Published by Enhelion, 2019-11-20 12:23:31

MODULE 3
INFORMATION TECHNOLOGY LAWS (DATA PROTECTION,
PRIVACY AND CORPORATE COMPLIANCE) AND
BUSINESS

3.1 INTRODUCTION

With the advent of the Internet, it has become easy for anyone to gather, compile and exploit
the private information of individuals. What were scattered, unimportant, small bits of data
have now become a potent large set of data that can be misused by companies or by antisocial
elements. This has prompted many countries to come up with legislation on privacy.

3.2 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation to
collect data only for specified, explicit and legitimate purposes, as well as to only hold data if
it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards faces
sanctions. The Electronic Communications Privacy Act in the US governs the privacy of
e-mail in public e-mail systems. It bars interception, use, or disclosure of e-mail by third parties
and sets the standards which law enforcement authorities must meet to gain access to e-mail.

3.3 INDIAN LAW RELATING TO PRIVACY

Significantly, India does not have any specific law governing privacy. The courts in India
have not yet had the opportunity to look at privacy issues relating to the Internet. Analogies
to the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with. The Constitution of India does not patently grant the fundamental right to privacy.

However, the courts have read the right to privacy into the other existing Fundamental
Rights: Freedom of Speech and Expression, under Article 19 (1) (a) and the Right to Life and
Personal Liberty under Article 21. In India, the right to privacy is one of the un-enumerated
rights granted to the individual.

Barring a few exceptions, the Fundamental Rights secured to the individual are limitations on
State action. They are not meant to protect persons against the conduct of private persons. It
is to be noted that the Constitutional guarantee of the right to privacy is valid only against the
State and no Constitutional remedy for violation of privacy lies against any individual.
Further, common law also does not provide directly for invasion of privacy. It seeks to provide
protection by the use of civil wrongs such as defamation and breach of confidence. However,
with the advent of e-commerce, such common law seems manifestly unsuited to this
environment.

As seen above, it may be difficult in India to prevent individuals/corporations from violating
privacy. There is, at present, no initiative on the part of the government to regulate privacy of
individuals against its encroachment by private parties.

3.4 SOLUTIONS AND REGULATION: AN EPILOGUE

3.4.1 A PERSPECTIVE ON POSSIBLE SOLUTIONS

Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign--protection of local citizens from fraud and antitrust violations--shows the
beneficial effects of a Cyberspace legal regime. How should we analyse "markets" for fraud
and consumer protection purposes when the companies at issue do business only through the
World Wide Web? Consumer protection doctrines could also develop differently online--to
take into account the fact that anyone reading an online ad is only a mouse click away from
guidance from consumer protection agencies and discussions with other consumers.
Nevertheless, that does not mean that fraud might not be made "illegal" in at least large areas
of Cyberspace. Those who establish and use online systems have an interest in preserving the
safety of their electronic territory and preventing crime. They are more likely to be able to
enforce their own rules. And, as more fully discussed below, insofar as a consensually based
"law of the Net" needs to obtain respect and deference from local sovereigns, new Net-based
law-making institutions have an incentive to avoid fostering activities that threaten the vital
interests of territorial governments.

Cyberspace could be treated as a distinct marketplace for purposes of assessing concentration
and market power. Concentration in geographic markets would only be relevant in the rare
cases in which such market power could be inappropriately leveraged to obtain power in
online markets--for example by conditioning access to the net by local citizens on their
buying services from the same company (such as a phone company) online. Claims regarding
a right to access to particular online services, as distinct from claims to access particular
physical pipelines would remain tenuous as long as it is possible to create a new online
service instantly in any corner of an expanding online space.

This text focuses also on technological developments as enabling change. But these
technologies will not determine the future of the Internet. The future will be determined by
individuals and organisations that find new uses for the technologies and policies that either
encourage or discourage certain activities. Existing and proposed uses raise important issues
in the areas of electronic contracts, authentication, taxation, jurisdiction, intellectual property
protection, privacy, consumer protection, security, reliability, competition policy and
standards, among others. Although the future is impossible to predict, it seems highly likely
that the exciting possibilities that we can envision based upon technological progress will
continue to raise new issues and demand creative policy responses.

3.5 SECURITY CONCERNS, TRADE SECRETS AND PRIVACY: DEVELOPING
TRENDS

“One of the most facile and legalistic approaches to safeguarding privacy that has been
offered to date is the notion that personal information is a species of property. If this premise
is accepted, the natural corollary is that a data subject has the right to control information
about him and is eligible for the full range of legal protection that attaches to property
ownership.”1

1 (Arthur Miller: The Assault on Privacy: Computers, Data Banks and Dossiers 211 (1971)).

As laws, policies, and technological designs increasingly structure people's relationships with
social institutions, individual privacy faces new threats and new opportunities. Over the
Internet as a medium, there has to be a harmonisation of the specific rules for the treatment of
personal information. India has no data protection laws. Having said this, the ambit of
"personal liberty" as covered by the Constitution of India has been successfully interpreted in
cases relating to privacy (Gobind v. State of M.P.)2 and protection of confidential
information. Over the last several years, the realm of technology and privacy has been
transformed, creating a landscape that is both dangerous and encouraging. Significant
changes include large increases in communication bandwidths; the widespread adoption of
computer networking and public-key cryptography; mathematical innovations that promise a
vast family of protocols for protecting identity in complex transactions; new digital media
that support a wide range of social relationships; a new generation of technologically
sophisticated privacy activists; a massive body of practical experience in the development
and application of data-protection laws; and the rapid globalisation of manufacturing, culture,
and policy making.

Potentially the most significant technical innovation, though, is a class of privacy-enhancing
technologies (PETs). Beginning with the publication of the first public-key cryptographic
methods in the 1970s, mathematicians have constructed a formidable array of protocols for
communicating and conducting transactions while controlling access to sensitive information.
These techniques have become practical enough to be used in mass-market products, and
sharp conflicts have been provoked by attempts to propagate them. PETs also mark a
significant philosophical shift. By applying advanced mathematics to the protection of
privacy, they disrupt the conventional pessimistic association between technology and social
control. No longer are privacy advocates in the position of resisting technology as such, and
no longer can objectives of social control (if there are any) be hidden beneath the mask of
technical necessity. As a result, policy debates have opened where many had assumed that
none would exist, and the simple choice between privacy and functionality has given way to a
more complex trade-off among potentially numerous combinations of architecture and policy
choices.

2 (1975) 2 SCC 148.

This contrast reflects another, deeper divide. Powerful socio-economic forces are working
toward a global convergence of the conceptual content and the legal instruments of privacy
policy. These forces include commonalities of technology, a well-networked global policy
community, and the strictures on cross-border flows of personal data in the European Union’s
Data Protection Directive. While the United States has moved slowly to establish formal
privacy mechanisms and standardise privacy practices over the last two decades, it now
appears that the globalisation of markets, the growing pervasiveness of the Internet, and the
implementation of the Data Protection Directive will bring new pressures to bear on the
American privacy regime.

The evolution of privacy policy, meanwhile, has interacted with individual nations’ political
philosophies. This interaction should be viewed not on a nation-by-nation basis but rather as
the expression of a series of partial accommodations between the uniform regulation of data
handling and liberal political values that tend to define privacy issues in terms of localised
interactions among individuals. (This tension runs throughout the contemporary debate and
will recur in various guises.)

One constant across this history is the notorious difficulty of defining the concept of privacy.
The lack of satisfactory definitions has obstructed public debate by making it hard to support
detailed policy prescriptions with logical arguments from accepted moral premises. Attempts
to ground privacy rights in first principles have floundered, suggesting their inherent
complexity as social goods. Privacy is more difficult to measure than other objects of public
concern, such as environmental pollution. The extreme lack of transparency in societal
transfers of personal data, moreover, gives the issue a nebulous character. Citizens may be
aware that they suffer harm from the circulation of computerised information about them, but
they usually cannot reconstruct the connections between the cause and effect. This may
account in part for the striking mismatch between public expression of concern in opinion
polls and the almost complete absence of popular mobilisation in support of privacy rights.

The new technologies also have implications for conceptions of relationship, trust, and public
space. Technology and codes of practice determine whether databased “relationships”
between organisations and individuals are fair, or whether they provoke anxiety. These
concerns are a traditional motivation for data protection regulation, but they are amplified by
technologies that permit organisations to maintain highly customised “relationships” by
projecting different organisational personae to different individuals. Such “relationships”
easily become asymmetric, with the organisation having the greater power to control what
information about it is released while simultaneously obscuring the nature and scope of the
information it has obtained about individuals. Examine, for instance, the conditions under
which individuals can establish private zones that restrict access by outsiders. A secure
telephone line is arguably a precondition for the establishment of an intimate relationship, an
interest that has long been regarded as a defining feature of human dignity. This concern with
the boundaries that are established around a relationship complements concern with the
boundaries that are negotiated within a relationship. It also draws attention to the contested
nature of those boundaries.

Beneficial relationships are generally held to require trust. As the information infrastructure
supports relationships in more complex ways, it also creates the conditions for the
construction of trust. Trust has an obvious moral significance, and it is economically
significant when sustained business relationships cannot be reduced to periodic zero-sum
exchange or specified in advance by contract. Trust and uncertainty are complementary;
cryptography establishes the boundaries of trust by keeping secrets. This approach, however,
reduces trustworthiness to simple reliability, thereby introducing tacit norms against trusting
behaviour. Just as technology provides the conditions for negotiating relationships, it also
provides the conditions for creating trust. Legal systems evolve to the institutional conditions
by which a technical architecture comes to support these conditions or else evolves toward a
regime of coercive surveillance.

No matter how well crafted a privacy code might be, privacy will only be protected if the
necessary information practices are actually followed. Policy-makers need to understand how
privacy issues actually arise in the daily activities of information workers, and organisational
cultures need to incorporate practicable norms of privacy protection. Once established, these
norms will only be sustained if the public understands the issues well enough to make
informed choices and to assert their rights when necessary.

3.6 CONFIDENTIAL INFORMATION

Confidential information constitutes the essence of software development. From the
instructions/specifications received from the client/trade partners, to the algorithms developed
by the co-workers, every part of the development of an item of software code involves the
use of confidential information. All of this information is invaluable to the software company
developing the code and even more so to its competitors. There is no copyright in ideas or
information as such and accordingly there is no remedy under the copyright law for
unauthorised use of confidential ideas or information obtained directly or indirectly by one
person from another. A remedy will have to be sought by proceedings for breach of
confidence or breach of trust. The relief that can be obtained is by a suit for an injunction or
damages.

