Published by Enhelion, 2019-11-23 04:24:05

Module_15

MODULE 15: INTERNET LAW REGULATION

15.1 AN ANALYSIS OF ISSUES UNDER THE INDIAN LAW

The Internet offers a new form of media, which is convenient, fast, and economical while
the dotcom (the commonly used generic word for internet based ventures) is the most
ubiquitous form of providing content in cyberspace and conducting Internet based
transactions.

15.2 ‘REGULATION’ AND THE INTERNET

A lot has been said, discussed and debated about the Information Technology Act, 2000
(‘the Act’) and how it is expected to give a quantum jump to e-commerce in India.
Unfortunately, the Act deals only with the narrow issue of recognising digital signatures and
setting up certification authorities which will co-ordinate and regulate the process. It is
not (and, to be fair, was not expected to be) a panacea for all sorts of ills and new liability
issues which inevitably arise from the use of the net.

In recent years, governments across the world have made attempts to regulate the
Internet. The common belief that it is unregulated is a fallacy and is best dispensed with as soon
as possible. Regulation of the Internet can be classified into three basic categories:

1. Intellectual property (for example, where copyright law governs the use, styling,
linking and copying of content on a web site)

2. Contractual law (for example, the scope and enforceability of limitation and
exclusion of liability clauses and unfair contract terms posted on a web site)

3. State/jurisdictional regulation (issues regarding conflict of laws of various legal
jurisdictions which become involved in any dispute relating to a transaction over the
internet).

15.3 AN EXAMINATION OF THE MAIN ISSUES

15.3.1 INTELLECTUAL PROPERTY ISSUES

Intellectual property rights disputes regarding domain names and cyber-squatting have
been the most visible and possibly most dramatic part of cyber-related disputes. But this
is not the only area of intellectual property that is getting attention in the
post-internet era. Data, which is the sine qua non of web sites, is equally vulnerable to
intellectual property infringement.


Firstly, content (data) on a web site essentially consists of text, graphics, audio and video
files, which are all protectable as literary, artistic and cinematographic works under the
Indian Copyright Act 1957. The first ownership of the copyright vests in the author of
the work unless it is being done in the course of employment for the purposes of
publication. The creator or the copyright owner can prevent anyone from reproducing,
distributing, adapting, modifying or disseminating the copyrighted content without his
consent. Secondly, the computer program or the source code, which forms the
backbone of the web site, is also protectable as a ‘literary work’. Thirdly, the layout and
design of the web site, if distinctive in its style, can be protected as what is called a
‘trade-dress’.

A web site owner must first ensure that he owns the copyright in all these elements on
the site, so if the web site is designed and developed by employees or consultants,
which is almost always the case, the web site owner has to make sure that terms of
engagement of the employee/consultant contain unequivocal and express clauses
reserving the exclusive copyright in the owner.

Once the web site is up and running, three issues of copyright protection arise. The first is the
protection of the copyright in the content on the web site which the web site
owner owns. The second is to take care not to infringe the copyright of other web sites on
the net. The third is the copyright in content posted on the web site by users of the site.

The first issue concerns the ownership of copyright with the web site owner and has
been briefly touched upon above. Under Indian law, copyright vests in the owner
without any mandatory pre-requisite for registration. It follows, therefore, that to claim
ownership of copyright there is no real need for putting the public to notice. Copyright
law, in its earlier stages of development, required the display of a copyright notice as
proof of ownership of copyright, but the requirement was done away with. However,
even under new legislation, a person who has no reasonable grounds to believe and is
not aware that a work is copyrighted and is not permitted for communication to the
public is not liable for infringement of copyright. In all circumstances, therefore, and
considering the fact that the web site is accessible from anywhere in the world, it must,
for abundant caution, be made clear in the user agreement posted on your web site that
all copyright (in content, underlying programs and styling) vests in the web site owner
and any unauthorized download would infringe that copyright.

Downloading: The act of downloading from the internet involves making permanent
copies by the user on his hard disk, which amounts to reproduction and, therefore,
infringement, if not authorized by the copyright owner. A web site owner may,
therefore, permit download for personal, non-commercial usage and prohibit further
distribution or posting on the internet. Alternatively, the user must be warned that all
copyright notices attached to the files should be retained at all times on the downloads
and/or any copies made from them. Additionally, the user must also be warned that the
modification, deletion, edit or updating of content on the web site without permission
would amount to an unauthorized activity and be subject to penal consequences. All
this has to be specifically spelt out in the user agreement, which must be clearly brought
to the notice of the user and the user must be encouraged to ‘accept’ the terms and
conditions. This is usually done by allowing the user access to the further pages of the
web site only after clicking on the ‘I accept’ button on the home page of the web site
(the ‘click-through’ format).

The second issue is that of the copyright in other web sites’ content. It is clearly an
infringement of another’s copyright if one copy-pastes something from another web site
into one’s own web site without prior consent, license or permission. This is rampant on
the Internet and most web sites don’t even blink before copy-pasting merrily from other
sites, especially if the web site is information intensive. Needless to say, this is
potentially dangerous. Most people labour under the wrong presumption that
availability of materials on the Internet means that the web site is giving tacit
permission and license to copy and use the content freely. The legal issue which arises
here is whether there is an implied license given by a web site by providing the
information for public access. This really depends on the terms and conditions stated in
the other web site’s user agreement, and if there is no such express license the
presumption that it is freely available for public use cannot be drawn.

Linking and framing – Linking (or ‘hyper-linking’) involves merely clicking on one HTML
(hyper text mark-up language) link and being transmitted to another target web site
page, which may be of the same web site or of a third party web site. Linking is the
raison d’être of the web and allows the user to navigate seamlessly between documents
regardless of their location. A hyper link is comparable to a reference or a footnote to
the target document.

It is, therefore, imperative that to avoid problems the user agreement on a web site
must be a ‘click-through’ format where necessary acceptance is required to access or
get linked to content on your web site and necessary restrictions are brought to the
notice of the user. In the case of commercial links to your web site or links to
other web sites, however, an appropriate “linking agreement” may be entered into with the other
party which should take into account the extent and nature of linking, control of
trademarks and brands and the requirement to remove material on request. Therefore,
to avoid liability for infringement of copyright, consent may be obtained for use of third
party data and adequate disclaimers be given if and when linking to other web sites. It is
also important to give disclaimers for the content which may be available on other web
sites on which there cannot be any control of the host web site.


Interestingly, the US has enacted legislation which protects online service providers
(‘OSPs’ – equivalent to internet service providers or ‘ISPs’) from liability for copyright
infringement where the OSP refers users to material of third party web sites via a search
engine, a hypertext link or a list of recommended sites. Framing, however, which is
potentially a more dangerous activity, is not protected under this legislation.

