Published by Enhelion, 2021-11-09 00:27:46

Module_6

MODULE 6

INFORMATION TECHNOLOGY LAWS - A COMPARATIVE
STUDY

I. Introduction

A comparative study of the legal paradigm on a global level has become essential
today. It involves the study of the different legal systems that are in existence in the
world. It also addresses the needs of the lawyers to gain better knowledge of
foreign legal systems, which in turn helps the states to develop an adequate
legislation to meet the requirements of the international market, as well as the
changing political world order.

Along with this, comparative law has also become a valuable tool for stimulating
awareness of the cultural and social character of the law of any country.
Comparative law provides an understanding of the way law develops and works in
different cultures.

The Information Technology laws in India are comparatively new, and developing
a comparative study will help fill the vacuum that the lawmakers could not
foresee. The relationship between the legal systems of different countries will be
discussed in this chapter.

II. Comparative analysis: -

The different IT laws, which are going to be discussed, are: -
1. Anti Spam Laws
➢ United States: -
The Controlling the Assault of Non-Solicited Pornography And
Marketing Act (CAN-SPAM Act of 2003)¹ was signed into law by
President George W. Bush on December 16, 2003. This act
established the requirements for sending commercial e-mail. It gave
the recipients the right to stop the sender from sending commercial
e-mails to them and it also spelled out penalties for its violation².
This act uses the Federal Trade Commission (FTC) to enforce its
provisions.
The CAN-SPAM Act defines a "commercial electronic mail message"
under Section 3(2)³ as "any electronic mail message the primary
purpose of which is the commercial advertisement or promotion of a
commercial product or service (including content on an Internet
website operated for a commercial purpose)." It exempts
"transactional or relationship messages." The FTC issued final rules
(16 C.F.R. 316) clarifying the phrase "primary purpose" on December
16, 2004. Previous state laws had used bulk (a number threshold),
content (commercial), or unsolicited to define spam.

1 “Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003” available at:
<http://www.legalarchiver.org/cs.htm>
2 “CAN-SPAM Act: A Compliance Guide for Business,” On September 2009, Available at:
<http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business>
3 Supra 1

This act allows e-mail marketers to send unsolicited commercial
e-mail only if it adheres to 3 basic compliance requirements:
unsubscribe compliance, content compliance and sending behavior
compliance.

The CAN-SPAM Act 2003 came into force in January 2004. The major
provisions of the act are:-

i. False and misleading header information is banned
ii. Deceptive subject lines are prohibited
iii. Opt-out methods must be provided
iv. Commercial email must be identified as an advertisement
and it must include the sender's valid physical postal address
v. Receivers must be warned of sexually explicit material

Penalties for the violation of the act include a fine of up to USD 11000
and also imprisonment in specific circumstances.

➢ UK
The United Kingdom is directed through the “Privacy and Electronic
Communications (EC Directive) Regulations 2003”⁴, which has been
a major driving force behind the enactment of its anti-spam laws.

A fine of GBP 5000 is imposed on spammers if they fall within the
ambit of the Anti Spam Act. Under the privacy act, it is unlawful to
transmit an automated recorded message for direct marketing
purposes via a telephone, without prior consent of the subscriber. The
Privacy and Electronic Communications Regulations 2003 cover the
sending of email marketing. This legislation says that organizations
must only send marketing emails to individuals if they have agreed to
receive them, except where there is a clearly defined customer
relationship. Many spam emails come from outside the UK. The
Information Commissioner’s Office (ICO), the UK’s independent
authority set up to uphold information rights in the public interest and
data privacy for individuals, is the only organization which can
investigate complaints about marketing emails from identifiable UK
senders.

4 “The Privacy and Electronic Communications (EC Directive) Regulations 2003” available at:
<http://www.legislation.gov.uk/uksi/2003/2426/contents/made>

➢ EU
European Union (EU) directives are required to be implemented into
legislation in all of the 27 member countries. The EU Directive on
privacy and electronic communications was introduced in the year
2002⁵, and its key components have since been incorporated into
various forms of national legislation in the member countries,
including in the United Kingdom. The EU directive covers all direct
email marketing messages, including charitable and political
messages.

