it hard to
support detailed policy prescriptions with logical arguments from accepted moral premises.
Attempts to ground privacy rights in first principles have floundered, suggesting their
inherent complexity as social goods. Privacy is more difficult to measure than other objects
of public concern, such as environmental pollution. The extreme lack of transparency in
societal transfers of personal data, moreover, gives the issue a nebulous character. Citizens
may be aware that they suffer harm from the circulation of computerised information about
them, but they usually cannot reconstruct the connections between the cause and effect.
This may account in part for the striking mismatch between public expression of concern in
opinion polls and the almost complete absence of popular mobilisation in support of privacy
rights.

The new technologies also have implications for conceptions of relationship, trust, and
public space. Technology and codes of practice determine whether databased
“relationships” between organisations and individuals are fair, or whether they provoke
anxiety. These concerns are a traditional motivation for data protection regulation, but they
are amplified by technologies that permit organisations to maintain highly customised
“relationships” by projecting different organisational personae to different individuals. Such
“relationships” easily become asymmetric, with the organisation having the greater power
to control what information about it is released while simultaneously obscuring the nature
and scope of the information it has obtained about individuals. Examine, for instance, the
conditions under which individuals can establish private zones that restrict access by
outsiders. A secure telephone line is arguably a precondition for the establishment of an
intimate relationship, an interest that has long been regarded as a defining feature of
human dignity. This concern with the boundaries that are established around a relationship
complements concern with the boundaries that are negotiated within a relationship. It also
draws attention to the contested nature of those boundaries.

Beneficial relationships are generally held to require trust. As the information infrastructure
supports relationships in more complex ways, it also creates the conditions for the
construction of trust. Trust has an obvious moral significance, and it is economically
significant when sustained business relationships cannot be reduced to periodic zero-sum
exchange or specified in advance by contract. Trust and uncertainty are complementary;
cryptography establishes the boundaries of trust by keeping secrets. This approach,
however, reduces trustworthiness to simple reliability, thereby introducing tacit norms
against trusting behaviour. Just as technology provides the conditions for negotiating
relationships, it also provides the conditions for creating trust. Legal systems evolve to the
institutional conditions by which a technical architecture comes to support these conditions
or else evolves toward a regime of coercive surveillance.

No matter how well crafted a privacy code might be, privacy will only be protected if the
necessary information practices are actually followed. Policy-makers need to understand
how privacy issues actually arise in the daily activities of information workers, and
organisational cultures need to incorporate practicable norms of privacy protection. Once
established, these norms will only be sustained if the public understands the issues well
enough to make informed choices and to assert their rights when necessary.

5.6 CONFIDENTIAL INFORMATION

Confidential information constitutes the essence of software development. From the
instructions/specifications received from the client/trade partners, to the algorithms
developed by the co-workers, every part of the development of an item of software code
involves the use of confidential information. All of this information is invaluable to the
software company developing the code and even more so to its competitors. There is no
copyright in ideas or information as such and accordingly there is no remedy under the
copyright law for unauthorised use of confidential ideas or information obtained directly or
indirectly by one person from another. A remedy will have to be sought by proceedings for
breach of confidence or breach of trust. The relief that can be obtained is by a suit for an
injunction or damages.

5.6.1 PROTECTION OF CONFIDENTIAL INFORMATION

If ideas and information are acquired by a person in such circumstances that it would be a
breach of good faith to disclose them to a third party or utilise them and he has no just
cause or excuse for doing so, the court will grant an injunction against him. It is well settled
that information imparted in confidence [especially information which is imparted in
confidence to servants and agents] will be protected. The courts will restrain the use of it if
it is a breach of good faith. The law on this subject does not depend on any implied contract.
It depends on the broad principle of equity that he who has received information in
confidence shall not take unfair advantage of it. He must not make use of it to the prejudice
of him who gave it without obtaining his consent.

5.6.2 NATURE OF CONFIDENTIAL INFORMATION

It is a matter of common knowledge that, under a system of free private enterprise and
therefore of competition, it is to the advantage of a trader/commercial entity to obtain as
much information as possible concerning the business of his rivals and to let them know as
little as possible of his own.

The information may be a trade secret, for example, a method of production not protected
by a patent, or a business secret, such as the financial structuring of an undertaking or a
piece of domestic ‘in-house’ information like the salary scale of clerks, or the efficiency of
the firm’s filing system. Some of this information would be of a highly confidential nature, as
being potentially damaging if a competitor should obtain it, some would be less so and
much would be worthless to a rival organisation.


5.6.3 CONFIDENCE IMPLIED IN A CONTRACT

If two parties make a contract under which one of them obtains for the purpose of contract
or in connection with it some confidential matter, even though the contract is silent on the
issue of confidence, the law will imply an obligation to treat that confidential matter in a
confidential way, as one of the implied terms of contract, but the obligation to respect
confidence is not limited to cases where the parties are in a contractual relationship.

5.6.4 CONFIDENCE IMPLIED BY CIRCUMSTANCES

An action for breach of confidence does not depend upon any right of property or contract
or right of law. It rests on an equitable obligation of confidence, which may be implied
from the circumstances of the case. Even if there exists no contractual relationship between
the plaintiff and the defendant, if a defendant is proved to have used confidential
information obtained directly or indirectly from the plaintiff and without his consent express
or implied, he will be guilty of infringement of the plaintiff’s rights.

5.6.5 IDENTIFICATION OF CONFIDENTIAL INFORMATION

In identifying confidential information, four elements must be discerned: First, the
information must be information the release of which the owner believes would be injurious
to him or of advantage to his rivals or others. Second, the owner must believe that the
information is confidential or secret, i.e. that it is not already in the public domain. It may be
that some or all of his rivals already have the information, but as long as the owner believes
it to be confidential, he is entitled to try to protect it. Third, the owner’s belief under the
two previous headings must be reasonable. Fourth, the information must be judged in the
light of the usage and practice of the particular industry or trade concerned. It may be that
information, which does not satisfy all these requirements, may be entitled to protection as
confidential information or trade secrets, but that any information, which does satisfy them,
must be of a type, which is entitled to protection.

5.6.6 ESSENTIAL REQUIREMENTS OF BREACH OF CONFIDENCE

Three elements are normally required if, apart from contract, a case of breach of confidence
is to succeed. First, the information itself must have the necessary quality of confidence
about it. Secondly, that information must have been imparted in circumstances importing
an obligation of confidence. Thirdly, there must be unauthorised use of that information to
the detriment of the party communicating it.

5.6.7 EXCEPTIONS TO BREACH OF CONFIDENCE

Where the information is such that it ought to be divulged in the public interest to one who
has an interest in receiving it, the Court will not restrain such a disclosure. Information
relating to anti-national activities, which are against national security, breaches of the law or
statutory duty or fraud, may come under this category. In fact, whenever there is strong
public interest in the disclosure of the matter, Courts may not consider such disclosure as
breach of confidence.

5.6.8 REMEDIES FOR BREACH OF CONFIDENCE

The remedies for breach of confidence consist of an injunction, damages and delivery-up
where applicable. The injunction may be interlocutory or permanent. The information may
remain confidential only for a limited period in which case, the injunction will not extend
beyond that period. Since the information, alleged to be confidential, might be of value to
the plaintiff only for a certain period, an interim injunction will ordinarily be granted only for
a specified period depending upon the circumstances and the nature of confidential
information.

In the balance of convenience, the following factors have to be considered:


whether the effect of an injunction would be harmful to the defendants;
whether the terms of the injunction are such that it is extremely difficult for the
defendants to know what they may do and what they may not do;
whether it is certain upon the material before the Court that even if they were
successful in the trial, the plaintiff would obtain an injunction rather than damages.

Damages or compensation is determined based on the market value of the confidential
information based on a notional sale between a willing seller and a willing purchaser. This
method may be more appropriate for confidential information relating to industrial designs
or processes or business secrets.

Where a plaintiff elects in favour of an account of profits, he will in the normal course
receive the difference between the sale price of the goods and the sum expended in
manufacturing them. The sum would be abated by the amounts, if any, expended by the
defendants as commission in relation to the contract.

5.7 EMPLOYEE PRIVACY RIGHTS

Employee privacy is considered one of the most important issues facing companies today3.
This is so because no longer is employee privacy relegated to the employer “monitoring
their workers’ performance by observing production lines, counting sales orders, and simply
looking over the employee’s shoulder.” Instead, employers now have the capability to
monitor their employees through electronic means, including computers and e-mail. This
“development of sophisticated technology is greatly expanding the advanced and highly
effective methods by which employers monitor the workplace.” (Larry O. Natt Gantt, II, An
Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8
Harv. J.L. & Tech. 345, 345 (1995)).

