COMMENTS ON THE PUBL IC CONSULTATION OF

Draft Rules under Section 43A & Section 79

of IT Act

Apar Gupta
Partner, Accendo Law Partners
E-215, Third Level, East of Kailash, New Delhi - 110062
Email apar@accendolaw.com • Mobile 9990000256

From the India Law and Technology Blog accessible at www.iltb.net

Comments on Reasonable Security Practices and Procedures and
1
Sensitive Personal Information (Draft) Rules, 2011

Draft rules
under section 43
From the India Law and Technology Blog accessible at www.iltb.net
 1. DEFINITIONS

1.1. The Draft Reasonable Security Practices and Procedures and Sensitive Personal
Information Rules, 2011 which are sought to be formed under Section 43A seek to further
augment the prohibition against the negligent disclosure of sensitive personal data or
information. In order for the rules to meet their purpose it is appropriate for the term,
“sensitive personal data” to be defined in the definition clause itself. The rules at present
do not contain such a definition, but only contain an illustrative list of what constitutes
“sensitive personal data”, under Rule 3. A more prudent approach may be first to define,
“personal data” and then to qualify what classes of personal data constitute, “sensitive
personal data”. The definition of “personal data” under the EU Data Protection Directive
No. 95/46/EC may be relied upon in this regard. Other recommended terms for definitions
are, the data subjects from whom information is gathered and/or processed.

1.2. The list which is contained under Rule 3, defines, “sensitive personal data or
information”, to consist of, “(i) password; (ii) user details provided at the time of
registration or therafter; (iii) information related to financial information such as Bank
account / credit card / debit card/ other payment instrument details of the users; (iv)
Physiological and mental health condition; (v) Medical records and history; (vi) Biometric
information; (vii) Information received by body corporate for processing, stored or
processed under lawful contract or otherwise; (viii) Call data records;”. This list may be
expanded to include political affiliations, memberships of organizations as well as sexual
orientation.

1.3. In regard to this list, sub-rule (vii) which reads as, “Information received by body
corporate for processing, stored or processed under lawful contract or otherwise” stands
out. When compared to the precision of the other sub-rules, sub-rule (vii) is overly broad
and would include all information which is gathered. It would advisable to qualify the term
by amending it to, “information which is capable of personally identifying a person,
individually or when aggregated”. It is also pointed out that sub-rule (vii) is also a

1
From the India Law and Technology Blog accessible at www.iltb.net
 departure from the approach of the rules as well as Section 43A, which only seeks to
protect, “sensitive personal data” as opposed to mere “personal data”. This also ties in
with the necessity to define, “personal data” and “sensitive personal data” separately.

1.4. It is also suggested that, browsing data which is also gathered and aggregated by
websites and search engines may be expressly included. This browsing data which
includes, IP Addresses, geographical data, search logs etc. though such data may not
individually constitute “sensitive personal data”, however, when it is aggregated it reveals
a detailed profile of a person. This can be data which already falls within the existing
classes, such as a “mental health condition” or may even fall outside, such as the person’s
political affiliation or sexual orientation. The proviso to Rule 3 which has a carve-out in
favor of releasing sensitive personal information under the Right to Information Act, 2005
is recommended to be maintained.

2. PRIVACY POLICY

2.1. Rule 4 contains the requirement of a privacy policy. The Rule states that the privacy
policy, must be “available for view of such providers of information”. Here is it important
for the rules to provide for the privacy policy to be prominently displayed and/or be easily
accessible. In most cases websites require subscription and the viewer to go through a
sign-up process. In such instances, websites usually do not display the terms of the
access as well as their privacy policy as done in a routine sign-up process. Hence, here
the viewer has not consented to the collection of personal data and should be notified of
the privacy policy by a clear link on the homepage of the website. In the absence of such
a clear notice to the viewer, the information gathering will be without consent.

2.2. It is also recommended that the rules to provide for the privacy policy to be drafted in
clear and comprehensible language. This is important since, most viewers may not
understand complicated legalese defeating the very purpose of a privacy policy.