3.6.1 PROTECTION OF CONFIDENTIAL INFORMATION

If ideas and information are acquired by a person in such circumstances that it would be a
breach of good faith to disclose them to a third party or utilise them and he has no just cause
or excuse for doing so, the court will grant an injunction against him. It is well settled that
information imparted in confidence [especially information which is imparted in confidence to
servants and agents] will be protected. The courts will restrain the use of it if it is in breach of
good faith. The law on this subject does not depend on any implied contract. It depends on
the broad principle of equity that he who has received information in confidence shall not
take unfair advantage of it. He must not make use of it to the prejudice of him who gave it
without obtaining his consent.

3.6.2 NATURE OF CONFIDENTIAL INFORMATION

It is a matter of common knowledge that, under a system of free private enterprise and
therefore of competition, it is to the advantage of a trader/commercial entity to obtain as
much information as possible concerning the business of his rivals and to let them know as
little as possible of his own.

The information may be a trade secret, for example, a method of production not protected by
a patent, or a business secret, such as the financial structuring of an undertaking or a piece of
domestic ‘in-house’ information like the salary scale of clerks, or the efficiency of the firm’s
filing system. Some of this information would be of a highly confidential nature, as being
potentially damaging if a competitor should obtain it, some would be less so and much would
be worthless to a rival organisation.

3.6.3 CONFIDENCE IMPLIED IN A CONTRACT

If two parties make a contract under which one of them obtains for the purpose of contract or
in connection with it some confidential matter, even though the contract is silent on the issue
of confidence, the law will imply an obligation to treat that confidential matter in a
confidential way, as one of the implied terms of contract, but the obligation to respect
confidence is not limited to cases where the parties are in a contractual relationship.

3.6.4 CONFIDENCE IMPLIED BY CIRCUMSTANCES

An action for breach of confidence does not depend upon any right of property or contract or
right of law. It rests on an equitable obligation of confidence, which may be implied from
the circumstances of the case. Even if there exists no contractual relationship between the
plaintiff and the defendant, if a defendant is proved to have used confidential information
obtained directly or indirectly from the plaintiff and without his consent express or implied,
he will be guilty of infringement of the plaintiff’s rights.

3.6.5 IDENTIFICATION OF CONFIDENTIAL INFORMATION

In identifying confidential information, four elements must be discerned: First, the
information must be information the release of which the owner believes would be injurious
to him or of advantage to his rivals or others. Second, the owner must believe that the
information is confidential or secret, i.e. that it is not already in the public domain. It may be
that some or all of his rivals already have the information, but as long as the owner believes it
to be confidential, he is entitled to try to protect it. Third, the owner’s belief under the two
previous headings must be reasonable. Fourth, the information must be judged in the light of
the usage and practice of the particular industry or trade concerned. It may be that
information, which does not satisfy all these requirements, may be entitled to protection as
confidential information or trade secrets, but that any information, which does satisfy them,
must be of a type, which is entitled to protection.

3.6.6 ESSENTIAL REQUIREMENTS OF BREACH OF CONFIDENCE

Three elements are normally required if, apart from contract, a case of breach of confidence
is to succeed. First, the information itself must have the necessary quality of confidence about
it. Secondly, that information must have been imparted in circumstances importing an
obligation of confidence. Thirdly, there must be unauthorised use of that information to the
detriment of the party communicating it.

3.6.7 EXCEPTIONS TO BREACH OF CONFIDENCE

Where the information is such that it ought to be divulged in the public interest to one who
has an interest in receiving it, the Court will not restrain such a disclosure. Information
relating to anti-national activities, which are against national security, breaches of the law or
statutory duty or fraud, may come under this category. In fact, whenever there is strong
public interest in the disclosure of the matter, Courts may not consider such disclosure as
breach of confidence.

3.6.8 REMEDIES FOR BREACH OF CONFIDENCE

The remedies for breach of confidence consist of an injunction, damages and delivery-up
where applicable. The injunction may be interlocutory or permanent. The information may
remain confidential only for a limited period in which case, the injunction will not extend
beyond that period. Since the information, alleged to be confidential, might be of value to the
plaintiff only for a certain period, an interim injunction will ordinarily be granted only for a
specified period depending upon the circumstances and the nature of confidential
information.

In the balance of convenience, the following factors have to be considered:

whether the effect of an injunction would be harmful to the defendants;
whether the terms of the injunction are such that it is extremely difficult for the
defendants to know what they may do and what they may not do;
whether it is certain upon the material before the Court that even if they were
successful in the trial, the plaintiff would obtain an injunction rather than damages.

Damages or compensation is determined based on the market value of the confidential
information based on a notional sale between a willing seller and a willing purchaser. This
method may be more appropriate for confidential information relating to industrial designs or
processes or business secrets.

Where a plaintiff elects in favour of an account of profits, he will in the normal course
receive the difference between the sale price of the goods and the sum expended in
manufacturing them. The sum would be abated by the amounts, if any, expended by the
defendants as commission in relation to the contract.

3.7 EMPLOYEE PRIVACY RIGHTS

Employee privacy is considered one of the most important issues facing companies today3.
This is so because no longer is employee privacy relegated to the employer “monitoring their
workers’ performance by observing production lines, counting sales orders, and simply
looking over the employee’s shoulder.” Instead, employers now have the capability to
monitor their employees through electronic means, including computers and e-mail. This
“development of sophisticated technology is greatly expanding the advanced and highly
effective methods by which employers monitor the workplace.”4

3 (Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Laws in the Age of the
“Electronic Sweatshop”, 28 J. Marshall L. Rev. 139, 139 (1994)).
4 (Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace,
8 Harv. J.L. & Tech. 345, 345 (1995)).

Although it is obvious that e-mail gives companies a great deal of technological advantages
and is an important tool in today's business world, it also creates a problem for employers and
employees in the area of employee privacy. The question becomes, do employers have the
right to look at employees’ e-mails, and do employees have a right of privacy that should
prevent such an intrusion? Employers argue that they need the right to electronically monitor
employees in order to enhance job performance, prevent theft, fraud, and other illegal
conduct. They also argue that productivity, efficiency, and quality controls are all enhanced
by electronic surveillance. The employee on the other hand, maintains that he has an
expectation of privacy, and that electronic surveillance is an invasion of that right. A number
of e-mail’s attributes led employees to believe these messages were their own private
communications.5

The need for passwords, the ability to personally address e-mail, the use of the word “mail”,
the most confidential form of communication used by the public, in e-mail, and even the
ability to “delete” messages after reading them, all contribute to employee e-mail users
believing that their e-mail communications are private.

Functionally, a proper e-mail privacy standard lies at the confluence of two critical questions:
how much access do employers have to an employee’s workspace, and is that access limited
by a right of the employee to control their workspace; and how much of a right do employees
have to use the employer’s property as resources to pursue their own, private purposes. The
laws concerning this employee privacy are unclear at best, non-existent in many situations,
and still in discussion in India.

3.8 EMPLOYER PROTECTION

The question thus is how an employer can protect against liability. First, it is important to
reduce the employee’s expectation of privacy with notice, and second, it is important to do so
in a manner that evidences the employee’s understanding of the policy.

In Watkins [featured in The Times, July 2000], the employer warned employees that business
telephone calls would be monitored, but that personal calls would only be monitored to the
extent necessary to determine whether the call was personal or business. The court held that
this disclosure protected employees’ personal calls and only implied consent to the
monitoring of business calls. This implies that employers will escape liability if they publish
a policy expressly warning employees that all e-mail messages will be monitored and not just
business related ones. However, the scope of the employer’s intrusion must be matched by a
legitimate business interest justifying the invasion, such as desire to protect business property
or trade secrets.

5 (Benkler, Yochai, Rules of the Road for the Information Superhighway: Electronic Communications and the Law,
West Publishing, 1996 at 402).

The London law firm Baker & McKenzie suggests the following policy to protect employers
from employee e-mail invasion of privacy claims.
“The guidelines and warnings listed below are of critical importance and non-compliance
could in certain circumstances constitute a serious disciplinary matter.
1. Beware what you say in email or voicemail messages. Improper statements can give rise to
personal or company liability. Work on the assumption that messages may be read or listened
by third parties.”6

Whether the current employer/employee relationship exhibits it or not, there is a judicially
created right to privacy. Privacy law has attempted to balance two basic interests: first, the
employer has an interest in minimising losses and injuries, preventing fraud and crime in his
workplace, and maximising production, productivity, and success. Second, the employee has
an interest in being free from intrusion into his/her private affairs. Neither of these basic
interests is more important than the other. In fact, privacy law has taken on a “circumstances”
based inquiry. How then, does this “circumstances” based inquiry apply to the relatively new
concept of privacy in the employer/employee context of e-mail transmission?

The answer is, it really has not gone far enough. The Constitution does not explicitly give the
right to privately employed individuals, and there is some doubt whether it applies to e-mail
at all. At present, legislation is under review, but without an element of finality. Case law is
sketchy at best, and is not on point in e-mail and internet-related activities.

6 (See www.netdoor.com/com/bakernet/publicat/europe/alrt21/t-alrt21.html for other warning suggestions protecting
employers’ interests).

Therefore, to prevent unnecessary situations in the future, there are things that employers and
employees can do. First, employers should notify employees about policies that exist within
the company, which may allow the executive to search and conduct surveillance of the
employee. Thus, the expectation of privacy needs to be managed. Second, the employer
should limit the inquiry to matters associated to the workplace and the ability of an individual
to do their job. It probably does not benefit the employer to delve into an employee’s
personal e-mail. Third, employers should limit the amount of sensitive information
employees see. This would essentially negate the need to monitor. Fourth, employers should
not release any private information about the employee. Lastly, employees should keep their
personal correspondence where it belongs - at home and out of the workplace. If both
employers and employees practice these techniques, a more compatible environment for
e-mail monitoring will be available.

Nevertheless, one thing is for sure. Today, any company that uses e-mail must consider the
growing restrictions arising from both judicially created and statutory law. In addition,
any employer who is thinking about monitoring and “snooping” over e-mail had better make
sure that the employee has an awareness of this intent, because although the laws are
ambiguous today, the trend is toward a more protective environment for the employee.