Although it is obvious that e-mail gives companies a great deal of technological advantages
and is an important tool in today's business world, it also creates a problem for employers
and employees in the area of employee privacy. The question becomes, do employers have
the right to look at employees’ e-mails, and do employees have a right of privacy that
should prevent such an intrusion? Employers argue that they need the right to electronically
monitor employees in order to enhance job performance, prevent theft, fraud, and other
illegal conduct. They also argue that productivity, efficiency, and quality controls are all
enhanced by electronic surveillance. The employee on the other hand, maintains that he has
an expectation of privacy, and that electronic surveillance is an invasion of that right. A
number of e-mail’s attributes led employees to believe these messages were their own
private communications (Benkler, Yochai, Rules of the Road for the Information
Superhighway: Electronic Communications and the Law, West Publishing, 1996 at 402). The
need for passwords, the ability to personally address e-mail, the use of the word “mail”, the
most confidential form of communication used by the public, in e-mail, and even the ability
to “delete” messages after reading them, all contribute to employee e-mail users believing
that their e-mail communications are private.

3 (Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Laws in the Age
of the “Electronic Sweatshop”, 28 J. Marshall L. Rev. 139, 139 (1994))

Functionally, a proper e-mail privacy standard lies at the confluence of two critical
questions: how much access do employers have to an employee’s workspace, and is that
access limited by a right of the employee to control their workspace; and how much of a
right do employees have to use the employer’s property as resources to pursue their own,
private purposes. The laws concerning this employee privacy are unclear at best, non-
existent in many situations, and still in discussion in India.

5.8 EMPLOYER PROTECTION

The question thus is how can an employer protect against liability. First, it is important to
reduce the employee’s expectation of privacy with notice, and second, it is important to do
so in a manner that evidences the employee’s understanding of the policy.

In Watkins [featured in The Times, July 2000], the employer warned employees that
business telephone calls would be monitored, but that personal calls would only be
monitored to the extent necessary to determine whether the call was personal or business.
The court held that this disclosure protected employees’ personal calls and only implied
consent to the monitoring of business calls. This implies that employers will escape liability if
they publish a policy expressly warning employees that all e-mail messages will be
monitored and not just business related ones. However, the scope of the employer’s
intrusion must be matched by a legitimate business interest justifying the invasion, such as
desire to protect business property or trade secrets.

The London law firm Baker & McKenzie suggests the following policy to protect employers
from employee e-mail invasion of privacy claims.
“The guidelines and warnings listed below are of critical importance and non-compliance
could in certain circumstances constitute a serious disciplinary matter.
1. Beware what you say in email or voicemail messages. Improper statements can give rise
to personal or company liability. Work on the assumption that messages may be read or
listened to by third parties.”4

4 (See www.netdoor.com/com/bakernet/publicat/europe/alrt21/t-alrt21.html for other warning
suggestions protecting employers’ interests).

Whether the current employer/employee relationship exhibits it or not, there is a judicially
created right to privacy. Privacy law has attempted to balance two basic interests: first, the
employer has an interest in minimising losses and injuries, preventing fraud and crime in his
workplace, and maximising production, productivity, and success. Second, the employee has
an interest in being free from intrusion into his/her private affairs. Neither of these basic
interests is more important than the other. In fact, privacy law has taken on a
“circumstances” based inquiry. How then, does this “circumstances” based inquiry apply to
the relatively new concept of privacy in the employer/employee context of e-mail
transmission?

The answer is, it really has not gone far enough. The Constitution does not explicitly give the
right to privately employed individuals, and there is some doubt whether it applies to e-mail
at all. At present, legislation is under review, but without an element of finality. Case law is
sketchy at best, and is not on point in e-mail and internet-related activities.

Therefore, to prevent unnecessary situations in the future, there are things that employers
and employees can do. First, employers should notify employees about policies that exist
within the company, which may allow the executive to search and conduct surveillance of
the employee. Thus, the expectation of privacy needs to be managed. Second, the employer
should limit the inquiry to matters associated with the workplace and the ability of an
individual to do their job. It probably does not benefit the employer to delve into an
employee’s personal e-mail. Third, employers should limit the amount of sensitive
information employees see. This would essentially negate the need to monitor. Fourth,
employers should not release any private information about the employee. Lastly,
employees should keep their personal correspondence where it belongs - at home and out
of the workplace. If both employers and employees practice these techniques, a more
compatible environment for e-mail monitoring will be available.

Nevertheless, one thing is for sure. Today, any company that uses e-mail must consider the
growing restrictions arising from both judicially created and statutory law. In
addition, any employer who is thinking about monitoring and “snooping” over e-mail had
better make sure that the employee has an awareness of this intent, because although the
laws are ambiguous today, the trend is toward a more protective environment for the
employee.

5.9 BREACH OF CONFIDENTIALITY AND PRIVACY: THE INDIAN PERSPECTIVE - AN ‘OFFENCE’ UNDER THE INDIAN INFORMATION TECHNOLOGY ACT, 2000 (IT ACT)

India has, as such, no specific privacy laws in place as yet. Yet, drawing analogy from the
rulings of the Indian Supreme Court on Article 21, one can safely presume that the existing
standards and case precedents of the developed world will have a significant impact on the
laws of India and the rulings of the Indian courts. There are obvious enhancements of the
scope of Article 21 in the cases of Kharak Singh and Gobind. The implementation of the
Information Technology Act, 2000, is bound only to strengthen this position.


Section 72 of the IT Act prohibits unauthorised disclosure of the contents of an electronic
record. Privacy, in fact, involves at least two kinds of interests; informational privacy interest
and autonomy privacy interest. Information privacy interest means interest in precluding
the dissemination or misuse of sensitive and confidential information. Autonomy interest
means interests in making intimate personal decisions or conducting personal activities
without observation, intrusion or interference. [Refer to Hill v. National Collegiate Athletic
Association, 865 P 2d 633 (1994)]. Both the interests deserve protection. In regard to
autonomy privacy interests, there are, however, certain limitations and exceptions as set
out in sections 67, 68, 69 of the IT Act, while Section 72 protects the informational privacy
interests. It prohibits disclosure of information received by a person in pursuance of the
powers conferred under the Act. Such disclosure is punishable with imprisonment for a
term, which may extend to two years and/or fine, which may extend to one lakh rupees.
Disclosure could, however, be made without any penal liability to the law enforcing agencies
or pursuant to proper authorisation by the Controller or with the consent of the concerned
person.

5.10 PRIVACY AND INTERNET LAW

Privacy protection is a critical element of consumer and user trust in the online environment
and a necessary condition for the development of electronic commerce. Three international
organizations have developed guidelines or rules that set forth basic consumer privacy
protections:

Organisation for Economic Co-operation and Development -- Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data5 (Privacy Guidelines)
(1980)

Council of Europe -- Convention for the Protection of Individuals with Regard to
Automatic Processing of Personal Data (1981)6

Articles 4 - 10 set out the basic principles for data protection.

Internet Privacy Guidelines (23 February 1999) -- practical, non-binding advice for
Internet users and service providers7

A good overview of the privacy rules and recommendations issued by the Council of
Europe8

European Union -- Data Protection Directive (1995)9

Articles 5 - 17 spell out in somewhat more detail the basic privacy principles.

Guide to the data privacy directive -- focuses on who is entitled to handle personal
information and how such information can be processed10.


5 http://www.oecd.org/dsti/sti/it/secur/index.htm
6 http://conventions.coe.int/treaty/EN/cadreprincipal.htm
7 http://www.coe.fr/dataprotection/rec/elignes.html
8 http://www.coe.fr/dataprotection/eintro.htm
9 http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
10 http://europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf


5.11 PRIVACY OVERVIEW

There are two aspects to the concept of privacy:

Consumer privacy - the right of individuals to control information about them generated or
collected in the course of a commercial interaction. Referred to in Europe as "data
protection."
Privacy rights of the individual against the government - the individual's protection against
unreasonable government intrusions on privacy, such as searches of the home or
interceptions of communications.

Internet law needs to address both sets of issues.

5.11.1 CONSUMER PRIVACY

Consumer privacy protection in the US and Europe, as well as under the guidelines of the
OECD, is based on the following principles:

Notice and Consent - before the collection of data, the data subject should be provided:
notice of what information is being collected and for what purpose and an opportunity to
choose whether to accept the data collection and use.

In Europe, data collection cannot proceed unless the data subject has unambiguously given
his consent (with exceptions).

Collection Limitation - data should be collected for specified, explicit and legitimate
purposes. The data collected should be adequate, relevant and not excessive in relation to
the purposes for which they are collected.

Use/Disclosure Limitation - data should be used only for the purpose for which it was
collected and should not be used or disclosed in any way incompatible with those purposes.

Retention Limitation - data should be kept in a form that permits identification of the data
subject no longer than is necessary for the purposes for which the data were collected.

Accuracy - the party collecting and storing data is obligated to ensure its accuracy and,
where necessary, keep it up to date; every reasonable step must be taken to ensure that
data which are inaccurate or incomplete are corrected or deleted.

Access - a data subject should have access to data about himself, in order to verify its
accuracy and to determine how it is being used.

Security - those holding data about others must take steps to protect its confidentiality.

5.11.2 PRIVACY PROTECTION AGAINST THE GOVERNMENT



The right to privacy is internationally recognized as a human right. However, most
governments claim the authority to invade privacy through the following means:


interception of communications in real-time
interception of traffic data (routing information) in real-time
access to data stored by service providers, including traffic data being stored for
billing purposes
access to data stored by users

These means of access to communications and stored data must be narrowly defined and
subject to independent controls under strict standards. Real-time interception of
communications should take place only with prior approval by a judge, issued under
standards at least as strict as those for police searches of private homes.

