Published by Enhelion, 2019-12-28 03:06:31





With the advent of the Internet, it has become easy for anyone to gather, compile and
exploit the private information of individuals. What were scattered, unimportant, small bits
of data have now become a potent large set of data that can be misused by companies or by
antisocial elements. This has prompted many countries to come up with legislation on


On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation
to collect data only for specified, explicit and legitimate purposes, as well as to only hold
data if it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards
faces sanctions. The Electronic Communications Privacy Act in the US governs the privacy of
e-mail in public e-mail systems. It bars interception, use, or disclosure of e-mail by third
parties and sets the standards which law enforcement authorities must meet to gain access
to e-mail.


Significantly, India does not have any specific law governing privacy. The courts in India have
not yet had the opportunity to look at privacy issues relating to the Internet. Analogies to
the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with. The Constitution of India does not patently grant the fundamental right to privacy.
However, the courts have read the right to privacy into the other existing Fundamental
Rights: Freedom of Speech and Expression, under Article 19 (1) (a) and the Right to Life and
Personal Liberty under Article 21. In India, the right to privacy is one of the un-enumerated
rights granted to the individual.

Barring a few exceptions, the Fundamental Rights secured to the individual are limitations on
State action. They are not meant to protect persons against the conduct of private persons.
It is to be noted that the Constitutional guarantee of the right to privacy is valid only against
the State and no Constitutional remedy for violation of privacy lies against any individual.
Further, common law also does not provide directly for invasion of privacy. It seeks to provide
protection by the use of civil wrongs such as defamation and breach of confidence.
However, with the advent of e-commerce, such common law seems manifestly unsuited to
this environment.


As seen above, it may be difficult in India to prevent individuals/corporations from violating
privacy. There is, at present, no initiative on the part of the government to regulate privacy
of individuals against its encroachment by private parties.



Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign--protection of local citizens from fraud and antitrust violations--shows the
beneficial effects of a Cyberspace legal regime. How should we analyse "markets" for fraud
and consumer protection purposes when the companies at issue do business only through
the World Wide Web? Consumer protection doctrines could also develop differently online--
to take into account the fact that anyone reading an online ad is only a mouse click away
from guidance from consumer protection agencies and discussions with other consumers.
Nevertheless, that does not mean that fraud might not be made "illegal" in at least large
areas of Cyberspace. Those who establish and use online systems have an interest in
preserving the safety of their electronic territory and preventing crime. They are more likely
to be able to enforce their own rules. And, as more fully discussed below, insofar as a
consensually based "law of the Net" needs to obtain respect and deference from local
sovereigns, new Net-based law-making institutions have an incentive to avoid fostering
activities that threaten the vital interests of territorial governments.

Cyberspace could be treated as a distinct marketplace for purposes of assessing
concentration and market power. Concentration in geographic markets would only be
relevant in the rare cases in which such market power could be inappropriately leveraged to
obtain power in online markets--for example by conditioning access to the net by local
citizens on their buying services from the same company (such as a phone company) online.
Claims regarding a right to access to particular online services, as distinct from claims to
access particular physical pipelines would remain tenuous as long as it is possible to create a
new online service instantly in any corner of an expanding online space.

This text focuses also on technological developments as enabling change. But these
technologies will not determine the future of the Internet. The future will be determined by
individuals and organisations that find new uses for the technologies and policies that either
encourage or discourage certain activities. Existing and proposed uses raise important issues
in the areas of electronic contracts, authentication, taxation, jurisdiction, intellectual
property protection, privacy, consumer protection, security, reliability, competition policy
and standards, among others. Although the future is impossible to predict, it seems highly
likely that the exciting possibilities that we can envision based upon technological progress
will continue to raise new issues and demand creative policy responses.


“One of the most facile and legalistic approaches to safeguarding privacy that has been
offered to date is the notion that personal information is a species of property. If this
premise is accepted, the natural corollary is that a data subject has the right to control
information about him and is eligible for the full range of legal protection that attaches to
property ownership.”1

As laws, policies, and technological designs increasingly structure people's relationships with
social institutions, individual privacy faces new threats and new opportunities. Over the
Internet as a medium, there has to be a harmonisation of the specific rules for the
treatment of personal information. India has no data protection laws. Having said this, the
ambit of "personal liberty" as covered by the Constitution of India has been successfully
interpreted in cases relating to privacy (Gobind v. State of M.P.)2 and protection of
confidential information. Over the last several years, the realm of technology and privacy
has been transformed, creating a landscape that is both dangerous and encouraging.
Significant changes include large increases in communication bandwidths; the widespread
adoption of computer networking and public-key cryptography; mathematical innovations
that promise a vast family of protocols for protecting identity in complex transactions; new
digital media that support a wide range of social relationships; a new generation of
technologically sophisticated privacy activists; a massive body of practical experience in the
development and application of data-protection laws; and the rapid globalisation of
manufacturing, culture, and policy making.

Potentially the most significant technical innovation, though, is a class of privacy-enhancing
technologies (PETs). Beginning with the publication of the first public-key cryptographic
methods in the 1970s, mathematicians have constructed a formidable array of protocols for
communicating and conducting transactions while controlling access to sensitive
information. These techniques have become practical enough to be used in mass-market
products, and sharp conflicts have been provoked by attempts to propagate them. PETs also
mark a significant philosophical shift. By applying advanced mathematics to the protection
of privacy, they disrupt the conventional pessimistic association between technology and
social control. No longer are privacy advocates in the position of resisting technology as
such, and no longer can objectives of social control (if there are any) be hidden beneath the
mask of technical necessity. As a result, policy debates have opened where many had
assumed that none would exist, and the simple choice between privacy and functionality
has given way to a more complex trade-off among potentially numerous combinations of
architecture and policy choices.

This contrast reflects another, deeper divide. Powerful socio-economic forces are working
toward a global convergence of the conceptual content and the legal instruments of privacy
policy. These forces include commonalities of technology, a well-networked global policy
community, and the strictures on cross-border flows of personal data in the European
Union’s Data Protection Directive. While the United States has moved slowly to establish
formal privacy mechanisms and standardise privacy practices over the last two decades, it
now appears that the globalisation of markets, the growing pervasiveness of the Internet,
and the implementation of the Data Protection Directive will bring new pressures to bear on
the American privacy regime.

1 (Arthur Miller: The Assault on Privacy: Computers, Data Banks and Dossiers 211 (1971)).
2 (1975) 2 SCC 148


The evolution of privacy policy, meanwhile, has interacted with individual nations’ political
philosophies. This interaction should be viewed not on a nation-by-nation basis but rather
as the expression of a series of partial accommodations between the uniform regulation of
data handling and liberal political values that tend to define privacy issues in terms of
localised interactions among individuals. (This tension runs throughout the contemporary
debate and will recur in various guises.)

One constant across this history is the notorious difficulty of defining the concept of privacy.
The lack of satisfactory definitions has obstructed public debate by making it hard to
support detailed policy prescriptions with logical arguments from accepted moral premises.
Attempts to ground privacy rights in first principles have floundered, suggesting their
inherent complexity as social goods. Privacy is more difficult to measure than other objects
of public concern, such as environmental pollution. The extreme lack of transparency in
societal transfers of personal data, moreover, gives the issue a nebulous character. Citizens
may be aware that they suffer harm from the circulation of computerised information about
them, but they usually cannot reconstruct the connections between the cause and effect.
This may account in part for the striking mismatch between public expression of concern in
opinion polls and the almost complete absence of popular mobilisation in support of privacy

The new technologies also have implications for conceptions of relationship, trust, and
public space. Technology and codes of practice determine whether databased
“relationships” between organisations and individuals are fair, or whether they provoke
anxiety. These concerns are a traditional motivation for data protection regulation, but they
are amplified by technologies that permit organisations to maintain highly customised
“relationships” by projecting different organisational personae to different individuals. Such
“relationships” easily become asymmetric, with the organisation having the greater power
to control what information about it is released while simultaneously obscuring the nature
and scope of the information it has obtained about individuals. Examine, for instance, the
conditions under which individuals can establish private zones that restrict access by
outsiders. A secure telephone line is arguably a precondition for the establishment of an
intimate relationship, an interest that has long been regarded as a defining feature of
human dignity. This concern with the boundaries that are established around a relationship
complements concern with the boundaries that are negotiated within a relationship. It also
draws attention to the contested nature of those boundaries.

Beneficial relationships are generally held to require trust. As the information infrastructure
supports relationships in more complex ways, it also creates the conditions for the
construction of trust. Trust has an obvious moral significance, and it is economically
significant when sustained business relationships cannot be reduced to periodic zero-sum
exchange or specified in advance by contract. Trust and uncertainty are complementary;
cryptography establishes the boundaries of trust by keeping secrets. This approach,
however, reduces trustworthiness to simple reliability, thereby introducing tacit norms
against trusting behaviour. Just as technology provides the conditions for negotiating
relationships, it also provides the conditions for creating trust. Legal systems evolve to the
institutional conditions by which a technical architecture comes to support these conditions
or else evolves toward a regime of coercive surveillance.


No matter how well crafted a privacy code might be, privacy will only be protected if the
necessary information practices are actually followed. Policy-makers need to understand
how privacy issues actually arise in the daily activities of information workers, and
organisational cultures need to incorporate practicable norms of privacy protection. Once
established, these norms will only be sustained if the public understands the issues well
enough to make informed choices and to assert their rights when necessary.


Confidential information constitutes the essence of software development. From the
instructions/specifications received from the client/trade partners, to the algorithms
developed by the co-workers, every part of the development of an item of software code
involves the use of confidential information. All of this information is invaluable to the
software company developing the code and even more so to its competitors. There is no
copyright in ideas or information as such and accordingly there is no remedy under the
copyright law for unauthorised use of confidential ideas or information obtained directly or
indirectly by one person from another. A remedy will have to be sought by proceedings for
breach of confidence or breach of trust. The relief that can be obtained is by a suit for an
injunction or damages.


If ideas and information are acquired by a person in such circumstances that it would be a
breach of good faith to disclose them to a third party or utilise them and he has no just
cause or excuse for doing so, the court will grant an injunction against him. It is well settled
that information imparted in confidence [especially information which is imparted in
confidence to servants and agents] will be protected. The courts will restrain the use of it if
it is in breach of good faith. The law on this subject does not depend on any implied contract.
It depends on the broad principle of equity that he who has received information in
confidence shall not take unfair advantage of it. He must not make use of it to the prejudice
of him who gave it without obtaining his consent.


It is a matter of common knowledge that, under a system of free private enterprise and
therefore of competition, it is to the advantage of a trader/commercial entity to obtain as
much information as possible concerning the business of his rivals and to let them know as
little as possible of his own.

The information may be a trade secret, for example, a method of production not protected
by a patent, or a business secret, such as the financial structuring of an undertaking or a
piece of domestic ‘in-house’ information like the salary scale of clerks, or the efficiency of
the firm’s filing system. Some of this information would be of a highly confidential nature, as
being potentially damaging if a competitor should obtain it, some would be less so and
much would be worthless to a rival organisation.



If two parties make a contract under which one of them obtains for the purpose of contract
or in connection with it some confidential matter, even though the contract is silent on the
issue of confidence, the law will imply an obligation to treat that confidential matter in a
confidential way, as one of the implied terms of contract, but the obligation to respect
confidence is not limited to cases where the parties are in a contractual relationship.


An action for breach of confidence does not depend upon any right of property or contract
or right of law. It rests on an equitable obligation of confidence, which may be implied
from the circumstances of the case. Even if there exists no contractual relationship between
the plaintiff and the defendant, if a defendant is proved to have used confidential
information obtained directly or indirectly from the plaintiff and without his consent express
or implied, he will be guilty of infringement of the plaintiff’s rights.