3.9 BREACH OF CONFIDENTIALITY AND PRIVACY: THE INDIAN
PERSPECTIVE - AN ‘OFFENCE’ UNDER THE INDIAN INFORMATION
TECHNOLOGY ACT, 2000 (IT ACT)

India has, as such, no specific privacy laws in place as yet. Yet, drawing analogy from the
rulings of the Indian Supreme Court on Article 21, one can safely presume that the existing
standards and case precedents of the developed world will have a significant impact on the
laws of India and the rulings of the Indian courts. There are obvious enhancements of the
scope of Article 21 in the cases of Kharak Singh and Gobind. The implementation of the
Information Technology Act, 2000, is bound only to strengthen this position.

Section 72 of the IT Act prohibits unauthorised disclosure of the contents of an electronic
record. Privacy, in fact, involves at least two kinds of interests: informational privacy interest
and autonomy privacy interest. Informational privacy interest means interest in precluding the
dissemination or misuse of sensitive and confidential information. Autonomy interest means
interest in making intimate personal decisions or conducting personal activities without
observation, intrusion or interference.7 Both the interests deserve protection. In regard to
autonomy privacy interests, there are, however, certain limitations and exceptions as set out
in sections 67, 68, 69 of the IT Act, while Section 72 protects the informational privacy
interests. It prohibits disclosure of information received by a person in pursuance of the
powers conferred under the Act. Such disclosure is punishable with imprisonment for a term,
which may extend to two years and/or fine, which may extend to one lakh rupees. Disclosure
could, however, be made without any penal liability to the law enforcing agencies or pursuant
to proper authorisation by the Controller or with the consent of the concerned person.

3.10 PRIVACY AND INTERNET LAW

Privacy protection is a critical element of consumer and user trust in the online environment
and a necessary condition for the development of electronic commerce. Three international
organizations have developed guidelines or rules that set forth basic consumer privacy
protections:

Organisation for Economic Co-operation and Development -- Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data8 (Privacy Guidelines)
(1980)

Council of Europe -- Convention for the Protection of Individuals with Regard to
Automatic Processing of Personal Data (1981)9

Articles 4 - 10 set out the basic principles for data protection.

Internet Privacy Guidelines (23 February 1999) -- practical, non-binding advice for
Internet users and service providers10
A good overview of the privacy rules and recommendations issued by the Council of
Europe11

European Union -- Data Protection Directive (1995)12 Articles 5 - 17 spell out in
somewhat more detail the basic privacy principles.
Guide to the data privacy directive -- focuses on who is entitled to handle personal
information and how such information can be processed13.

7 Hill v. National Collegiate Athletic Association, 865 P 2d 633 (1994).
8 http://www.oecd.org/dsti/sti/it/secur/index.htm
9 http://conventions.coe.int/treaty/EN/cadreprincipal.htm
10 http://www.coe.fr/dataprotection/rec/elignes.html

3.11 PRIVACY OVERVIEW

There are two aspects to the concept of privacy:

Consumer privacy - the right of individuals to control information about them generated or
collected in the course of a commercial interaction. Referred to in Europe as "data
protection."
Privacy rights of the individual against the government - the individual's protection against
unreasonable government intrusions on privacy, such as searches of the home or interceptions
of communications.

Internet law needs to address both sets of issues.

3.11.1 CONSUMER PRIVACY

Consumer privacy protection in the US and Europe, as well as under the guidelines of the
OECD, is based on the following principles:

Notice and Consent - before the collection of data, the data subject should be provided with
notice of what information is being collected and for what purpose, and an opportunity to
choose whether to accept the data collection and use.

In Europe, data collection cannot proceed unless the data subject has unambiguously given his
consent (with exceptions).

11 http://www.coe.fr/dataprotection/eintro.htm
12 http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
13 http://europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf

Collection Limitation - data should be collected for specified, explicit and legitimate
purposes. The data collected should be adequate, relevant and not excessive in relation to the
purposes for which they are collected.

Use/Disclosure Limitation - data should be used only for the purpose for which it was
collected and should not be used or disclosed in any way incompatible with those purposes.

Retention Limitation - data should be kept in a form that permits identification of the data
subject no longer than is necessary for the purposes for which the data were collected.

Accuracy - the party collecting and storing data is obligated to ensure its accuracy and,
where necessary, keep it up to date; every reasonable step must be taken to ensure that data
which are inaccurate or incomplete are corrected or deleted.

Access - a data subject should have access to data about himself, in order to verify its
accuracy and to determine how it is being used.

Security - those holding data about others must take steps to protect its confidentiality.

3.11.2 PRIVACY PROTECTION AGAINST THE GOVERNMENT

The right to privacy is internationally recognized as a human right. However, most
governments claim the authority to invade privacy through the following means:

interception of communications in real-time
interception of traffic data (routing information) in real-time
access to data stored by service providers, including traffic data being stored for
billing purposes
access to data stored by users

These means of access to communications and stored data must be narrowly defined and
subject to independent controls under strict standards. Real-time interception of
communications should take place only with prior approval by a judge, issued under
standards at least as strict as those for police searches of private homes.

3.12 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the protection of
individuals’ personal data and on the free movement of such data. The directive seeks to
prevent abuse of personal data and lays down comprehensive rules, including an obligation to
collect data only for specified, explicit and legitimate purposes, as well as to only hold data if
it is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet certain minimum
standards of data protection. Any company that does not meet these stringent standards faces
sanctions. In the Netherlands and New Zealand, codes of conduct or self-regulation are also
employed.

The Electronic Communications Privacy Act in the US governs the privacy of e-mail in
public e-mail systems. It bars interception, use, or disclosure of e-mail by third parties and
sets the standards which law enforcement authorities must meet to gain access to e-mail.

3.13 INDIAN LAW RELATING TO PRIVACY: AN EPILOGUE

Significantly, India does not have any specific law governing privacy. The courts in India
have not yet had the opportunity to look at privacy issues relating to the Internet. Analogies
to the Internet will, therefore, have to be drawn from cases that the court has actually dealt
with.

The Constitution of India does not patently grant the fundamental right to privacy. However,
the courts have read the right to privacy into the other existing Fundamental Rights: Freedom
of Speech and Expression, under Article 19 (1) (a) & Right to Life and Personal Liberty
under Article 21. In India, the right to privacy is one of the un-enumerated rights granted to
the individual. Barring a few exceptions, the Fundamental Rights secured to the individual
are limitations on State action. They are not meant to protect persons against the conduct of
private persons. It is to be noted that the Constitutional guarantee of the right to privacy is
valid only against the State and no Constitutional remedy for violation of privacy lies against
any individual.

3.14 IDENTIFYING GOALS AND OBJECTIVES

On December 18, 2000, the European Union and the United States issued a joint statement
regarding the necessity for building consumer confidence in order to further global e-
commerce. The joint statement went on to point out that generating consumer confidence
requires a combination of private sector initiatives and a “clear, consistent and predictable
legal framework.”

It went on to “reaffirm these important goals and objectives, including the agreement to provide
‘active support for the development, preferably on a global basis, of self-regulatory codes of
conduct and technologies to gain consumer confidence in electronic commerce’.”

3.15 IMPLEMENTATION IS MORE DIFFICULT

Does the consumer in fact enjoy the same kind of protection in e-commerce that he or she has
in other kinds of transactions? Does the consumer need the same level of protection or does
the e-commerce consumer have greater relative bargaining strength? How much should
courts enforce agreements by consumers to give up valuable substantive and procedural
rights?

As with all worthy goals, the difficulty is in implementation. This fact is particularly true
when dealing with a worldwide medium like the Internet. Obviously, if we had the same
standards for e-commerce around the world, the system would be relatively clear and
consistent. But for global binding standards, we would need intergovernmental agreement,
which historically takes many years to reach.

Governmentally-endorsed guidelines and recommendations could be a fallback position, so
long as there was a reasonable amount of harmony among the various positions. The
American Bar Association in 2000 embarked on a special project, “Alternative Dispute
Resolution in Online Commerce” which hopes to develop a system of guidelines for ADR in
e-commerce disputes. The project focuses particularly on consumer disputes, since the
amount of money involved in consumer matters seldom warrants elaborate ADR machinery.

3.16 CONCERNS OF CONSUMERS

Studies show that key concerns on the part of consumers involve some or all of the following:

Lack of confidence in online financial transactions, e.g., concern over misuse of debit and
credit cards.
Non-delivery or late delivery of goods and services.
Fraud.
Hidden costs, such as postal charges and taxes.
Unrestricted or hidden collection of personal data and channelling of such data to
third parties.
Lack of independent certification of website policies and practices.

3.17 FAILURE OF E-COMMERCE BUSINESS TO FOLLOW BEST PRACTICES

In September 2000, ClickSure conducted a best practice analysis of Internet business
websites in Europe and the United States. It measured six aspects: privacy, security, clarity
of website information, transaction management, quality and monitoring. Its resulting report
concluded that there was a clear failure to measure up to internationally-recognized best
practices.

Consumers International (“CI”) subsequently conducted a privacy study concluded in January
2001. It found that, although the majority of websites collected personal information from
the user, “only a tiny minority provided privacy policy that gave users meaningful
information about how that data would be used.” It concluded that websites in both the U.S.
and E.U. fall woefully short of the standards set by international guidelines on data
protection. According to the CI study, the majority of sites ignore even the most basic
principles of fair information use, such as telling consumers how their data will be used, how
it can be accessed, what choices the consumer has about its use and how the security of that
data is maintained.

3.18 THE INTERNET AND CONTRACTUAL CHOICE OF LAW AND FORUM

3.18.1 GENERAL CONSIDERATIONS

Many disputes involving electronic commerce arise between parties who are bound by a
contract determining the terms and conditions upon which they have agreed to interact.
Frequently, the online contract itself may provide that any dispute concerning it is to be
heard in the courts of a specified state (“choice of forum” clause or “forum selection”
clause) and is to be determined under the substantive law of a specified state (“choice of
law” clause).7

If parties to the contract are presumed to have equal bargaining power and, therefore, an
equal ability to accept or reject such clauses, the clauses are generally uncontroversial and
enforced. However, equality between buyer and seller has not always been presumed when
one party to the contract is a consumer. Instead, the seller is assumed to define its market and
set the terms of the contract for its own benefit. The buyer, in contrast, is assumed to be
confronted with either (a) accepting the terms imposed by one of a limited number of sellers
serving the buyer’s market or (b) forgoing the purchase. As discussed above, in order to
protect the customer from perceived disadvantageous choice of forum and law clauses, the
E.U. will enforce them only if they favour the consumer,8 although in the U.S. they are
enforced unless they are “unreasonable.”9

Matthew S. Yeo and Marco Berliri have offered an analysis and perspective on the problem
of determining the governing law in E-Commerce transactions. In a paper posted online, they
posit three alternative E.U. approaches to resolve conflicts.10 The first is to simply permit the
merchant to designate any law that has a substantial connection to the transaction. The
difficulty is that the consumer may not know or be able reasonably to determine his rights
under such law. The resulting apprehension on the part of the consumer may retard the
growth of E-Commerce. The second alternative is to adopt the mandatory rules concept. The
contract can specify the law that will apply to the transaction but would not trump mandatory
consumer protection rules. This creates confusion and increases the cost of compliance,
because the merchant is required to be familiar with the mandatory rules of each jurisdiction.