5 “Directive 2002/58/EC of the European Parliament and of the Council: concerning the processing of
personal data and the protection of privacy in the electronic communication sector (Directive on privacy
and electronic communications),” on 12 July 2002, available at:
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0037:EN:PDF>

Direct marketing email messages may be sent only to subscribers who
have given their prior consent ("opt-in"). Prior permission is required
for business-to-consumer (B2C) communication covering all "natural
persons".⁶

This Directive has been drafted to keep pace with the changing
requirements of new digital technologies. It does not apply to issues
concerning public security and defense, state security and criminal
law.

➢ Australia

In Australia, spam is regulated by the Spam Act, 2003⁷. The activity
to which it applies is described in detail under Sections 5 and 6 of
the Act. “Commercial electronic message” covers a message sent
using an Internet or other carriage service to an email account or an
instant messaging, telephone or similar account and relating to a
specific list of commercial purposes.

6“Data protection in the electronic communications sector” available at:
<http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm>
7“Spam Act, 2003”, available at:
<http://www.acma.gov.au/webwr/consumer_info/frequently_asked_questions/spam_business_practical_guide.pdf>

The term “message” as defined under Section 4 includes text, data,
speech, music, other sounds, visual images (animated or otherwise),
or any other form of information.

The specified list of purposes that render a message “commercial”
includes - advertising; promoting or offering to supply goods,
services, land or an interest in land; or a business opportunity for
investment.

Section 6 of the act includes any message that is intended to
dishonestly obtain a gain, financial advantage or property belonging to
another person by means of deception.

2. Law preventing Misuse of Computers
➢ United States
The issue of computer misuse was addressed in the US way back in 1984
through the Computer Fraud and Abuse Act (CFAA)⁸. This act
governs cases with a compelling federal interest, where computers of
the federal government or certain financial institutions are involved,
where the crime itself is interstate in nature, or computers used in
interstate and foreign commerce.

This act punishes not just anyone who commits or attempts to commit
an offense under the Computer Fraud and Abuse Act but also those
who conspire to do so. This act has been further amended by the US
Patriot Act, 2001, which enhanced the scope and penalties imposed.

8 “Computer Fraud and Abuse Act, 1984”, available at:
<http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf>

The penalty for a first-time offence is ten years' imprisonment and for
a second-time offence is twenty years' imprisonment. These are much
more stringent considering Indian law provides for just around three
years' punishment in most cases.

The term “protected computer” under the act means a computer:
i. used exclusively by a financial institution or the United
States Government, or, in the case of a computer not
exclusively used for such purpose, it is used by or for a
financial institution or the United States Government and
the conduct constituting the offense affects that use by or
for the financial institution or the Government; or
ii. which is used in interstate or foreign commerce or
communication, including a computer located outside the
United States that is used in a manner that affects
interstate or foreign commerce or communication of the
United States⁹.

a) In Massachusetts Bay Transportation Authority (MBTA) vs.
Anderson¹⁰, the plaintiff claimed that the defendants violated or
threatened to violate the CFAA by releasing the
findings of their research regarding the security
holes associated with the MBTA fare charging
system. The court found that a violation of the
CFAA only occurs if the person knowingly causes
the transmission of programmed information to a
protected computer. Because the defendants in this
case were only seeking to transmit information to a
non-computer audience, the court found that the
MBTA was not likely to succeed on a claim under
the CFAA.

9 “18 U.S.C. § 1030: US Code - Section 1030: Fraud and related activity in connection with computers”,
available at:
<http://www.gpo.gov/fdsys/pkg/USCODE-2010-title18/html/USCODE-2010-title18-partI-chap47-sec1030.htm>
10 MBTA v. Anderson, No. 08-11364, (D. Mass. filed Aug. 19, 2008).

➢ UK
In the United Kingdom, computer misuse was defined in 1990
through its Computer Misuse Act¹¹. This act was implemented hastily
by the Parliament of the United Kingdom as there was a need to
differentiate between “joyriding hackers”, as in the case of R vs.
Gold and Schifreen¹², and serious computer criminals.
This act dealt with unauthorized access and modification of computer
material. The penalty imposed under the act is imprisonment of
five years with fine.