In identifying confidential information, four elements must be discerned: First, the
information must be information the release of which the owner believes would be injurious
to him or of advantage to his rivals or others. Second, the owner must believe that the
information is confidential or secret, i.e. that it is not already in the public domain. It may be
that some or all of his rivals already have the information, but as long as the owner believes
it to be confidential, he is entitled to try to protect it. Third, the owner’s belief under the
two previous headings must be reasonable. Fourth, the information must be judged in the
light of the usage and practice of the particular industry or trade concerned. It may be that
information which does not satisfy all these requirements may be entitled to protection as
confidential information or trade secrets, but that any information which does satisfy them
must be of a type which is entitled to protection.


Three elements are normally required if, apart from contract, a case of breach of confidence
is to succeed. First, the information itself must have the necessary quality of confidence
about it. Secondly, that information must have been imparted in circumstances importing
an obligation of confidence. Thirdly, there must be unauthorised use of that information to
the detriment of the party communicating it.


Where the information is such that it ought to be divulged in the public interest to one who
has an interest in receiving it, the Court will not restrain such a disclosure. Information
relating to anti-national activities, which are against national security, breaches of the law or
statutory duty or fraud, may come under this category. In fact, whenever there is a strong
public interest in the disclosure of the matter, Courts may not consider such disclosure as
breach of confidence.


The remedies for breach of confidence consist of an injunction, damages and delivery-up
where applicable. The injunction may be interlocutory or permanent. The information may
remain confidential only for a limited period in which case, the injunction will not extend
beyond that period. Since the information, alleged to be confidential, might be of value to
the plaintiff only for a certain period, an interim injunction will ordinarily be granted only for
a specified period depending upon the circumstances and the nature of confidential

In the balance of convenience, the following factors have to be considered:

• whether the effect of an injunction would be harmful to the defendants;
• whether the terms of the injunction are such that it is extremely difficult for the
defendants to know what they may do and what they may not do;
• whether it is certain upon the material before the Court that even if they were
successful in the trial, the plaintiff would obtain an injunction rather than damages.

Damages or compensation is determined based on the market value of the confidential
information based on a notional sale between a willing seller and a willing purchaser. This
method may be more appropriate for confidential information relating to industrial designs
or processes or business secrets.

Where a plaintiff elects in favour of an account of profits, he will in the normal course
receive the difference between the sale price of the goods and the sum expended in
manufacturing them. The sum would be abated by the amounts, if any, expended by the
defendants as commission in relation to the contract.


Employee privacy is considered one of the most important issues facing companies today3.
This is so because no longer is employee privacy relegated to the employer “monitoring
their workers’ performance by observing production lines, counting sales orders, and simply
looking over the employee’s shoulder.” Instead, employers now have the capability to
monitor their employees through electronic means, including computers and e-mail. This
“development of sophisticated technology is greatly expanding the advanced and highly
effective methods by which employers monitor the workplace.”4

3 (Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Laws in the Age of
the “Electronic Sweatshop”, 28 J. Marshall L. Rev. 139, 139 (1994))
4 (Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector
Workplace, 8 Harv. J.L. & Tech. 345, 345 (1995)).


Although it is obvious that e-mail gives companies a great deal of technological advantages
and is an important tool in today's business world, it also creates a problem for employers
and employees in the area of employee privacy. The question becomes, do employers have
the right to look at employees’ e-mails, and do employees have a right of privacy that
should prevent such an intrusion? Employers argue that they need the right to electronically
monitor employees in order to enhance job performance, prevent theft, fraud, and other
illegal conduct. They also argue that productivity, efficiency, and quality controls are all
enhanced by electronic surveillance. The employee on the other hand, maintains that he has
an expectation of privacy, and that electronic surveillance is an invasion of that right. A
number of e-mail’s attributes led employees to believe these messages were their own
private communications.5

The need for passwords, the ability to personally address e-mail, the use of the word “mail”,
the most confidential form of communication used by the public, in e-mail, and even the
ability to “delete” messages after reading them, all contribute to employee e-mail users
believing that their e-mail communications are private.

Functionally, a proper e-mail privacy standard lies at the confluence of two critical
questions: how much access do employers have to an employee’s workspace, and is that
access limited by a right of the employee to control their workspace; and how much of a
right do employees have to use the employer’s property as resources to pursue their own,
private purposes. The laws concerning this employee privacy are unclear at best, non-
existent in many situations, and still in discussion in India.


The question thus is how an employer can protect against liability. First, it is important to
reduce the employee’s expectation of privacy with notice, and second, it is important to do
so in a manner that evidences the employee’s understanding of the policy.

In Watkins [featured in The Times, July 2000], the employer warned employees that
business telephone calls would be monitored, but that personal calls would only be
monitored to the extent necessary to determine whether the call was personal or business.
The court held that this disclosure protected employees’ personal calls and only implied
consent to the monitoring of business calls. This implies that employers will escape liability if
they publish a policy expressly warning employees that all e-mail messages will be
monitored and not just business related ones. However, the scope of the employer’s
intrusion must be matched by a legitimate business interest justifying the invasion, such as
desire to protect business property or trade secrets.

The London law firm Baker & McKenzie suggests the following policy to protect employers
from employee e-mail invasion of privacy claims.
“The guidelines and warnings listed below are of critical importance and non-compliance
could in certain circumstances constitute a serious disciplinary matter.

5 (Benkler, Yochai, Rules of the Road for the Information Superhighway: Electronic Communications and
the Law, West Publishing, 1996 at 402)


1. Beware what you say in email or voicemail messages. Improper statements can give rise
to personal or company liability. Work on the assumption that messages may be read or
listened to by third parties.”6

Whether the current employer/employee relationship exhibits it or not, there is a judicially
created right to privacy. Privacy law has attempted to balance two basic interests: first, the
employer has an interest in minimising losses and injuries, preventing fraud and crime in his
workplace, and maximising production, productivity, and success. Second, the employee has
an interest in being free from intrusion into his/her private affairs. Neither of these basic
interests is more important than the other. In fact, privacy law has taken on a
“circumstances” based inquiry. How then, does this “circumstances” based inquiry apply to
the relatively new concept of privacy in the employer/employee context of e-mail

The answer is, it really has not gone far enough. The Constitution does not explicitly give the
right to privately employed individuals, and there is some doubt whether it applies to e-mail
at all. At present, legislation is under review, but without an element of finality. Case law is
sketchy at best, and is not on point in e-mail and internet-related activities.

Therefore, to prevent unnecessary situations in the future, there are things that employers
and employees can do. First, employers should notify employees about policies that exist
within the company, which may allow the executive to search and conduct surveillance of
the employee. Thus, the expectation of privacy needs to be managed. Second, the employer
should limit the inquiry to matters associated with the workplace and the ability of an
individual to do their job. It probably does not benefit the employer to delve into an
employee’s personal e-mail. Third, employers should limit the amount of sensitive
information employees see. This would essentially negate the need to monitor. Fourth,
employers should not release any private information about the employee. Lastly,
employees should keep their personal correspondence where it belongs - at home and out
of the workplace. If both employers and employees practice these techniques, a more
compatible environment for e-mail monitoring will be available.

Nevertheless, one thing is for sure. Today, any company that uses e-mail must consider the
growing restrictions arising from both judicially created and statutory law. In
addition, any employer, who is thinking about monitoring and “snooping” over e-mail, had
better make sure that the employee has an awareness of this intent. Because although the
laws are ambiguous today, the trend is toward a more protective environment for the


6 (See for other warning suggestions
protecting employers’ interests).


India has, as such, no specific privacy laws in place as yet. Yet, drawing analogy from the
rulings of the Indian Supreme Court on Article 21, one can safely presume that the existing
standards and case precedents of the developed world will have a significant impact on the
laws of India and the rulings of the Indian courts. There are obvious enhancements of the
scope of Article 21 in the cases of Kharak Singh and Gobind. The implementation of the
Information Technology Act, 2000, is bound only to strengthen this position.

Section 72 of the IT Act prohibits unauthorised disclosure of the contents of an electronic
record. Privacy, in fact, involves at least two kinds of interests: informational privacy interest
and autonomy privacy interest. Informational privacy interest means interest in precluding
the dissemination or misuse of sensitive and confidential information. Autonomy interest
means interests in making intimate personal decisions or conducting personal activities
without observation, intrusion or interference.7 Both the interests deserve protection. In
regard to autonomy privacy interests, there are, however, certain limitations and exceptions
as set out in sections 67, 68, 69 of the IT Act, while Section 72 protects the informational
privacy interests. It prohibits disclosure of information received by a person in pursuance of
the powers conferred under the Act. Such disclosure is punishable with imprisonment for a
term, which may extend to two years and/or fine, which may extend to one lakh rupees.
Disclosure could, however, be made without any penal liability to the law enforcing agencies
or pursuant to proper authorisation by the Controller or with the consent of the concerned


Privacy protection is a critical element of consumer and user trust in the online environment
and a necessary condition for the development of electronic commerce. Three international
organizations have developed guidelines or rules that set forth basic consumer privacy

• Organisation for Economic Co-operation and Development -- Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data8 (Privacy Guidelines)

• Council of Europe -- Convention for the Protection of Individuals with Regard to
Automatic Processing of Personal Data (1981)9

Articles 4 - 10 set out the basic principles for data protection.

• Internet Privacy Guidelines (23 February 1999) -- practical, non-binding advice for
Internet users and service providers10

• A good overview of the privacy rules and recommendations issued by the Council of

7 Hill v. National Collegiate Athletic Association, 865 P 2d 633 (1994)


• European Union -- Data Protection Directive (1995)12 Articles 5 - 17 spell out in
somewhat more detail the basic privacy principles.

• Guide to the data privacy directive -- focuses on who is entitled to handle personal
information and how such information can be processed13.


There are two aspects to the concept of privacy:

Consumer privacy - the right of individuals to control information about them generated or
collected in the course of a commercial interaction. Referred to in Europe as "data

Privacy rights of the individual against the government - the individual's protection against
unreasonable government intrusions on privacy, such as searches of the home or
interceptions of communications.

Internet law needs to address both sets of issues.


Consumer privacy protection in the US and Europe, as well as under the guidelines of the
OECD, is based on the following principles:

Notice and Consent - before the collection of data, the data subject should be provided:
notice of what information is being collected and for what purpose and an opportunity to
choose whether to accept the data collection and use.

In Europe, data collection cannot proceed unless the data subject has unambiguously given his
consent (with exceptions).

Collection Limitation - data should be collected for specified, explicit and legitimate
purposes. The data collected should be adequate, relevant and not excessive in relation to
the purposes for which they are collected.

Use/Disclosure Limitation - data should be used only for the purpose for which it was
collected and should not be used or disclosed in any way incompatible with those purposes.

Retention Limitation - data should be kept in a form that permits identification of the data
subject no longer than is necessary for the purposes for which the data were collected.

Accuracy - the party collecting and storing data is obligated to ensure its accuracy and,
where necessary, keep it up to date; every reasonable step must be taken to ensure that
data which are inaccurate or incomplete are corrected or deleted.

Access - a data subject should have access to data about himself, in order to verify its
accuracy and to determine how it is being used.

Security - those holding data about others must take steps to protect its confidentiality.


The right to privacy is internationally recognized as a human right. However, most
governments claim the authority to invade privacy through the following means:

• interception of communications in real-time
• interception of traffic data (routing information) in real-time
• access to data stored by service providers, including traffic data being stored for
billing purposes
• access to data stored by users

These means of access to communications and stored data must be narrowly defined and
subject to independent controls under strict standards. Real-time interception of
communications should take place only with prior approval by a judge, issued under
standards at least as strict as those for police searches of private homes.


On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation
to collect data only for specified, explicit and legitimate purposes, as well as to only hold
data if it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards
faces sanctions. In the Netherlands and New Zealand, codes of conduct or self-regulation
are also employed.