5.12 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation
to collect data only for specified, explicit and legitimate purposes, as well as to only hold
data if it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards
faces sanctions. In the Netherlands and New Zealand, codes of conduct or self-regulation
are also employed.

The Electronic Communications Privacy Act in the US governs the privacy of e-mail in public
e-mail systems. It bars interception, use, or disclosure of e-mail by third parties and sets the
standards which law enforcement authorities must meet to gain access to e-mail.

5.13 INDIAN LAW RELATING TO PRIVACY: AN EPILOGUE

Significantly, India does not have any specific law governing privacy. The courts in India have
not yet had the opportunity to look at privacy issues relating to the Internet. Analogies to
the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with.

The Constitution of India does not patently grant the fundamental right to privacy. However,
the courts have read the right to privacy into the other existing Fundamental Rights:
Freedom of Speech and Expression under Article 19 (1) (a), and Right to Life and Personal
Liberty under Article 21. In India, the right to privacy is one of the un-enumerated rights
granted to the individual. Barring a few exceptions, the Fundamental Rights secured to the
individual are limitations on State action. They are not meant to protect persons against the
conduct of private persons. It is to be noted that the Constitutional guarantee of the right to
privacy is valid only against the State and no Constitutional remedy for violation of privacy
lies against any individual.


5.14 IDENTIFYING GOALS AND OBJECTIVES

On December 18, 2000, the European Union and the United States issued a joint statement
regarding the necessity for building consumer confidence in order to further global e-
commerce. The joint statement went on to point out that generating consumer confidence
requires a combination of private sector initiatives and a “clear, consistent and predictable
legal framework.”

It went on to “reaffirm these important goals and objectives, including the agreement to
provide ‘active support for the development, preferably on a global basis, of self-regulatory
codes of conduct and technologies to gain consumer confidence in electronic commerce’.”

5.15 IMPLEMENTATION IS MORE DIFFICULT

Does the consumer in fact enjoy the same kind of protection in e-commerce that he or she
has in other kinds of transactions? Does the consumer need the same level of protection or
does the e-commerce consumer have greater relative bargaining strength? How much
should courts enforce agreements by consumers to give up valuable substantive and
procedural rights?

As with all worthy goals, the difficulty is in implementation. This fact is particularly true
when dealing with a worldwide medium like the Internet. Obviously, if we had the same
standards for e-commerce around the world, the system would be relatively clear and
consistent. But for global binding standards, we would need intergovernmental agreement,
which historically takes many years to reach.

Governmentally-endorsed guidelines and recommendations could be a fallback position, so
long as there was a reasonable amount of harmony among the various positions. The
American Bar Association in 2000 embarked on a special project, “Alternative Dispute
Resolution in Online Commerce” which hopes to develop a system of guidelines for ADR in
e-commerce disputes. The project focuses particularly on consumer disputes, since the
amount of money involved in consumer matters seldom warrants elaborate ADR machinery.

5.16 CONCERNS OF CONSUMERS

Studies show that key concerns on the part of consumers involve some or all of the
following:

Lack of confidence in online financial transactions, e.g., concern over misuse of debit and
credit cards.
Non-delivery or late delivery of goods and services.
Fraud.
Hidden costs, such as postal charges and taxes.
Unrestricted or hidden collection of personal data and channelling of such data to
third parties.
Lack of independent certification of website policies and practices.


5.17 FAILURE OF E-COMMERCE BUSINESS TO FOLLOW BEST PRACTICES

In September 2000, ClickSure conducted a best practice analysis of Internet business
websites in Europe and the United States. It measured six aspects: privacy, security, clarity
of website information, transaction management, quality and monitoring. Its resulting
report concluded that there was a clear failure to measure up to internationally-recognized
best practices.

Consumers International (“CI”) subsequently conducted a privacy study concluded in January
2001. It found that, although the majority of websites collected personal information from
the user, “only a tiny minority provided privacy policy that gave users meaningful
information about how that data would be used. It concluded that websites in both the U.S.
and E.U. fall woefully short of the standards set by international guidelines on data
protection.” According to the CI study, the majority of sites ignore even the most basic
principles of fair information use, such as telling consumers how their data will be used, how
it can be accessed, what choices the consumer has about its use and how the security of
that data is maintained.

5.18 THE INTERNET AND CONTRACTUAL CHOICE OF LAW AND FORUM

5.18.1 GENERAL CONSIDERATIONS

Many disputes involving electronic commerce arise between parties who are bound by a
contract determining the terms and conditions upon which they have agreed to interact.
Frequently, the online contract itself may provide that any dispute concerning it is to be
heard in the courts of a specified state (“choice of forum” clause or “forum selection”
clause) and is to be determined under the substantive law of a specified state (“choice of
law” clause).7

If parties to the contract are presumed to have equal bargaining power and, therefore, an
equal ability to accept or reject such clauses, the clauses are generally uncontroversial and
enforced. However, equality between buyer and seller has not always been presumed
when one party to the contract is a consumer. Instead, the seller is assumed to define its
market and set the terms of the contract for its own benefit. The buyer, in contrast, is
assumed to be confronted with either (a) accepting the terms imposed by one of a limited
number of sellers serving the buyer’s market or (b) forgoing the purchase. As discussed
above, in order to protect the customer from perceived disadvantageous choice of forum
and law clauses, the E.U. will enforce them only if they favour the consumer,8 although in
the U.S. they are enforced unless they are “unreasonable.”9

Matthew S. Yeo and Marco Berliri have offered an analysis and perspective on the problem
of determining the governing law in E-Commerce transactions. In a paper posted online,

7 Contract terms themselves, of course, also supply a set of substantive rules to govern the
transaction, which will be used by a court unless they violate the public policy of the forum.
8 See subsection I.A. 3 supra.
9 See subsection II. B. 2 supra


they posit three alternative E.U. approaches to resolve conflicts.10 The first is to simply
permit the merchant to designate any law that has a substantial connection to the
transaction. The difficulty is that the consumer may not know or be able reasonably to
determine his rights under such law. The resulting apprehension on the part of the
consumer may retard the growth of E-Commerce. The second alternative is to adopt the
mandatory rules concept. The contract can specify the law that will apply to the transaction
but would not trump mandatory consumer protection rules. This creates confusion and
increases the cost of compliance, because the merchant is required to be familiar with the
mandatory rules of each jurisdiction.

The third alternative, which the authors favour, is to harmonise national consumer
protection laws. This would create a lower cost mechanism, similar to the model rules
enjoyed by other areas of uniform law. Merchants would not have to learn the law of each
jurisdiction and consumers would know their rights irrespective of choice of law. Because
harmonization is such a monumental task, probably the only practical low-cost solution is a
system of e-commerce dispute resolution, such as that discussed later.


5.18.2 PRE-DISPUTE SELECTION USING CLICK-WRAP AGREEMENTS.

5.18.2.1 U.S. CASE LAW.

A “click-wrap” agreement is one which a provider of goods or services presents online to a
user, who can agree to the terms and conditions of the agreement by either clicking a
designated icon or button or typing specified words or phrases. In the on-line environment,
a user may view the terms and conditions on the screen, using a control such as a keyboard
or mouse to scroll through or otherwise navigate the terms, and then click a button or bar
indicating assent. A true click-wrap assent should be distinguished from a situation where the
terms and conditions are merely posted on the website and agreement to those terms and
conditions is implied without the user being required actually to expressly indicate
agreement.

Perhaps the earliest reported case in the U.S. supporting online agreement was the federal
appellate court decision in CompuServe, Inc. v. Patterson.11 This was not strictly a click-
wrap, since the user actually typed “agree” to an online agreement whose choice of
jurisdiction was used as one of several contacts to warrant holding the user subject to
personal jurisdiction in the service provider’s home state. Subsequently, a state court upheld a
click-wrap choice of forum by an AOL subscriber where the subscriber could only enrol on
AOL by clicking the “I agree” button placed next to the “read me” button or the “I agree”
button next to the “I disagree” button at the conclusion of the subscription agreement,
which contained the forum selection clause.12


10 <http://pubs.bna.com/ip/BNA/EIP.NSF/b3e99e4adbdfc8cc85256580004f6e47/f916e63b1616fb7b85256706001efe99?OpenDocument>
11 89 F.3d 1257 (6th Cir. 1996)
12 Groff v. America Online, Inc., 1998 WL 307001 (R.I. Super. May 27, 1998).


Another state court sustained a click-wrap forum selection where subscribers to the
Microsoft Network could click a box saying “I Agree” or another saying “I Don’t Agree” at
any time while scrolling the adjacent terms and conditions, which included the forum
selection clause, before registering for the service.13 Since the subscriber clicked “I Agree”,
the court drew an analogy to the pre-contractual opportunity to read the fine-print terms in
Carnival Cruise Lines and refused to treat electronic and paper presentations of terms
differently.