The third issue is regarding content posted or supplied by the user. There can be a clear
term in the user agreement obliging the user to give a non-exclusive, royalty free,
perpetual license for information submitted in the public areas of the web site. The user
may also be put to notice that the web site will have no liability whatsoever for
materials posted on the web site over which the web site has no control and which
cannot be screened before they are posted for public viewing. Such cases have arisen
more in the case of bulletin boards and chat rooms where the web site or an ISP acts as
an intermediary.

15.3.2 THE WEB SITE AS AN INTERMEDIARY

It is very common to have web sites (or ISPs which provide access to the internet), which
provide the facility of online bulletin boards or chat rooms for users to communicate
and interact online. There are huge potential liability issues lurking here.

India’s new Information Technology Act, 2000 also partially takes this into account.
Section 79 of the Act deals with the exclusion of liability of ‘network service providers’
for third party information as long as the provider can prove that it exercised due diligence and
had no knowledge of the offence or contravention. A ‘network service
provider’ is defined to mean an “intermediary”, which as per clause (v) of section 2(1) means
any person who on behalf of another person receives, stores or transmits the message.
This definition would probably include a web site or an ISP, which is providing such
services. The onus is, of course, fairly heavy on the intermediary to prove that it
exercised due diligence. It is also arguable whether this exclusion of liability would
include violations under normal civil law and which do not come within the ambit of
“offences and contravention” under the Act, e.g., copyright infringement and
defamation.

15.4 INFORMATION TECHNOLOGY – REGULATORY COMPLIANCE IN INDIA

15.4.1 THE NEED FOR COMPLIANCE

Banks and other financial institutions collect a huge amount of personal data, which in
legal parlance is known as SPDI [Sensitive Personal Data or Information]. Banks
and other financial institutions are required to comply with the Information
Technology Act [2000] Amended [2008] and its Rules, which lay down certain procedures
to be followed at the time of collection of data, transfer of data, and disposal of data,
and to maintain relevant security practices and procedures.

This legal compliance document provides you with all the legal provisions under the
Information Technology Act that a bank or any other financial institution needs to
comply with.

15.4.2 PERSONAL AND SENSITIVE PERSONAL DATA OR INFORMATION DEFINED

As per the “Rules”, sensitive personal data or information of a person means such
personal information which consists of information relating to password, financial
information such as Bank account or credit card or debit card or other payment
instrument details, physical, physiological and mental health condition, sexual
orientation, medical records and history, Biometric information, any detail relating to
the above clauses as provided to body corporate for providing service; and any of the
information received under above clauses by body corporate for processing, stored or
processed under lawful contract or otherwise. Freely available or accessible information
or information furnished under the Right to Information Act, 2005 or any other law for
the time being in force has been expressly excluded from the definition.

The “Rules” further define “Personal information” as any information that relates to a
natural person, which, either directly or indirectly, in combination with other
information available or likely to be available with a body corporate, is capable of
identifying that person.

15.4.3 DATA PRIVACY AND INFORMATION SECURITY

The Information Technology Act places a duty on the organisation to “… maintain
reasonable security practices and procedures” [Section 43A]. The Act, under the section
“Offences by Companies” [Section 85], makes it clear that “… every person who, at
the time the contravention was committed, was in charge of, and was responsible to,
the company for the conduct of business of the company as well as the company…” The
persons responsible may not just be Directors or members of the senior management; it
could be any employee entrusted with the related responsibility under the Act. It is
imperative that all facets of the use of the organisation’s IT resources should be governed
by internal IT Use and Security Policies.

Data protection has now been made more explicit through clause 43A. This clause
provides for compensation to an aggrieved person whose personal data, including
sensitive personal data, may be compromised by a company during the time this data
was under processing with the company and as a result of the company’s negligent
failure to protect such data due to a failure to implement or maintain reasonable
security practices.

“Reasonable security practices and procedures” will constitute those practices and
procedures that protect such information from unauthorized access, damage, use,
modification, disclosure, or impairment as may be specified in an agreement between
the parties or as may be specified by any law in force. In the absence of such an
agreement or any law, the central government will prescribe security practices and
procedures in consultation with professional bodies or associations.

The primary law for data privacy in India is the Information Technology (Reasonable
security practices and procedures and sensitive personal data or information) Rules,
2011 issued by the Central Government in exercise of the powers conferred by clause
(ob) of subsection (2) of section 87 read with section 43A of the Information Technology
Act, 2000.

The data privacy rules define sensitive personal data or information to include
passwords, financial information, physical, physiological and mental health condition,
sexual orientation, medical records and history and biometric information.

Non-compliance with any of the provisions of the data privacy rules is penalized with a
compensation/penalty of up to Rs. 25,000 under section 45 of the Information
Technology Act.

15.4.5 CONFIDENTIALITY AND PRIVACY

On breach of confidentiality and privacy, the Act of 2000, restricted to those who gain
access to an electronic record or document, has been enhanced with a new section that
calls for punishment for disclosure of information in breach of a lawful contract.

Any person including an intermediary who has access to any material containing
personal information about another person, as part of a lawful contract, and who
discloses it without the consent of the subject person will be deemed in breach.
Punishment will consist of imprisonment of up to three years, and/or a fine of 500,000
rupees. This may prove to be a strong deterrent to breaching data confidentiality.

These additions and changes aimed at improving data protection and making more
stringent the punishment for breach of confidentiality might encourage greater business
flow across international borders. Enterprises may become more confident about their
global data traffic coming into or even passing through India.