The Electronic Communications Privacy Act in the US governs the privacy of e-mail in public
e-mail systems. It bars interception, use, or disclosure of e-mail by third parties and sets the
standards which law enforcement authorities must meet to gain access to e-mail.


Significantly, India does not have any specific law governing privacy. The courts in India have
not yet had the opportunity to look at privacy issues relating to the Internet. Analogies to
the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with.

The Constitution of India does not patently grant the fundamental right to privacy. However,
the courts have read the right to privacy into the other existing Fundamental Rights:
Freedom of Speech and Expression, under Article 19 (1) (a) and the Right to Life and Personal
Liberty under Article 21. In India, the right to privacy is one of the un-enumerated rights
granted to the individual. Barring a few exceptions, the Fundamental Rights secured to the
individual are limitations on State action. They are not meant to protect persons against the
conduct of private persons. It is to be noted that the Constitutional guarantee of the right to
privacy is valid only against the State and no Constitutional remedy for violation of privacy
lies against any individual.


On December 18, 2000, the European Union and the United States issued a joint statement
regarding the necessity for building consumer confidence in order to further global
e-commerce. The joint statement went on to point out that generating consumer confidence
requires a combination of private sector initiatives and a “clear, consistent and predictable
legal framework.”

It went on to “reaffirm these important goals and objectives, including the agreement to
provide ‘active support for the development, preferably on a global basis, of self-regulatory
codes of conduct and technologies to gain consumer confidence in electronic commerce’.”


Does the consumer in fact enjoy the same kind of protection in e-commerce that he or she
has in other kinds of transactions? Does the consumer need the same level of protection or
does the e-commerce consumer have greater relative bargaining strength? How much
should courts enforce agreements by consumers to give up valuable substantive and
procedural rights?

As with all worthy goals, the difficulty is in implementation. This fact is particularly true
when dealing with a worldwide medium like the Internet. Obviously, if we had the same
standards for e-commerce around the world, the system would be relatively clear and
consistent. But for global binding standards, we would need intergovernmental agreement,
which historically takes many years to reach.

Governmentally-endorsed guidelines and recommendations could be a fallback position, so
long as there was a reasonable amount of harmony among the various positions. The
American Bar Association in 2000 embarked on a special project, “Alternative Dispute
Resolution in Online Commerce” which hopes to develop a system of guidelines for ADR in
e-commerce disputes. The project focuses particularly on consumer disputes, since the
amount of money involved in consumer matters seldom warrants elaborate ADR machinery.


Studies show that key concerns on the part of consumers involve some or all of the
following:

• Lack of confidence in online financial transactions, e.g., concern over misuse of debit and
credit cards.
• Non-delivery or late delivery of goods and services.
• Fraud.
• Hidden costs, such as postal charges and taxes.
• Unrestricted or hidden collection of personal data and channelling of such data to
third parties.
• Lack of independent certification of website policies and practices.


In September 2000, ClickSure conducted a best practice analysis of Internet business
websites in Europe and the United States. It measured six aspects: privacy, security, clarity
of website information, transaction management, quality and monitoring. Its resulting
report concluded that there was a clear failure to measure up to internationally-recognized
best practices.

Consumers International (“CI”) subsequently conducted a privacy study concluded in January
2001. It found that, although the majority of websites collected personal information from
the user, “only a tiny minority provided privacy policy that gave users meaningful
information about how that data would be used. It concluded that websites in both the U.S.
and E.U. fall woefully short of the standards set by international guidelines on data
protection.” According to the CI study, the majority of sites ignore even the most basic
principles of fair information use, such as telling consumers how their data will be used, how
it can be accessed, what choices the consumer has about its use and how the security of
that data is maintained.



Many disputes involving electronic commerce arise between parties who are bound by a
contract determining the terms and conditions upon which they have agreed to interact.
Frequently, the online contract itself may provide that any dispute concerning it is to be
heard in the courts of a specified state (“choice of forum” clause or “forum selection”
clause) and is to be determined under the substantive law of a specified state (“choice of
law” clause).7

If parties to the contract are presumed to have equal bargaining power and, therefore, an
equal ability to accept or reject such clauses, the clauses are generally uncontroversial and
enforced. However, equality between buyer and seller has not always been presumed
when one party to the contract is a consumer. Instead, the seller is assumed to define its
market and set the terms of the contract for its own benefit. The buyer, in contrast, is
assumed to be confronted with either (a) accepting the terms imposed by one of a limited
number of sellers serving the buyer’s market or (b) foregoing the purchase. As discussed
above, in order to protect the customer from perceived disadvantageous choice of forum
and law clauses, the E.U. will enforce them only if they favour the consumer,8 although in
the U.S. they are enforced unless they are “unreasonable.”9

7 Contract terms themselves, of course, also supply a set of substantive rules to govern the transaction,
which will be used by a court unless they violate the public policy of the forum.

Matthew S. Yeo and Marco Berliri have offered an analysis and perspective on the problem
of determining the governing law in E-Commerce transactions. In a paper posted online,
they posit three alternative E.U. approaches to resolve conflicts.10 The first is to simply
permit the merchant to designate any law that has a substantial connection to the
transaction. The difficulty is that the consumer may not know or be able reasonably to
determine his rights under such law. The resulting apprehension on the part of the
consumer may retard the growth of E-Commerce. The second alternative is to adopt the
mandatory rules concept. The contract can specify the law that will apply to the transaction
but would not trump mandatory consumer protection rules. This creates confusion and
increases the cost of compliance, because the merchant is required to be familiar with the
mandatory rules of each jurisdiction.

The third alternative, which the authors favour, is to harmonise national consumer
protection laws. This would create a lower cost mechanism, similar to the model rules
enjoyed by other areas of uniform law. Merchants would not have to learn the law of each
jurisdiction and consumers would know their rights irrespective of choice of law. Because
harmonization is such a monumental task, probably the only practical low-cost solution is a
system of e-commerce dispute resolution, such as that discussed later.


18.2.1 U.S. CASE LAW.

A “click-wrap” agreement is one which a provider of goods or services presents online to a
user, who can agree to the terms and conditions of the agreement by either clicking a
designated icon or button or typing specified words or phrases. In the on-line environment,
a user may view the terms and conditions on the screen, using a control such as a keyboard
or mouse to scroll through or otherwise navigate the terms, and then click a button or bar
indicating assent. A true click-wrap assent should be distinguished from the situation where
the terms and conditions are merely posted on the website and agreement to those terms and
conditions is implied without the user being required actually to expressly indicate

Perhaps the earliest reported case in the U.S. supporting online agreement was the federal
appellate court decision in CompuServe, Inc. v. Patterson.11 This was not strictly a
click-wrap, since the user actually typed “agree” to an online agreement whose choice of
jurisdiction was used as one of several contacts to warrant holding the user subject to
personal jurisdiction in service provider’s home state. Subsequently, a state court upheld a
click-wrap choice of forum by an AOL subscriber where the subscriber could only enrol on
AOL by clicking the “I agree” button placed next to the “read me” button or the “I agree”
button next to the “I disagree” button at the conclusion of the subscription agreement,
which contained the forum selection clause.12

8 See subsection I.A. 3 supra.
9 See subsection II. B. 2 supra.
11 89 F.3d 1257 (6th Cir. 1996)

Another state court sustained a click-wrap forum selection where subscribers to the
Microsoft Network could click a box saying “I Agree” or another saying “I Don’t Agree” at
any time while scrolling the adjacent terms and conditions, which included the forum
selection clause, before registering for the service.13 Since the subscriber clicked “I Agree”,
the court drew an analogy to the pre-contractual opportunity to read the fine-print terms in
Carnival Cruise Lines and refused to treat electronic and paper presentations of terms
Another federal court found a click-wrap binding on the user as against a defence of
procedural unconscionability, where the arbitration clause appeared in the final paragraph of
the agreement under the caption “Miscellaneous”, which included provisions on choice of
law and forum.14 Finding the click-wrap binding, the court noted that the clause was in the
same font as the rest of the agreement and was freely scrollable and viewable without time
restrictions, and a viewer had to agree to the online license agreement before being able to
install software from the provider’s website. A number of other cases have upheld clickwrap
choice of forum.15

More recently, courts have found grounds on which to decline to enforce consumer
click-wraps. Thus, the California Court of Appeal this year invoked a public policy exception
to consumer choice law.16 The trial court had found the forum selection clause in a clickwrap
agreement made during the installation process on CD-ROM unfair and unreasonable, because
the clause was not negotiated at arm’s length, was in a standard form contract, was not
readily identifiable by plaintiff in small text and placed at the end of the agreement, and was
contrary to California public policy giving its citizens specific and meaningful remedies that
are readily accessible and available. The prime difference between the Virginia consumer
law and that of California was that in California a consumer can bring a class action while a
Virginia consumer could not. It therefore found that a Virginia forum selection clause was
invalid.

12 Groff v. America Online, Inc., 1998 WL 307001 (R.I. Super. May 27, 1998).
13 Caspi v. Microsoft Network L.L.C., 732 A.2d 528 (N.J. App. Div. 1999)
14 In re RealNetworks, Inc., Privacy Litigation, 2000 WL 631341 (N.D. Ill. May 8, 2000).
15 America Online, Inc. v. Booker (“Booker”), 781 So. 2d 423 (Fla. Ct. App. 2001) (forum selection provision
in an online ISP subscription “freely negotiated” and not shown “unreasonable or unjust”; decision unclear
on whether agreement to the forum was express via a click-through or simply implied in some way);
Clemins v. America Online, Inc., 748 So. 2d 1041 (Fla. Ct. App. 1999) (electronic agreement with Internet
service provider enforced forum selection clause; no indication whether there was click-through or implied
assent); Lieschke v. RealNetworks, Inc., 2000 WL 198424 (N.D. Ill. Feb. 11, 2000) (arbitration clause on
Real Networks site contained in a click-wrap licence which users were required to traverse before they
could download software to play and record music); Rudder v. Microsoft Corp., 1999 Carswell Ont. 3195
(WL) (Ontario Super. Ct. Justice Oct 8, 1999) (Canadian court expressly upheld the validity of a forum
selection clause in click-through contract where subscription procedure required the user to accept the
agreement terms each time they appeared on the monitor, and entire agreement could be viewed by
scrolling down screen, with terms not analogous to fine print).
16 America Online, Inc. v. Superior Court, 90 Cal. App. 4th 1 (2001)

The appellate court shifted the usual burden of proof to the party seeking to uphold a forum
selection clause contrary to California’s Consumers Legal Remedies Act (CLRA). It
emphasized the anti-waiver provision in the CLRA and California consumer protection
provisions, which would be substantially diminished in Virginia, but the court of appeal did
not explicitly rule on the validity of the click-wrap agreement.

A California federal district court declined to enforce a click-wrap in Ticketmaster, which
involved an online agreement where the home page of Ticketmaster’s website contained
instructions, a directory to subsequent event pages (each with a separate electronic address
and a hypertext link) and, upon scrolling to the bottom, terms and conditions, including
prohibitions against deep linking and against copying for commercial use, as well as a term
saying that anyone going beyond the home page thereby agreed to the terms and
conditions.17 There was no “I agree” button or other signification of assent by the Website
user, who could go directly to the linked page without seeing the terms and conditions.
Later, the court reaffirmed its ruling.18 Addressing arguments of copyright and trespass, the
court briefly reiterated that the contract claim lacked “sufficient proof of agreement by
defendant.” The judgement was affirmed.19

A Massachusetts case declined to enforce a click-wrap in a class action lawsuit concerning
installation of software which damaged the user’s system before the user could review and
assent to the agreement.20 The agreement terms were accessible only by twice overriding
the default choice of “I Agree” and clicking “Read Now” twice. The court here also invoked
public policy, citing the impropriety of requiring residents of Massachusetts with small
claims to litigate in Virginia.