7 Contract terms themselves, of course, also supply a set of substantive rules to govern the transaction, which will be
used by a court unless they violate the public policy of the forum.
8 See subsection I.A. 3 supra.
9 See subsection II. B. 2 supra.
10 <http://pubs.bna.com/ip/BNA/EIP.NSF/b3e99e4adbdfc8cc85256580004f6e47/f916e63b1616fb7b85256706001efe99?OpenDocument>

The third alternative, which the authors favour, is to harmonise national consumer protection
laws. This would create a lower cost mechanism, similar to the model rules enjoyed by other
areas of uniform law. Merchants would not have to learn the law of each jurisdiction and
consumers would know their rights irrespective of choice of law. Because harmonization is
such a monumental task, probably the only practical low-cost solution is a system of e-
commerce dispute resolution, such as that discussed later.

3.18.2 PRE-DISPUTE SELECTION USING CLICK-WRAP AGREEMENTS.

3.18.2.1 U.S. CASE LAW.

A “click-wrap” agreement is one which a provider of goods or services presents online to a
user, who can agree to the terms and conditions of the agreement by either clicking a
designated icon or button or typing specified words or phrases. In the on-line environment, a
user may view the terms and conditions on the screen, using a control such as a keyboard or
mouse to scroll through or otherwise navigate the terms and then click a button or bar
indicating assent. A true click-wrap assent should be distinguished from the situation where the
terms and conditions are merely posted on the website and agreement to those terms and
conditions is implied without the user being required actually to expressly indicate
agreement.

Perhaps the earliest reported case in the U.S. supporting online agreement was the federal
appellate court decision in CompuServe, Inc. v. Patterson.11 This was not strictly a click-wrap,
since the user actually typed “agree” to an online agreement whose choice of
jurisdiction was used as one of several contacts to warrant holding the user subject to
personal jurisdiction in the service provider’s home state. Subsequently, a state court upheld a
click-wrap choice of forum by an AOL subscriber where the subscriber could only enrol on
AOL by clicking the “I agree” button placed next to the “read me” button or the “I agree”
button next to the “I disagree” button at the conclusion of the subscription agreement, which
contained the forum selection clause.12

11 89 F.3d 1257 (6th Cir. 1996).

Another state court sustained a click-wrap forum selection where subscribers to the Microsoft
Network could click a box saying “I Agree” or another saying “I Don’t Agree” at any time
while scrolling the adjacent terms and conditions, which included the forum selection clause,
before registering for the service.13 Since the subscriber clicked “I Agree”, the court drew
an analogy to the pre-contractual opportunity to read the fine-print terms in Carnival Cruise
Lines and refused to treat electronic and paper presentations of terms differently.

Another federal court found a click-wrap binding on the user as against a defence of
procedural unconscionability, where the arbitration clause appeared in the final paragraph of the
agreement under the caption “Miscellaneous”, which included provisions on choice of law
and forum.14 Finding the click-wrap binding, the court noted that the clause was in the same font
as the rest of the agreement and was freely scrollable and viewable and without time
restrictions and a viewer had to agree to the online license agreement before being able to
install software from the provider’s website. A number of other cases have upheld clickwrap
choice of forum.15

12 Groff v. America Online, Inc., 1998 WL 307001 (R.I. Super. May 27, 1998).
13 Caspi v. Microsoft Network L.L.C., 732 A.2d 528 (N.J. App. Div. 1999).
14 In re RealNetworks, Inc., Privacy Litigation, 2000 WL 631341 (N.D. Ill. May 8, 2000).
15 America Online, Inc. v. Booker (“Booker”), 781 So. 2d 423 (Fla. Ct. App. 2001) (forum selection provision in an
online ISP subscription “freely negotiated” and not shown “unreasonable or unjust”; decision unclear on whether
agreement to the forum was express via a click-through or simply implied in some way); Celmins v. America Online,
Inc., 748 So. 2d 1041 (Fla. Ct. App. 1999) (electronic agreement with Internet service provider enforced forum
selection clause; no indication whether there was click-through or implied assent); Lieschke v. RealNetworks, Inc.,
2000 WL 198424 (N.D. Ill. Feb. 11, 2000) (arbitration clause on Real Networks site contained in a click-wrap
licence which users were required to traverse before they could download software to play and record music); Rudder
v. Microsoft Corp., 1999 Carswell Ont. 3195 (WL) (Ontario Super. Ct. Justice Oct. 8, 1999) (Canadian court
expressly upheld the validity of a forum selection clause in click-through contract where subscription procedure
required the user to accept the agreement terms each time they appeared on the monitor, and entire agreement could
be viewed by scrolling down screen, with terms not analogous to fine print).

More recently, courts have found grounds on which to decline to enforce consumer click-
wraps. Thus, the California Court of Appeal this year invoked a public policy exception to
consumer choice law.16 The trial court had found the forum selection clause in a clickwrap
agreement made during the installation process on CD-ROM unfair and unreasonable, because
the clause was not negotiated at arm’s length, was in a standard form contract, was not readily
identifiable by plaintiff in small text and placed at the end of the agreement, and was contrary
to California public policy giving its citizens specific and meaningful remedies that are
readily accessible and available. The prime difference between the Virginia consumer law
and that of California was that in California a consumer can bring a class action while a
Virginia consumer could not. It therefore found that a Virginia forum selection clause was
invalid.

The appellate court shifted the usual burden of proof to the party seeking to uphold a forum
selection clause contrary to California’s Consumers Legal Remedies Act (CLRA). It
emphasized the anti-waiver provision in the CLRA and California consumer protection
provisions, which would be substantially diminished in Virginia, but the court of appeals did
not explicitly rule on the validity of the click-wrap agreement.

A California federal district court declined to enforce a click-wrap in Ticketmaster, which involved
an online agreement where the home page of Ticketmaster’s website contained instructions, a
directory to subsequent event pages (each with a separate electronic address and a hypertext
link) and, upon scrolling to the bottom, terms and conditions, including prohibitions against
deep linking and against copying for commercial use, as well as a term saying that anyone
going beyond the home page thereby agreed to the terms and conditions.17 There was no “I
agree” button or other signification of assent by the website user, who could go directly to
the linked page without seeing the terms and conditions. Later, the court reaffirmed its
ruling.18 Addressing arguments of copyright and trespass, the court briefly reiterated that
the contract claim lacked “sufficient proof of agreement by defendant.” The judgement was
affirmed.19

16 America Online, Inc. v. Superior Court, 90 Cal. App. 4th 1 (2001).
17 Ticketmaster Corp. v. Tickets.com Inc., 54 U.S.P.Q. 1344, 2000 U.S. Dist. LEXIS 4553, 2000 WL 525390
(C.D.Cal. March 27, 2000).
18 2000 WL 1887522 (C.D. Cal. Aug. 10, 2000).
19 2001 WL 51509 (9th Cir. Jan. 8, 2001).

A Massachusetts case declined to enforce a click-wrap in a class action lawsuit concerning
installation of software which damaged the user’s system before the user could review and
assent to the agreement.20 The agreement terms were accessible only by twice overriding the
default choice of “I Agree” and clicking “Read Now” twice. The court here also invoked
public policy, citing the impropriety of requiring residents of Massachusetts with small
claims to litigate in Virginia.

3.18.3 PRACTICES BY WHICH ONLINE PROVIDERS MAY PROPERLY OBTAIN
ASSENT TO ONLINE TERMS

In those jurisdictions which will honour clickwrap choice of law and forum when fairness
requirements are met, legal practitioners should advise their clients to create the best factual
basis to support validity of the agreement. The goal involves several important parts: 1) a
reasonable opportunity for the viewer to access the terms and conditions and review them; 2)
sufficient conspicuousness and readability of the terms and conditions; 3) clear and
unambiguous manifestation of assent to the terms and conditions; 4) preclusion of online
contracting by a viewer who has not clearly manifested consent.

To satisfy the first requirement, proposed terms that involve any choice of law or forum
should be presented to the user before the user has any opportunity to take an action to be
bound by the agreement’s terms. All the terms should either appear automatically or the user
should be required to click on a clear icon or hyperlink that accesses the terms. The user
should then be afforded sufficient opportunity to review the agreement terms, with the
ability to read the terms at his or her own pace and to navigate back and forth in the
terms by scrolling or changing pages. Once the user views the terms, those terms should
remain accessible to the user for further reference.

In the U.S., sufficient conspicuousness includes having the format and content of the terms
comply with requirements in applicable laws, such as the Uniform Commercial Code, as to
notice, disclosure language, conspicuousness, and the like. The terms should be in plain
language and legible. It is equally important that other information on the website should not
contradict the agreement terms or render the agreement ambiguous.

20 Williams v. America Online, Inc., 2001 WL 135825 (Mass. Super. Ct. Feb. 8, 2001).

The format of the assent must comply with any applicable laws requiring particular assent to
a particular type of term, as well as an overall assent to all of the terms. It is desirable that
there be an express statement just before the user is able to click his agreement that
stresses the effect of agreement. Thus, the user might be expressly warned that: “By clicking ‘I
agree’ below you acknowledge that you have read, understand, and agree to be bound by the
terms above.”

In order to assure that the user has the opportunity to see all of the agreement before
assenting, it is advisable to place the means of assent at the end of the agreement terms. It is
also important to use clear language of assent, e.g., “I agree,” “I consent,” or “I assent,” rather
than more ambiguous language, e.g., “Continue,” “Submit,” or “Enter.” Such clear language
of assent should be combined with a clear choice for the user not only to assent but to reject the
terms and to be informed of the consequence of rejection. Ideally, the option to reject will
occur at the same point in the process where final assent is requested, and involve an equally
clear and unambiguous button or term, such as “I disagree,” “I do not agree,” “Not agreed,”
“No,” or “I decline.”

Finally, a user who rejects the online agreement should not be able to take the transaction any
further, without choosing to go back and specifically agreeing to the terms and conditions.