2
From the India Law and Technology Blog accessible at www.iltb.net
 2.3. Rule 4 also provides for the contents of the privacy policy. It states that the policy should
provide for, “(i) type of personal or sensitive information collected under sub-rule (ii) of
rule 3”. If one looks at sub-rule (ii) all it provides for is, “(ii) user details provided at the
time of registration or therafter”. Hence by necessary implication, the privacy policy
which is made available will not contain the notice and treatment of the information
gathering of other classes of “sensitive personal information” as contained under Rule 3.
Similarly requirements which are contained under Rule 5, such as, “(6) body corporate or
any person on its behalf shall permit the users to review the information they had
provided and modify the same, whenever necessary”, are presently not required to be
reflected in the privacy policy. This certainly requires revision. In this respect it is
suggested that the Rule may be redrafted to state that the privacy policy should contain
and provide for information on all requirements imposed under the rules for the gathering,
collection, processing etc. of sensitive personal data.

3. COLLECTION OF INFORMATION

3.1. Rule 5 makes consent to be the very basis of the collection of the information. The
privacy policy is the notice of the terms, through which an information provider can grant
this consent. This goes back to the point, as to how the privacy policy has to be, (a)
prominently displayed; and (b) complete.

3.2. A comment is made in respect of Rule 4.4 on the point of data retention. Sub-rule 4.4 in
its present form states that, “body corporate or any person on its behalf holding sensitive
personal information shall not keep that information for longer than is required for the
purposes for which the information may lawfully be used”. In this regard it is suggested
that a specific retention period may be inserted which may be between 30 to 60 days.
Often websites and online service providers hold archival data which contains such
personal data to improve their service as well as to analyze their services. Here it may be
reasonable to allow a body corporate to hold sensitive personal data for a period not
exceeding 30/60 days from the date of the complete performance of the purpose for
which the data was gathered, collected etc.. Such a change may also aid national security

From the India Law and Technology Blog accessible at www.iltb.net 3

 requirements which may require the retrieval of such archived data. The rule should also
provide that at the end of such a period, the body corporate should destroy the data or
delete it in a manner making its retrieval impossible.

3.3. With regard to Sub-Rule (6) it will also be useful for the body corporate which gathers,
collects the sensitive personal information to provide the contact details of a person
alongwith an email address with whom a user can constant to review the information. This
person may be the designated privacy officer to comply with the provisions of the rules.

4. DISCLOSURE OF INFROMATION

4.1. The main focus of the regulations is preventing the unauthorized release of sensitive
personal data as provided under Rule 6. Rule 6(1) provides that the disclosure of the
information will require the prior permission of the user which has provided such
information. However, with regard to the disclosure of such information from one private
party to another, privacy policies generally reserve such rights in favor of the body
corporate which gathers such information. The rules with regard to the disclosure of such
information are broadly worded and since most users do not pay much attention to the
contents of such rules, they ostensibly grant consent without knowing the full extent of
such consent. Here is it advisable even when the disclosure of sensitive personal data is
made by the body corporate to a private third party, as it is authorized to do so under its
privacy policy a notification may be sent to the user whose information is so disclosed.

4.2. Rule 6(1) also contains a proviso which states that, “provided that the information shall be
provided to government agencies for the purpose of verification of identity, or for
prevention, detection, investigation, prosecution, and punishment of offences. The
government agency shall send a written request to the body corporate processing the
sensitive information stating clearly the purpose of seeking such information. The
government agency shall also state that the information thus obtained will not be
published or shared with any other person.”. Further Rule 6(2) provides that, “without

From the India Law and Technology Blog accessible at www.iltb.net

4
 prejudice to sub-rule (1) of Rule 6, any information shall be disclosed to any third party
by an order under law for the time being in force.”.