In those jurisdictions which will honour clickwrap choice of law and forum when fairness
requirements are met, legal practitioners should advise their clients to create the best
factual basis to support validity of the agreement. The goal involves several important
parts: 1) a reasonable opportunity for the viewer to access the terms and conditions and
review them; 2) sufficient conspicuousness and readability of the terms and conditions; 3)
clear and unambiguous manifestation of assent to the terms and conditions; 4) preclusion of
online contracting by a viewer who has not clearly manifested consent.

To satisfy the first requirement, proposed terms that involve any choice of law or forum
should be presented to the user before the user has any opportunity to take an action to be
bound by the agreement’s terms. All the terms should either appear automatically or the
user should be required to click on a clear icon or hyperlink that accesses the terms. The
user should then be afforded sufficient opportunity to review the agreement terms,
with the ability to read the terms at his or her own pace and to navigate back and
forth in the terms by scrolling or changing pages. Once the user views the terms, those
terms should remain accessible to the user for further reference.

17 Ticketmaster Corp. v. Inc., 54 U.S.P.Q. 1344, 2000 U.S. Dist. LEXIS 4553, 2000 WL
525390 (C.D. Cal. March 27, 2000)
18 2000 WL 1887522 (C.D. Cal. Aug. 10, 2000)
19 2001 WL 51509 (9th Cir. Jan. 8, 2001) (unpublished).
20 Williams v. America Online, Inc., 2001 WL 135825 (Mass. Super. Ct. Feb. 8, 2001)

In the U.S., sufficient conspicuousness includes having the format and content of the terms
comply with requirements in applicable laws, such as the Uniform Commercial Code, as to
notice, disclosure language, conspicuousness, and the like. The terms should be in plain
language and legible. It is equally important that other information on the website should
not contradict the agreement terms or render the agreement ambiguous.

The format of the assent must comply with any applicable laws requiring particular assent
to a particular type of term, as well as an overall assent to all of the terms. It is desirable
that there be an express statement, just before the user is able to click his agreement,
that stresses the effect of agreement. Thus, the user might be expressly warned that: “By
clicking ‘I agree’ below you acknowledge that you have read, understand, and agree to be
bound by the terms above.”

In order to assure that the user has the opportunity to see all of the agreement before
assenting, it is advisable to place the means of assent at the end of the agreement terms. It
is also important to use clear language of assent, e.g., “I agree,” “I consent,” or “I assent,”
rather than more ambiguous language, e.g., “Continue,” “Submit,” or “Enter.” Such clear
language of assent should be combined with a clear choice for the user not only to assent
but to reject the terms and to be informed of the consequence of rejection. Ideally, the
option to reject will occur at the same point in the process where final assent is requested,
and involve an equally clear and unambiguous button or term, such as “I disagree,” “I do
not agree,” “Not agreed,” “No,” or “I decline.”

Finally, a user who rejects the online agreement should not be able to take the transaction
any further, without choosing to go back and specifically agreeing to the terms and


One of the conclusions drawn by the report prepared by the American Bar Association’s
two-year Project on Jurisdiction in Cyberspace was that cyberspace may need new forms of
dispute resolution, in order to reduce transaction costs for small value disputes and have
structures that will work effectively across national boundaries.21 Following submission of
the report, the ABA constituted a multi-disciplinary special committee to develop criteria
and recommendations for such a dispute resolution system. That group has held a number
of meetings over the past eleven months, starting in late November 2000, and is
currently working on a set of guidelines which might form a worldwide-acceptable basis of
dispute resolution procedures. If industry and consumers can both “buy in” to such
guidelines, consumers may become more comfortable in online transactions, and the results
of whose law and forum should apply will become essentially moot.

21 Report, Achieving Legal Business Order in Cyberspace, 55 BUS. LAW. 1801, 1824 (2000).

In conclusion, the e-Commerce Law set forth a number of provisions intended to secure B2C
transactions. The provision of general and pre-contractual information, the clarification of
the contract formation process, the grant of a right of withdrawal and the requirement
placed on the provider to bear the burden of proof regarding a number of obligations
resting on him are favourable to consumers and should assist in building confidence for
online transactions. Nevertheless, the right of the providers to bring electronic evidence is
not so clear.

The provider should also make sure that the T&C comply with general consumer law
provisions. For international transactions, the providers will need to ensure that the site
architecture and the T&C comply not only with Luxembourg laws, but also with the laws of
the country of the buyers’ place of residence, as consumer protection provisions usually
cannot be derogated from.

Finally, the intent of the Law, which is to give consumers a satisfactory level of protection by
giving them a number of rights, is partly defeated by the fact that the e-Commerce law is
not clear on the applicable sanctions in the event that its consumer protection provisions
are not complied with. Moreover, the existing dispute resolution mechanisms are not
adapted to small online transactions and no recognition is made in the Law of electronic
dispute resolution mechanisms.


The principal commercial advantage of using the internet, and also perhaps its biggest
drawback, is its ability to transmit vast amounts of data almost simultaneously to any number
of persons in any number of locations virtually anywhere in the world. However, this is also a
concern for companies doing business electronically where personal information about
individuals is involved, whether this involves existing or prospective clients, employees or
other third party individuals. There is a huge sensitivity surrounding the use of personal
data in databases, in both the United Kingdom and the European Union, of which businesses
and lawyers alike need to be aware. The European Union and certain other jurisdictions such
as Australia, Canada and Hong Kong have enacted data protection legislation to protect
individuals in their respective jurisdictions. These laws have a major effect on the use of the

By 1998, the vast majority of the top 100 visited websites had included privacy policies.
However, a recent Consumers International survey of 751 e-commerce sites worldwide
revealed that while two-thirds of sites collected personal data, the majority did not give the
individual users a choice as to whether such data was to be kept private, or that there was
any prohibition on it being passed to third parties or kept on the collector’s mailing list.



Under the EU Data Protection Directive and the UK implementing legislation, the Data
Protection Act 1998, a party to the European Economic Area (EEA) who is controlling
personal data must:

• use the data held fairly and lawfully;
• obtain data for specified purposes and use it only in ways compatible with those
• hold only such data as is adequate, relevant and not excessive;
• ensure the data is accurate and up to date;
• not retain the data longer than necessary for the stated purposes;
• take appropriate measures against unauthorized or unlawful use of data and its
accidental loss or damage;
• not transfer data outside the EEA except to a country that ensures an adequate
level of protection of a data subject’s right in that data.

Personal data will not be regarded as being held or used fairly or lawfully unless the data
subject has consented to that use (although there are a limited number of exceptions). In
general, a data controller may not do anything in contravention of the above principles
except with the consent of the data subject.

Consent can be either explicit or implicit. This may consist of the site visitor knowing that
the data will be collected or used for a specific purpose, e.g. completing a purchase order
form. However, if the information is sensitive personal data, express consent is required.
Express consent requires, at the very least, a positive act such as clicking on a tick box to
indicate consent. Sensitive data includes such matters as information relating to racial,
political or sexual matters.

Data subjects also have a right, subject to paying a small fee, to be given details of data held
on them by any organization.

Privacy policies in the United Kingdom should be written accordingly. They therefore need
to contain:

• the identity of the collecting entity which has control of the data;
• a clear statement of the uses of the data;
• details of the persons receiving the information, if such is the case, and those to
whom it may be transferred outside the EEA;
• clarification, where relevant, that the information has been collected by means of a
‘cookie’. (A cookie is a file stored by a browser on an individual’s computer system
that holds information. Typically, such files store information to identify site users,
such as their names, addresses and e-mail details, and to record a user’s choices or
preferences. This means of gathering information may not be apparent on the face
of the site.)
• the express consent of the subject, where sensitive data is collected;
• a statement that the data subject has a right to view the information held by the
• an opt-out box for one or more of the specified purposes for which the information
is collected;
• a statement of the safeguards relating to transfer where the information is to be
transferred outside the EEA.


The privacy policies that many US companies have put in place are at least equal to those
commonly found on European-based websites. However, under the Data Protection
Directive (and the UK enabling legislation), European companies are not permitted to
transfer data protection. There is no exemption for intra-group transfers; e.g., this
prohibition would therefore apply prima facie to a UK company that transfers personal data
obtained from its website to its US parent.

The European Union’s expectations of what is ‘adequate’ are stringent. In addition to the need
to adapt the legislation and data principles applicable to EU Member States, the European
Union requires that each government must establish a relevant agency that monitors data
protection, and keeps a mandatory register of entities processing personal data. For
example, an EU-based company may legitimately transfer data to Hong Kong as it satisfies
the necessary requirements.

The European Union has now reached agreement with the US Department of Commerce
such that, subject to compliance with certain safe harbour rules, data may be transferred to
the United States. Transfer of data to members involved in the scheme may be made
without the need for specific consent from the affected data subject. However, this does
not remove the requirement that the EU data subject must know the uses to which the data
will be put, including any intended transfers of that data.


‘Cybercrime’ has emerged as a distinct category of study and an ever increasing problem
requiring the sustained attention of governments, law enforcement agencies and judicial
systems of countries world-wide. Jurisdictions that already had developed computing and
digital communications infrastructure have, over the last decade or so, been forced to
confront the reality of criminal expansion into the ‘cyberworld’, and to evaluate and
understand the adequacy of existing legal systems in order to ensure the necessary
transnational investment and co-operation.

Through the course of this brief chapter, it must be emphasised that whether in India or for
that matter, anywhere in the world, criminal or penal sanctions can only be one element of
the overall response to cybercrime. Moreover, as has been seen from bitter experience,
such sanctions are not necessarily the most efficient or desirable form of response. Other
ways of preventing or minimising the harm of cybercrime include technological measures,
regulatory controls and civil proceedings. In the last resort, most jurisdictions have
recognised the need for some form of punitive measures, particularly where the level of
criminality or harm caused or threatened is especially serious.


There is no universally accepted general definition of cybercrime; no national legislation
provides us with a definition or explicitly employs the term.14 Cybercrime comprises two
overlapping domains. The first is illegal activities directed at or perpetrated through the use
of computers. This can include crimes through and via the medium that is the Internet:
wilful damage to computer systems or networks, unlawful access to or interference with the
operation of computer systems, transmitting offensive or illegal content and committing
fraud or other offences through the use of the medium15.

The second related area is the protection of information. This has been a concern of legal
systems from well before the introduction of modern technologies of mass-communication,
but is clearly brought into focus by the development of global networked computer-based
information media such as the World Wide Web and the Internet16. Principal legal measures
related to the protection of information from unlawful use, distribution or exploitation
include intellectual property laws, privacy laws, laws relating to secrecy and national
security, and laws relating to unfair commercial advantage.


A more systematic international understanding of the legal aspects of cybercrime is
emerging through sources such as:

• The Council of Europe’s Draft Convention on Cybercrime (Council of Europe 2001)17;
• The United Nations symposium on “The Challenge of Borderless Cybercrime” held in
conjunction with the Palermo signing conference of the Convention Against
Transnational Organised Crime (see Grabosky 2000; Tan 2000);
• The United Nations President’s Working Group on Unlawful Conduct on the Internet
(United States Department of Justice 2000)18;
• Cross-national comparative studies such as Cyber Crime … and Punishment? Archaic
Laws Threaten Global Information (McConnell International 2000)19.