15.5 COMPLIANCE FOR THE BANKING INDUSTRY UNDER “THE INFORMATION
TECHNOLOGY ACT, 2000”

1. Retention of electronic records [Section 7]
2. Regular Audit of electronic records [Section 7A]
3. Reasonable measures to ensure that its employees don’t inflict damage upon
any computer, computer system, etc. Without the permission of the owner, they
also must not do the following acts [Section 43]:
• Securing access to computer or computer system
• Downloading, copying and extracting data
• Introducing computer virus or contaminant
• Damaging or disrupting the computer
• Denying access to any person authorized to do so
• Assisting someone in gaining access to the computer
• Tampering and manipulating any computer
• Stealing, destroying, deleting or altering any information and assisting
someone in doing so
4. Compensation for failure to protect data [Section 43A]
5. Furnish information, record, document or report including books of accounts to
the concerned authorities [Section 44]
6. Reasonable steps to ensure that its employees don’t tamper with computer
source documents [Section 65]
7. Computer related offences [Section 66 (A-F)]
• Offensive messaging
• Receiving stolen computer source and Data
• Identity Theft
• Cheating by personating using computer source
• Violation of privacy
• Cyber Terrorism
8. Publishing obscene material [Section 67]
9. Preservation and retention of information by intermediaries [Section 67 C]
10. To comply with the directions to monitor and collect traffic data or information
through any computer resource for cyber security [Section 69B]
11. To comply with the direction of the Indian Computer Emergency Response Team
(CERT-IN) in the area of cyber security [Section 70B]
12. Organizations must also take serious note of the following offences:
• Misrepresentation [Section 71]
• Breach of Confidentiality [Section 72]
• Disclosure of information in breach of contract [Section 72A]
• Publishing false particulars in Electronic Signature Certificate [Section 73]
• Using Electronic Signature Certificate for fraudulent purposes [Section 74]
13. Intermediary Liability [Section 79]: Intermediary with respect to any particular
electronic records, means any person who on behalf of another person receives,
stores or transmits that record or provides any service with respect to that
record and includes telecom service providers, network service providers,
internet service providers, web hosting service providers, search engines, online
payment sites, online-auction sites, online market places and cyber cafes. Banks
also come under the purview of an Intermediary. As per section 79 of the IT Act,
an intermediary shall not be liable for any third party information, data, or
communication link hosted by him if the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission

And that the intermediary observes due diligence while discharging his duties
under this Act and also observes such other guidelines as the Central
Government may prescribe in this behalf.
14. Offences committed by Companies [Section 85]: Every person who, at the time an
offence was committed, was in charge of, and was responsible to, the company for
the conduct of businesses of the company as well as the company, shall be guilty of
the contravention and shall be liable to be proceeded against and punished
accordingly.
He/she will not be punished provided he/she proves that the contravention took
place without his knowledge or that he exercised all due diligence to prevent such
contravention.
If it is proved that the contravention has taken place with the consent or connivance
of, or is attributable to any neglect on the part of, any director, manager, secretary
or other officer of the company, such director, manager, secretary or other officer
shall also be deemed to be guilty of the contravention and shall be liable to be
proceeded against and punished accordingly.

15.6 PENALTIES FOR NON COMPLIANCE OF IT ACT

Legal Provisions [Information Technology Act – 2000, Amended in 2008], each followed by
the Penalties in case of non-compliance:

Section 43A - Compensation for failure to protect data
• Body corporate liable to pay damages by way of compensation to the person so
affected

Section 44 - Penalty for failure to furnish information, return, etc
• Failure to furnish information – not exceeding rupees one lakh fifty thousand
for each failure
• Failure to maintain book of accounts or records – not exceeding ten thousand
rupees for every day during which the failure continues

Section 45 – Residuary Penalty
• Whoever contravenes any rules or regulations made under this Act, for the
contravention of which no penalty has been separately provided, shall be liable to
pay a compensation not exceeding twenty-five thousand rupees to the person
affected by such contravention or a penalty not exceeding twenty-five thousand
rupees.

Section 67 C - Preservation and retention of information by intermediaries
• Imprisonment for a term, which may extend to 3 years and shall also be liable to
fine

Section 69 – “Powers to issue directions for interception or monitoring or
decryption of any information through any computer resource” - read with
Information Technology (Procedure and Safeguards for Interception, Monitoring
and Decryption of Information) Rules, 2009.
• 7 years imprisonment and fine

Section 69A – “Power to issue directions for blocking for public access of any
information through any computer resource” - read with Information Technology
(Procedure and Safeguards for Blocking for Access of Information by Public)
Rules, 2009.
• 7 years imprisonment and fine

Section 69B – “Power to authorize to monitor and collect traffic data or
information through any computer resource for Cyber Security” - read with
Information Technology (Procedure and Safeguard for Monitoring and Collecting
Traffic Data or Information) Rules, 2009.
• 3 years imprisonment and fine

Section 70B - Indian Computer Emergency Response Team to serve as national
agency for incident response.
• 1 year imprisonment and / or fine up to Rs 1 lakh.

Section 72A - Punishment for Disclosure of information in breach of lawful
contract
• Imprisonment for a term, which may extend to 3 years or with fine, which may
extend to five lakh rupees, or with both

Section 85 - Offences by Companies
• No express provision vis-à-vis penalties and compensation. However, the onus is
on the company and its Directors, Secretary and Officers to prove their
innocence

15.7 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY [REASONABLE SECURITY
PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR
INFORMATION] RULES, 2011”

1. Rule 4 - Mandatory ‘Privacy Policy’ for handling of or dealing in personal
information including sensitive personal data or information

2. Rule 5 – Collection of information
• Mandatory consent from provider of information while collecting
information
• Disclosure of purpose and intended recipients
• Review of Information by the provider
• Option for the provider of information to pull out
• Duty to keep the information secure
• Mandatory appointment of Grievance Officer to address complaints

3. Rule 6 – Disclosure of Information
• Disclosure to third parties requires prior consent; third parties should not
disclose it further
• Disclosure to certain Government Agencies mandated under law without
prior permission
• Body corporate should not publish Sensitive Personal Information / Data

4. Rule 7 – Transfer of Information
• Requires prior consent of provider of information
• Allowed only if it is an obligation under a contract
• Same level of data protection should be ensured

5. Rule 8 - Reasonable security practices and procedures while dealing with
Sensitive Personal Information
• Comprehensive documented information security programme and
information security policies
• International Standard IS/ISO/IEC 27001 on “Information Technology /
Security Techniques / Information Security Management System”
approved as compliant
• Other codes must be duly approved by the Central Government
• Audit ‘reasonable security practices and procedures’ by an auditor at
least once a year or after every significant upgradation

15.8 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY (INTERMEDIARY
GUIDELINES) RULES, 2011”

Apart from the aforementioned compliance requirements, “Intermediaries” must also
adhere to the guidelines under Section 79 of the Information Technology Act. An
‘Intermediary’ shall not knowingly host or publish any information, and shall not initiate
the transmission, select the receiver of the transmission, or select or modify the
information contained in the transmission. Upon obtaining actual knowledge of a
violation, the Intermediary must act expeditiously [within thirty six hours] to remove
access to such information. (this has changed)

An ‘Intermediary’ is under a legal obligation to:

1. publish the terms and conditions of use of its website, user agreement and
privacy policy

2. inform its users that in case of non-compliance with terms, the Intermediary has
the right to immediately terminate the access rights of the users

3. provide information to government agencies that are lawfully authorized for
investigative, protective, cyber security or intelligence activity

4. report cyber security incidents and also share cyber security incidents related
information with the Indian Computer Emergency Response Team.