11 “Computer Misuse Act , 1990”, available at:
< http://www.legislation.gov.uk/ukpga/1990/18/contents>
12 R v Gold & Schifreen (1988) 1 AC 1063

➢ Singapore
Singapore has been visualized as an 'intelligent island' by the government
in the matter of information technology development and incidental
issues. Singapore has been ranked as the most network ready country
whereas the United States of America is in the 5th position.

Thus from the period of commercialization of the internet, Singapore
has been one of the front runners. It has been the fate of information
technology in general that the technology runs ahead while the legal
framework governing, or supposed to govern, it runs far behind.

Singapore enacted the Computer Misuse Act in the year 1993, with
subsequent amendments in the year 1998, in order to deal with crimes
committed with or involving use of computers. Even though the Act
was passed in the year 1993, no effective judicial analysis had been
made upon the Act till its amendment in the year 1998 or thereafter.
The criminal provisions envisaged in the Computer Misuse Act as it is
available now lack clarity and sharpness with respect to the special
nature of cyber crimes.¹³

The Singapore Computer Misuse Act 1993 classifies the following
activities as computer crime:-

i. Unauthorized access to computer material.
ii. Unauthorized access with intent to commit or facilitate
commission of further offences.
iii. Unauthorized modification of computer material.
iv. Unauthorized use and interception of computer services.

13 Jolly John, “A Critical Study of Penal Provisions of Singapore Computer Misuse Act”, May 17,
2006, available at: <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=901902>

Offences and punishments under this Act comprise:
i. Imprisonment up to 2 years and/or fine up to $2,000.
ii. Imprisonment up to 5 years and/or fine up to $20,000 if
the damage exceeds $10,000.

An unauthorized access of a computer with an intention to commit or
facilitate commission of further offences is punishable with an
imprisonment up to 10 years and/or fine up to $50,000.

3. Law related to Data Protection and Personal Privacy
➢ USA
The Identity Theft Enforcement and Restitution Act of the US made
further enhancements to the original act¹⁴ by making the act of
causing damage to ten or more computers a felony. It also removed
the limit of damage, which was earlier set to USD 5000 in the Computer
Fraud and Abuse Act.

One of the major emphases of this act has been to criminalize not only
explicit threats to cause damage to a computer, but also threats to
a) steal data on a victim’s computer,
b) publicly disclose stolen data, or
c) not repair damage the offender already caused to the computer.

14 “Computer Fraud and Abuse Act, 1984” (Supra at 8)

The act also ensures that restitution orders for identity theft cases may
include an amount equal to the value of the victim’s time spent
remediating the actual or intended harm of the identity theft or
aggravated identity theft offense.

➢ UK
Data protection and privacy have been of major concern in the United
Kingdom and legislation was passed in the year 1998 to ensure
protection of personal data. One of the leading pieces of legislation is
the Data Protection Act, 1998.¹⁵ This act specifically defines sensitive
personal data as personal data consisting of information as to:-
i. the racial or ethnic origin of the data subject,
ii. his political opinions,
iii. his religious beliefs or other beliefs of a similar nature,
iv. whether he is a member of a trade union,
v. his physical or mental health or condition,
vi. his sexual life,
vii. the commission or alleged commission by him of any offence,
or
viii. any proceedings for any offence committed or alleged to have
been committed by him, the disposal of such proceedings or the
sentence of any court in such proceedings.

15 “Data Protection Act, 1998” available at: <http://www.legislation.gov.uk/ukpga/1998/29/contents>

➢ EU
Under EU law, personal data can only be gathered legally under strict
conditions, for a legitimate purpose. Furthermore, persons or
organizations which collect and manage personal information must
protect it from misuse and must respect certain rights of the data
owners, which are guaranteed by EU law.