14 An analysis of legislation introduced in Asia relating to crimes on the Internet is not quite illustrative as
regards a definition. For instance, the laws introduced in Malaysia [1997] covering computer crimes,
copyright, telemedicine and digital signatures were promoted by the Malaysian Government’s Multimedia
Super Corridor as a package of “cyberlaws” [].
In India, Chapter X of the Indian Information Technology Act 2000 establishes the “Cyber Regulations
Appellate Tribunal”: Ministry of Law, Justice and Company Affairs [Legislative Department], accessible
through the Ministry of Information Technology web site at The
Australian Parliament is currently considering the Cybercrime Bill 2000 [introduced 27 June 2001]; see
15 Grabosky, P.N., Smith, R.G. & Dempsey G. 2001, Electronic Theft: Unlawful Acquisition in Cyberspace,
Cambridge University Press, Cambridge.
16 Tan, K.H. 2000, “Prosecuting foreign-based computer crime: International law and technology collide”,
Symposium on the Rule of Law in the Global Village, Panel on Borderless Crime, 12-14 December 2000,
Palermo; see
17 Council of Europe 2001, Draft Convention on Cybercrime [Final Draft and Explanatory Note], European
Committee on Crime Problems and Committee Experts on Crime in Cyber-Space, Strasbourg, 29 June
2001; see

The most significant international development is the Council of Europe’s Convention on
Cybercrime (final draft released on 25 May 2001). The text, which has taken almost four
years and many redrafts to reach its present form, was approved by the Parliamentary
Assembly (24 April 2001) with recommendations to include provisions on human rights and
a protocol to ban “hate speech”, and adopted by the European Committee on Crime
Problems at its 50th plenary session (18-22 June 2001). The final draft will be submitted to
the Committee of Ministers for adoption during its 109th Session, on 8 November 2001.

The convention will be the first international treaty to address criminal law and procedural
aspects of various types of criminal behaviour directed against computer systems, networks,
or data and other types of similar misuse. Signatories to the Convention include the 43
member states of the Council of Europe plus the United States, Canada and Japan.

The legal analysis that follows adopts the Council of Europe’s classification of computer
offences, and also reviews offence provisions under national intellectual property laws.


Countries can be initially categorised according to whether they have:

1. basic criminal and commercial laws;
2. a developed system of intellectual property laws; and
3. legislation directed specifically at computers and electronic commerce.

Each of the countries considered below may be observed to fall within one or more of these
categories, with most satisfying the second category and having made some progress
towards the third. Whether the existing legal system in any country can adequately address
cybercrime depends on the precise scope and interaction of its criminal, commercial,
intellectual property and computer-related laws. As a general rule, however, the
development of each of the later categories has been necessitated in part by the perceived
inadequacy of legal remedies provided by other categories. The reliance on specific
intellectual property laws to protect valuable information, for example, is partly attributable
(in jurisdictions based on the English system) to the common law doctrine that information
is not properly capable of being stolen. Thus, information piracy is not amenable to
prosecution under the criminal law relating to theft or dishonest acquisition20. In many
countries there are also difficulties in prosecuting under criminal law acts which may be
performed outside the jurisdiction but which result in harm within the jurisdiction, such as
the posting of offensive or obscene content on the Internet.

18 United States Department of Justice 2000, The Electronic Frontier: Unlawful Conduct Involving the Use
of the Internet, Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000;
19 McConnell International 2000, Cyber Crime…and Punishment? Archaic Laws Threaten Global
Information, online report; see
20 Grabosky, P.N. & Smith, R.G. 1998, Crime in the Digital Age: Controlling Telecommunications and
Cyberspace Illegalities, Transaction Publishers/Federation Press, New Brunswick, New Jersey.


Clearly, there are also significant differences in the legal, social and political contexts within
which these laws have been formulated and are enforced. Before reviewing the legislative
provisions, it is useful to explore these contexts in greater detail.


During the parliamentary debates and discussions leading up to the enactment of the
Information Technology bill, the Indian Internet Community awaited the final shape of the
proposed legislation. Understandably, there were fears over possible excessive policing.
Observers wondered whether the draconian provisions would fit into existing Indian
Criminal and Commercial laws21.

Some provisions attracted controversy and were the focus of debate in the Parliament and
within the Internet and legal community. These provisions are:

• Section 79, wherein police personnel have been granted extensive powers to arrest
and seize material from individuals and corporates;

• Section 73 (a), which makes it mandatory for a person hosting a website or a portal on
a server located in India to give details of the website, portal, person and such other
details as may be prescribed by the Controller; failure will entail a penalty;

• Section 73 (b), wherein the government mandates that all people visiting cyber cafes
will have to maintain a log sheet of all the web sites visited by them. Failure will
entail monetary penalty and imprisonment [later removed from the legislation].


Certain activist groups have been asking for Network Service Providers / Internet Service
Providers ("ISPs") to be made responsible for information which is transmitted through
their systems. The reason for doing so would be to try to put a check on any mischief which
may take place through such systems and to affix the liability on the ISPs. However, the
impossibility of monitoring millions of mails and accesses has prompted the government to
absolve NWSP/ISPs from any third party civil and criminal liability.

There are divergent views on such a provision. The ISPs have hailed this move, as they are
now able to provide access without the tension of undue interference or the prospect of
civil or criminal liability. However, activist groups have criticised this provision and seek an


21 The Indian Information Technology Act 2000 attempts to recognise electronic business and it does so
by amending several archaic legislations like the Indian Evidence Act, 1872, Indian Penal Code, 1860,
General Clauses Act, 1897, the Reserve Bank of India Act, 1934 and the Bankers Book Evidence Act,
1891. Through the amendment of these laws it will now be possible for courts to recognise digital
signatures and electronic records and hence permit electronic commerce.


After the Love Bug crisis, legal experts have realised the lacuna that exists in the current
legal regime in India. If such a virus or contaminant was launched in India and the culprit
were to be arrested then under the current legal framework, such a person would not be

An extensive definition clause defines numerous activities that can amount to a cyber crime.
Under this provision, almost every conceivable computer mischief can face civil and criminal

Perhaps to give teeth to this provision, the IT Bill further empowers a police officer not
below the rank of Deputy Superintendent of Police (DSP) to investigate such an offence.
Such an officer has the power to enter any "public place" and conduct a search and arrest
without a warrant if he/she suspects that a computer crime is being committed. This provision has
faced a lot of criticism from human rights activists, who suspect that it may be
abused to violate the fundamental rights of Indian citizens22.


An Adjudicator shall adjudicate Cyber crime. The decision of Adjudication may be appealed
before the Cyber Appellate Tribunal. A further appeal may be preferred before the High
Court. The following are the drawbacks of such an elaborate adjudicatory process:

The Adjudicator and the officers of the Cyber Appellate Tribunal are not required to have
any technical or Internet related qualifications. In the eventuality of a cyber crime or cyber
dispute relevant knowledge of technology is of critical importance.

The abovementioned appellate framework ensures that there is no finality to such a dispute
and such a dispute may continue ad nauseam. In the Internet world, speedy and timely
dispute resolution is of critical importance. The prescribed dispute resolution mechanism
suffers from all the infirmities of present day dispute resolution in India. This means that in
the Internet age such disputes could continue for years, which would cripple eBusiness.


The modern day e-consumer is flooded by innumerable junk mails. Also in any eBusiness,
employers or other third parties may monitor e-mails depriving the users of their right to
privacy. The present IT Bill does not prevent spamming and anti privacy issues by making
them punishable.

22 Not every police officer enjoys such extensive powers under the Act. Only officers above the position of
a DSP may exercise these powers. Furthermore, such powers cannot be delegated and will come under a
judicial scrutiny. Cyber crime happens at Internet speed and since very little infrastructure is needed for
conducting such a crime, evidence can easily be concealed or destroyed. In such a situation, an
investigating officer might not find time to obtain search warrant and such a provision is necessary. This
provision ousts the Code of Criminal Procedure, wherein ordinary police officials may enter into the
premises and conduct a search or make arrests in case of cognizable offences. It is infinitely better to have
a senior and trained official exercise discretion in conducting such searches or raids, rather than have a
police sub-inspector or a head constable investigate such an offence.



The IT Bill is technology specific and the entire legislation is based on digital signatures
based on "double key encryption". Further, many "techies" argue that double key
encryption may soon be replaced by a more sophisticated third generation of biometric
technology. Under this technology, encryption is based on biological inputs of the user, e.g.
thumb impression, retina scan, DNA fingerprinting etc. In such a situation, the IT Bill will
need to be replaced with another law, as the current law is technology specific. It
is therefore recommended that 'technology neutral' legislation be formulated, where a change
in technology will not require a change in legislation. Under such a legal framework,
whatever technology is used for encryption, certain standards will have to be maintained for
a digital signature to receive legal recognition.


The term ‘fraud’ has not been defined in the Indian Penal Code. Nevertheless, Section 25
of the Indian Penal Code does attempt to define the word ‘fraudulently’ by saying that there can
be no fraud unless there is an intention to defraud. The word fraud is clearly defined in
Section 16 of the Indian Contract Act, 1872. However, this definition cannot be made
applicable in criminal law.

In general, fraud is committed in three different ways:

• To deprive a man of his right, either by obtaining something by deception or by
taking something wrongfully without the knowledge or consent of the owner;

• To withhold wrongfully from another what is due to him, or to wrongfully prevent
one from obtaining what he may justly claim; and

• To defeat or frustrate wrongfully another’s right to property.

Whenever the words ‘fraud’, ‘intent to defraud’ or ‘fraudulently’ occur in the definition of a
crime under the IPC, two elements, at least, are essential to the commission of that crime:

• Deceit or an intention to deceive; and
• Either actual injury or possible injury or intent to expose some person to actual or
possible injury.

The main intent and principal object of the fraudulent person is, in nearly every case, his own
advantage. A practically conclusive test as to the fraudulent character of a deception for
criminal purposes is whether the author of the deceit derived any advantage from it which
he would not have had if the truth had been known. If so, that advantage would generally
have an equivalent in loss, or risk of loss, to someone else; and if so, there is fraud.

It is submitted that this definition of fraud encompasses within its fold scams on the
Internet. Both the essential requisites of fraud, i.e. deceit or intention to deceive and actual
or possible injury to an individual or a group of individuals, are present in such scams. All
such scams, whatever their modus operandi, are intended to gain advantage for some, almost
always at the risk of loss to others. Sections 415 to 420, IPC detail the law relating to
cheating. The grounds for these provisions to be attracted are the same as those of fraud, i.e.
dishonesty, deceit etc. In the case of Internet scams, relevant sections relating
to the crime of cheating, such as cheating by impersonation (Section 416) and cheating with
knowledge that wrongful loss may ensue to the person whose interest the offender is
bound to protect (Section 418), etc., may be applied according to the facts of the case.


Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign—protection of local citizens from fraud and antitrust violations—shows the
beneficial effects of a Cyberspace legal regime. How should we analyse “markets” for
fraud and consumer protection purposes when the companies at issue do business only
through the World Wide Web?

Cyberspace could be treated as a distinct marketplace for purposes of assessing
concentration and market power. Concentration in geographic markets would only be
relevant in the rare cases in which such market power could be inappropriately leveraged to
obtain power in online markets—for example by conditioning access to the net by local
citizens on their buying services from the same company (such as a phone company) online.
Claims regarding a right to access to particular online services, as distinct from claims to
access particular physical pipelines would remain tenuous as long as it is possible to create a
new online service instantly in any corner of an expanding online space.

Consumer protection doctrines could also develop differently online—to take into account
the fact that anyone reading an online ad is only a mouse click away from guidance from
consumer protection agencies and discussions with other consumers. Nevertheless, that
does not mean that fraud might not be made “illegal” in at least large areas of Cyberspace.
Those who establish and use online systems have an interest in preserving the safety of
their electronic territory and preventing crime. They are more likely to be able to enforce
their own rules. A consensually based “law of the Net” needs to obtain respect and
deference from local sovereigns; new Net-based law-making institutions have an incentive
to avoid fostering activities that threaten the vital interests of territorial governments.


Achieving legal and business order in cyberspace forms but another step in the quest for
knowledge that is perhaps the special legacy of the new millennium23. For commercial
interests eager to gain ground in the new order, ironically, the Internet is at the same time
intimidating and indispensable, essential for business success. The issue of regulation is
replete with unanswered e-business issues that desperately need to be clarified as
companies operate electronically across the globe. Some of the regulatory issues are:

23 Report of the American Bar Association (“ABA”) Jurisdiction in Cyberspace Project empaneled in 1998
under the title, “Transnational Issues in Cyberspace: A Project on the Law relating to Jurisdiction”.


