Opinion Too much information
The IT rules have some worrying provisions
The government issued four sets of rules related to the Information Technology Act in April. These rules were tabled in Parliament a few days ago and will be placed on the table for 30 days.
Rules, in general, form part of legislation and usually deal with details that may need quick changes in response to changing circumstances. Parliament retains oversight over rules and can modify them.
Three sets of the IT rules that have been tabled have important implications related to freedom of expression and privacy.
The Information Technology Act has a provision for safeguarding sensitive personal data or information (SPDI) maintained by companies. These companies are required to adhere to reasonable security practices and procedures (RSPP), and are liable to compensate for any loss due to negligence in maintaining such procedures. The act further states that RSPP will be determined by an agreement between the individual whose data is being maintained and the company holding the data. In the absence of such an agreement, the company will comply with such RSPP as notified in rules. The act also authorises the Central government to define what SPDI is.
The first set of rules defines SPDI as passwords, financial information, physical and mental conditions, sexual orientation, medical records and biometric information. It also lays down security practices and procedures. Interestingly, the rules require the data holder to share sensitive information with government agencies on a written request for the purpose of investigation, prevention and prosecution of offences. This requirement raises two issues. First, the RSPP will become relevant only in the absence of an agreement between the data holder and the data owner. Therefore, the facility of government agencies to obtain such information can be overruled by a private agreement. Second, the safeguards for accessing personal data are different from those in other laws. The IT rules just require a written request and an undertaking that the data will not be shared further. In contrast, the Criminal Procedure Code requires a magistrate to sign a search warrant. Interception of phone calls and Internet communication requires sanction from the Union or state home secretary.
The second and third sets of rules deal with the liability of intermediaries. The act specifies that an intermediary will not be liable for any third-party information, data or communication link made available by it. For example, an email service or an Internet service provider is not liable for data transmitted by it, and a web host for data stored by it. If the intermediary receives actual knowledge of any such information being used for an unlawful act, it is required to block access or remove the information.
The second set of rules now wants intermediaries to ensure that their terms of use prohibit certain content, such as content that is grossly harmful, blasphemous, defamatory, obscene, hateful, disparaging, relating to or encouraging money laundering or gambling, etc. There are three ways in which these rules affect the freedom of speech. First, some of these items, such as blasphemous and grossly harmful, are ambiguous and undefined. Second, these rules prohibit the posting of certain content on the Internet while it may be lawful in other media. For example, a blasphemous article may be permitted in print, but the rules might prohibit the same article from being reproduced in its Internet edition. Third, the rules may infringe the right to speech guaranteed under Article 19(1) of the Constitution. Several of the criteria that are prohibited in the rules do not fall under Article 19(2), which provides the list of circumstances in which the right may be curtailed.
The third set of rules requires cyber cafés to maintain a log of users with photos and the list of websites visited. As some of this data is personal in nature, this requirement may have negative implications for the privacy and personal security of users.
The rules also prescribe standards for seating layout in a cyber cafe and require a board announcing that users should not visit pornographic sites. Interestingly, the act defines a cyber cafe as a place where Internet access is offered to the public in the ordinary course of business. This may imply that airport lobbies and coffee shops that offer Wi-Fi access may have to comply with the seating conditions, or may have to discontinue such services.
These rules may be examined by the committee on subordinate legislation. An MP can also demand a discussion and move amendments till the end of the budget session 2012. Given the important issues that are raised in these rules, it would be interesting to see whether Parliament exercises its oversight function in examining and deliberating on them. It is noteworthy that no rule has so far been amended by Parliament in the 14th Lok Sabha.
The writer is with PRS Legislative Research, express@expressindia.com