4.3. It is pertinent to point out that regulations already exist with regard to the interception
and monitoring of Information under the Information Technology Act, 2000. The
Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009 (hereinafter “Interception Rules, 2009”) provide
for a comprehensive and constitutionally sound framework for the disclosure of
information. Provisions of the Interception Rules, 2009 are formed under the constitutional
safeguards as enunciated under Peoples Union for Civil Liberties v. Union of India ,
[(1997) 1 S.C.C. 301 hereinafter PUCL case], popularly referred to as the telephone
tapping case. In the PUCL case the Hon’ble Supreme Court made clear procedural
guidelines for telephone tapping following which Rule 419A of the Telegraph Rules were
made. The Interception Rules, 2009 borrow heavily from Rule 419A of the Telegraph
Rules and it is suggested that the proviso be suitably amended to incorporate the
safeguards as contained under the Interception Rules, 2009.

4.4. In the absence of such an amendment, the proviso to Rule 6(1) and Rule 6(2) are liable to
be held ultra vires the PUCL holding in case of constitutional challenge. Rule 6(1) at
present is overbroad in as much it provides information to be disclosed for, “the purpose
of verification of identity, or for prevention, detection, investigation, prosecution, and
punishment of offences”. This categorization is broader than the categories which are
found in PUCL, the Telegraph Rules and more pertinently the Interception Rules, 2009.
The Interception Rules, 2009 making reference to Section 69 provide for the interception
or monitoring or decryption of information only in cases of, “necessary or expedient to do
in the interest of the sovereignty and integrity of India, defense of India, security of the
State, friendly relations with foreign states or public order or for preventing incitement to
the commission of any cognizable offence”.

4.5. Secondly the Interception Regulations, 2009 contemplate disclosure of information only on
the basis of an order from a high level functionary (Rule 3 of the Interception Regulations,

From the India Law and Technology Blog accessible at www.iltb.net

5
 2009) which is quite different from the general wording of, Rule 6(1) which presently
reads as, “be provided to government agencies”. There also a whole set of safeguards
such as, a review committee, a written order etc. which are found under the Interception
Regulations, 2009 and are missing under the proposed rules. These differences are
material since flowing from Supreme Court dicta even though privacy is not an absolute
right, the circumstances of its disclosure should be narrowly defined as per an established
procedure to prevent unauthorized disclosure. The absence of procedural safeguards
when interfering with privacy rights may cause body corporates to overenthusiastically
share data with government agencies to ward of prosecution. There are real dangers of
such orders being unauthorized, as demonstrated by the ongoing Ratan Tata privacy
litigation in the Hon’ble Supreme Court of India. Hence it is essential for procedural
safeguards to be present to maintain constitutional levels of privacy and prevent
unauthorized disclosure.

4.6. A point of differentiation/objection which may be made to above proposals, that the
Interception Regulations, 2009 applies in cases of real time interception which is based on
monitoring from the date of the order whereas the present disclosure will apply in case of
archived information. This difference only increases the need for safeguards as, (a) the
archive will reveal more amount of information which has been collected over a period of
time; (b) the nature of the information is not real time chatter which needs to be sifted
through but catalogued “sensitive personal data”.

From the India Law and Technology Blog accessible at www.iltb.net 6

Comments on Information Technology (Due diligence observed
2
by Intermediaries Guidelines) (Draft) Rules, 2011

Draft rules
under section 79
From the India Law and Technology Blog accessible at www.iltb.net
1. PREMISE OF THE GUIDLINES

1.1. The Information Technology (Due diligence observed by Intermediaries Guidelines) (Draft)
Rules, 2011 (hereinafter Draft Intermediary Rules, 2011) which are sought to be formed under
Section 79 seek to draw brightline rules for internet intermediaries to avail exemptions from
liability for the services facilitated by them. Before offering comments on the rules it is
pertinent to mention the background to their introduction as well as the changes to Section 79
through the 2009 amendment. The introduction of the rules as well as the amendments to
Section 79 were necessary due to the increased litigation against online service providers who
were arraigned as parties and co-accused in cases of unlawful or illegal conduct by end users.
This was most prominently on display in the highly publicized case of Avnish Bajaj v. NCT
Delhi [hereinafter bazee.com case].