• Whose law governs contracts that are formed online? Are contracts valid without a
physical signature? Do the same laws apply to both consumers and businesses?

• Can the actual electronic transmission between countries be subject to taxes or
tariffs? Are product and service sales treated the same under local law? Who

• What are acceptable forms of online promotion? Are firms with websites that link to
other sites using questionable tactics, putting themselves at risk?

• When the buyer sends his address and phone number to the seller, whose laws
determine the restrictions on the use of that data? How is the seller’s credit card
number protected? Who is empowered to address disagreements that might arise?

• What tariffs and taxes are due? How are they accounted for and paid?
• When a transaction crosses a border, what consumer protection is available? What
additional risks do sellers assume?
• What happens if the seller does not get paid? Where do consumers return damaged
goods purchased online? Does business-to-business commerce operate predictably
across all trading jurisdictions?
• How can buyers and sellers enforce their rights in foreign countries? What
international treaties apply? Does enforcement differ geographically? By product or
service type?
• Many laws applicable to global e-business are not yet clear. Does it make sense to
move aggressively to gain first mover advantage? Or wait? How can an individual
company protect its interests?

Questions, questions with not so obvious answers. Business in the new economy will mean
that traditional business approaches don’t necessarily apply when viewed through the lens
of the digital environment. E-business is a completely different way to transact ordinary
business. Since new, unfamiliar business practices are routinely scrutinised by governments
and regulatory organisations, one can expect continued regulatory review, especially where
consumer protection and economic welfare are at stake.

E-business shrinks the optimal regulatory action. New business arrangements with industry-
wrenching impacts can take effect in months, not years. This rapid change means that
regulatory issues must be addressed early on to avoid overly “reactive” responses that can
be counterproductive.

E-business effectiveness depends on a regulatory environment that is both supportive and
predictable. While onerous rules can be stifling to business interests, regulatory indecision
can be similarly disruptive. In order for e-business to work best, business must accept equal
responsibility with governments to point the way.


Companies must remain vigilant both to protect their business interests and ensure that
they can proceed securely in uncharted territory. While some maintain it is unrealistic to
have no restriction whatsoever on e-business, others shudder at the burden various
bureaucracies might place upon the Internet. Most are hopeful that industry, driven by
market forces, will ultimately regulate itself. If that fails, however, a wide range of
regulators can be expected to step in forcefully.

Perhaps industry groups could identify potential and real ‘hurdles’ and attempt a solution.
The vast majority of regulatory hurdles facing Internet businesses today relate to traditional
considerations whose scope and application are transformed by the global character of the
electronic market. This industry, along with CII, should examine key international issues and
identify major international institutions that are addressing them. The issues include:

• International trade and tariffs
• Data Security
• Encryption
• Infrastructure and Access
• Intellectual Property Rights
• Liability: Choice of Law and Jurisdiction
• Content
• Competition Law
• Self-Regulation
• Privacy


According to Internet surveys, the fastest growing Web sites are those which provide a
place for personal expression, such as chat rooms, message boards, email and personal web
pages24. In addition, "e-tailing," or retail sales over the Web, has exceeded industry
expectations. Online sales tripled from $3 billion in 1997 to $9 billion in 1998. By the year
2000, commerce on the Internet is expected to generate $30 billion25. Not surprisingly,
many companies are launching Web sites to establish their presence on the Internet and to
introduce themselves to the emerging online consumer market.

In doing so, many of these companies enter into new businesses, and some may enter into
regulated industries. Each of these Web site owners--whether they are software vendors,
search engines, banks or auction houses--becomes a publisher, in addition to their original
core business. And, because of the thick competition to offer more and better services on
the Web, Internet companies frequently move from their core business to entirely new
ventures as sales agents, financial information providers, mail providers, and more. This
article outlines some of the issues arising from operating a Web site in India and offers some
suggestions to minimise legal risk.

For a variety of reasons, initial and periodic legal audits for content liability issues on a Web
site play an important role in managing a company’s risk on the Internet. First, for Web site
operators located in India, there are a number of constitutional and statutory
protections for these "New Media" publishers, similar to the protections long enjoyed by

24 Media Metrix, "The Media Metrix Web in Review: Top 50 Fastest Growing Web Sites in Audience
Reach," (Aug. 10, 1998),
25 U.S. Dept. of Commerce, "Remarks of Sec. of Commerce William M. Daley," (Feb. 5, 1999),


traditional publishers, such as newspapers, magazines and TV or radio broadcasters. The
same is probably true of “new media” laws world-wide. Indeed, the U.S. Supreme Court
determined that online "speech," or content, should enjoy the highest level of constitutional
protection26. As part of the audit, Web sites also should be reviewed for compliance with
legislation regulating Internet content, commerce and conduct.

Second, Web sites generally contain a mixture of content--some of which may be generated
by the site owner, but often, is not. An audit identifies the different types of content and the
different risk associated with each type, and creates risk management strategies to protect
the company.

Finally, the most successful Web sites are highly dynamic; that is, the content is not only
interactive but constantly growing, and therefore changing. A good audit identifies "hot
spots" on a site that are more likely to draw complaints or have greater exposure. Given the
uncertainty of the law in the Internet space, a primary objective of risk management is to
"marginalize" the potential plaintiff's success. An audit may provide guidelines for dealing
with particularly complex areas, such as chat rooms or message boards, e-commerce
transactions and user privacy. A great deal of thought and practical judgement are
necessary to conduct a legal audit of Web site content.


A Web site audit begins with a survey of the site--identifying the types of content and
services provided on the site, the types of terms of service or legal disclaimers needed, the
intellectual property rights, and the potential hot spots that are likely to give rise to liability.
Typically, this phase of the audit requires discussions with the staff responsible for the site's
content to determine how content is generated, which areas are the subject of complaints
and what policies exist to handle complaints.

Depending upon the company, Web sites fulfil different and often multiple functions. Some
sites are essentially advertisements that bolster brand identity, describe the company's
product or services and provide investors or shareholders with information. Others fulfil
traditional media functions of providing news, entertainment or other content (such as
financial information or classified ads). Many of the largest sites have moved toward
building online communities--sites that draw users back again and again. These sites offer a
variety of services, including search engines, e-mail, chat, message boards, and commercial
services--such as travel, brokerage and retail. The breadth of an audit depends in large part
on the complexity of the site.



26 Reno v. American Civil Liberties Union, U.S., 117 S. Ct. 2329 (1997) (the Internet receives full First
Amendment protection).


Web site content which is entirely or mostly generated by the Web site owner often
presents the least complex liability issues. These issues are substantially similar to liability
issues that a newspaper publisher has when publishing its daily paper or that a company has
when publishing its prospectus or retail catalogue. Like their traditional media counterparts,
Web site owners in India enjoy the significant legal protections available to publishers.
Generally, Web site owners should review their content for accuracy, fair advertising
practices, intellectual property rights and Securities Exchange Commission and other
regulatory related issues.


Many Web sites license content rather than create their own. An audit therefore may also
include review of the licensing agreements to ensure that the Web site owner has the rights
it needs to distribute, alter, republish or otherwise use the licensed content. In addition, the
audit should review all representations and warranties for the content and any appropriate
indemnifications by the licensor.


As interactivity becomes a primary draw for bringing back Internet users, more sites are
including chat, message boards, e-commerce and e-mail at their site. As a result, much of
the content in these areas is created by users of the site and cannot as a practical matter be
reviewed or edited by the Web site owner. Not surprisingly, while user-created content
draws the most interest, it also draws the most complaints.

In the United States, the Congress enacted Section 230 of the Communications Decency Act
of 1996, which largely immunises online service providers from liability arising from the
statements of third parties27. Recent legal decisions have held that under Section 230 a Web
site owner cannot be held responsible for the defamatory or otherwise tortious statements
of individuals who post on its message boards28. Nonetheless, because users occasionally
make offensive, inflammatory or otherwise objectionable statements, Web site owners
should have clear and reasonable policies to handle complaints that arise in these areas and
all appropriate disclaimers and indemnifications.

In 1998, the U.S. Congress also passed the Digital Millennium Copyright Act, which provides
limited safe harbours for online service providers that unknowingly or inadvertently
transmit, link to, or host infringing material provided or posted by third parties. Under this
new legislation, each Web site must register with the Copyright Office and put in place a
policy for reporting possible copyright infringement on their site.


27 47 U.S.C. 230. Other provisions of the Act related to "obscene" material were struck down as
unconstitutional in Reno v. American Civil Liberties Union.
28 See, e.g., Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997); Blumenthal v. Drudge, 992 F.
Supp. 44 (D.D.C. 1998).


The practice of linking to or framing other Web sites raises liability issues unique to the
Internet. A Web site owner may be found liable for contributory infringement or vicarious
liability for knowingly linking to another site that contains copyright infringing material or
otherwise engages in infringing activity. In an interesting claim arising from allegedly
improper linking, Ticketmaster sued Microsoft for its use of hypertext links to bypass
Ticketmaster's homepage and advertising29.

A Web site owner also may be found liable for trademark infringement or unfair
competition for framing another site on its site. For example, in Washington Post, et al. v.
TotalNEWS30, a number of news media sued TotalNEWS, a Web site which aggregated the
other news sites and "framed" those sites with their own ads, thus effectively deriving ad
revenues based on others' content without their permission. Although that case settled out
of court, the practice of framing should be carefully reviewed in an audit.



A content audit should include a review of the third-party content, and the corresponding
license agreements, to ensure that the Web site owner has acquired the appropriate rights
for use on its site. This includes graphics, images, logos and text. Indeed, use of another's
trademark as a link may give rise to liability if the manner in which one uses a trademark
creates the false impression that the trademark owner is somehow affiliated with the Web
site owner. In addition, the audit should review the owner's copyright and trademark
notices to ensure that they are accurate and current.


Under U.S. law, a Web site owner may be held liable for false statements of fact which are
defamatory and published with fault. While the owner may not be liable for statements by
third parties because of the statutory protections of the Communications Decency Act,
statements originating with the owner may give rise to liability. Traditional publishers
frequently have an attorney review sensitive articles prior to publication to identify
troublesome statements and to set up the best possible legal defences for publication of the
article. A similar practice may be appropriate for articles published on the Internet which
are written by the Web site owner.


There are three types of privacy torts that may arise from statements made on Web sites:
the public disclosure of private facts, statements which place the subject in a false and
defamatory light, and the commercial use of another's image or likeness without their
permission. As in defamation, while the Web site owner in the United States may not be
liable for state law invasion of privacy claims arising from third party statements, the owner
should carefully review original content.

29 Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (C.D. Cal., filed Apr. 29, 1997).
30 97 Civ. 1190 (PKL) (S.D.N.Y., filed Feb. 28, 1997)



An audit should include a review of the Web site's collection of user information. This
usually is done at the registration page, and may include name, address, email address,
telephone number and credit card number. In addition, most sites now monitor the pages
viewed and services utilised by a user via "cookie" technology. Thus, sites may maintain and
use personally identifiable information about their users for a wide range of purposes such as
targeting banner advertisements, tailoring services to individual users and sending direct
advertisements to individual users based on their demonstrated interests. What information
is collected, how it is used and to whom it is disclosed should be carefully reviewed to
ensure that the Web site owner is in compliance with applicable privacy statutes,
Competition and MRTP regulations and the site's privacy policy.


As a growing number of Web sites move toward the advertising business model, a content
audit should include review of the site's guidelines for accepting advertising on its site,
particularly banner ads which hyperlink to the advertiser's site. The guidelines should
adhere to state and federal fair advertising laws, particularly in regard to minors. In
addition, the audit should review the ad insertion orders to ensure that they include
appropriate indemnifications and representations and warranties. Some Web sites also
sponsor interactive contests or sweepstakes and an audit may include review for
compliance with sweepstake and contest laws.