3.18.4 TOWARD LOW COST AND TRUSTED DISPUTE RESOLUTION: NOTES
BY WAY OF EPILOGUE

One of the conclusions drawn by the report prepared by the American Bar Association’s
two-year Project on Jurisdiction in Cyberspace was that cyberspace may need new forms of
dispute resolution, in order to reduce transaction costs for small value disputes and have
structures that will work effectively across national boundaries.21 Following submission of
the report, the ABA constituted a multi-disciplinary special committee to develop criteria and
recommendations for such a dispute resolution system. That group has held a number of
meetings over the past eleven months, starting in late November 2000, and is currently
working on a set of guidelines which might form a worldwide-acceptable basis of dispute
resolution procedures. If industry and consumers can both “buy in” to such guidelines,
consumers may become more comfortable in online transactions, and the results of whose
law and forum should apply will become essentially moot.

21 Report, Achieving Legal Business Order in Cyberspace, 55 BUS. LAW. 1801, 1824 (2000).

In conclusion, the e-Commerce Law set forth a number of provisions intended to secure B2C
transactions. The provision of general and pre-contractual information, the clarification of the
contract formation process, the grant of a right of withdrawal and the requirement placed on
the provider to bear the burden of proof regarding a number of obligations resting on him are
favourable to consumers and should assist in building confidence for online transactions.
Nevertheless, the right of the providers to bring electronic evidence is not so clear.

The provider should also make sure that the T&C comply with general consumer law
provisions. For international transactions, the providers will need to ensure that the site
architecture and the T&C comply not only with Luxembourg laws, but also with the laws of
the country of the buyers’ place of residence, as consumer protection provisions usually
cannot be derogated from.

Finally, the intent of the Law, which is to give consumers a satisfactory level of protection by
giving them a number of rights, is partly defeated by the fact that the e-Commerce law is not
clear on the applicable sanctions in the event that its consumer protection provisions are not
complied with. Moreover, the existing dispute resolution mechanisms are not adapted to
small online transactions and no recognition is made in the Law of electronic dispute
resolution mechanisms.

3.18.5 CONSUMERS PROTECTION AND PRIVACY: THE UK PERSPECTIVE

The principal commercial advantage of using the internet, and also perhaps its biggest
drawback, is its ability to transmit vast amounts of data almost simultaneously to any number
of persons in any number of locations virtually anywhere in the world. However, this is also a
concern for companies doing business electronically where personal information about individuals is
involved, whether this involves existing or prospective clients, employees or other third party
individuals. There is a huge sensitivity surrounding the use of personal data in databases,
both in the United Kingdom and the European Union, of which businesses and lawyers alike need
to be aware. The European Union and certain other jurisdictions such as Australia, Canada
and Hong Kong have enacted data protection legislation to protect individuals in their
respective jurisdictions. These laws have a major effect on the use of the internet.

3.18.5.1 PRIVACY POLICIES

By 1998, the vast majority of the top 100 visited websites had included privacy policies.
However, a recent Consumers International survey of 751 e-commerce sites worldwide
revealed that while two-thirds of sites collected personal data, the majority did not give the
individual users a choice as to whether such data was to be kept private, or that there was any
prohibition on it being passed to third parties or kept on the collector’s mailing list.

3.18.5.2 UK DATA PROTECTION ACT

Under the EU Data Protection Directive and the UK implementing legislation, the Data
Protection Act 1998, a party to the European Economic Area (EEA) who is controlling
personal data must:

use the data held fairly and lawfully;
obtain data for specified purposes and use it only in ways compatible with those
purposes;
hold only such data as is adequate, relevant and not excessive;
ensure the data is accurate and up to date;
not retain the data longer than necessary for the stated purposes;
take appropriate measures against unauthorized or unlawful use of data and its
accidental loss or damage;
not transfer data outside the EEA except to a country that ensures an adequate level
of protection of a data subject’s right in that data.

Personal data will not be regarded as being held or used fairly or lawfully unless the data
subject has consented to that use (although there are a limited number of exceptions). In
general, a data controller may not do anything in contravention of the above principles
except with the consent of the data subject.

Consent can be either explicit or implicit. This may consist of the site visitor knowing that the
data will be collected or used for a specific purpose, e.g. completing a purchase order form.
However, if the information is sensitive personal data, express consent is required. Express
consent requires, at the very least, a positive act such as clicking on a tick box to indicate
consent. Sensitive data includes such matters as information relating to racial, political or
sexual matters.

Data subjects also have a right, subject to paying a small fee, to be given details of data held
on them by any organization.

Privacy policies in the United Kingdom should be written accordingly. They therefore need
to contain:

the identity of the collecting entity which has control of the data;
a clear statement of the uses of the data;
details of the persons receiving the information, if such is the case, and those to
whom it may be transferred outside the EEA;
clarification, where relevant, that the information has been collected by means of a
‘cookie’. (A cookie is a file stored by a browser on an individual’s computer system
that holds information. Typically, such files store information to identify site users,
such as their names, addresses and e-mail details, and to record a user’s choices or
preferences. This means of gathering information may not be apparent on the face of
the site.)
the express consent of the subject, where sensitive data is collected;
a statement that the data subject has a right to view the information held by the
recipient;
an opt-out box for one or more of the specified purposes for which the information is
collected;
a statement of the safeguards relating to transfer where the information is to be
transferred outside the EEA.

3.19 TRANSFERRING DATA TO THE UNITED STATES AND THE SAFE
HARBOUR SCHEME

The privacy policies that many US companies have put in place are at least equal to those
commonly found on European-based websites. However, under the Data Protection
Directive (and the UK enabling legislation), European companies are not permitted to transfer
data outside the EEA to a country that does not ensure an adequate level of data protection.
There is no exemption for intra-group transfers; this prohibition would
therefore apply prima facie to, e.g., a UK company that transfers personal data obtained from its
website to its US parent.

The European Union’s expectations of what is ‘adequate’ are stringent. In addition to the need to
adapt the legislation and data principles applicable to EU Member States, the European
Union requires that each government must establish a relevant agency that monitors data
protection, and keeps a mandatory register of entities processing personal data. For example,
an EU-based company may legitimately transfer data to Hong Kong as it satisfies the
necessary requirements.

The European Union has now reached agreement with the US Department of Commerce such
that, subject to compliance with certain safe harbour rules, data may be transferred to the
United States. Transfer of data to members involved in the scheme may be made without the
need for specific consent from the affected data subject. However, this does not remove the
requirement that the EU data subject must know the uses to which the data will be put,
including any intended transfers of that data.

3.20 CYBERCRIME: CONCEPTS AND LEGAL THEORY

‘Cybercrime’ has emerged as a distinct category of study and an ever increasing problem
requiring the sustained attention of governments, law enforcement agencies and judicial
systems of countries world-wide. Jurisdictions that already had developed computing and
digital communications infrastructure have, over the last decade or so, been forced to
confront the reality of criminal expansion into the ‘cyberworld’, and to evaluate and
understand the adequacy of existing legal systems in order to ensure the necessary
transnational investment and co-operation.

Through the course of this brief chapter, it must be emphasised that, whether in India or, for
that matter, anywhere in the world, criminal or penal sanctions can only be one element of the
overall response to cybercrime. Moreover, as has been seen from bitter experience, such
sanctions are not necessarily the most efficient or desirable form of response. Other ways of
preventing or minimising the harm of cybercrime include technological measures, regulatory
controls and civil proceedings. In the last resort, most jurisdictions have recognised the
need for some form of punitive measures, particularly where the level of criminality or harm
caused or threatened is especially serious.

3.20.1 CYBERCRIME: DEFINING ASPECTS

There is no universally accepted general definition of cybercrime, and no national legislation
provides us with a definition or explicitly employs the term14! Cybercrime comprises two
overlapping domains. The first is illegal activities directed at or perpetrated through the use
of computers. This can include crimes through and via the medium that is the Internet: wilful
damage to computer systems or networks, unlawful access to or interference with the
operation of computer systems, transmitting offensive or illegal content and committing fraud
or other offences through the use of the medium15.

14 An analysis of legislation introduced in Asia relating to crimes on the Internet is not quite illustrative as regards a
definition. For instance, the laws introduced in Malaysia [1997] covering computer crimes, copyright, telemedicine
and digital signatures were promoted by the Malaysian Government’s Multimedia Super Corridor as a package of
“cyberlaws” [http://www.mdc.com.my/msc.comm/html/cyberights01.html]. In India, Chapter X of the Indian
Information Technology Act 2000 establishes the “Cyber Regulations Appellate Tribunal”: Ministry of Law, Justice
and Company Affairs [Legislative Department], accessible through the Ministry of Information Technology web site
at http://www.mit.gov.in/itbillmain.htm. The Australian Parliament is currently considering the Cybercrime Bill 2000
[introduced 27 June 2001]; see http://www.aph.gov.au/legis.htm.
15 Grabosky, P.N., Smith, R.G. & Dempsey G. 2001, Electronic Theft: Unlawful Acquisition in Cyberspace,
Cambridge University Press, Cambridge.

The second related area is the protection of information. This has been a concern of legal
systems from well before the introduction of modern technologies of mass-communication,
but is clearly brought into focus by the development of global networked computer-based
information media such as the World Wide Web and the Internet16. Principal legal measures
related to the protection of information from unlawful use, distribution or exploitation include
intellectual property laws, privacy laws, laws relating to secrecy and national security, and
laws relating to unfair commercial advantage.

3.20.2 CYBERCRIME LEGISLATION WORLD-WIDE

A more systematic international understanding of the legal aspects of cybercrime is emerging
through sources such as:

• The Council of Europe’s Draft Convention on Cybercrime (Council of Europe
2001)17;
• The United Nations symposium on “The Challenge of Borderless Cybercrime” held in
conjunction with the Palermo signing conference of the Convention Against
Transnational Organised Crime (see Grabosky 2000; Tan 2000);
• The United Nations President’s Working Group on Unlawful Conduct on the Internet
(United States Department of Justice 2000)18;
• Cross-national comparative studies such as Cyber Crime … and Punishment?
Archaic Laws Threaten Global Information (McConnell International 2000)19.

The most significant international development is the Council of Europe’s Convention on
Cybercrime (final draft released on 25 May 2001). The text, which has taken almost four
years and many redrafts to reach its present form, was approved by the Parliamentary
Assembly (24 April 2001) with recommendations to include provisions on human rights and
a protocol to ban “hate speech”, and adopted by the European Committee on Crime Problems
at its 50th plenary session (18-22 June 2001). The final draft will be submitted to the
Committee of Ministers for adoption during its 109th Session, on 8 November 2001.