The United States Department of Commerce created the International
Safe Harbor Privacy Principles certification program in response to
the 1995 Directive on Data Protection (Directive 95/46/EC) of the
European Commission. Directive 95/46/EC declares in Chapter IV
Article 25 that personal data may only be transferred from the
countries in the European Economic Area to countries which provide
adequate privacy protection.

According to the EU directive, personal data may only be transferred
to third countries if that country provides an adequate level of
protection. Some exceptions to this rule are provided, for instance
when the controller himself can guarantee that the recipient will
comply with the data protection rules.

The European Commission has set up the "Working party on the
Protection of Individuals with regard to the Processing of Personal
Data," commonly known as the "Article 29 Working Party". The
Working Party gives advice about the level of protection in the
European Union and third countries.

The Working Party negotiated with U.S. representatives about the
protection of personal data; the Safe Harbor Principles were the result.
Notwithstanding that approval, the self-assessment approach of the
Safe Harbor remains controversial with a number of European privacy
regulators and commentators.

The Safe Harbor is not a perfect solution to the challenges posed by
Article 25 of Directive 95/46/EC. Under European law, personal
data can only be gathered legally under strict conditions, for a
legitimate purpose. Furthermore, persons or organizations which
collect and manage personal information must protect it from misuse
and must respect certain rights of the data owners, which are
guaranteed by EU law. In addition, any dispute arising in relation to
the transfer of HR data to the US Safe Harbor must be heard by a
panel of EU privacy regulators¹⁶.

16 “Protection of Personal Data”, available at: <http://ec.europa.eu/justice/data-protection/index_en.htm>

4. Liabilities of an Intermediary in different countries:-
➢ US

In the United States of America, Section 230 of the Communications
Act and Section 512 of the Copyright Act deal with the liabilities of
an intermediary.

Section 230 gives intermediaries protection against liability for any
content created by a third-party user. This section has been used by
intermediaries like interactive online services as a screen against a
variety of claims including negligence, fraud, violations of federal
civil rights laws, and defamation.
Without Section 230, entry barriers for new Internet services and
applications that allow user-generated content would be much higher,
dampening the innovation we have seen in interactive media.

The Digital Millennium Copyright Act limits the scope of liability for
copyright infringement for certain types of intermediaries. Section
512 of the said act provides a “safe harbor” for online service
providers from claims of copyright infringement made against them
that result from the infringing conduct of their customers, but only if
the service providers meet certain criteria.

A broad range of service providers can benefit from this safe harbor,
including internet service providers, search engines, and content
hosting services. The criteria that service providers must meet to
qualify for the safe harbor vary depending on the type of provider,
but include taking down infringing material when notified by the
copyright owner of its presence on the provider’s service. If a service
provider meets the relevant requirements, only the individual
infringing customer may be subject to liability; if the provider doesn’t
satisfy the requirements, it loses its safe harbor.

This act also provides that this safe harbor is not conditioned on
providers monitoring or affirmatively investigating unlawful activity
on their networks.

Yahoo was sued in the French courts by anti-Nazi groups on the basis
that Nazi memorabilia and Neo-Nazi materials were being sold by
third parties via its US auction site. The basis of the claim was
contravention of the laws prohibiting the promotion of Nazism, i.e.
liability based on publication. Because the auction site was accessible
in France, the court ordered Yahoo! to take all necessary measures to
make it impossible for French residents to access the Nazi
material via the Yahoo auction service¹⁷. A California court later granted
a declaration that the French judgment could not be enforced within
the U.S. as such enforcement would contravene the free speech provisions
of the first amendment to the U.S. Constitution¹⁸. Yahoo! resolved the
civil litigation by banning the sale of Nazi-related material on its
auction sites, but this did not prevent Timothy Koogle, former
chairman and chief executive of Yahoo US, from being arrested in
France and facing charges of justifying war crimes before a criminal
court in Paris¹⁹.