22.6 SALES

If the site includes commercial transactions, the audit should include a review of the online
contracts and also the Web site owner's account procedures for creating and maintaining
records of the transactions. In some cases, the owner also may need to obtain accounting,
security or other professional advice.


If the business hosting the Web site is publicly traded or involved in a regulated industry,
such as banking, real estate, utilities, pharmaceuticals, or alcoholic beverages, the audit
should include a review of SEC compliance and the specific advertising, shipping or other
regulations for such industries.


Specific components of a Web site are worth particular attention.


The disclaimers and Terms of Service are important in establishing the relationship between
the Web site owner and its users. Generally, the comprehensiveness of a user agreement is
determined by balancing the potential exposure created by site content and activities
against the potentially intimidating impression a long agreement will make on the user. For
example, relatively straightforward sites that provide information about a company, but
have little user interactivity, may only require a short disclaimer. On the other hand, sites
which host e-commerce, chat, email, or message boards or provide sensitive information,
such as financial information and services, will likely require a more extensive user


Many Web sites now provide areas for users to interact with both the Web site owner and
other users. These areas take the form of message boards (where users can post a message
that can be read and responded to by other users) and chat rooms (where users can send
each other messages, or "chat," in real time).

In my experience, user interaction is fun and free-wheeling, but it can also be highly
inflammatory. Frequently, a user may make defamatory or otherwise objectionable
statements about another. Users then tend to turn to the Web site owner to remedy the
problem by removing the statements, correcting the statements or somehow punishing the
author of the statements. An audit should include a review of how the owner responds to
such demands and set up a policy for when, if ever, it is appropriate to either remove a post
or provide information about the author.


The privacy and security of personal information on the Internet has become an increasing
concern. A Web site audit should include review of the site's policies for disclosing user
information and, in particular, policies for responding to subpoenas for user information. In
the United States, responding to requests for either the content of communications (i.e.,
email messages) or user information is strictly limited by the [federal] Electronic
Communications Privacy Act. Any policy should take into consideration privacy or
procedural requirements and other duties arising from common law or the site's Terms of

Finally, an audit should include a review of the site's privacy policy. In general, the policy
should provide notice to users about the types of information collected, how such
information is used and to whom it is disclosed. In addition, Web sites should provide their
users with reasonable access to their personal information and the ability to update or
remove such data as appropriate.

The legal audit provides some guidance for Web site owners by identifying areas of
potential liability before litigation arises. In addition, further content liability counselling can
be done to place the Web site owner in the best possible legal position--by posting proper
disclaimers, establishing sensible complaint policies, etc.--should a legal demand be made.





Description of Agreement/Document

The agreement for IT procurement and/or turnkey solutions relates to the supply of a fully
operational system to a customer. The contract with the supplier relates to procuring the
customer’s various requirements to enable the customer to simply turn a key. The supplier
under the contract will be responsible for procuring all relevant components to achieve the
turnkey or procurement contract according to the customer’s requirements.

Practical Guidance/Issues List

The parties should consider the obligations of each party and consider:
• clearly stating the user’s requirements as comprehensively as possible;
• agreeing the exact tests and acceptance criteria required;
• specifying liquidated damages provision and an effective remedy in relation to specific
• ensuring the grant of relevant third party licences to the customer;
• ensuring that any relevant manufacturer’s warranties are assigned (if assignable);
• obtaining any third party approval as may be required for delivery of the procurement or turnkey solution;
• clarity in respect of the price payable, terms of payment and whether any additional costs will be incurred;
• avoiding any unilateral variations of prices, services or contract terms;
• relevant arrangements for delivery of any codes (particularly in relation to bespoke
• entering into escrow arrangements;
• negotiating and agreeing all ancillary contracts (training, project management, support, etc.) at the same time;
• avoiding unenforceable provisions such as ‘agreement to agree’;
• setting out the user’s specification in plain English with comprehensive requirements relating to functionality, technical requirements or details, what the system is to
• setting out specific team for the project;
• agreeing clear timetables;
• obtaining third party assistance as required.

Some Key Definitions

‘Acceptance Test(s)’ means the tests by the [Contractor] which are suitable to demonstrate
that the System complies with and performs in accordance with the Orders.


‘Acknowledgement’ means the Contractor’s acceptance and acknowledgement of the
Orders containing the payment schedule, timetable and detailing the implementation and
each phase of the relevant Services.

‘Customer Equipment’ means the equipment, communications links, computer programs,
apparatus, materials and/or other items (other than the System) to be provided (including
the installation of them) by the Customer at the Location for use in association with the

‘Location’ means the Customer’s offices or such other location(s) set out in the Customer’s
Requirements where the System or parts of it will be installed.

‘Operating Software’ means the computer programs and associated documentation (if any)
supplied by a manufacturer in connection with the operation of a Hardware item.

‘Orders’ means the instructions and orders of the Customer in respect of its information
technology requirements contained in an agreed form (including the specification of the
System describing the intended functions and facilities for the System and the Customer’s
particular requirements on each occasion in respect of the Services, maintenance and other
matters) from time to time and expressly accepted by the Contractor.

‘Timetable’ means as regards any of the Contractor’s obligations to deliver any of the
Hardware, Software or Documentation or to perform any of the Services, the relevant date
or time agreed or set out in the Orders (if any).

Specific Provisions

The Contractor may employ Sub-Contractors for carrying out any part of the Services
provided that the Contractor will not be relieved of any of its obligations under this
Agreement by entering into any sub-contract for the performance of any part of the
Services, and will at all times remain primarily responsible and liable to the Customer for the
conduct of the Sub-Contractors.

Required Skill
The Contractor shall use its reasonable endeavours to provide and carry out the Services
with reasonable care and skill using appropriately qualified and experienced persons.

Except as expressly provided, no changes to this Agreement or any Orders shall be binding
unless agreed in writing between the authorised representatives of the Contractor and
Customer provided always that any changes to this Agreement shall be authorised by a
partner of the Contractor.

The Contractor may make a reasonable charge for investigating a proposed change and
preparing an impact assessment or a quotation or estimate for that change (whether or not
subsequently implemented) subject to agreeing the basis of charging for doing so with the
Customer in writing before proceeding with the investigatory work.


The Customer will provide the Contractor with such information as it may reasonably need
concerning the Customer’s operations and answers to queries, decisions and approvals
which may be reasonably necessary for the Contractor and its Sub-Contractors to undertake
the Services. The Customer is responsible for ensuring that such information and answers
are accurate and complete.



In preparing information technology procurement and turnkey contracts, individuals or
businesses should consider the following non-exhaustive matters.

Actions/Issues: Comments:

1 Consider the scope of the agreement and the parties’ requirements or objectives.
2 Set out background, history and summary in recital.
3 Ascertain and consider relevant service to be provided in connection with:
3.1 information technology procurement;
3.2 turnkey contract;
3.3 software development and supply;
3.4 installation;
3.5 testing;
3.6 maintenance and support;
3.7 integration services;
3.8 training;
3.9 escrow arrangements;
3.10 consultancy.
4 Is there an agreed specification and/or list of customer’s
5 As to the parties to the agreement, consider:
5.1 parties’ names, addresses, registered offices and
5.2 parties’ details for service of notices including email and fax;
5.3 requirement for guarantor (parent company or
5.4 any other contracting party or related third
6 Consider key terms and relevant definitions including:
6.1 bespoke software, operating software,
6.2 contract price;
6.3 order, delivery, acceptance tests;
6.4 customer equipment, system, documentation;
6.5 sub-contractor, timetable.
7 Review requirements for IT procurement and/or turnkey solution agreement. Consider and specify the scope of the solution or services to be provided including:
7.1 appointment as contractor to supply solution or service;
7.2 basis of appointment (exclusive, sole or non-exclusive);
7.3 procedure for orders and specification;
7.4 variation or acceptance in writing;
7.5 obligation to deliver and install hardware and software at location;
7.6 obligation to carry out installation tests on the system;
7.7 supply of orders;
7.8 provision of consumable supplies by contractor;
7.9 procure licence and third party licence for use of relevant software;
7.10 supply of documentation;
7.11 assisting the contractor with acceptance tests;
7.12 agreement to procure or provide training, support and maintenance and consultancy
7.13 use of sub-contractors for performance of
7.14 use of reasonably skilled and experienced
7.15 entering into further agreements.

8 Change request procedure in connection with agreement including:
8.1 request in writing;
8.2 specify required change;
8.3 analysis of impact;
8.4 estimates or liability for expense and cost of review, investigation or implementation;
8.5 formal acceptance or adoption of change.
9 Ascertain, review and specify obligations or responsibilities of the customer including:
9.1 provision of required information;
9.2 provision of facilities;
9.3 allowing access to premises;
9.4 permission and use of customer’s equipment;
9.5 liaising with contractor’s representative;
9.6 satisfying specified conditions and providing required environmental conditions for solution;
9.7 ensuring adequate security for system;
9.8 ensuring proper and satisfactory installation;
9.9 preparation of specification.
10 Will the contract be for a defined period or will it continue until delivery of solution or termination? Consider and specify:
10.1 how long contract is for;
10.2 provisions for extension or roll over;
10.3 length of subsequent terms;
10.4 applicable extension or option to extend
11 Consider administration of project and requirements for:
11.1 each party to appoint a representative or account manager;
11.2 periodic written reports;
11.3 regular progress meetings;
11.4 replacement of representative.
12 How will payment be made and what are the agreed pricing arrangements? Consider or specify as follows:
12.1 amount of contract price;
12.2 method of calculation of contract price;
12.3 whether price is all inclusive;
12.4 whether exclusive of VAT;
12.5 payment timing and dates;
12.6 procedure for varying price;
12.7 whether additional charges applicable;
12.8 basis upon which payment can be withheld;
12.9 default interest penalty provisions;
12.10 liability for additional duties, surcharges or tax;
12.11 remedy for late payment in addition to default interest;
12.12 price increases due to law and regulatory changes;
12.13 price adjustments, discounts or rebates.
13 In relation to software procurement or solution,
13.1 responsibility for installation;
13.2 arrangements for code and escrow;
13.3 delivery of bespoke software;
13.4 any relevant licensing arrangement or third party approvals.
14 Consider the following in relation to hardware:
14.1 ensuring compliance with environment
14.2 delivery and off-loading arrangements;
14.3 installation obligations;
14.4 responsibility for costs;
14.5 when risk passes to the customer;
14.6 when title passes to the customer (payment in full of relevant price for item or all outstanding
15 What are the terms of the required solution? Is the specification together with required functionality
16 Timetable obligations should be considered including:
16.1 setting out relevant phases and compliance periods or dates;
16.2 whether dates are target dates only;
16.3 whether time is of the essence of the contract;
16.4 procedure for extension of time if delayed due to force majeure event or customer’s action.
17 Consider and specify:
17.1 relevant installation tests;
17.2 what is to be submitted for testing;
17.3 applicable testing or re-testing procedure;
17.4 preparation for acceptance tests;
17.5 responsibility for carrying out the acceptance test;
17.6 any maintenance or support requirement or obligation to enter into agreement.

18 What warranties have the parties agreed? Consider warranties relating to:
18.1 quality of service;
18.2 quality of solution or turnkey product;
18.3 prompt installation;
18.4 non-reliance (by customer) on
18.5 defects warranty (repair and/or replace) and warranty period;
18.6 conditions of warranty;
18.7 ownership of systems and non-infringement of third party rights.
19 Review liability requirements and consider provisions relating to:
19.1 agreement being exhaustive in respect of parties’ obligations and liabilities;
19.2 exclusion of all implied, statutory or other
19.3 responsibility of customer for use of system;
19.4 exclusion of liability for indirect, consequential loss or damage, loss of profits or data;
19.5 capping liability at contract price or insurance
19.6 indemnity for breach (and whether within liability cap) or third party claims;
19.7 acknowledgement of risk – fair/reasonable risk allocation.
20 Are there any indemnity provisions in respect of intellectual property rights infringement? Is the indemnity conditional? Consider and specify applicable conditions. Are there any contractor exclusions in respect of infringement of third party rights?
21 Will the customer be required to give any warranties? Consider warranty that:
21.1 specification, design or instruction will not infringe third party rights;
21.2 customer will indemnify contractor for third party claims.
22 Specify obligations of confidentiality. Consider definition of ‘confidential information’ as any specific obligations or undertakings. Will the undertaking survive termination of contract? Are there any exclusions from non-disclosure restrictions?