Another federal court found a click-wrap binding on the user as against a defence of
procedural unconscionability, where the arbitration clause appeared in the final paragraph of
the agreement under the caption “Miscellaneous”, which included provisions on choice of
law and forum.14 Finding the click-wrap binding, the court noted that the clause was in the same
font as the rest of the agreement, was freely scrollable and viewable without time
restrictions, and that a viewer had to agree to the online license agreement before being able to
install software from the provider’s website. A number of other cases have upheld clickwrap
choice of forum.15

More recently, courts have found grounds on which to decline to enforce consumer click-
wraps. Thus, the California Court of Appeal this year invoked a public policy exception to
consumer choice law.16 The trial court had found the forum selection clause in a clickwrap
agreement made during the installation process on CD-ROM unfair and unreasonable, because
the clause was not negotiated at arm’s length, was in a standard form contract, was not
readily identifiable by plaintiff in small text and placed at the end of the agreement, and was
contrary to California public policy giving its citizens specific and meaningful remedies that
are readily accessible and available. The prime difference between the Virginia consumer
law and that of California was that in California a consumer can bring a class action while a
Virginia consumer could not. It therefore found that a Virginia forum selection clause was
invalid.

The appellate court shifted the usual burden of proof to the party seeking to uphold a forum
selection clause contrary to California’s Consumers Legal Remedies Act (CLRA). It
emphasized the anti-waiver provision in the CLRA and California consumer protection

13 Caspi v. Microsoft Network, L.L.C., 732 A.2d 528 (N.J. App. Div. 1999)
14 In re RealNetworks, Inc., Privacy Litigation, 2000 WL 631341 (N.D. Ill. May 8, 2000).
15 America Online, Inc. v. Booker (“Booker”), 781 So. 2d 423 (Fla. Ct. App. 2001) (forum selection
provision in an online ISP subscription “freely negotiated” and not shown “unreasonable or unjust”;
decision unclear on whether agreement to the forum was express via a click-through or simply
implied in some way); Celmins v. America Online, Inc., 748 So. 2d 1041 (Fla. Ct. App. 1999)
(electronic agreement with Internet service provider enforced forum selection clause; no indication
whether there was click-through or implied assent); Lieschke v. RealNetworks, Inc., 2000 WL
198424 (N.D. Ill. Feb. 11, 2000) (arbitration clause on Real Networks site contained in a click-wrap
licence which users were required to traverse before they could download software to play and
record music); Rudder v. Microsoft Corp., 1999 Carswell Ont. 3195 (WL) (Ontario Super. Ct. Justice
Oct. 8, 1999) (Canadian court expressly upheld the validity of a forum selection clause in click-
through contract where subscription procedure required the user to accept the agreement terms
each time they appeared on the monitor, and entire agreement could be viewed by scrolling down
screen, with terms not analogous to fine print).
16 America Online, Inc. v. Superior Court, 90 Cal. App. 4th 1 (2001)


provisions, which would be substantially diminished in Virginia, but the court of appeals did
not explicitly rule on the validity of the click-wrap agreement.

A California federal district court declined to enforce a click-wrap in Ticketmaster, which
involved an online agreement where the home page of Ticketmaster’s website contained
instructions, a directory to subsequent event pages (each with a separate electronic address
and a hypertext link) and, upon scrolling to the bottom, terms and conditions, including
prohibitions against deep linking and against copying for commercial use, as well as a term
saying that anyone going beyond the home page thereby agreed to the terms and
conditions.17 There was no “I agree” button or other signification of assent by the website
user, who could go directly to the linked page without seeing the terms and conditions.
Later, the court reaffirmed its ruling.18 Addressing arguments of copyright and trespass, the
court briefly reiterated that the contract claim lacked “sufficient proof of agreement by
defendant.” The judgement was affirmed.19

A Massachusetts case declined to enforce a click-wrap in a class action lawsuit concerning
installation of software which damaged the user’s system before the user could review and
assent to the agreement.20 The agreement terms were accessible only by twice overriding
the default choice of “I Agree” and clicking “Read Now” twice. The court here also invoked
public policy, citing the impropriety of requiring residents of Massachusetts with small
claims to litigate in Virginia.

5.18.3 PRACTICES BY WHICH ONLINE PROVIDERS MAY PROPERLY OBTAIN ASSENT TO ONLINE TERMS

In those jurisdictions which will honour clickwrap choice of law and forum when fairness
requirements are met, legal practitioners should advise their clients to create the best
factual basis to support validity of the agreement. The goal involves several important
parts: 1) a reasonable opportunity for the viewer to access the terms and conditions and
review them; 2) sufficient conspicuousness and readability of the terms and conditions; 3)
clear and unambiguous manifestation of assent to the terms and conditions; 4) preclusion of
online contracting by a viewer who has not clearly manifested consent.

To satisfy the first requirement, proposed terms that involve any choice of law or forum
should be presented to the user before the user has any opportunity to take an action to be
bound by the agreement’s terms. All the terms should either appear automatically or the
user should be required to click on a clear icon or hyperlink that accesses the terms. The
user should then be afforded sufficient opportunity to review the agreement terms,
with the ability to read the terms at his or her own pace and to navigate back and
forth in the terms by scrolling or changing pages. Once the user views the terms, those
terms should remain accessible to the user for further reference.


17 Ticketmaster Corp. v. Tickets.com Inc., 54 U.S.P.Q. 1344, 2000 U.S. Dist. LEXIS 4553, 2000 WL
525390 (C.D. Cal. March 27, 2000)
18 2000 WL 1887522 (C.D. Cal. Aug. 10, 2000)
19 2001 WL 51509 (9th Cir. Jan. 8, 2001) (unpublished).
20 Williams v. America Online, Inc., 2001 WL 135825 (Mass. Super. Ct. Feb. 8, 2001)


In the U.S., sufficient conspicuousness includes having the format and content of the terms
comply with requirements in applicable laws, such as the Uniform Commercial Code, as to
notice, disclosure language, conspicuousness, and the like. The terms should be in plain
language and legible. It is equally important that other information on the website should
not contradict the agreement terms or render the agreement ambiguous.

The format of the assent must comply with any applicable laws requiring particular assent
to a particular type of term, as well as an overall assent to all of the terms. It is desirable
that there be an express statement, just before the user is able to click his agreement,
that stresses the effect of agreement. Thus, the user might be expressly warned that: “By
clicking ‘I agree’ below you acknowledge that you have read, understand, and agree to be
bound by the terms above.”

In order to assure that the user has the opportunity to see all of the agreement before
assenting, it is advisable to place the means of assent at the end of the agreement terms. It
is also important to use clear language of assent, e.g., “I agree,” “I consent,” or “I assent,”
rather than more ambiguous language, e.g., “Continue,” “Submit,” or “Enter.” Such clear
language of assent should be combined with a clear choice for the user not only to assent
but to reject the terms and to be informed of the consequence of rejection. Ideally, the
option to reject will occur at the same point in the process where final assent is requested,
and involve an equally clear and unambiguous button or term, such as “I disagree,” “I do
not agree,” “Not agreed,” “No,” or “I decline.”

Finally, a user who rejects the online agreement should not be able to take the transaction
any further, without choosing to go back and specifically agreeing to the terms and
conditions.

5.18.4 TOWARD LOW COST AND TRUSTED DISPUTE RESOLUTION: NOTES BY WAY OF EPILOGUE

One of the conclusions drawn by the report prepared by the American Bar Association’s
two-year Project on Jurisdiction in Cyberspace was that cyberspace may need new forms of
dispute resolution, in order to reduce transaction costs for small value disputes and have
structures that will work effectively across national boundaries.21 Following submission of
the report, the ABA constituted a multi-disciplinary special committee to develop criteria
and recommendations for such a dispute resolution system. That group has held a number
of meetings over the past eleven months, starting in late November 2000, and is
currently working on a set of guidelines which might form a worldwide-acceptable basis of
dispute resolution procedures. If industry and consumers can both “buy in” to such
guidelines, consumers may become more comfortable in online transactions, and the question
of whose law and forum should apply will become essentially moot.

In conclusion, the e-Commerce Law set forth a number of provisions intended to secure B2C
transactions. The provision of general and pre-contractual information, the clarification of
the contract formation process, the grant of a right of withdrawal and the requirement

21 Report, Achieving Legal Business Order in Cyberspace, 55 BUS. LAW. 1801,1824 (2000).


placed on the provider to bear the burden of proof regarding a number of obligations
resting on him are favourable to consumers and should assist in building confidence for
online transactions. Nevertheless, the right of the providers to bring electronic evidence is
not so clear.

The provider should also make sure that the T&C comply with general consumer law
provisions. For international transactions, the providers will need to ensure that the site
architecture and the T&C comply not only with Luxembourg laws, but also with the laws of
the country of the buyers’ place of residence, as consumer protection provisions usually
cannot be derogated from.

Finally, the intent of the Law, which is to give consumers a satisfactory level of protection by
giving them a number of rights, is partly defeated by the fact that the e-Commerce law is
not clear on the applicable sanctions in the event that its consumer protection provisions
are not complied with. Moreover, the existing dispute resolution mechanisms are not
adapted to small online transactions and no recognition is made in the Law of electronic
dispute resolution mechanisms.