5. not deploy or install or modify the technological measures which may change
the normal course of operation of the computer resource


6. publish the details of the Grievance Officer on its website and the designated
agent to receive notification of claimed infringements

An ‘Intermediary’ must also notify users of the computer resource not to host, display,
upload, modify, publish, transmit, update, share or store any information that:

1. belongs to another person
2. is harmful, threatening, abusive, harassing, blasphemous, objectionable,
defamatory, vulgar, obscene, pornographic, pedophilic, libelous, invasive of
another's privacy, hateful, or racially, ethnically or otherwise objectionable,
disparaging, relating or encouraging money laundering or gambling, or otherwise
unlawful in any manner whatever
3. infringes any patent, trademark, copyright or other proprietary rights
4. violates any law for the time being in force
5. impersonates another person
6. contains software viruses or any other computer code, files or programs
designed to interrupt, destroy or limit the functionality of any computer
resource

15.9 COMPLIANCE UNDER “THE INFORMATION TECHNOLOGY [PROCEDURE AND
SAFEGUARDS FOR INTERCEPTION, MONITORING AND DECRYPTION OF
INFORMATION] RULES, 2009”

1. Rule 13 – Intermediary to provide facilities
The intermediary should extend all facilities, co-operation and assistance for
interception or monitoring or decryption mentioned in the directions /
requisition

2. Rule 14 – Intermediary to designate officers
The intermediary should designate separate officers to receive requisition and to
handle requisitions for interception or monitoring or decryption of information

3. Rule 15 – Acknowledgement of Instructions
The intermediary should acknowledge the instructions received by way of letters
/ fax / electronically signed email to the concerned agencies within two hours on
receipt of intimation.

4. Rule 16 – Maintenance of Records by intermediary
The intermediary should maintain proper records mentioning therein, the
intercepted or monitored or decrypted information, the particulars of persons,
computer resource, email account(s), website address, etc. whose information
has been intercepted or monitored or decrypted, the name and other particulars
of the officer or the authority to whom the intercepted or monitored or
decrypted information has been disclosed, the number of copies, including
corresponding electronic records of the intercepted or monitored or decrypted
information made and the mode or the method by which such copies, including
corresponding electronic record are made, the date of destruction of the copies,
including corresponding electronic record and the duration within which the
directions remain in force.
5. Rule 18 – Submission of list of requisitions / instructions
The intermediary should forward every fifteen days a list of interception or
monitoring or decryption authorizations received by them during the preceding
fortnight to the nodal officers of the agencies authorized. The list should include
details such as the reference and date of orders of the concerned competent
authority such as Union Home Secretary or Secretary in-charge of the Home
Department in the State Government or Union Territory including orders issued
under emergency cases, date and time of receipt of such orders and the date
and time of implementation of such orders.
6. Rule 19 – Intermediary to ensure effective check on handling of instructions
The intermediary should provide technical assistance and the equipment
wherever requested by the agency authorized.
7. Rule 20 – Intermediary to ensure effective check on handling of instructions
[Internal Checks]
The intermediary should put in place adequate and effective internal checks to
ensure that unauthorized interception of messages does not take place and
extreme secrecy is maintained and utmost care and precaution is taken in the
matter of interception or monitoring or decryption of information as it affects
privacy of citizens and also that no other person of the intermediary shall have
access to such intercepted or monitored or decrypted information.
8. Rule 21 – Responsibility of Intermediary
The intermediary is also responsible for the actions of its employees.
In case of established violations, action should be taken.

15.10 COMPLIANCE UNDER “THE TELECOM COMMERCIAL COMMUNICATIONS
CUSTOMER PREFERENCE REGULATIONS, 2010”

1. Registration of telemarketer
2. Securing registration number
3. Due Payment of Deposit
• The Telemarketer is required to deposit with the Originating Access
Provider an amount of rupees one lakh only (Rs. 1,00,000/-) as
refundable security deposit
• Telemarketer also undertakes to deposit any additional security deposit
4. Telemarketer to be responsible for any misuse of telecom resources allotted to it
for the purposes of telemarketing

5. Telemarketer shall ensure that telecom resources allocated to them for voice
calls are only used for making any telemarketing calls

6. Telemarketers shall also ensure use of correct header for sending promotional or
transactional message.

7. Telemarketer to make necessary arrangements and provisions for downloading
updated data from the National Customer Preference Register
a. Updation of National Customer Preference Register (NCPR) by Access
Providers [Schedule 2 (A)]
• NCPR to be updated with the data received from the Access
Providers twice a week on every Tuesday and Friday from 0000
Hrs to 0600 Hrs. During this period NCPR shall not be available for
use by the telemarketers and Access Providers
• The data shall be available for download by the telemarketers
from 0700 Hrs to 1300 Hrs on every Tuesday and Friday
respectively.
• The telemarketers shall update their national customer
preference data with this data every Tuesday and Friday
• In order that there is synchronization between the telemarketers
and Access Providers, the data updated and downloaded on
Tuesday will be used from 0000 Hrs of Wednesday to 2359 Hrs of
Friday and the data updated and downloaded on Friday will be
used from 0000 Hrs of Saturday to 2359 Hrs of Tuesday
b. Downloading and use of the data from National Customer Preference
Register [Schedule 2 (B)]
• Every registered telemarketer shall be allowed to download NCPR
data from website www.nccptrai.gov.in
• The agency maintaining NCPR should provide unique user name
and password to each Access Provider and registered
telemarketer to download the data from NCPR
• Every registered telemarketer shall be provided dump of updated
NCPR data by the respective Access Provider
• The database updated on Tuesday shall be operational from 0000
Hrs of Wednesday to 2359 Hrs of Friday. Similarly the database
updated on Friday shall be operational from 0000 Hrs of Saturday
to 2359 Hrs of Tuesday

8. Telemarketer to be responsible for maintaining complete confidentiality of the
data downloaded from the National Customer Preference Register for the
purposes of telemarketing

9. Scrub the telephone number of such subscriber with the data base received from
the National Customer Preference register

10. Failure to follow the scrubbing process
• Telecom resources allotted shall be disconnected by the Access Provider
from whom the telemarketer has taken the telecom resource
• Name shall be entered into the black list maintained by the agency
maintaining the National Telemarketer Register for a period of two years

11. Blacklisting of Telemarketer, upon:
• failure to furnish the additional security amount as agreed to by it in the
agreement entered into with the Originating Access Provider
• service of the sixth notice in a calendar year by any Access Provider
on such telemarketer for sending unsolicited commercial communication