16 Tan, K.H. 2000, “Prosecuting foreign-based computer crime: International law and technology collide”,
Symposium on the Rule of Law in the Global Village, Panel on Borderless Crime, 12-14 December 2000, Palermo;
see http://www.odccp.org/palermo/convmain.html.
17 Council of Europe 2001, Draft Convention on Cybercrime [Final Draft and Explanatory Note], European
Committee on Crime Problems and Committee Experts on Crime in Cyber-Space, Strasbourg, 29 June 2001; see
http://conventions.coe.int/treaty/EN/projets/projets.htm.
18 United States Department of Justice 2000, The Electronic Frontier: Unlawful Conduct Involving the Use of the
Internet, Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000; see
http://usdoj.gov/criminal/cybercrime/unlawful.htm
19 McConnell International 2000, Cyber Crime…and Punishment? Archaic Laws Threaten Global Information, online
report; see http://www.mcconnellinternational.com/services/CyberCrime.pdf.

The convention will be the first international treaty to address criminal law and procedural
aspects of various types of criminal behaviour directed against computer systems, networks,
or data and other types of similar misuse. Signatories to the Convention include the 43
member states of the Council of Europe plus the United States, Canada and Japan.

The legal analysis that follows adopts the Council of Europe’s classification of computer
offences, and also reviews offence provisions under national intellectual property laws.

3.20.3 ADEQUACY OF LEGISLATION

Countries can be initially categorised according to whether they have:

1. basic criminal and commercial laws;
2. a developed system of intellectual property laws; and
3. legislation directed specifically at computers and electronic commerce.

Each of the countries considered below may be observed to fall within one or more of these
categories, with most satisfying the second category and having made some progress towards
the third. Whether the existing legal system in any country can adequately address
cybercrime depends on the precise scope and interaction of its criminal, commercial,
intellectual property and computer-related laws. As a general rule, however, the
development of each of the later categories has been necessitated in part by the perceived
inadequacy of legal remedies provided by other categories. The reliance on specific
intellectual property laws to protect valuable information, for example, is partly attributable
(in jurisdictions based on the English system) to the common law doctrine that information is
not properly capable of being stolen. Thus, information piracy is not amenable to prosecution
under the criminal law relating to theft or dishonest acquisition20. In many countries there are
also difficulties in prosecuting under criminal law acts which may be performed outside the
jurisdiction but which result in harm within the jurisdiction, such as the posting of offensive
or obscene content on the Internet.

Clearly, there are also significant differences in the legal, social and political contexts within
which these laws have been formulated and are enforced. Before reviewing the legislative
provisions, it is useful to explore these contexts in greater detail.

3.20.4 FEARS OF OVER POLICING

During the parliamentary debates and discussions leading up to the enactment of the
Information Technology bill, the Indian Internet Community awaited the final shape of the
proposed legislation. Understandably, there were fears over possible excessive policing.
Observers wondered whether the draconian provisions would fit into existing Indian
Criminal and Commercial laws21.

Some provisions attracted controversy and were the focus of debate in the Parliament and
within the Internet and legal community. These provisions are:

• Section 79, wherein police personnel have been granted extensive powers to arrest and
seize material from individuals and corporates;
• Section 73 (a), which makes it mandatory for a person hosting a website or a portal on a
server located in India to give details of the website, portal, person and such other
details as may be prescribed by the Controller; failure will entail a penalty;

20 Grabosky, P.N. & Smith, R.G. 1998, Crime in the Digital Age: Controlling Telecommunications and Cyberspace
Illegalities, Transaction Publishers/Federation Press, New Brunswick, New Jersey.
21 The Indian Information Technology Act 2000 attempts to recognise electronic business and it does so, by amending
several archaic legislations like the Indian Evidence Act, 1872, Indian Penal Code, 1860, General Clauses Act, 1897,
the Reserve Bank of India Act, 1934 and the Bankers Book Evidence Act, 1891. Through the amendment of these
laws it will now be possible for courts to recognise digital signatures and electronic records and hence permit
electronic commerce.

• Section 73 (b), wherein the government mandates that all people visiting cyber cafes
will have to maintain a log sheet of all the web sites visited by them. Failure will
entail monetary penalty and imprisonment [later removed from the legislation].

3.20.5 LIABILITY OF NETWORK SERVICE PROVIDERS (NWSP)

Certain activist groups have been asking for Network Service Providers / Internet Service
Providers ("ISPs") to be made responsible for information which is transmitted through their
systems. The reason for doing so would be to try to put a check on any mischief which may
take place through such systems and to affix the liability on the ISPs. However, the
impossibility of monitoring millions of mails and accesses has prompted the government to
absolve NWSP/ISPs from any third party civil and criminal liability.

There are divergent views on such a provision. The ISPs have hailed this move, as they are
now able to provide access without the tension or undue interference or the prospect of
civil or criminal liability. However, activist groups have criticised this provision and seek an
amendment.

3.20.6 COMPUTER CRIME AND DATA PROTECTION

After the Love Bug crisis, legal experts have realised the lacuna that exists in the current
legal regime in India. If such a virus or contaminant was launched in India and the culprit
were to be arrested then under the current legal framework, such a person would not be
punishable.

An extensive definition clause defines numerous activities that can amount to a cyber crime.
Under this provision, almost every conceivable computer mischief can face civil and criminal
liabilities.

Perhaps to give teeth to this provision, the IT Bill further empowers a police officer not
below the rank of Deputy Superintendent of Police (DSP) to investigate such an offence, who
has the power to enter any "public place" and conduct a search and arrest without a
warrant if he/she suspects that a computer crime is being committed. This provision has faced
a lot of criticism from human rights activists who suspect that this provision may be abused
to violate the fundamental rights of Indian citizens22.

3.20.7 ADJUDICATION AND CYBER APPELLATE TRIBUNAL

An Adjudicator shall adjudicate cyber crime. The decision of the Adjudicator may be appealed
before the Cyber Appellate Tribunal. A further appeal may be preferred before the High
Court. The following are the drawbacks of such an elaborate adjudicatory process:

The Adjudicator and the officers of the Cyber Appellate Tribunal are not required to have any
technical or Internet related qualifications. In the eventuality of a cyber crime or cyber
dispute, relevant knowledge of technology is of critical importance.

The abovementioned appellate framework ensures that there is no finality to such a dispute
and such a dispute may continue ad nauseam. In the Internet world, speedy and timely dispute
resolution is of critical importance. The prescribed dispute resolution mechanism suffers from
all the infirmities of present day dispute resolution in India. This means that in the Internet age
such disputes could continue for years, which would cripple the eBusiness.

3.20.8 SPAMMING AND PRIVACY

The modern day e-consumer is flooded by innumerable junk mails. Also in any eBusiness,
employers or other third parties may monitor e-mails depriving the users of their right to
privacy. The present IT Bill does not prevent spamming or anti-privacy practices by making
them punishable.

3.20.9 TECHNOLOGY SPECIFIC

22 Not every police officer enjoys such extensive powers under the Act. Only officers above the position of a DSP
may exercise these powers. Furthermore, such powers cannot be delegated and will come under a judicial scrutiny.
Cyber crime happens at Internet speed and since very little infrastructure is needed for conducting such a crime,
evidence can easily be concealed or destroyed. In such a situation, an investigating officer might not find time to
obtain search warrant and such a provision is necessary. This provision ousts the Code of Criminal Procedure,
wherein ordinary police officials may enter into the premises and conduct a search or make arrests in case of
cognizable offences. It is infinitely better to have a senior and trained official exercise discretion in conducting such
searches or raids, rather than have a police sub-inspector or a head constable investigate such an offence.

The IT Bill is technology specific and the entire legislation is based on digital signatures
based on "double key encryption". Further, many "techies" argue that double key
encryption may soon be replaced by a more sophisticated third generation of biometric technology.
Under this technology, encryption is based on biological inputs of the user, e.g. thumb
impression, retina scan, DNA fingerprinting etc. In such a situation, the IT Bill will need to
be replaced with another law as the current law is technology specific. However, it is
recommended that 'technology neutral' legislation be formulated, where a change in
technology will not require a change in legislation. Under such a legal framework,
whatever technology is used for encryption, certain standards will have to be maintained for
a digital signature to receive legal recognition.

3.20.10 THE ANATOMY OF FRAUD UNDER INDIAN LAW: THE QUESTION
OF MENS REA

The term ‘fraud’ has not been defined in the Indian Penal Code. Nevertheless, Section 25 of
the Indian Penal Code does attempt to define the word ‘fraudulently’ by saying that there can be
no fraud unless there is an intention to defraud. The word fraud is clearly defined in Section
16 of the Indian Contract Act, 1872. However, this definition cannot be made applicable in
criminal law.

In general, fraud is committed in three different ways:

• To deprive a man of his right, either by obtaining something by deception or by taking
something wrongfully without the knowledge or consent of the owner;
• To withhold wrongfully from another what is due to him, or to wrongfully prevent
one from obtaining what he may justly claim; and
• To defeat or frustrate wrongfully another’s right to property.

Whenever the words ‘fraud’, ‘intent to defraud’ or ‘fraudulently’ occur in the definition of a
crime under the IPC, two elements, at least, are essential to the commission of that crime:

• Deceit or an intention to deceive; and
• Either actual injury or possible injury or intent to expose some person to actual or
possible injury.

The main intent and principal object of the fraudulent person is, in nearly every case, his own
advantage. A practically conclusive test as to the fraudulent character of a deception for
criminal purposes is whether the author of the deceit derived any advantage from it which he
would not have had if the truth had been known. If so, that advantage would generally have
an equivalent in loss or risk of loss to someone else; and if so, there is fraud.

It is submitted that this definition of fraud encompasses within its fold scams on the Internet.
Both the essential requisites of fraud, i.e. deceit or intention to deceive and actual or possible
injury to an individual or a group of individuals, are present in such scams. All such scams,
whatever their modus operandi, are intended to gain advantage for some, almost always at the
risk of loss to others. Sections 415 to 420, IPC detail the law relating to cheating. The
grounds for these provisions to be attracted are the same as those of fraud, i.e. dishonesty,
deceit etc. In the case of Internet scams, relevant sections relating to the crime of
cheating, such as cheating by impersonation (Section 416), cheating with knowledge that
wrongful loss may ensue to the person whose interest the offender is bound to protect
(Section 418), etc., may be applied according to the facts of the case.