5.18.5 CONSUMERS PROTECTION AND PRIVACY: THE UK PERSPECTIVE

The principal commercial advantage of using the internet, and also perhaps its biggest
drawback, is its ability to transmit vast amounts of data almost simultaneously to any number of
persons in any number of locations virtually anywhere in the world. However, this is also a
concern for companies doing business electronically where personal information about
individuals is involved, whether this involves existing or prospective clients, employees or
other third party individuals. There is a huge sensitivity surrounding the use of personal
data in databases, both in the United Kingdom and the European Union, of which businesses and
lawyers alike need to be aware. The European Union and certain other jurisdictions such as
Australia, Canada and Hong Kong have enacted data protection legislation to protect
individuals in their respective jurisdictions. These laws have a major effect on the use of the
internet.

5.18.5.1 PRIVACY POLICIES

By 1998, the vast majority of the top 100 visited websites had included privacy policies.
However, a recent Consumers International survey of 751 e-commerce sites worldwide
revealed that while two-thirds of sites collected personal data, the majority did not give the
individual users a choice as to whether such data was to be kept private, or that there was
any prohibition on it being passed to third parties or kept on the collector’s mailing list.

5.18.5.2 UK DATA PROTECTION ACT

Under the EU Data Protection Directive and the UK implementing legislation, the Data
Protection Act 1998, a party to the European Economic Area (EEA) who is controlling
personal data must:


use the data held fairly and lawfully;
obtain data for specified purposes and use it only in ways compatible with those
purposes;
hold only such data as is adequate, relevant and not excessive;
ensure the data is accurate and up to date;
not retain the data longer than necessary for the stated purposes;
take appropriate measures against unauthorized or unlawful use of data and its
accidental loss or damage;
not transfer data outside the EEA except to a country that ensures an adequate
level of protection of a data subject’s right in that data.

Personal data will not be regarded as being held or used fairly or lawfully unless the data
subject has consented to that use (although there are a limited number of exceptions). In
general, a data controller may not do anything in contravention of the above principles
except with the consent of the data subject.

Consent can be either explicit or implicit. This may consist of the site visitor knowing that
the data will be collected or used for a specific purpose, e.g. completing a purchase order
form. However, if the information is sensitive personal data, express consent is required.
Express consent requires, at the very least, a positive act such as clicking on a tick box to
indicate consent. Sensitive data includes such matters as information relating to racial,
political or sexual matters.

Data subjects also have a right, subject to paying a small fee, to be given details of data held
on them by any organization.

Privacy policies in the United Kingdom should be written accordingly. They therefore need
to contain:

the identity of the collecting entity which has control of the data;
a clear statement of the uses of the data;
details of the persons receiving the information, if such is the case, and those to
whom it may be transferred outside the EEA;
clarification, where relevant, that the information has been collected by means of a
‘cookie’. (A cookie is a file stored by a browser on an individual’s computer system
that holds information. Typically, such files store information to identify site users,
such as their names, addresses and e-mail details, and to record a user’s choices or
preferences. This means of gathering information may not be apparent on the face
of the site.)
the express consent of the subject, where sensitive data is collected;
a statement that the data subject has a right to view the information held by the
recipient;
an opt-out box for one or more of the specified purposes for which the information
is collected;
a statement of the safeguards relating to transfer where the information is to be
transferred outside the EEA.

5.19 TRANSFERRING DATA TO THE UNITED STATES AND THE SAFE HARBOUR SCHEME


The privacy policies that many US companies have put in place are at least equal to those
commonly found on European-based websites. However, under the Data Protection
Directive (and the UK enabling legislation), European companies are not permitted to
transfer data to countries outside the EEA that do not ensure adequate data protection.
There is no exemption for intra-group transfers; e.g., this prohibition would apply prima
facie to a UK company that transfers personal data obtained from its website to its US parent.

The European Union’s expectations of what is ‘adequate’ are stringent. In addition to the need
to adapt the legislation and data principles applicable to EU Member States, the European
Union requires that each government must establish a relevant agency that monitors data
protection, and keeps a mandatory register of entities processing personal data. For
example, an EU-based company may legitimately transfer data to Hong Kong as it satisfies
the necessary requirements.

The European Union has now reached agreement with the US Department of Commerce
such that, subject to compliance with certain safe harbour rules, data may be transferred to
the United States. Transfer of data to members involved in the scheme may be made
without the need for specific consent from the affected data subject. However, this does
not remove the requirement that the EU data subject must know the uses to which the data
will be put, including any intended transfers of that data.

5.20 CYBERCRIME: CONCEPTS AND LEGAL THEORY

‘Cybercrime’ has emerged as a distinct category of study and an ever increasing problem
requiring the sustained attention of governments, law enforcement agencies and judicial
systems of countries world-wide. Jurisdictions that already had developed computing and
digital communications infrastructure have, over the last decade or so, been forced to
confront the reality of criminal expansion into the ‘cyberworld’, and to evaluate and
understand the adequacy of existing legal systems in order to ensure the necessary
transnational investment and co-operation.

Through the course of this brief chapter, it must be emphasised that whether in India or for
that matter, anywhere in the world, criminal or penal sanctions can only be one element of
the overall response to cybercrime. Moreover, as has been seen from bitter experience,
such sanctions are not necessarily the most efficient or desirable form of response. Other
ways of preventing or minimising the harm of cybercrime include technological measures,
regulatory controls and civil proceedings. In the last resort, most jurisdictions have
recognised the need for some form of punitive measures, particularly where the level of
criminality or harm caused or threatened is especially serious.

5.20.1 CYBERCRIME: DEFINING ASPECTS

There is no universally accepted general definition of cybercrime; no national legislation
provides us with a definition or explicitly employs the term11! Cybercrime comprises two
overlapping domains. The first is illegal activities directed at or perpetrated through the use
of computers. This can include crimes through and via the medium that is the Internet:
willful damage to computer systems or networks, unlawful access to or interference with
the operation of computer systems, transmitting offensive or illegal content and committing
fraud or other offences through the use of the medium12.

The second related area is the protection of information. This has been a concern of legal
systems from well before the introduction of modern technologies of mass-communication,
but is clearly brought into focus by the development of global networked computer-based
information media such as the World Wide Web and the Internet13. Principal legal measures
related to the protection of information from unlawful use, distribution or exploitation
include intellectual property laws, privacy laws, laws relating to secrecy and national
security, and laws relating to unfair commercial advantage.

5.20.2 CYBERCRIME LEGISLATION WORLD-WIDE

A more systematic international understanding of the legal aspects of cybercrime is
emerging through sources such as:

• The Council of Europe’s Draft Convention on Cybercrime (Council of Europe 2001)14;
• The United Nations symposium on “The Challenge of Borderless Cybercrime” held in
  conjunction with the Palermo signing conference of the Convention Against
  Transnational Organised Crime (see Grabosky 2000; Tan 2000);
• The United Nations President’s Working Group on Unlawful Conduct on the Internet
  (United States Department of Justice 2000)15;
• Cross-national comparative studies such as Cyber Crime … and Punishment? Archaic
  Laws Threaten Global Information (McConnell International 2000)16.

The most significant international development is the Council of Europe’s Convention on
Cybercrime (final draft released on 25 May 2001). The text, which has taken almost four
years and many redrafts to reach its present form, was approved by the Parliamentary
Assembly (24 April 2001) with recommendations to include provisions on human rights and
a protocol to ban “hate speech”, and adopted by the European Committee on Crime
Problems at its 50th plenary session (18-22 June 2001). The final draft will be submitted to
the Committee of Ministers for adoption during its 109th Session, on 8 November 2001.

11 An analysis of legislation introduced in Asia relating to crimes on the Internet is not quite illustrative
as regards a definition. For instance, the laws introduced in Malaysia [1997] covering computer
crimes, copyright, telemedicine and digital signatures were promoted by the Malaysian Government’s
Multimedia Super Corridor as a package of “cyberlaws”
[http://www.mdc.com.my/msc.comm/html/cyberights01.html]. In India, Chapter X of the Indian
Information Technology Act 2000 establishes the “Cyber Regulations Appellate Tribunal”: Ministry of
Law, Justice and Company Affairs [Legislative Department], accessible through the Ministry of
Information Technology web site at http://www.mit.gov.in/itbillmain.htm. The Australian Parliament is
currently considering the Cybercrime Bill 2000 [introduced 27 June 2001]; see
http://www.aph.gov.au/legis.htm.
12 Grabosky, P.N., Smith, R.G. & Dempsey G. 2001, Electronic Theft: Unlawful Acquisition in
Cyberspace, Cambridge University Press, Cambridge.
13 Tan, K.H. 2000, “Prosecuting foreign-based computer crime: International law and technology
collide”, Symposium on the Rule of Law in the Global Village, Panel on Borderless Crime, 12-14
December 2000, Palermo; see http://www.odccp.org/palermo/convmain.html.
14 Council of Europe 2001, Draft Convention on Cybercrime [Final Draft and Explanatory Note],
European Committee on Crime Problems and Committee Experts on Crime in Cyber-Space,
Strasbourg, 29 June 2001; see http://conventions.coe.int/treaty/EN/projets/projets.htm.
15 United States Department of Justice 2000, The Electronic Frontier: Unlawful Conduct Involving the
Use of the Internet, Report of the President’s Working Group on Unlawful Conduct on the Internet,
March 2000; see http://usdoj.gov/criminal/cybercrime/unlawful.htm
16 McConnell International 2000, Cyber Crime…and Punishment? Archaic Laws Threaten Global
Information, online report; see http://www.mcconnellinternational.com/services/CyberCrime.pdf.