17 Yahoo! Inc vs. LICRA (TGI Paris, 22 May 2000, Interim court order no. 00/05308, 00/05309).
18 Yahoo! Inc vs. La Ligue Contre Le Racisme et L’Antisemitisme 169 F Supp 2d 1181 (ND Cal, 2001).
19 Le Monde, 8 January 2003. “The criminal court later dismissed all charges, finding that Yahoo has
never tried to ‘justify war crimes [or] crimes against humanity’”, available at: <www.cdt.org/jurisdiction>

➢ Europe
The liability of Internet service providers in the European Union is
governed by the E-Commerce Directive, 2000²⁰. The Directive
introduces absolute and qualified exemptions from liability. The
service providers are not liable if there is an absence of actual
knowledge of illegal content. When they receive notice of the
presence of illegal content or gain actual knowledge of the same, they
need to act expeditiously to remove the content in question or make it
inaccessible, or risk losing their exemption from liability. If a hosting
provider refuses to act upon knowledge or if he tarries in taking a
decision, he can no longer appeal to the exemption.

Article 15 of the directive declares that Member States must prohibit
any kind of interception or surveillance of such communications by
others than the senders and receivers, except when legally authorized.

Article 47 on the other hand states that a duty to monitor can be
imposed on the service provider in specific cases. Monitoring can be
described as checking the legality or illegality of content. If
monitoring leads to knowledge of illegality, a hosting provider must
act expeditiously to remove the content or make it inaccessible.

20 “Directive 2000/31/EC of the European Parliament and of the Council, 8 June 2000”, available at:
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:178:0001:0001:EN:PDF>

The E-Commerce Directive does not create a monitoring duty; it
merely leaves the door open for national specific monitoring duties
and actually forbids the creation of a general duty. The Directive also
states that the rules do not stand in the way of injunctions against
service providers.

For copyright infringements, a positive obligation for Member States
is to have the possibility of injunctions laid down under article 8.3 of
the Directive on Copyright in the Information Society²¹, which reads
as follows: “Member States shall ensure that right holders are in a
position to apply for an injunction against intermediaries whose
services are used by a third party to infringe a copyright or related
right”. The Enforcement Directive also adds that Member States shall
also ensure that right holders are in a position to apply for an
injunction against intermediaries whose services are used by a third
party to infringe an intellectual property right, without prejudice to art
8.3 of the Directive.

Under Article 12, the internet service provider (ISP) is not liable as
long as it acts as a “mere conduit” of information provided by others.
This immunity is applicable if the information transmitted is “for the
sole purpose of carrying out the transmissions in the communication
network, and provided that the information is not stored for any period
longer than is reasonably necessary for the transmission”.

21 “Consultation on UK Implementation of Directive 2001/29/EC on Copyright
and Related Rights in the Information Society: Analysis of Responses and
Government Conclusions”, available at: <http://www.ipo.gov.uk/copydirect.pdf>

• L’Oreal vs. eBay²²
This was a case between cosmetic manufacturer L’Oreal and
distributors of unauthorized sampler products which had
their packaging removed and were then sold on eBay. The question
raised in this case is whether eBay can be held liable for trade
mark infringement committed by merchants operating on its
website.

While ordinarily eBay would not have been held liable for
whatever is sold on its site, it allowed the placement of
sponsored links to infringing products. It also included the
infringing products in its listings under the affected marks.
Moreover, infringing merchants could purchase ad words and
keywords in search engines that direct to the pages on eBay.
The question then was whether these actions warranted liability.
The ECJ ruled that an operator of an online marketplace cannot
rely on the liability exemption if it played an 'active role' that
would give 'it knowledge of, or control over, the data relating to
the offers for sale'. The operator already plays such a role 'when
it provides assistance which entails, in particular, optimizing
the presentation of the online offers for sale or promoting
those.' The ECJ also confirmed that even if the operator did not
provide such assistance, it may nonetheless be held liable if it is
aware of facts or circumstances from which the illegal
information is apparent and fails to remove this information
from its website.

22 L’Oréal v eBay (C-324/09)

Furthermore, the ECJ pointed out that national courts should be
able to order the operator to take measures, not only to end
infringements but also to prevent further infringements. To
ensure that there is a right to an effective remedy against the
individual sellers who used the online service for intellectual
property right infringements, the ECJ added that the operator
may be ordered to take measures to make it easier to identify
those persons.