3.20.11 PERSPECTIVE ON POSSIBLE SOLUTIONS

Even an example that might otherwise be thought to favour the assertion of jurisdiction by a
local sovereign—protection of local citizens from fraud and antitrust violations—shows the
beneficial effects of a Cyberspace legal regime. How should we analyse “markets” for fraud
and consumer protection purposes when the companies at issue do business only through the
World Wide Web?

Cyberspace could be treated as a distinct marketplace for purposes of assessing concentration
and market power. Concentration in geographic markets would only be relevant in the rare
cases in which such market power could be inappropriately leveraged to obtain power in
online markets—for example by conditioning access to the net by local citizens on their
buying services from the same company (such as a phone company) online. Claims
regarding a right to access to particular online services, as distinct from claims to access
particular physical pipelines would remain tenuous as long as it is possible to create a new
online service instantly in any corner of an expanding online space.

Consumer protection doctrines could also develop differently online—to take into account
the fact that anyone reading an online ad is only a mouse click away from guidance from
consumer protection agencies and discussions with other consumers. Nevertheless, that does
not mean that fraud might not be made “illegal” in at least large areas of Cyberspace. Those
who establish and use online systems have an interest in preserving the safety of their
electronic territory and preventing crime. They are more likely to be able to enforce their
own rules. A consensually based “law of the Net” needs to obtain respect and deference from
local sovereigns; new Net-based law-making institutions have an incentive to avoid fostering
activities that threaten the vital interests of territorial governments.

3.21 E-BUSINESS REGULATION: NOTES ON COMPLIANCE ISSUES IN THE
“BORDERLESS ECONOMY”

Achieving legal and business order in cyberspace forms but another step in the quest for
knowledge that is perhaps the special legacy of the new millennium23. For commercial
interests eager to gain ground in the new order, ironically, the Internet is at the same time
intimidating and indispensable, essential for business success. The issue of regulation is
replete with unanswered e-business issues that desperately need to be clarified as companies
operate electronically across the globe. Some of the regulatory issues are:

Whose law governs contracts that are formed online? Are contracts valid without a
physical signature? Do the same laws apply to both consumers and businesses?
Can the actual electronic transmission between countries be subject to taxes or tariffs?
Are product and service sales treated the same under local law? Who decides?
What are acceptable forms of online promotion? Are firms with websites that link to
other sites using questionable tactics, putting themselves at risk?

23 Report of the American Bar Association (“ABA”) Jurisdiction in Cyberspace Project empaneled in 1998 under the
title, “Transnational Issues in Cyberspace: A Project on the Law relating to Jurisdiction”.

When the buyer sends his address and phone number to the seller, whose laws
determine the restrictions on the use of that data? How is the seller’s credit card
number protected? Who is empowered to address disagreements that might arise?
What tariffs and taxes are due? How are they accounted for and paid?
When a transaction crosses a border, what consumer protection is available? What
additional risks do sellers assume?
What happens if the seller does not get paid? Where do consumers return damaged
goods purchased online? Does business-to-business commerce operate predictably
across all trading jurisdictions?
How can buyers and sellers enforce their rights in foreign countries? What
international treaties apply? Does enforcement differ geographically? By product or
service type?
Many laws applicable to global e-business are not yet clear. Does it make sense to
move aggressively to gain first mover advantage? Or wait? How can an individual
company protect its interests?

Questions, questions, with not so obvious answers. Business in the new economy will mean
that traditional business approaches don’t necessarily apply when viewed through the lens of
the digital environment. E-business is a completely different way to transact ordinary
business. Since new, unfamiliar business practices are routinely scrutinised by governments
and regulatory organisations, one can expect continued regulatory review, especially where
consumer protection and economic welfare are at stake.

E-business shrinks the optimal regulatory action. New business arrangements with industry-
wrenching impacts can take effect in months, not years. This rapid change means that
regulatory issues must be addressed early on to avoid overly “reactive” responses that can be
counterproductive.

E-business effectiveness depends on a regulatory environment that is both supportive and
predictable. While onerous rules can be stifling to business interests, regulatory indecision
can be similarly disruptive. In order for e-business to work best, business must accept equal
responsibility with governments to point the way.

3.21.1 COMPANIES, INDUSTRY ‘VIGILANCE’ AND AUDITS

Companies must remain vigilant both to protect their business interests and ensure that they
can proceed securely in uncharted territory. While some maintain it is unrealistic to have no
restriction whatsoever on e-business, yet others shudder at the burden various bureaucracies
might place upon the Internet. Most are hopeful that industry, driven by market forces, will
ultimately regulate itself. If that fails, however, a wide range of regulators can be expected to
step in forcefully.

Perhaps industry groups could identify potential and real ‘hurdles’ and attempt a solution.
The vast majority of regulatory hurdles facing Internet businesses today relate to traditional
considerations whose scope and application are transformed by the global character of the
electronic market. This industry, along with CII, should examine key international issues and
identify major international institutions that are addressing them. The issues include:

International trade and tariffs
Data Security
Encryption
Infrastructure and Access
Intellectual Property Rights
Liability: Choice of Law and Jurisdiction
Content
Competition Law
Self-Regulation
Privacy

3.21.2 WEB AUDITS AND COMMERCIAL STRATEGY: AN ADVANTAGE

According to Internet surveys, the fastest growing Web sites are those which provide a place
for personal expression, such as chat rooms, message boards, email and personal web
pages24. In addition, "e-tailing," or retail sales over the Web has exceeded industry
expectations. Online sales tripled from $3 billion in 1997 to $9 billion in 1998. By the year
2000, commerce on the Internet is expected to generate $30 billion25. Not surprisingly, many
companies are launching Web sites to establish their presence on the Internet and to introduce
themselves to the emerging online consumer market.

In doing so, many of these companies enter into new businesses, and some may enter into
regulated industries. Each of these Web site owners--whether they are software vendors,
search engines, banks or auction houses--becomes a publisher, in addition to their original
core business. And, because of the thick competition to offer more and better services on the
Web, Internet companies frequently move from their core business to entirely new ventures
as sales agents, financial information providers, mail providers, and more. This article
outlines some of the issues arising from operating a Web site in India and offers some
suggestions to minimise legal risk.

For a variety of reasons, initial and periodic legal audits for content liability issues on a Web
site play an important role in managing a company’s risk on the Internet. First, for Web site
operators located in India, there are a number of constitutional and statutory protections
for these "New Media" publishers, similar to the protections long enjoyed by traditional
publishers, such as newspapers, magazines and TV or radio broadcasters. The same probably
holds for “new media” laws world-wide. Indeed, the U.S. Supreme Court determined that online
"speech," or content, should enjoy the highest level of constitutional protection26. As part of
the audit, Web sites also should be reviewed for compliance with legislation regulating
Internet content, commerce and conduct.

Second, Web sites generally contain a mixture of content--some of which may be generated
by the site owner, but often is not. An audit identifies the different types of content and the
different risks associated with each type, and creates risk management strategies to protect the
company.

24 Media Metrix, "The Media Metrix Web in Review: Top 50 Fastest Growing Web Sites in Audience Reach," (Aug.
10, 1998), http://www.relevantknowledge.com/PressRoom.
25 U.S. Dept. of Commerce, "Remarks of Sec. of Commerce William M. Daley," (Feb. 5, 1999),
http://204.193.243.2/public.nsf/docs/commerce-ftc-online-shopping-briefing.
26 Reno v. American Civil Liberties Union, U.S., 117 S. Ct. 2329 (1997) (the Internet receives full First Amendment
protection).

Finally, the most successful Web sites are highly dynamic; that is, the content is not only
interactive but constantly growing, and therefore changing. A good audit identifies "hot
spots" on a site that are more likely to draw complaints or have greater exposure. Given the
uncertainty of the law in the Internet space, a primary objective of risk management is to
"marginalize" the potential plaintiff's success. An audit may provide guidelines for dealing
with particularly complex areas, such as chat rooms or message boards, e-commerce
transactions and user privacy. A great deal of thought and practical judgement are necessary
to conduct a legal audit of Web site content.

3.21.3 WHERE TO BEGIN: THE FIRST STEPS

A Web site audit begins with a survey of the site--identifying the types of content and
services provided on the site, the types of terms of service or legal disclaimers needed, the
intellectual property rights, and the potential hot spots that are likely to give rise to liability.
Typically, this phase of the audit requires discussions with the staff responsible for the site's
content to determine how content is generated, which areas are the subject of complaints and
what policies exist to handle complaints.

Depending upon the company, Web sites fulfil different and often multiple functions. Some
sites are essentially advertisements that bolster brand identity, describe the company's product
or services and provide investors or shareholders with information. Others fulfil traditional
media functions of providing news, entertainment or other content (such as financial
information or classified ads). Many of the largest sites have moved toward building online
communities--sites that draw users back again and again. These sites offer a variety of
services, including search engines, e-mail, chat, message boards, and commercial services--
such as travel, brokerage and retail. The breadth of an audit depends in large part on the
complexity of the site.

3.21.4 CONTENT AND CONTROL: A GUIDE FOR BUSINESSES

3.21.4.1 ORIGINAL CONTENT

Web site content which is entirely or mostly generated by the Web site owner often presents
the least complex liability issues. These issues are substantially similar to liability issues that
a newspaper publisher has when publishing its daily paper or that a company has when
publishing its prospectus or retail catalogue. Like their traditional media counterparts, Web
site owners in India enjoy the significant legal protections available to publishers. Generally,
Web site owners should review their content for accuracy, fair advertising practices,
intellectual property rights and Securities Exchange Commission and other regulatory related
issues.

3.21.4.2 LICENSED CONTENT

Many Web sites license content rather than create their own. An audit therefore may also
include review of the licensing agreements to ensure that the Web site owner has the rights it
needs to distribute, alter, republish or otherwise use the licensed content. In addition, the
audit should review all representations and warranties for the content and any appropriate
indemnifications by the licensor.

3.21.4.3 THIRD PARTY CONTENT

As interactivity becomes a primary draw for bringing back Internet users, more sites are
including chat, message boards, e-commerce and e-mail at their site. As a result, much of the
content in these areas is created by users of the site and cannot as a practical matter be
reviewed or edited by the Web site owner. Not surprisingly, while user-created content draws
the most interest, it also draws the most complaints.

In the United States, the Congress enacted Section 230 of the Communications Decency Act
of 1996, which largely immunises online service providers from liability arising from the
statements of third parties27. Recent legal decisions have held that under Section 230 a Web
site owner cannot be held responsible for the defamatory or otherwise tortious statements of
individuals who post on its message boards28. Nonetheless, because users occasionally make
offensive, inflammatory or otherwise objectionable statements, Web site owners should have
clear and reasonable policies to handle complaints that arise in these areas and all appropriate
disclaimers and indemnifications.