12. The Telemarketer shall obtain the Telecom Resources from a Licensed Telecom
Service Provider only

13. Formalities pertaining to provision of telecom resources to the telemarketers
• Telemarketer may apply for telecom resources from one or more Access
Providers
• Telemarketer to comply with subscriber verification guidelines issued by
Department of Telecommunication
• In case of promotional message or transactional message, agreement as
stipulated in the regulations must be entered into by and between the
telemarketer and access provider
• Telecom resources provided to a telemarketer for making voice calls
should not have facility for receiving incoming call and sending of SMS
• Telecom resources provided to a telemarketer for sending transactional
message should not have facility for receiving incoming call or SMS

14. Use alpha-numeric identifier for sending commercial communication in the
format having nine alpha numeric characters and related

15. Telemarketers to be allotted and should only use “140” number series for
commercial communication

16. Calls to the subscriber whose telephone number does not appear in the National
Customer Preference Register shall be sent only between 0900 Hrs to 2100 Hrs

17. Not to send commercial communications to any subscriber whose telephone
number appears on the National Customer Preference Register, except for
sending SMS in respect of categories of preference opted by the customer

18. Restrictions on ‘Transfer of Registration’ - The Telemarketer shall not, without
the prior written consent of TRAI, either directly or indirectly, assign or transfer
this registration in any manner whatsoever to a third party or enter into any
agreement for sub-Leasing and/or partnership relating to any subject matter of
the registration to any third party either in whole or in part i.e. no
subleasing/partnership/third party interest shall be created.

19. Requirement to furnish information - The Telemarketer shall furnish to TRAI, on
demand in the manner and as per the time frame such documents, accounts,
estimates, returns, reports or other information in accordance with the rules/
orders as may be prescribed from time to time

20. Prohibition of certain Activities by the Telemarketer
• The Telemarketer shall not engage on the strength of this registration in
the provision of any Service other than telemarketing and/ or requiring
separate Licence / permission
• Telemarketer will not infringe on the jurisdiction of Licensed Telecom
Service Providers and they shall neither provide switched telephony nor
use telecom resources as Public Call Office (PCO)

21. The Telemarketer shall make available on demand to the person authorized by
TRAI, full access to their equipments for technical scrutiny and for inspection,
which can be visual inspection or an operational inspection

22. The Telemarketer will ensure that their equipment installations should not
become a safety hazard and is not in contravention of any statute, rule or
regulation and public policy

23. The Telemarketer shall be required to provide the call data records of all the
specified calls handled by the system at specified periodicity, as and when
required by the security agencies

24. Wherever considered appropriate, TRAI may conduct any inquiry either suo-
motu or on complaint to determine whether there has been any breach in
compliance of the guidelines for registration by the Telemarketer and upon such
inquiry the Telemarketer shall extend all reasonable facilities without any
hindrance

25. Suspension or Termination of Registration:
• Telecom Regulatory Authority of India (TRAI) reserves the right to
suspend the operation of this registration at any time, if, in the opinion of
TRAI, it is necessary or expedient to do so in public interest or in the
interest of the security of the State or for the proper conduct of the
TELEGRAPH. If situation so warrant, it shall not be necessary for TRAI to
issue a notice for seeking comments of the Telemarketer for this purpose
and the decision of TRAI shall be final and binding
• Registration may be terminated for any failure to comply with the
guidelines for Registration of Telemarketer

26. Liability for making any unsolicited commercial communication, through the
telecom resources allotted to it, to any subscriber whose telephone number
appears in the National Customer Preference Register
• on the issue of first notice, a sum of rupees twenty five thousand only
(Rs. 25000/-) shall be deducted from the security deposit of the
telemarketer
• on the issue of second notice, a sum of rupees seventy five thousand only
(Rs. 75000/-) shall be deducted from the security deposit
• on the issue of third notice, a sum of rupees eighty thousand only (Rs.
80000/-) shall be deducted from the security deposit
• on the issue of fourth notice, a sum of rupees one lakh twenty thousand
only (Rs. 120,000/-) shall be deducted from the security deposit
• on the issue of fifth notice, a sum of rupees one lakh fifty thousand only
(Rs. 150,000/-) shall be deducted from the security deposit
• on the issue of sixth notice, a sum of rupees two lakh fifty thousand only
(Rs. 250,000/-) shall be deducted from the security deposit

27. On issue of first notice by the Access Provider to the telemarketer for sending
unsolicited commercial communication to the subscriber whose telephone
number appears in the National Customer Preference Register, the telemarketer
shall deposit additional security amount of rupees two lakh only (Rs. 2,00,000/-)
and on issue of third notice by the Access Provider to the telemarketer for
sending similar unsolicited commercial communication, the telemarketer shall
deposit an additional security of amount of rupees four lakh only (Rs. 4,00,000/-)

28. Failure to deposit the additional security deposit or no amount is available in the
security deposit of the telemarketer due to deductions made, the telecom
resources allotted to the telemarketer for the purposes of telemarketing shall be
disconnected and the name of telemarketer shall be intimated by the Access
Provider to the agency maintaining the National Telemarketer Register for
entering the name of such telemarketer in the black list and the name of such
telemarketer shall not be removed from the black list before the completion of
the period of two years from the date of entering his name in such black list and
the registration of the telemarketer shall be cancelled by TRAI under the
provisions of the regulations

29. In case of issue of sixth notice by the Access Provider to the telemarketer for
sending unsolicited commercial communication as provided under clause 10(f) of
this Agreement, without prejudice to the amount which shall be deducted from
the security deposit of the telemarketer under clause 10(f), the telecom
resources allotted to the telemarketer shall be disconnected without any further
notice. The Access Provider shall intimate the name of such telemarketer to the
agency maintaining the National Telemarketer Register for entering the name of
the telemarketer in the black list and the name of such telemarketer shall not be
removed from the black list before the completion of the period of two years
from the date of entering his name in such black list and the registration of the
telemarketer shall be cancelled by TRAI under the provisions of the regulations

15.11 ACHIEVING E-SECURITY THROUGH DOCUMENTED POLICIES

The Policies required to e-secure an organization are listed below:

1. Information and Communication Technology Policy - A policy to govern the ICT
structure of a company by providing the acceptable standards of IT usage or
related services.

2. Privacy Policy - A policy to govern the collection, usage, handling, processing and
disclosure of personal information / data of a customer. It is like reconciling
privacy expectations with privacy rights.

3. Cyber Law Policy - A policy to seek compliance with the cyber laws for the time
being in force in the Union of India such as the Information Technology Act,
various ‘Rules’ and clarifications.

4. E-Security Policy - A policy to ensure that the basic computer security
[e-security] perimeters are well in place: perimeters like firewalls with secure
passwords, correct maintenance of routers, encryption, etc.