The convention will be the first international treaty to address criminal law and procedural
aspects of various types of criminal behaviour directed against computer systems, networks,
or data and other types of similar misuse. Signatories to the Convention include the 43
member states of the Council of Europe plus the United States, Canada and Japan.

The legal analysis that follows adopts the Council of Europe’s classification of computer
offences, and also reviews offence provisions under national intellectual property laws.

5.20.3 ADEQUACY OF LEGISLATION

Countries can be initially categorised according to whether they have:

1. basic criminal and commercial laws;
2. a developed system of intellectual property laws; and
3. legislation directed specifically at computers and electronic commerce.

Each of the countries considered below may be observed to fall within one or more of these
categories, with most satisfying the second category and having made some progress
towards the third. Whether the existing legal system in any country can adequately address
cybercrime depends on the precise scope and interaction of its criminal, commercial,
intellectual property and computer-related laws. As a general rule, however, the
development of each of the later categories has been necessitated in part by the perceived
inadequacy of legal remedies provided by other categories. The reliance on specific
intellectual property laws to protect valuable information, for example, is partly attributable
(in jurisdictions based on the English system) to the common law doctrine that information
is not properly capable of being stolen. Thus, information piracy is not amenable to
prosecution under the criminal law relating to theft or dishonest acquisition17. In many
countries there are also difficulties in prosecuting under criminal law acts which may be
performed outside the jurisdiction but which result in harm within the jurisdiction, such as
the posting of offensive or obscene content on the Internet.

Clearly, there are also significant differences in the legal, social and political contexts within
which these laws have been formulated and are enforced. Before reviewing the legislative
provisions, it is useful to explore these contexts in greater detail.

5.20.4 FEARS OF OVER POLICING

During the parliamentary debates and discussions leading up to the enactment of the
Information Technology bill, the Indian Internet Community awaited the final shape of the
proposed legislation. Understandably, there were fears over possible excessive policing.
Observers wondered whether the draconian provisions would fit into existing Indian
Criminal and Commercial laws18.

17 Grabosky, P.N. & Smith, R.G. 1998, Crime in the Digital Age: Controlling Telecommunications and
Cyberspace Illegalities, Transaction Publishers/Federation Press, New Brunswick, New Jersey.

Some provisions attracted controversy and were the focus of debate in the Parliament and
within the Internet and legal community. These provisions are:


• Section 79 wherein police personnel have been granted extensive powers to arrest
  and seize material from individuals and corporates;
• Section 73 (a) which makes it mandatory for a person hosting a website or a portal on
  a server located in India to give details of the website, portal, person and such other
  details as may be prescribed by the Controller; failure will entail a penalty;
• Section 73 (b) wherein the government mandates that all people visiting cyber cafes
  will have to maintain a log sheet of all the web sites visited by them. Failure will
  entail monetary penalty and imprisonment [later removed from the legislation].

5.20.5 LIABILITY OF NETWORK SERVICE PROVIDERS (NWSP)

Certain activist groups have been asking for Network Service Providers / Internet Service
Providers ("ISPs") to be made responsible for information which is transmitted through
their systems. The reason for doing so would be to try to put a check on any mischief which
may take place through such systems and to affix the liability on the ISPs. However, the
impossibility of monitoring millions of mails and accesses has prompted the government to
absolve NWSP/ISPs from any third party civil and criminal liability.

There are divergent views on such a provision. The ISPs have hailed this move, as they are
now able to provide access without the tension of undue interference or the prospect of
civil or criminal liability. However, activist groups have criticised this provision and seek an
amendment.

5.20.6 COMPUTER CRIME AND DATA PROTECTION

After the Love Bug crisis, legal experts have realised the lacuna that exists in the current
legal regime in India. If such a virus or contaminant was launched in India and the culprit
were to be arrested then under the current legal framework, such a person would not be
punishable.

An extensive definition clause defines numerous activities that can amount to a cyber crime.
Under this provision, almost every conceivable computer mischief can face civil and criminal
liabilities.


18 The Indian Information Technology Act 2000 attempts to recognise electronic business and it does
so, by amending several archaic legislations like the Indian Evidence Act, 1872, Indian Penal Code,
1860, General Clauses Act, 1897, the Reserve Bank of India Act, 1934 and the Bankers Book
Evidence Act, 1891. Through the amendment of these laws it will now be possible for courts to
recognise digital signatures and electronic records and hence permit electronic commerce.


Perhaps to give teeth to this provision, the IT Bill further empowers a police officer not
below the rank of Deputy Superintendent of Police (DSP) to investigate such an offence,
who has the powers to enter any "public place" and conduct a search and arrest without a
warrant if he/she suspects that a computer crime is being committed. This provision has
faced a lot of criticism from Human Rights activists who suspect that this provision may be
abused to violate the fundamental rights of the Indian citizens19.

5.20.7 ADJUDICATION AND CYBER APPELLATE TRIBUNAL

An Adjudicator shall adjudicate Cyber crime. The decision of Adjudication may be appealed
before the Cyber Appellate Tribunal. A further appeal may be preferred before the High
Court. The following are the drawbacks of such an elaborate adjudicatory process:

The Adjudicator and the officers of the Cyber Appellate Tribunal are not required to have
any technical or Internet related qualifications. In the eventuality of a cyber crime or cyber
dispute relevant knowledge of technology is of critical importance.

The abovementioned appellate framework ensures that there is no finality to such a dispute
and such dispute may continue ad nauseam. In the Internet world, speedy and timely
dispute resolution is of critical importance. The prescribed dispute resolution mechanism
suffers from all the infirmities of present day dispute resolution in India. This means that in
the Internet age such disputes could continue for years, which would cripple the eBusiness.

5.20.8 SPAMMING AND PRIVACY

The modern day e-consumer is flooded by innumerable junk mails. Also in any eBusiness,
employers or other third parties may monitor e-mails depriving the users of their right to
privacy. The present IT Bill does not prevent spamming and anti-privacy issues by making
them punishable.

5.20.9 TECHNOLOGY SPECIFIC

The IT Bill is technology specific and the entire legislation is based on digital signatures
based on "double key encryption". Further, many "techies" argue that soon double key
encryption may be replaced by a more sophisticated third generation of biometric
technology. Under this technology encryption is based on biological inputs of the user e.g.
thumb impression, retina scan, DNA fingerprinting etc. In such a situation, the IT Bill will
need to be replaced with another law as the current law is technology specific. However, it
is recommended that 'technology neutral' legislation be formulated, where a change
in technology will not require a change in legislation. Under such a legal framework,
whatever technology is used for encryption, certain standards will have to be maintained for
a digital signature to receive legal recognition.

19 Not every police officer enjoys such extensive powers under the Act. Only officers above the
position of a DSP may exercise these powers. Furthermore, such powers cannot be delegated and
will come under judicial scrutiny. Cyber crime happens at Internet speed and since very little
infrastructure is needed for conducting such a crime, evidence can easily be concealed or destroyed.
In such a situation, an investigating officer might not find time to obtain a search warrant and such a
provision is necessary. This provision ousts the Code of Criminal Procedure, wherein ordinary police
officials may enter into the premises and conduct a search or make arrests in case of cognizable
offences. It is infinitely better to have a senior and trained official exercise discretion in conducting
such searches or raids, rather than have a police sub-inspector or a head constable investigate such
an offence.

5.20.10 THE ANATOMY OF FRAUD UNDER INDIAN LAW: THE QUESTION OF MENS REA

The term ‘fraud’ has not been defined in the Indian Penal Code. Nevertheless, Section 25
of the Indian Penal Code does attempt to define the word ‘fraudulently’ by saying that there can
be no fraud unless there is an intention to defraud. The word fraud is clearly defined in
Section 16 of the Indian Contract Act, 1872. However, this definition cannot be made
applicable in criminal law.

In general, fraud is committed in three different ways:

• To deprive a man of his right, either by obtaining something by deception or by
  taking something wrongfully without the knowledge or consent of the owner;
• To withhold wrongfully from another what is due to him, or to wrongfully prevent
  one from obtaining what he may justly claim; and
• To defeat or frustrate wrongfully another’s right to property.


Whenever the words ‘fraud’, ‘intent to defraud’ or ‘fraudulently’ occur in the definition of a
crime under the IPC, two elements, at least, are essential to the commission of that crime:

• Deceit or an intention to deceive; and
• Either actual injury or possible injury or intent to expose some person to actual or
  possible injury.

The main intent and principal object of the fraudulent person is in nearly every case, his own
advantage. A practically conclusive test as to the fraudulent character of a deception for
criminal purpose is whether the author of the deceit derived any advantage from it, which
he would not have had if the truth had been known. If so, that advantage would generally
have an equivalent in loss or risk of loss to someone else; and if so, there is fraud.