23 Ascertain, consider or specify:
23.1 undertaking in relation to continuity of personnel by contractor;
23.2 consent requirement prior to key personnel
23.3 customer right to require replacement of project personnel;
23.4 requirement to comply with health and safety, site regulations and other relevant policies;
23.5 non-solicitation undertakings in relation to employees for specified period;
23.6 statement of requirements;
23.7 provisions for serving notices;
23.8 dispute resolution provisions;
23.9 relevant schedules to agreement and requirement to prepare documents or agreements;
23.10 force majeure provisions, obligation to notify, discretion to terminate, responsibility for costs and what amounts to a matter beyond a party’s
23.11 conflict resolution between agreement and
23.12 project management obligations;
23.13 required performance parameters;
23.14 implementation plan and acceptance procedures;
23.15 liquidated damages for failure to attain specific milestones or customer’s loss due to lateness;
23.16 insurance requirements;
23.17 ancillary services;
23.18 data protection obligations, requirements and undertakings;
23.19 regulatory approvals;
23.20 compliance with relevant laws;
23.21 further assurance provisions;
23.22 relevant guarantee provisions.
24 Ascertain and set out acceptance testing provisions including:
24.1 acceptance testing criteria and scope of testing;
24.2 conduct of tests and attendance;
24.3 user’s requirements;
24.4 assistance with testing;
24.5 delays in testing;
24.6 user as final arbiter or independent
24.7 preliminary testing by contractor;
24.8 final testing by customer or user;
24.9 revealed defects or system failure;
24.10 warranty period for remedies for minor defects;
24.11 retesting failed system;
24.12 payment of liquidated damages pending re-submission for testing;
24.13 option to accept defective system with price
25 Termination provisions to be set out including considering provisions relating to:
25.1 circumstances permitting customer to terminate;
25.2 termination by either party with or without cause;
25.3 termination notice periods;
25.4 limits on timing of termination;
25.5 post-termination consequences;
25.6 post-termination obligations;
25.7 termination immediately for specified events of default;
25.8 termination for insolvency;
25.9 applicable charges for cancellation or termination;
25.10 accrued rights of the parties prior to termination.
26 Review and consider relevant provisions relating to:
26.1 waiver of rights by either party;
26.2 agreement being complete;
26.3 exclusion of all other terms;
26.4 third party rights exclusion;
26.5 severance of unenforceable or illegal
26.6 right to assign agreement or sub-contract;
26.7 effect of contract on affiliated or group
26.8 remedies to be cumulative;
26.9 parties not being partners or agents;
26.10 who is responsible for legal costs;
26.11 any rights of set off;
26.12 restriction on publicity or press announcement without approval;
26.13 waiver of right to terminate for non-fraudulent
26.14 signing contract in counterparts;
26.15 varying or altering the contract.




Description of Agreement/Document

An outsourcing agreement or application service provider (ASP) contract relates to the
provision of services by one party to another. However, with an outsourcing contract, the
entity that previously provided the relevant services in-house transfers some of its
employees and assets to an external service provider to enable them to provide the entity
with the services. The agreement details the arrangements between the parties including
where relevant, the transfer of employees and assets, agreement to purchase the services
and re-transfer provisions.

In relation to ASP services, the service provider details and manages applications and
technology services from a remote location to users via the internet or a private network.
The agreement details the service arrangements, partner obligations, service levels and
liability provisions. The customer buys the use of the application without having to transfer
any internal resources to the ASP service provider.

Practical Guidance/Issues List

The parties should take great care with the contract as it governs a long term relationship
between the parties.

Parties should consider:
• the necessity to transfer employees;
• relevant assets required for provision of the services;
• each party’s requirements and objectives;
• what the outsourcing arrangement is intended to achieve;
• suitable restrictions in the contract to provide the relevant ‘contracting back in’
protection for the company outsourcing the services at the end;
• setting out arrangements for replacing the service provider;
• the appropriate duration of the outsourcing arrangements;
• ensuring that the agreement is subject to review during the term.

In relation to ASP services, the parties should also consider the following:
• The confidentiality and data protection provisions are important. The parties will need
to ensure that they are carefully drafted to protect the parties in relation to relevant
proprietary information and compliance with data protection. The provision of services
online also increases security risks and it will be important for the provider to
demonstrate that it has adequate data protection mechanisms in place.


• The provider will require time to fix problems. The service level agreement (SLA) should
clearly set out the relevant period allowed for a provider to fix any problems it may
have with its service before penalties are imposed. Where the problem is likely to last
for an unreasonable period of time there should be a provision requiring the provider to
make alternative arrangements for provision of the services to the customer, for
example by way of a back up system or through another provider.

• Security is always a very important issue for the customer. The customer should satisfy
itself and make provision in the contract for the SLA to include detailed security
requirements used in providing the services. There should also be adequate provision
requiring the provider to take certain specific steps, including notification to the
customer, in the event of a breach of security.

• Security provisions will relate both to offline and online issues. In relation to offline
issues, the SLA may detail the protections in relation to the data centre: 24 hour
security, CCTV and other physical protections in place could be outlined. These security
measures may be implemented by third parties.

• In relation to online protections, the SLA will need to address the various mechanisms in
place guaranteeing security of the service to the customer, such as use of domain
structures to centralise login and account information in secure locations, rotation of
passwords for routers, account login and server and local administration. The
installation and updating of virus protection software by the provider would also be
crucial from the customer’s perspective.

• The provider will need to deal with issues relating to scheduled and unscheduled
maintenance and provide for this appropriately in the contract.

• The customer should ensure that the data centre or location from which services are
provided is equipped with and will maintain an uninterruptible power supply and power
regulators capable of ensuring that the operation of the necessary equipment located in
the data centre is unhindered by any fluctuations or interruptions in the power supply.

• The responsibility for upgrading and maintaining the application software should be
clearly dealt with as this is important for the customer.

• Customers should require information on upgrade obligations, timing and any additional
costs involved.

• The provider will need to ensure that the SLA not only covers the service requirements
for the customer but that it is commercially achievable for the provider.

Law/Compliance Requirement

Apart from general contract law, the arrangements may require reference to the Transfer of
Undertakings (Protection of Employment) Regulations 1981 (as amended), which are
relevant to the transfer of employees to the service provider.

The Data Protection Act 1998 is of importance in an ASP relationship. ASPs may require
access to sensitive data needed to put in place relevant compliance procedures. The Act was
introduced due to increasing concerns about how data on individuals is handled and
protected by organisations. The parties will need to comply with the provisions of the Act.


Some Key Definitions

‘Intellectual Property Rights’ means all copyrights, patents, utility models, trade marks,
service marks, registered designs, moral rights, design rights (whether registered or
unregistered), technical information, know-how, database rights, semiconductor
topography rights, business names and logos, computer data, generic rights, proprietary
information rights and all other similar proprietary rights (and all applications and rights to
apply for registration or protection of any of the foregoing) as may exist anywhere in the

‘Operating Rules’ means any Provider rules or protocols, in whatever form recorded, that
affect the Customer’s access to or use of the Services, and made available by the Provider
from time to time to the Customer.

‘Services’ means the software applications services of the Provider, as specified in Schedule
1, made available to the Customer (together with any Operating Rules) and including any
computer software programs and, if appropriate, Updates thereto.

‘Updates’ means any new or updated applications services or tools (including any computer
software programs) made available by the Provider as part of the Services.

‘Required Service Level’ in respect of any Service in any period means the standard of
performance referred to in clause [ ] in the provision of that Service in the period in

‘Service Charges’ means the charges levied by the Provider for the Services in accordance
with the tariffs, scales, charges, invoicing methods and terms of payment as set out in Annex

‘Service Credits’ means the credits which become payable to the Client by way of a
reduction in the Service Charges where the Required Service Levels are not achieved as
set out in Annex [ ]

Specific Provisions

The Provider agrees to provide the Services in accordance with the Implementation Plan.
Notwithstanding the foregoing, the parties agree that the Implementation Plan shall be
amended to the extent reasonably necessary in order to reflect any breach of the
Customer’s obligations, negligence by it or any force majeure event preventing the Provider
from providing the Services.

The Provider shall keep records of the service levels achieved for the Services it is providing
to the Customer for each [ ] month period throughout this Agreement and provide copies
of such records to the Customer upon request.


Service Level
In the event that the service levels achieved by the Provider fall short of the Required
Service Level in any [specified] period or the goals set out in the Implementation Plan are
not achieved, the Provider shall provide the Service Credits as specified in Annex [ ]. If the
Provider fails to provide the Services in accordance with the Required Service Levels
measured over any [ ] month period, the Customer shall incur Service Credits as set out in
Annex [ ]. Such Service Credits shall be calculated [monthly] and applied as a deduction to
any Service Charges payable under this Agreement.

Price Increase
The Provider reserves the right, by giving notice to the Customer at any time before
performance of the relevant Services, to increase the price of such Services to reflect any
increase in the cost to the Provider which is due to an act or omission of the Customer
including but not limited to any change in the date for the performance of Services or any
delay caused by any instructions of the Customer or failure by the Customer to give the
Provider adequate information or instructions.

ASP Warranty
The Provider warrants that by performing the Services it will not knowingly infringe the
rights of any third party (including but not limited to Intellectual Property Rights) in any
jurisdiction or be in breach of any obligations it may have to a third party. The Provider
further warrants that it is not prohibited from providing the Services by any statutory or
other rules or regulations in any relevant jurisdiction.

ASP Licence
Subject to the Customer’s payment of the Fees, the Customer is granted a non-exclusive and
non-transferable licence to use the Services (including any associated software, Intellectual
Property Rights and Confidential Information) during the Term. Such licence shall permit the
Customer to make such copies of software or other information as are required for the
Customer to receive the Services.

Nothing in this Agreement shall be construed to mean, by inference or otherwise, that the
Customer has any right to obtain source code for the software comprised within the
Services. All Intellectual Property Rights and title to the Services (save to the extent they
incorporate any Customer or third party owned item) shall remain with the Provider and/or
its licensors and no interest or ownership therein is conveyed to the Customer under this
Agreement. No right to modify, adapt or translate the Services or create derivative works is
granted to the Customer.



In preparing an outsourcing agreement or letter, individuals or businesses should consider
the following non-exhaustive matters.

Actions/Issues: Comments:

1 General. What are the parties’ requirements and objectives? What is being outsourced? Consider relevant services to be provided and how.
2 Introduction. Indicate background – parties’ status, history or objectives including parties’ group structure in the recitals and introductory paragraph.
3 Parties. Consider and specify the parties to the agreement including:
3.1 the client company/customer’s name, address, registration number and other contract details;
3.2 the service provider’s address details and contract information;
3.3 whether a guarantee is required by either party;
3.4 any third party contractor involved in the outsourcing process.
4 Definitions. Consider definition of key terms, words or phrases including:
4.1 change request, change control procedure;
4.2 continuous performance assessment;
4.3 dispute resolution procedure;
4.4 cut-over date;
4.5 exit management plan;
4.6 force majeure;
4.7 key personnel, third party provider, replacement service provider;
4.8 persistent failure;
4.9 quality management plan, requirements plan, transition plan, disaster recovery plan;
4.10 request for service;
4.11 service level agreement;