5. Software Usage Policy - A policy to counter Soft-lifting, Counterfeiting, Renting,
Original equipment manufacturer (OEM) unbundling, Uploading and
downloading, Hard disk loading, etc with respect to software.

6. Internet Usage Policy - A policy to keep employees in line while they are online
by banning inappropriate sites, prohibiting the wasting of computer resources,
enforcing language guidelines, keeping web copy clean and using various other
measures to secure internet usage.

7. E-Mail Policy - A policy clarifying contentious points like E-Mail retention and
deletion and rules to work by.

8. Cyber Insurance Policy - A policy to govern cyber insurance to help limit
employment practices liability, limit E-mail risks, insure against Copyright &
Trademark Infringement, Patent Infringement, protect your computer assets and
guard against E-Theft, to name a few.

9. E-Writing Policy - A policy formulated for safe and secure electronic writing,
understanding the employees’ electronic writing concerns, managerial writing
and assessing / addressing employees’ electronic writing needs.

10. E-Crisis Communications Policy - An e-crisis management policy is a document
prepared on the lines of the long established formula ‘hoping for the best,
preparing for the worst’. The policy lays down guidelines for assessing the
potential for electronic crises and the methodology to handle the crisis.

15.12 TECHNO-LEGAL COMPLIANCE FOR ORGANIZATIONS – A DETAILED LOOK

The text enables an organization to conduct a complete Techno-Legal Compliance
assessment with reference to the Information Technology Act, 2000 [Amended in 2008].
With specific regard to the new responsibilities which arise as a result of the Indian
Rules recently issued under Sections 43A and 79 of the IT [Amendment] Act, Chief Privacy
/ Security Officers, Data Protection Managers, In-House Counsels or any other officer
designated by the organization for securing Information and Communications
Technology [ICT] infrastructure security and operations should take strict note of the
following:

1. Retention of Electronic Records (Sec. 7):
• The documents, records or information must be retained for any specific
period in electronic form, as required by the law for the time being in
force in India.
• The information contained therein remains accessible so as to be usable
for subsequent reference.
• The electronic record is retained in the format in which it was originally
generated, sent or received or in a format which can be demonstrated to
represent accurately the information originally generated, sent or
received.
• The details which will facilitate the identification of the origin,
destination, date and time of dispatch or receipt of such electronic record
are available in the electronic record.

2. Audit of Documents (Sec. 7A):
• The documents, records or information processed and maintained in the
electronic form have been subjected to an audit.
• The said audit is performed in a manner required by the specific law for
the time being in force in India.

3. Penalty by way of compensation for Damage to computer, computer system,
etc without permission of the owner (Sec. 43):
• Securing access to computer or computer system
• Downloading, copying and extracting data
• Introducing computer virus or contaminant
• Damaging or disrupting the computer
• Denying access to any person authorized to do so
• Assisting someone in gaining access to the computer
• Tampering and manipulating any computer
• Stealing, destroying, deleting or altering any information and assisting
someone in doing so

4. Penalty for Failure to protect data (Sec. 43A):
• The body corporate must not be negligent in implementing and
maintaining reasonable security practices and procedures while dealing
with Sensitive Personal Information
• Please refer to Annexure “A” for a detailed compliance with rules under
this section

5. Penalty for Failure to furnish information, return, etc (Sec. 44):
• Furnish document, record or report to an authority under legal obligation
as to any law for the time being in force, demanding so

• File any return as demanded by law or otherwise
• Maintain books of account or records as demanded by law or otherwise

6. Offences under the act [Sec. 65 - 74]:
• Tampering with computer source documents; knowingly or intentionally
concealing, destroying or altering computer source code (Sec. 65)
• Computer related offences – dishonest and fraudulent (Sec. 66):
    • Offensive message (Sec. 66A)
    • Receiving stolen computer source and Data (Sec. 66B)
    • Identity Theft (Sec. 66C)
    • Cheating by personation using computer source (Sec. 66D)
    • Violation of privacy (Sec. 66E)
    • Cyber Terrorism (Sec. 66F)
• Publishing obscene material (Sec. 67):
    • Material with sexually explicit act (Sec. 67A)
    • Material with children in sexually explicit act (Sec. 67B)
    • Preservation and retention of information by Intermediaries (Sec.
    67C)
• Breach of Confidentiality and Privacy; Confidentiality regarding accessed
electronic record, book, register, correspondence, information or
document without the permission (Sec. 72)
• Disclosure of information in breach of contract; Information disclosed in
order to cause wrongful gain or wrongful loss (Sec. 72A)
• Publishing false particulars in Electronic Signature Certificate (Sec. 73)
• Using Electronic Signature Certificate for fraudulent purposes (Sec. 74)

7. Exemption from liability of intermediaries in certain cases (Sec. 79):
• Intermediary, with respect to any particular electronic records, means
any person who on behalf of another person receives, stores or transmits
that record or provides any service with respect to that record, and
includes telecom service providers, network service providers, internet
service providers, web-hosting service providers, search engines, online
payment sites, online-auction sites, online-market places and cyber cafes.
• Please refer to Annexure “B” for a detailed compliance with rules under
this section

8. Abetment of offences: Abetment in consequence of instigation, conspiracy or
aiding (Sec. 84B) AND Attempt to commit offences; Attempt to commit an
offence or attempt to cause an offence to be committed (Sec. 84C)

15.13 NEW (DRAFT) RULES UNDER SECTION 43A OF THE INFORMATION TECHNOLOGY
ACT

15.13.1 THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES
AND PROCEDURES AND SENSITIVE PERSONAL INFORMATION) RULES,
2011

The Central Government has notified draft rules to provide further clarity to the
application of Section 43A of the Indian Information Technology Act, 2000 [Amended in
2008]. These rules may be called the Information Technology (Reasonable security
practices and procedures and sensitive personal information) Rules, 2011.

15.13.1.1 SECTION 43A - COMPENSATION FOR FAILURE TO PROTECT DATA

Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such body corporate shall
be liable to pay damages by way of compensation, to the person so affected.

Explanation: For the purposes of this section-

(i) "body corporate" means any company and includes a firm, sole proprietorship or
other association of individuals engaged in commercial or professional activities

(ii) "reasonable security practices and procedures" means security practices and
procedures designed to protect such information from unauthorized access,
damage, use, modification, disclosure or impairment, as may be specified in an
agreement between the parties or as may be specified in any law for the time
being in force and in the absence of such agreement or any law, such reasonable
security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it
may deem fit.

(iii) "Sensitive personal data or information" means such personal information as
may be prescribed by the Central Government in consultation with such
professional bodies or associations as it may deem fit.