1.2. Due to the bazee.com case there was demand for more clarity on the rules exempting
intermediaries from liability for illegal conduct of end-users. Section 79 was thereafter suitably
redrafted to remove several deficiencies and proceed on the premise of an intermediary not
being liable as long as it, (a) was not a source of the illegal content; (b) on receiving notice
took steps to cure the illegal activity or disable access to the illegal content. In this respect
Sec. 79(2)(c) states that the intermediary should, “observe due diligence while discharging his
duties and other such guidelines as the central government may prescribe”. Further Sec.
70(3)(b) provides that the intermediary shall be liable if, “upon receiving actual knowledge, or
on being notified by the appropriate government or its agency… the intermediary expeditiously
fails to expeditiously remove or disable access to that material or resource”. Hence, it is
essential for the rules to precisely define, (a) the sort of due diligence which should be
followed by an intermediary; (b) the framework and the timelines of providing the actual notice
and the intermediaries compliance.

2. DEFINTIONS

2.1. The first suggestion is with regards to the definitions under Rules 2(b) and 2(c), which define
“blog” and “blogger” respectively. The definition of a blog defines a category of websites,

From the India Law and Technology Blog accessible at www.iltb.net 7

 which consist of a, “shared on-line journal where users can post diary entries about their
personal experiences and hobbies”. The definition of blogger further states that a, “blogger” is
a “person who keeps and updates a blog”. These definitions are linked to the definition of a
“user” under Rule 2(k) which states that a “user”, “means any person including blogger who
uses any computer resource for the purpose of sharing information…”. Since the definition of a
user would ordinarily include a blogger, there is no utility which is served from the definitions
contained under Rules 2(b) and 2(c). While it is acknowledged that there have been frequent
complaints against blogs with most of the blocked websites under the directions to block
website dated 13th July, 2006 being blogs, there is no rationale to treat blogs under a different
footing from other forms of websites.

2.2. It is also pointed out that the definition of a “user” under Rule 2(k) of the Draft Intermediary
Rules, 2011 marks a departure from the definition of an “originator” present under Sec. 2(za) of
the Information Technology Act, 2000. Though the two definitions employ different
expressions they both contain the same concept. Hence there is duplication in purpose though
differences in expressions which leads to inconsistency and ambiguity. It is suggested that the
definition of a, “user” may be removed in favour of an “originator” as it exists under Sec. 2(za)
of the Information Technology Act, 2000.

3. DUE DILIGENCE OBSERVED BY INTERMEDIARY

3.1. As previously set out the purpose of the present guidelines is to bring clarity to the
circumstances in which intermediaries can escape liability. Hence, Rule 3(1) which provides for
the intermediary to publish,”the terms and conditions of use of its website, user agreement,
privacy policy etc.” should be suitably amended to, “terms and conditions, user agreements and
other forms of legal agreements which provide an originator with notice as to the terms of the
access.”.

3.2. Rule 3(2) further provides for various classes of content which the intermediary shall not allow
the originator to, “use, display, upload, modify, publish, transmit, share or store”. The various
classes of content include, sub-rule (a) which contains a prohibition against content which,

From the India Law and Technology Blog accessible at www.iltb.net

8
 “belong to another person”, and sub-rule (d) which prohibits content which, “infringes any
patent, trademark, copyright or other proprietary rights”. This provides for a private right of
action, which is quite distinct from the scheme of Section 79 inasmuch it provides for the
intermediary to act in terms of a government notification (See Sec. 79(3)(b)). Moreover,
conferring such a private right of action in terms of enforcement of intellectual property rights
calls for a notice and take down system which should be provided in detail as provided under
Sec. 512 of the Digital Millennium Copyright Act as existing in the United States. This includes
provisions as to the specification of a valid take down notice which is not found under the Draft
Intermediary Rules, 2011. In the absence of such a detailed procedure, intermediaries will be
under an obligation to comply with requests to take down content from private parties which
may cause “chilling effects” on free speech. It is recommended that the referred sub-rules
should be deleted with a separate set of rules be made under the Copyright Act, 1957 and the
Trademarks Act, 2002 to accommodate the potential safe harbors in case of infringement of
intellectual property.