27 47 U.S.C. 230. Other provisions of the Act related to "obscene" material were struck down as unconstitutional in
Reno v. American Civil Liberties Union.

In 1998, the U.S. Congress also passed the Digital Millennium Copyright Act, which
provides limited safe harbours for online service providers that unknowingly or inadvertently
transmit, link to, or host infringing material provided or posted by third parties. Under this
new legislation, each Web site must register with the Copyright Office and put in place a
policy for reporting possible copyright infringement on their site.

3.21.4.4 LINKING AND FRAMING

The practice of linking to or framing other Web sites raises liability issues unique to the
Internet. A Web site owner may be found liable for contributory infringement or vicarious
liability for knowingly linking to another site that contains copyright infringing material or
otherwise engages in infringing activity. In an interesting claim arising from allegedly
improper linking, Ticketmaster sued Microsoft for its use of hypertext links to bypass
Ticketmaster's homepage and advertising29.

A Web site owner also may be found liable for trademark infringement or unfair competition
for framing another site on its site. For example, in Washington Post, et al. v. TotalNEWS30,
a number of news media sued TotalNEWS, a Web site which aggregated the other news sites
and "framed" those sites with their own ads, thus effectively deriving ad revenues based on
others' content without their permission. Although that case settled out of court, the practice
of framing should be carefully reviewed in an audit.

3.22 CONTENT LIABILITY ISSUES: A CHECKLIST FOR WEB PUBLISHERS

3.22.1 COPYRIGHT & TRADEMARK

28 See, e.g., Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997); Blumenthal v. Drudge, 992 F. Supp. 44
(D.D.C. 1998).
29 Ticketmaster Corp. v. Microsoft Corp., No. 97-3055 DDP (C.D. Cal., filed Apr. 29, 1997).
30 97 Civ. 1190 (PKL) (S.D.N.Y., filed Feb. 28, 1997)


A content audit should include a review of the third-party content, and the corresponding
license agreements, to ensure that the Web site owner has acquired the appropriate rights for
use on its site. This includes graphics, images, logos and text. Indeed, use of another's
trademark as a link may give rise to liability if the manner in which one uses a trademark
creates the false impression that the trademark owner is somehow affiliated with the Web site
owner. In addition, the audit should review the owner's copyright and trademark notices to
ensure that they are accurate and current.

3.22.2 DEFAMATION

Under U.S. law, a Web site owner may be held liable for false statements of fact which are
defamatory and published with fault. While the owner may not be liable for statements by
third parties because of the statutory protections of the Communications Decency Act,
statements originating with the owner may give rise to liability. Traditional publishers
frequently have an attorney review sensitive articles prior to publication to identify
troublesome statements and to set up the best possible legal defences for publication of the
article. A similar practice may be appropriate for articles published on the Internet which are
written by the Web site owner.

3.22.3 INVASION OF PRIVACY

There are three types of privacy torts that may arise from statements made on Web sites: the
public disclosure of private facts, statements which place the subject in a false and
defamatory light, and the commercial use of another's image or likeness without their
permission. As in defamation, while the Web site owner in the United States may not be
liable for state law invasion of privacy claims arising from third party statements, the owner
should carefully review original content.

3.22.4 USER PRIVACY

An audit should include a review of the Web site's collection of user information. This
usually is done at the registration page, and may include name, address, email address,
telephone number and credit card number. In addition, most sites now monitor the pages
viewed and services utilised by a user via "cookie" technology. Thus, sites may maintain and
use personally identifiable information about their users for a wide range of purposes such as
targeting banner advertisements, tailoring services to individual users and sending direct
advertisements to individual users based on their demonstrated interests. What information is
collected, how it is used and to whom it is disclosed should be carefully reviewed to ensure
that the Web site owner is in compliance with applicable privacy statutes, Competition and
MRTP regulations and the site's privacy policy.

3.22.5 ADVERTISING & PROMOTIONS

As a growing number of Web sites move toward the advertising business model, a content
audit should include review of the site's guidelines for accepting advertising on its site,
particularly banner ads which hyperlink to the advertiser's site. The guidelines should adhere
to state and federal fair advertising laws, particularly in regard to minors. In addition, the
audit should review the ad insertion orders to ensure that they include appropriate
indemnifications and representations and warranties. Some Web sites also sponsor interactive
contests or sweepstakes and an audit may include review for compliance with sweepstake and
contest laws.

3.22.6 SALES

If the site includes commercial transactions, the audit should include a review of the online
contracts and also the Web site owner's account procedures for creating and maintaining
records of the transactions. In some cases, the owner also may need to obtain accounting,
security or other professional advice.

3.22.7 REGULATORY COMPLIANCE

If the business hosting the Web site is publicly traded or involved in a regulated industry,
such as banking, real estate, utilities, pharmaceuticals, or alcoholic beverages, the audit
should include a review of SEC compliance and the specific advertising, shipping or other
regulations for such industries.


3.23 THE SPHERE OF AUDIT

Specific components of a Web site are worth particular attention.

3.23.1 DISCLAIMERS & TERMS OF SERVICE

The disclaimers and Terms of Service are important in establishing the relationship between
the Web site owner and its users. Generally, the comprehensiveness of a user agreement is
determined by balancing the potential exposure created by site content and activities against
the potentially intimidating impression a long agreement will make on the user. For example,
relatively straightforward sites that provide information about a company, but have little user
interactivity, may only require a short disclaimer. On the other hand, sites which host
e-commerce, chat, email, or message boards or provide sensitive information, such as financial
information and services, will likely require a more extensive user agreement.

3.23.2 MESSAGE BOARDS & CHAT

Many Web sites now provide areas for users to interact with both the Web site owner and
other users. These areas take the form of message boards (where users can post a message
that can be read and responded to by other users) and chat rooms (where users can send each
other messages, or "chat," in real time).

In my experience, user interaction is fun and free-wheeling, but it can also be highly
inflammatory. Frequently, a user may make defamatory or otherwise objectionable
statements about another. Users then tend to turn to the Web site owner to remedy the
problem by removing the statements, correcting the statements or somehow punishing the
author of the statements. An audit should include a review of how the owner responds to such
demands and set up a policy for when, if ever, it is appropriate to either remove a post or
provide information about the author.

3.23.3 USER INFORMATION


The privacy and security of personal information on the Internet has become an increasing
concern. A Web site audit should include review of the site's policies for disclosing user
information and, in particular, policies for responding to subpoenas for user information. In
the United States, responding to requests for either the content of communications (i.e., email
messages) or user information is strictly limited by the [federal] Electronic Communications
Privacy Act. Any policy should take into consideration privacy or procedural requirements
and other duties arising from common law or the site's Terms of Service.

Finally, an audit should include a review of the site's privacy policy. In general, the policy
should provide notice to users about the types of information collected, how such information
is used and to whom it is disclosed. In addition, Web sites should provide their users with
reasonable access to their personal information and the ability to update or remove such data
as appropriate.

The legal audit provides some guidance for Web site owners by identifying areas of potential
liability before litigation arises. In addition, further content liability counselling can be done
to place the Web site owner in the best possible legal position--by posting proper disclaimers,
establishing sensible complaint policies, etc.--should a legal demand be made.

3.24 AGREEMENT CHECKLISTS & TEMPLATES

3.24.1 INFORMATION TECHNOLOGY PROCUREMENT AND TURNKEY CONTRACT

Overview

Description of Agreement/Document

The agreement for IT procurement and/or turnkey solutions relates to the supply of a fully
operational system to a customer. The contract with the supplier relates to procuring the
customer’s various requirements to enable the customer to simply turn a key. The supplier
under the contract will be responsible for procuring all relevant components to achieve the
turnkey or procurement contract according to the customer’s requirements.


Practical Guidance/Issues List

The parties should consider the obligations of each party and consider:
- clearly stating the user’s requirements as comprehensively as possible;
- agreeing the exact tests and acceptance criteria required;
- specifying a liquidated damages provision and an effective remedy in relation to specific breaches;
- ensuring the grant of relevant third party licences to the customer;
- ensuring that any relevant manufacturer’s warranties are assigned (if assignable);
- obtaining any third party approval as may be required for delivery of the procurement or turnkey solution;
- clarity in respect of the price payable, terms of payment and whether any additional costs will be incurred;
- avoiding any unilateral variations of prices, services or contract terms;
- relevant arrangements for delivery of any codes (particularly in relation to bespoke software);
- entering into escrow arrangements;
- negotiating and agreeing all ancillary contracts (training, project management, support, etc.) at the same time;
- avoiding unenforceable provisions such as ‘agreement to agree’;
- setting out the user’s specification in plain English with comprehensive requirements relating to functionality, technical requirements or details, what the system is to achieve;
- setting out a specific team for the project;
- agreeing clear timetables;
- obtaining third party assistance as required.

Some Key Definitions

‘Acceptance Test(s)’ means the tests by the [Contractor] which are suitable to demonstrate that
the System complies with and performs in accordance with the Orders.


‘Acknowledgement’ means the Contractor’s acceptance and acknowledgement of the Orders
containing the payment schedule, timetable and detailing the implementation and each phase
of the relevant Services.

‘Customer Equipment’ means the equipment, communications links, computer programs,
apparatus, materials and/or other items (other than the System) to be provided (including the
installation of them) by the Customer at the Location for use in association with the System.

‘Location’ means the Customer’s offices or such other location(s) set out in the Customer’s
Requirements where the System or parts of it will be installed.

‘Operating Software’ means the computer programs and associated documentation (if any)
supplied by a manufacturer in connection with the operation of a Hardware item.

‘Orders’ means the instructions and orders of the Customer in respect of its information
technology requirements contained in an agreed form (including the specification of the
System describing the intended functions and facilities for the System and the Customer’s
particular requirements on each occasion in respect of the Services, maintenance and other
matters) from time to time and expressly accepted by the Contractor.

‘Timetable’ means as regards any of the Contractor’s obligations to deliver any of the
Hardware, Software or Documentation or to perform any of the Services, the relevant date or
time agreed or set out in the Orders (if any).

Specific Provisions

Sub-Contractors
The Contractor may employ Sub-Contractors for carrying out any part of the Services
provided that the Contractor will not be relieved of any of its obligations under this
Agreement by entering into any sub-contract for the performance of any part of the Services,
and will at all times remain primarily responsible and liable to the Customer for the conduct
of the Sub-Contractors.

Required Skill