It is submitted that this definition of fraud encompasses within its fold scams on the
Internet. Both the essential requisites of fraud, i.e. deceit or intention to deceive and actual
or possible injury to an individual or a group of individuals, are present in such scams. All
such scams, whatever their modus operandi, are intended to gain advantage for some, almost
always at the risk of loss to others. Sections 415 to 420, IPC detail the law relating to
cheating. The grounds for these provisions to be attracted are the same as that of fraud, i.e.
dishonesty, deceit etc. In the case of Internet scams, relevant sections relating
to the crime of cheating, such as cheating by impersonation (Section 416), cheating with
knowledge that wrongful loss may ensue to the person whose interest the offender is
bound to protect (Section 418), etc., may be applied according to the facts of the case.

5.20.11 PERSPECTIVE ON POSSIBLE SOLUTIONS


Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign—protection of local citizens from fraud and antitrust violations—shows the
beneficial effects of a Cyberspace legal regime. How should we analyse “markets” for
fraud and consumer protection purposes when the companies at issue do business only
through the World Wide Web?

Cyberspace could be treated as a distinct marketplace for purposes of assessing
concentration and market power. Concentration in geographic markets would only be
relevant in the rare cases in which such market power could be inappropriately leveraged to
obtain power in online markets—for example by conditioning access to the net by local
citizens on their buying services from the same company (such as a phone company) online.
Claims regarding a right to access to particular online services, as distinct from claims to
access particular physical pipelines would remain tenuous as long as it is possible to create a
new online service instantly in any corner of an expanding online space.

Consumer protection doctrines could also develop differently online—to take into account
the fact that anyone reading an online ad is only a mouse click away from guidance from
consumer protection agencies and discussions with other consumers. Nevertheless, that
does not mean that fraud might not be made “illegal” in at least large areas of Cyberspace.
Those who establish and use online systems have an interest in preserving the safety of
their electronic territory and preventing crime. They are more likely to be able to enforce
their own rules. A consensually based “law of the Net” needs to obtain respect and
deference from local sovereigns; new Net-based law-making institutions have an incentive
to avoid fostering activities that threaten the vital interests of territorial governments.

5.21 E-BUSINESS REGULATION: NOTES ON COMPLIANCE ISSUES IN THE “BORDERLESS ECONOMY”

Achieving legal and business order in cyberspace forms but another step in the quest for
knowledge that is perhaps the special legacy of the new millennium20. For commercial
interests eager to gain ground in the new order, ironically, the Internet is at the same time
intimidating and indispensable, essential for business success. The issue of regulation is
replete with unanswered e-business issues that desperately need to be clarified as
companies operate electronically across the globe. Some of the regulatory issues are:


• Whose law governs contracts that are formed online? Are contracts valid without a
  physical signature? Do the same laws apply to both consumers and businesses?
• Can the actual electronic transmission between countries be subject to taxes or
  tariffs? Are product and service sales treated the same under local law? Who
  decides?
• What are acceptable forms of online promotion? Are firms with websites that link to
  other sites using questionable tactics putting themselves at risk?
• When the buyer sends his address and phone number to the seller, whose laws
  determine the restrictions on the use of that data? How is the seller’s credit card
  number protected? Who is empowered to address disagreements that might arise?
• What tariffs and taxes are due? How are they accounted for and paid?
• When a transaction crosses a border, what consumer protection is available? What
  additional risks do sellers assume?
• What happens if the seller does not get paid? Where do consumers return damaged
  goods purchased online? Does business-to-business commerce operate predictably
  across all trading jurisdictions?
• How can buyers and sellers enforce their rights in foreign countries? What
  international treaties apply? Does enforcement differ geographically? By product or
  service type?
• Many laws applicable to global e-business are not yet clear. Does it make sense to
  move aggressively to gain first mover advantage? Or wait? How can an individual
  company protect its interests?

20 Report of the American Bar Association (“ABA”) Jurisdiction in Cyberspace Project empanelled in
1998 under the title, “Transnational Issues in Cyberspace: A Project on the Law relating to
Jurisdiction”.

Questions, questions with not-so-obvious answers. Business in the new economy will mean
that traditional business approaches don’t necessarily apply when viewed through the lens
of the digital environment. E-business is a completely different way to transact ordinary
business. Since new, unfamiliar business practices are routinely scrutinised by governments
and regulatory organisations, one can expect continued regulatory review, especially where
consumer protection and economic welfare are at stake.

E-business shrinks the optimal regulatory action. New business arrangements with industry-
wrenching impacts can take effect in months, not years. This rapid change means that
regulatory issues must be addressed early on to avoid overly “reactive” responses that can
be counterproductive.

E-business effectiveness depends on a regulatory environment that is both supportive and
predictable. While onerous rules can be stifling to business interests, regulatory indecision
can be similarly disruptive. In order for e-business to work best, business must accept equal
responsibility with governments to point the way.

5.21.1 COMPANIES, INDUSTRY ‘VIGILANCE’ AND AUDITS

Companies must remain vigilant both to protect their business interests and ensure that
they can proceed securely in uncharted territory. While some maintain it is unrealistic to
have no restriction whatsoever on e-business, yet others shudder at the burden various
bureaucracies might place upon the Internet. Most are hopeful that industry, driven by
market forces, will ultimately regulate itself. If that fails, however, a wide range of
regulators can be expected to step in forcefully.

Perhaps industry groups could identify potential and real ‘hurdles’ and attempt a solution.
The vast majority of regulatory hurdles facing Internet businesses today relate to traditional
considerations whose scope and application are transformed by the global character of the
electronic market. This industry along with CII should examine key international issues and
identify major international institutions that are addressing them. The issues include:

• International trade and tariffs
• Data Security
• Encryption
• Infrastructure and Access
• Intellectual Property Rights
• Liability: Choice of Law and Jurisdiction
• Content
• Competition Law
• Self-Regulation
• Privacy

5.21.2 WEB AUDITS AND COMMERCIAL STRATEGY: AN ADVANTAGE

According to Internet surveys, the fastest growing Web sites are those which provide a
place for personal expression, such as chat rooms, message boards, email and personal web
pages21. In addition, "e-tailing," or retail sales over the Web has exceeded industry
expectations. Online sales tripled from $3 billion in 1997 to $9 billion in 1998. By the year
2000, commerce on the Internet is expected to generate $30 billion22. Not surprisingly,
many companies are launching Web sites to establish their presence on the Internet and to
introduce themselves to the emerging online consumer market.

In doing so, many of these companies enter into new businesses, and some may enter into
regulated industries. Each of these Web site owners--whether they are software vendors,
search engines, banks or auction houses--becomes a publisher, in addition to their original
core business. And, because of the thick competition to offer more and better services on
the Web, Internet companies frequently move from their core business to entirely new
ventures as sales agents, financial information providers, mail providers, and more. This
article outlines some of the issues arising from operating a Web site in India and offers some
suggestions to minimise legal risk.

For a variety of reasons, initial and periodic legal audits for content liability issues on a Web
site play an important role in managing a company’s risk on the Internet. First, for Web site
operators located in India, there are a number of constitutional and statutory
protections for these "New Media" publishers, similar to the protections long enjoyed by
traditional publishers, such as newspapers, magazines and TV or radio broadcasters. The
same is probably true for “new media” laws world-wide. Indeed, the U.S. Supreme Court
determined that online "speech," or content, should enjoy the highest level of constitutional
protection23. As part of the audit, Web sites also should be reviewed for compliance with
legislation regulating Internet content, commerce and conduct.


21 Media Metrix, "The Media Metrix Web in Review: Top 50 Fastest Growing Web Sites in Audience
Reach," (Aug. 10, 1998), http://www.relevantknowledge.com/PressRoom.
22 U.S. Dept. of Commerce, "Remarks of Sec. of Commerce William M. Daley," (Feb. 5, 1999),
http://204.193.243.2/public.nsf/docs/commerce-ftc-online-shopping-briefing.
23 Reno v. American Civil Liberties Union, U.S., 117 S. Ct. 2329 (1997) (the Internet receives full First
Amendment protection).


Second, Web sites generally contain a mixture of content--some of which may be generated
by the site owner, but often is not. An audit identifies the different types of content and the
different risk associated with each type, and creates risk management strategies to protect
the company.

Finally, the most successful Web sites are highly dynamic; that is, the content is not only
interactive but constantly growing, and therefore changing. A good audit identifies "hot
spots" on a site that are more likely to draw complaints or have greater exposure. Given the
uncertainty of the law in the Internet space, a primary objective of risk management is to
"marginalize" the potential plaintiff's success. An audit may provide guidelines for dealing
with particularly complex areas, such as chat rooms or message boards, e-commerce
transactions and user privacy. A great deal of thought and practical judgment are necessary
to conduct a legal audit of Web site content.

5.21.3 WHERE TO BEGIN: THE FIRST STEPS

A Web site audit begins with a survey of the site--identifying the types of content and
services provided on the site, the types of terms of service or legal disclaimers needed, the
intellectual property rights, and the potential hot spots that are likely to give rise to liability.
Typically, this phase of the audit requires discussions with the staff responsible for the site's
content to determine how content is generated, which areas are the subject of complaints
and what policies exist to handle complaints.