3.3. Further sub-rules 3(2)(b) and 3(2)(g) provide for blocking content which, “is harmful,
threatening, abusive, harassing, blasphemous, objectionable, defamatory, vulgar, obscene,
pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically
or otherwise objectionable, disparaging, relating or encouraging money laundering or gambling,
or otherwise unlawful in any manner whatever” and “causes annoyance or inconvenience or
deceives or misleads the addressee about the origin of such messages or communicates any
information which is grossly offensive or menacing in nature;” respectively. Both these
categories are overbroad and go beyond the blocking of content which is contemplated
specifically under Section 69A. It is again stressed that the provisions of Section 69A have
been evolved keeping in mind the fundamental rights of right to life as well as the right to
freedom of expression and going beyond them would vest extraordinary powers of censorship
on private intermediaries. In this respect these sub-rules may be omitted and a reference may
be made to the Information Technology (Procedure and Safeguards for Blocking for Access of
Information by Public) Rules, 2009 (hereinafter the Blocking of Information Rules, 2009).

9
From the India Law and Technology Blog accessible at www.iltb.net
3.4. The Blocking of Information Rules, 2009 provide for an elaborate and well defined mechanism
for blocking information and it also contains safeguards for preventing a chilling effect on free
speech. In Rule 3 of the Blocking of Information Rules, 2009 specifically provides for the
appointment of a “designated officer” through a notification in the Official Gazette for the
purpose of issuing directions for blocking access. The Draft Intermediary Rules, 2011 go much
beyond this in Rule 3(4) when it states, that “the intermediary upon obtaining actual knowledge
by an authority mandated under law for the time being in force…” should block access to the
information. This provision does not only go beyond the concept of the “designated officer” but
due to its generality is susceptible to abuse. It is strongly recommended that Rule 3 may be
completely redrafted keeping in view the concerns of infringement of the right to speech and
expression.

3.5. With regard to Rule 3(9) of the Draft Intermediary Rules, 2011 it is suggested that the rule may 11
be completely deleted as it is broader than the well defined set of rules which have been
formed under Sec. 69 of the Information Technology Act. For the reasoning to this suggestion
attention is invited to paragraph 4.3 and 4.4 of the previous section where a substantially
similar provision is analyzed and recommended for deletion.

3.6. With regard to Rule 3(14) it is recommended that the rule may be suitably redrafted to include
the complete contact details of a person or an agent who is designated as the compliance
officer for the purposes of the rules. It is also recommended that the proposal of maintaining an
online registry of such compliance officers may be contemplated by the Ministry of Information
Technology.

From the India Law and Technology Blog accessible at www.iltb.net 10

Information Technology (Guidelines for Cyber Cafe) Rules, 2011
3

Draft rules
under section 79
From the India Law and Technology Blog accessible at www.iltb.net
1. Licensing vis-à-vis Registration

1.1. The Information Technology (Guidelines for Cyber Cafe) Rules, 2011 (hereinafter Draft
Cyber Cafe Rules, 2011) which are sought to be formed contemplate for the mandatory
registration of Cyber Cafes when they provide for in Rule 2(h) a “licensing authority”
which, “means an agency designated by the appropriate government to issue licenses to
cyber cafes for their operation”. Rule 3 further provides that, “appropriate government
will notify an agency to issue licenses to cyber cafes”. This provision of mandatory
licensing is strongly recommended for deletion since it will hamper the ongoing efforts
to improve internet penetration in the country. Cyber Cafes constitute an important
facility in non-metro cities and rural clusters where computer facilities are not routinely
available. By making a mandatory licensing regime, the costs as well as the compliance
issues will increase threatening the penetration of internet in rural and semi-rural
areas.

1.2. Also under the existing powers of State Governments to make rules to govern Cyber
cafes, out of the 4 states which have such rules, viz. Karnataka, Andhra Pradesh,
Gujarat and Maharashtra; only Gujarat and Maharashtra require for the prior licensing of
cyber cafes. Hence licensing should be seen as an exception rather than the rule with
most states not even having rules regulating Cyber Cafes. In this respect most state
governments already have local laws which are variations of the Shops and
Establishments Act in compliance with which Cyber Cafes are allowed to function. By
making compulsory licensing under the Draft Rules, there will be an added layer of
regulation increasing the difficulty of opening a Cyber Cafe.