15.13.1.2 SENSITIVE PERSONAL DATA AND INFORMATION [RULE 3]

The ‘Rules’ define “Sensitive Personal Data or Information” [Rule 3] as information
collected, received, stored, transmitted or processed by body corporate or intermediary
or any person, consisting of and relating to:

1. Password

Rule 2 (h) - "Password" means a secret word or phrase or code or pass
phrase or secret key, or encryption or decryption keys that one
uses to gain admittance or access to information;

2. Financial information such as Bank account or credit card or debit card or other
payment instrument details

3. Physical, physiological and mental health condition
4. Sexual orientation
5. Medical records and history
6. Biometric information

Rule 2 (b) - "Biometrics" means the technologies that measure and analyze
human body characteristics, such as 'fingerprints', 'eye retinas and
irises', 'voice patterns', 'facial patterns', 'hand measurements' and
'DNA' for authentication purposes;

7. Any detail relating to the above clauses as provided to body corporate for
providing service

8. The information received under above clauses by body corporate for processing,
stored or processed under lawful contract or otherwise

Rule 3 further excludes any information that is freely available or accessible in the public
domain, or accessible under the Right to Information Act, 2005 or any other law for the
time being in force within the territory of the Union of India, from being regarded as
sensitive personal data or information for purposes of these rules.

15.13.2 MANNER IN WHICH INFORMATION MUST BE COLLECTED [RULE 5]

Rule 5 lists in detail the mode and manner in which the information must be collected.
The list is as follows:

1. Body corporate or any person on its behalf shall obtain consent in writing
through letter or Fax or email from the provider of the sensitive personal data or
information regarding purpose of usage before collection of such information.

2. Body corporate or any person on its behalf shall not collect sensitive personal
data or information unless —
(a) the information is collected for a lawful purpose connected with a
function or activity of the body corporate or any person on its behalf; and
(b) the collection of the sensitive personal data or information is considered
necessary for that purpose.

3. While collecting information directly from the person concerned, the body
corporate or any person on its behalf should take such steps as are, in the
circumstances, reasonable to ensure that the person concerned is having the
knowledge of —
(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.
4. Body corporate or any person on its behalf holding sensitive personal data or
information shall not retain that information for longer than is required for the
purposes for which the information may lawfully be used or is otherwise
required under any other law for the time being in force.
5. The information collected shall be used for the purpose for which it has been
collected.
6. Body corporate or any person on its behalf shall permit the providers of information,
as and when requested by them, to review the information they had provided
and ensure that any personal information or sensitive personal data or
information found to be inaccurate or deficient shall be corrected or amended as
feasible:
Provided that a body corporate shall not be responsible for the authenticity of
the personal information or sensitive personal data or information supplied by
the provider of information to such body corporate or any other person acting on
behalf of such body corporate.
7. Body corporate or any person on its behalf shall, prior to the collection of
information including sensitive personal data or information, provide an option
to the provider of the information not to provide the data or information
sought to be collected. The provider of information shall, at any time while
availing the services or otherwise, also have an option to withdraw its consent
given earlier to the body corporate. Such withdrawal of the consent shall be sent
in writing to the body corporate. In the case of provider of information not
providing or later on withdrawing his consent, the body corporate shall have the
option not to provide goods or services for which the said information was
sought.
8. Body corporate or any person on its behalf shall keep the information secure as
provided in rule 8.
9. Body corporate shall address any discrepancies and grievances of their provider
of the information with respect to processing of information in a time bound
manner. For this purpose, the body corporate shall designate a Grievance Officer
and publish his name and contact details on its website. The Grievance Officer
shall redress the grievances of provider of information expeditiously but within
one month from the date of receipt of grievance.

15.13.3 REASONABLE SECURITY PRACTICES AND PROCEDURES [RULE 8]

The long awaited compliance issue with “Reasonable Security Practices and
Procedures” has also been taken care of, in the most prolific manner, in the ‘Rules’.

1. A body corporate or a person on its behalf shall be considered to have complied
with reasonable security practices and procedures, if they have implemented
such security practices and standards and have a comprehensive documented
information security programme and information security policies that contain
managerial, technical, operational and physical security control measures that
are commensurate with the information assets being protected with the nature
of business.

2. The International Standard IS/ISO/IEC 27001 on "Information Technology -
Security Techniques - Information Security Management System - Requirements"
is one such standard referred to in sub-rule (1).

3. The body corporate or a person on its behalf who have implemented either
IS/ISO/IEC 27001 standard or the codes of best practices for data protection as
approved and notified under sub-rule (3) shall be deemed to have complied with
reasonable security practices and procedures provided that such standard or the
codes of best practices have been certified or audited on a regular basis by
entities through independent auditor, duly approved by the Central
Government. The audit of reasonable security practices and procedures shall be
carried out by an auditor at least once a year or as and when the body corporate
or a person on its behalf undertakes significant upgradation of its process and
computer resource.

4. The International Standard IS/ISO/IEC 27001 on “Information Technology /
Security Techniques / Information Security Management System” has been
adopted by the country. Industry associations or industry clusters that are
following other codes [and not IS/ISO/IEC 27001] of best practices for data
protection and fulfil the preliminary requirement must get their codes of best
practices approved by the government.

5. The rule further iterates that in the event of an information security breach, any
such person, including the body corporate shall be required to demonstrate that
they have implemented security control measures as per their documented
information security programmes and information security policies.

15.13.4 PRIVACY POLICY AND EXTENT OF DISCLOSURE [RULE 4]

Rule 4 of the ‘Rules’ requires the body corporate to provide a policy for privacy and
further describes the extent to which disclosure of information can take place. The rule
provides that the body corporate or any person who on behalf of the body corporate
collects, receives, possesses, stores, deals with or handles information of a provider of
information shall provide a privacy policy for handling of or dealing in personal
information including sensitive personal data or information and ensure that the same
is available for view by such providers of information who have provided such
information under lawful contract. Such policy shall be published on the website of the body
corporate or any person on its behalf and shall provide for:

1. Clear and easily accessible statements of its practices and policies
2. Type of personal or sensitive personal data or information collected under rule 3
3. Purpose of collection and usage of such information
4. Disclosure of information including sensitive personal data or information as
provided in rule 6
5. Reasonable security practices and procedures as provided under rule 8

15.13.5 DISCLOSURE TO THIRD PARTIES [RULE 6]

The ‘Rules’ lay down the methodology to be followed in order to lawfully disclose
information to third parties. Disclosure of information by body corporate to any third
party shall require the prior permission from the provider of such information. The
information shall be provided to government agencies for the purpose of verification of
identity, or for prevention, detection, investigation, prosecution, and punishment of
offences. The government agency shall send a written request stating clearly the
purpose of seeking such information.