Depending upon the company, Web sites fulfil different and often multiple functions. Some
sites are essentially advertisements that bolster brand identity, describe the company's
product or services and provide investors or shareholders with information. Others fulfil
traditional media functions of providing news, entertainment or other content (such as
financial information or classified ads). Many of the largest sites have moved toward
building online communities--sites that draw users back again and again. These sites offer a
variety of services, including search engines, e-mail, chat, message boards, and commercial
services--such as travel, brokerage and retail. The breadth of an audit depends in large part
on the complexity of the site.

5.21.4 CONTENT AND CONTROL: A GUIDE FOR BUSINESSES

5.21.4.1 ORIGINAL CONTENT

Web site content which is entirely or mostly generated by the Web site owner often
presents the least complex liability issues. These issues are substantially similar to liability
issues that a newspaper publisher has when publishing its daily paper or that a company has
when publishing its prospectus or retail catalogue. Like their traditional media counterparts,
Web site owners in India enjoy the significant legal protections available to publishers.
Generally, Web site owners should review their content for accuracy, fair advertising
practices, intellectual property rights and Securities Exchange Commission and other
regulatory related issues.




5.21.4.2 LICENSED CONTENT

Many Web sites license content rather than create their own. An audit therefore may also
include review of the licensing agreements to ensure that the Web site owner has the rights
it needs to distribute, alter, republish or otherwise use the licensed content. In addition, the
audit should review all representations and warranties for the content and any appropriate
indemnifications by the licensor.

5.21.4.3 THIRD PARTY CONTENT

As interactivity becomes a primary draw for bringing back Internet users, more sites are
including chat, message boards, e-commerce and e-mail at their site. As a result, much of
the content in these areas is created by users of the site and cannot as a practical matter be
reviewed or edited by the Web site owner. Not surprisingly, while user-created content
draws the most interest, it also draws the most complaints.

In the United States, the Congress enacted Section 230 of the Communications Decency Act
of 1996, which largely immunises online service providers from liability arising from the
statements of third parties24. Recent legal decisions have held that under Section 230 a Web
site owner cannot be held responsible for the defamatory or otherwise tortious statements
of individuals who post on its message boards25. Nonetheless, because users occasionally
make offensive, inflammatory or otherwise objectionable statements, Web site owners
should have clear and reasonable policies to handle complaints that arise in these areas and
all appropriate disclaimers and indemnifications.

In 1998, the U.S. Congress also passed the Digital Millennium Copyright Act, which provides
limited safe harbours for online service providers that unknowingly or inadvertently
transmit, link to, or host infringing material provided or posted by third parties. Under this
new legislation, each Web site must register with the Copyright Office and put in place a
policy for reporting possible copyright infringement on their site.

5.21.4.4 LINKING AND FRAMING

The practice of linking to or framing other Web sites raises liability issues unique to the
Internet. A Web site owner may be found liable for contributory infringement or vicarious
liability for knowingly linking to another site that contains copyright infringing material or
otherwise engages in infringing activity. In an interesting claim arising from allegedly
improper linking, Ticketmaster sued Microsoft for its use of hypertext links to bypass
Ticketmaster's homepage and advertising26.

A Web site owner also may be found liable for trademark infringement or unfair
competition for framing another site on its site. For example, in Washington Post, et al. v.
TotalNEWS27, a number of news media sued TotalNEWS, a Web site which aggregated the
other news sites and "framed" those sites with their own ads, thus effectively deriving ad
revenues based on others' content without their permission. Although that case settled out
of court, the practice of framing should be carefully reviewed in an audit.

24 47 U.S.C. 230. Other provisions of the Act related to "obscene" material were struck down as
unconstitutional in Reno v. American Civil Liberties Union.
25 See, e.g., Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997); Blumenthal v. Drudge, 992
F. Supp. 44 (D.D.C. 1998).
26 Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (C.D. Cal., filed Apr. 29, 1997).

5.22 CONTENT LIABILITY ISSUES: A CHECKLIST FOR WEB PUBLISHERS

5.22.1 COPYRIGHT & TRADEMARK

A content audit should include a review of the third-party content, and the corresponding
license agreements, to ensure that the Web site owner has acquired the appropriate rights
for use on its site. This includes graphics, images, logos and text. Indeed, use of another's
trademark as a link may give rise to liability if the manner in which one uses a trademark
creates the false impression that the trademark owner is somehow affiliated with the Web
site owner. In addition, the audit should review the owner's copyright and trademark
notices to ensure that they are accurate and current.

5.22.2 DEFAMATION

Under U.S. law, a Web site owner may be held liable for false statements of fact which are
defamatory and published with fault. While the owner may not be liable for statements by
third parties because of the statutory protections of the Communications Decency Act,
statements originating with the owner may give rise to liability. Traditional publishers
frequently have an attorney review sensitive articles prior to publication to identify
troublesome statements and to set up the best possible legal defences for publication of the
article. A similar practice may be appropriate for articles published on the Internet which
are written by the Web site owner.

5.22.3 INVASION OF PRIVACY

There are three types of privacy torts that may arise from statements made on Web sites:
the public disclosure of private facts, statements which place the subject in a false and
defamatory light, and the commercial use of another's image or likeness without their
permission. As in defamation, while the Web site owner in the United States may not be
liable for state law invasion of privacy claims arising from third party statements, the owner
should carefully review original content.

5.22.4 USER PRIVACY

An audit should include a review of the Web site's collection of user information. This
usually is done at the registration page, and may include name, address, email address,
telephone number and credit card number. In addition, most sites now monitor the pages
viewed and services utilised by a user via "cookie" technology. Thus, sites may maintain and
use personally identifiable information about their users for a wide range of purposes such as
targeting banner advertisements, tailoring services to individual users and sending direct
advertisements to individual users based on their demonstrated interests. What information
is collected, how it is used and to whom it is disclosed should be carefully reviewed to
ensure that the Web site owner is in compliance with applicable privacy statutes,
Competition and MRTP regulations and the site's privacy policy.

27 97 Civ. 1190 (PKL) (S.D.N.Y., filed Feb. 28, 1997)

5.22.5 ADVERTISING & PROMOTIONS

As a growing number of Web sites move toward the advertising business model, a content
audit should include review of the site's guidelines for accepting advertising on its site,
particularly banner ads which hyperlink to the advertiser's site. The guidelines should
adhere to state and federal fair advertising laws, particularly in regard to minors. In
addition, the audit should review the ad insertion orders to ensure that they include
appropriate indemnifications and representations and warranties. Some Web sites also
sponsor interactive contests or sweepstakes and an audit may include review for
compliance with sweepstake and contest laws.

5.22.6 SALES

If the site includes commercial transactions, the audit should include a review of the online
contracts and also the Web site owner's account procedures for creating and maintaining
records of the transactions. In some cases, the owner also may need to obtain accounting,
security or other professional advice.

5.22.7 REGULATORY COMPLIANCE

If the business hosting the Web site is publicly traded or involved in a regulated industry,
such as banking, real estate, utilities, pharmaceuticals, or alcoholic beverages, the audit
should include a review of SEC compliance and the specific advertising, shipping or other
regulations for such industries.

5.23 THE SPHERE OF AUDIT

Specific components of a Web site are worth particular attention.

5.23.1 DISCLAIMERS & TERMS OF SERVICE

The disclaimers and Terms of Service are important in establishing the relationship between
the Web site owner and its users. Generally, the comprehensiveness of a user agreement is
determined by balancing the potential exposure created by site content and activities
against the potentially intimidating impression a long agreement will make on the user. For
example, relatively straightforward sites that provide information about a company, but
have little user interactivity, may only require a short disclaimer. On the other hand, sites
which host e-commerce, chat, email, or message boards or provide sensitive information,
such as financial information and services, will likely require a more extensive user
agreement.



5.23.2 MESSAGE BOARDS & CHAT

Many Web sites now provide areas for users to interact with both the Web site owner and
other users. These areas take the form of message boards (where users can post a message
that can be read and responded to by other users) and chat rooms (where users can send
each other messages, or "chat," in real time).

In my experience, user interaction is fun and free-wheeling, but it can also be highly
inflammatory. Frequently, a user may make defamatory or otherwise objectionable
statements about another. Users then tend to turn to the Web site owner to remedy the
problem by removing the statements, correcting the statements or somehow punishing the
author of the statements. An audit should include a review of how the owner responds to
such demands and should set up a policy for when, if ever, it is appropriate to either remove a post
or provide information about the author.

5.23.3 USER INFORMATION

The privacy and security of personal information on the Internet has become an increasing
concern. A Web site audit should include review of the site's policies for disclosing user
information and, in particular, policies for responding to subpoenas for user information. In
the United States, responding to requests for either the content of communications (i.e.,
email messages) or user information is strictly limited by the [federal] Electronic
Communications Privacy Act. Any policy should take into consideration privacy or
procedural requirements and other duties arising from common law or the site's Terms of
Service.

Finally, an audit should include a review of the site's privacy policy. In general, the policy
should provide notice to users about the types of information collected, how such
information is used and to whom it is disclosed. In addition, Web sites should provide their
users with reasonable access to their personal information and the ability to update or
remove such data as appropriate.

The legal audit provides some guidance for Web site owners by identifying areas of
potential liability before litigation arises. In addition, further content liability counselling can
be done to place the Web site owner in the best possible legal position--by posting proper
disclaimers, establishing sensible complaint policies, etc.--should a legal demand be made.