1.3. It is also highlighted that the rules at present do not provide for the conditions of such
licensing and in the absence of such conditions onerous conditions may be imposed. It is
suggested instead of licensing a compulsory registration procedure may be established
for the operation of cyber cafe. The registration may be with regard to the proprietor of

From the India Law and Technology Blog accessible at www.iltb.net

11
 the establishment as well as the details of the establishment itself. This will impose a
lower compliance cost on cyber cafes as well as ensure the operation of the Cyber Café
Rules, 2011. In this regard an online registration may be followed up by a physical visit
by a registration officer with each cyber café having its unique registration number.

2. Identification of Users

2.1. The provisions with regard to the identification of users are recommended to
maintained in their present form however it is recommended that the provisions
governing the access of children to cyber cafes, as provided under Rule 4(3) be
omitted. The reason for this is children may not be carrying photo identity cards as well
as being accompanied by a guardian may be onerous. It is also pointed out that Rule
4(3) mentions, “children” and not “minors” with the age being left undefined.

3. Log Register

3.1. The provisions with regard to maintenance of log registers are unduly onerous and it
also poses substantial risks as to the privacy of cyber café users. When the visitor logs
maintained as per Rule 5(1) are matched against the surfing history which is maintained
under Rule 5(3), then it will provide substantial and sensitive personal information of
cyber café visitors. Cyber Café visitors are occasional as well as regulars. In case of
regular Cyber Café visitors such information which is gathered over a period of 6
months as contemplated under Rule 5(3), when aggregated will reveal a detailed surfing
history of the visitor.

3.2. Further Rule 5(2) which contemplates the Cyber Café to prepare a monthly report of the
log register and submit it to the licensing agency when coupled with Rule 7(1) which
authorizes a police officer to inspect a cyber café and its records, renders a real
likelihood of privacy invasion. To safeguard against this privacy harm there are no
safeguards which are incorporated in the present rules beyond unwarranted disclosure

From the India Law and Technology Blog accessible at www.iltb.net 12

 to third parties. However, this is in complete violation of the right to privacy,
interference with which is only allowed under a definite set of circumstances as laid
down by Supreme Court dicta and the regulations formed under the IT Act as
highlighted in Paras 4.3 to 4.5 on pages 6 and 7.

4. Physical Layout of the Cyber Cafe

4.1. Rule 6 which provides for the physical layout of the Cyber Cafe is contrary to liberal
notions of privacy in shared spaces and is recommended for deletion. Rule 6(1) whereas
requires the length of partitions of computer cubicles not to exceed four and a half feet,
would render the online activity of any cyber cafe user open to unobstructed view of a
person standing near the cubicle. In some settings it may even allow a person sitting on
the next terminal to view the activity in the adjoining one.

4.2. This would certainly decrease the business of cyber cafes as India is a highly inquisitive
society and there would be a constant fear of eavesdropping and leakage of information.
Even routine emails or chats contain information of an incredibly personal nature and
mandating the length of the partitions is similar calling for an abolition of phone booths.
Moreover, if the provisions on user logs are properly implemented there is no purpose
which is served from moderating the expression of a cyber café user through the
peering eyes and the quick judgment of strangers.

4.3. Rule 6(5) is also reccomdend for deletion as filtering software has not yet achieved
precision and it causes the omission of legal content which may contain terms related to
pornography, obscenity and/or terrorism. For instance, filtering software is liable to
prevent results of academic research and literature when searching on topics which
contain related terms to pornography, obscenity and/or terrorism. Moreover, the
Hon’ble Bombay High Court in its Order dated 13.2.2002 in Writ Petition No. 1611 of
2001 has stated that site blocking without objective guidelines is not feasible or
constitutionally maintainable.

From the India Law and Technology Blog accessible at www.iltb.net

13
Acknowledgments are given to the Center for Internet and Society and the Medianana Blog who
have raised similar concerns on the draft rules.

Apar Gupta
Partner, Accendo Law Partners
E-215, Third Level, East of Kailash, New Delhi - 110062
Email apar@accendolaw.com • Mobile 9990000256

From the India Law and Technology Blog accessible at www.iltb.net