Other sub-rules state that:

1. Information shall be disclosed to any third party by an order under the law for
the time being in force

2. The body corporate or any person on its behalf shall not publish the sensitive
personal information

3. The third party receiving the information from body corporate shall not disclose
it further

15.13.6 TRANSFER OF INFORMATION [RULE 7]:

A body corporate or any person on its behalf may transfer sensitive personal data or
information including any information, to any other body corporate or a person in India,
or located in any other country, that ensures the same level of data protection that is
adhered to by the body corporate as provided for under these Rules. The transfer may
be allowed only if it is necessary for the performance of the lawful contract between the
body corporate or any person on its behalf and provider of information or where such
person has consented to data transfer.

15.14 NEW (DRAFT) RULES UNDER SECTION 79 OF THE INFORMATION TECHNOLOGY
ACT: THE INFORMATION TECHNOLOGY (DUE DILIGENCE OBSERVED BY
INTERMEDIARIES GUIDELINES) RULES, 2011

The Central Government has notified draft rules to provide further clarity to the
application of Section 79 of the Indian Information Technology Act, 2000 [Amended in
2008]. These rules may be called the Information Technology (Due diligence observed
by intermediaries guidelines) Rules, 2011.

15.14.1 SECTION 79 - EXEMPTION FROM LIABILITY OF INTERMEDIARY IN
CERTAIN CASES:

(1) Notwithstanding anything contained in any law for the time being in force but
subject to the provisions of sub-sections (2) and (3), an intermediary shall not be
liable for any third party information, data, or communication link hosted by
him.

(2) The provisions of sub-section (1) shall apply if-
(a) the function of the intermediary is limited to providing access to a
communication system over which information made available by third
parties is transmitted or temporarily stored; or
(b) the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
(c) the intermediary observes due diligence while discharging his duties
under this Act and also observes such other guidelines as the Central
Government may prescribe in this behalf

(3) The provisions of sub-section (1) shall not apply if
(a) the intermediary has conspired or abetted or aided or induced whether
by threats or promise or otherwise in the commission of the unlawful act
(b) upon receiving actual knowledge, or on being notified by the appropriate
Government or its agency that any information, data or communication
link residing in or connected to a computer resource controlled by the
intermediary is being used to commit the unlawful act, the intermediary
fails to expeditiously remove or disable access to that material on that
resource without vitiating the evidence in any manner.
Explanation: For the purpose of this section, the expression "third party
information" means any information dealt with by an intermediary in his
capacity as an intermediary.

15.14.2 SECTION 2 (W) - INTERMEDIARY

"Intermediary" with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or provides any
service with respect to that record and includes telecom service providers, network
service providers, internet service providers, web hosting service providers, search
engines, online payment sites, online-auction sites, online market places and cyber
cafes.

15.14.3 DUE DILIGENCE OBSERVED BY INTERMEDIARY [RULE 3]:

The intermediary shall observe following due diligence while discharging its duties:

1. The intermediary shall publish the terms and conditions of use of its website,
user agreement, privacy policy etc.

2. The intermediary through the above mentioned documents shall notify users of
computer resource not to host, display, upload, modify, publish, transmit,
update, share or store any information that:
• belongs to another person
• is harmful, threatening, abusive, harassing, blasphemous, objectionable,
defamatory, vulgar, obscene, pornographic, pedophilic, libelous, invasive
of another's privacy, hateful, or racially, ethnically or otherwise
objectionable, disparaging, relating or encouraging money laundering or
gambling, or otherwise unlawful in any manner whatever
• harms minors in any way
• infringes any patent, trademark, copyright or other proprietary rights
• violates any law for the time being in force
• deceives or misleads the addressee about the origin of such messages or
communicates any information which is grossly offensive or menacing in
nature
• impersonates another person
• contains software viruses or any other computer code, files or programs
designed to interrupt, destroy or limit the functionality of any computer
resource
• threatens the unity, integrity, defence, security or sovereignty of India,
friendly relations with foreign states, or public order or causes incitement
to the commission of any cognizable offence or prevents investigation of
any offence or is insulting any other nation.

3. The intermediary shall not knowingly host or publish any information or shall not
initiate the transmission, select the receiver of transmission, and select or
modify the information contained in the transmission as specified in sub-rule (2).

Provided that the following actions by an intermediary shall not amount to
hosting, publishing, editing or storing of any such information as specified in
sub-rule (2)-
• temporary or transient or intermediate storage of information
automatically within the computer resource as an intrinsic feature of
such computer resource, involving no exercise of any human editorial
control, for onward transmission or communication to another computer
resource
• removal of access to any information, data or communication link by an
intermediary after such information, data or communication link comes
to the actual knowledge of a person authorized by the intermediary
pursuant to any order or direction as per the provisions of the Act
4. The intermediary, upon obtaining actual knowledge by itself or on being brought to
actual knowledge by an authority in writing or through email signed with
electronic signature about any such information, shall act expeditiously to work
with user or owner of such information to remove access to such information
within 6 hours. Further the intermediary shall inform the police about such
information and preserve the records for 90 days.
5. The intermediary shall inform its users that in case of non-compliance with
terms, the intermediary has the right to immediately terminate the access rights
of the users.
6. The intermediary shall follow provisions of the Act or any other laws for the time
being in force.
7. The intermediary shall provide information to government agencies that are lawfully
authorized for investigative, protective, cyber security or intelligence activity.
The information shall be provided for the purpose of verification of identity, or
for prevention, detection, investigation, prosecution, cyber security incidents
and punishment of offences under any law for the time being in force, on a
written request stating clearly the purpose of seeking such information.
8. The intermediary shall take all measures to secure its computer resource and
information contained therein.
9. The intermediary shall report cyber security incidents and also share cyber
security incidents related information with the Indian Computer Emergency
Response Team.
Rule 2(e) - “Cyber security incident” means any real or suspected adverse event
in relation to cyber security that violates an explicitly or implicitly applicable
security policy resulting in unauthorized access, denial of service or disruption,
unauthorized use of a computer resource for processing or storage of
information or changes to data, information without authorization.
10. The intermediary shall not deploy or install or modify the technological measures
or become party to any such act which may change or has the potential to
change the normal course of operation of the computer resource than what it is
supposed to perform thereby circumventing any law for the time being in force.
Provided that the intermediary may develop, produce, distribute or employ
technological means for the sole purpose of performing the acts of securing the
computer resource.
11. The intermediary shall publish on its website the details of the Grievance Officer,
the designated agent to receive notification of claimed infringements.
