Tag Archives: Information Technology Act

Draft E-commerce Policy: The dawn of a new beginning

Data is the basic building block of everything we are trying to do in this age of Industry 4.0. Data is a valuable resource for any individual, corporation or the Government. Data can be used for analytical, statistical, business, security purposes among various other things. Keeping ‘data’ central to the idea of governing the e-Commerce industry in India the Department for Promotion of Industry and Internal Trade on February 23, 2019, published the ‘Draft e-Commerce Policy’ (“Draft Policy”).

The overall objective of the Draft Policy is to prepare and enable stakeholders to fully benefit from the opportunities that would arise from progressive digitalization of the domestic digital economy. The Draft Policy focuses on data protection, the State’s paternalistic attitude towards the use of the citizen’s data and cross border transactions. The Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. On a holistic level, it is understood that these technologies empower e-commerce industry currently and are integral to its growth and therefore the Government intends to bring these technologies under the purview of the Draft Policy. The Draft Policy is a mix of visionary thought process, advanced technological solutions, putting in place digital infrastructure to support India’s digital economy etc.

DATA

The Draft Policy resonates the idea and intent of the legislature that is formulated under the Data Protection Bill, 2018 as far as the rights over data of an individual is concerned. The collective idea of the Draft Policy is to streamline the protection of personal data and empowerment of the users/consumers with respect to the data they generate and own. Though the question to be assessed here is whether this is the real intent of the Draft Policy?

The Draft Policy recognises the rights of an individual over its data by stating that “An Individual owns the right to his data” and therefore the use of an individual’s personal data shall be made only upon seeking his/her express consent. It further states that the data of a group is a collective data and therefore a collective property of that particular group; it extends this rationale to state that “Thus, the data that is generated in India belongs to Indians, as do the derivatives there from”. But the Draft Policy ends up categorising data of Indians as a collective resource and therefore a “national resource”.

The abovementioned intent of the Draft Policy is fair and strives to achieve the greater good of the country, but at what stake? If personal data belongs to an individual then this objective appears that the State wants to interfere with the personal rights of a person. The Draft Policy clearly states that “All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent”, what follows this point in the Draft Policy, restricts sharing of data with any third party in a foreign country even if the individual has consented to such sharing of the data.

The intent behind such restriction is that currently, India lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on cross-border flow of data Indian stakeholders will merely be engaged in back end processing of data for the EU / US based e-commerce entities without having the ability to create any high-value digital products. While the Government considers data as a national resource and compares it with coal, telecom spectrums etc. it ignores the fact that the inherent nature of personal data is that it belongs to an individual and not to the State, unlike coal.

The obvious reason as to why the State is taking such a stance is to eliminate issues related to consent asymmetry. But is this paternalistic attitude warranted?

If the Government is worried about foreign countries using our national resource i.e. data to their advantage it should put in place stringent data privacy and protection laws in India taking inferences from other countries.

DATA INFRASTRUCTURE

The Draft Policy takes forward the digital India initiative and intends put in place secure and digital infrastructure and encourage the development of data –storage facilities/ infrastructure including data centres, server farms, towers, tower stations, equipment, optical wires, signal transceivers, antenna etc.

The Government will add the above-mentioned infrastructure facilities in the  ‘Harmonized Master List’. This will enable regulation of the listed infrastructure in a more streamlined manner. Whereas the infrastructure will be put in place by various implementing agencies, while financing agencies may identify these as infrastructure that they may intend to support. This will facilitate achieving last mile connectivity across urban and rural India.

The Government by developing such data/digital infrastructure wishes to support India’s fast-growing digital economy and create employment.

EASE OF REGULATION

Given the interdisciplinary nature of e-commerce, it is important for the Government to tackle various regulatory challenges. The Draft Policy suggests formulating a Standing Group of Secretaries on e-Commerce (SGoS), which shall be an important body for tackling various legal issues emerging from various statutes such and Information Technology Act, 2000 and rules thereunder, the Competition Act, 2002 and the Consumer Protection Act, 1986.

Additionally, the Draft Policy states that “All e-Commerce websites and application available for downloading in India must have a registered business entity in India as the importer on record or the entity through which all sales in India are transacted”.

SIGNIFICANT HIGHLIGHTS OF THE DRAFT POLICY

  • The Government intends to continue charging custom tariffs on any digital goods being traded electronically (imposing custom duties on electronic transmissions). Whereas the Government is strict on its stance of not accepting the permanent moratorium on custom tariffs for goods (including digital goods) traded electronically as proposed by the WTO.
  • The Draft Policy states that there should technological standards put in place for emerging technologies like IoT, AI etc.
  • The Draft Policy introduces a term, namely ‘Infant Industry’ under which small scale entities facing entry barriers to enter the market will be integrated with market keeping data as a central to this integration. This will also help strengthen platforms like ‘e-lala’ and ‘Tribes India’.
  • The Government intends to establish technology wings in each Government department.
  • The Government intends to streamline the process of importing goods in India and harmonise the functions of various administrative bodies involved in the process of import of goods in India.
  • A body of industry stakeholders will be created that shall identify ‘rogue websites’. These rogue websites will be added to ‘Infringing Website List’ (IWL). IWL will enable the ISPs to remove or disable these websites. It will also enable payment gateways to curtail the flow of payments to or from such rogue websites. Search engines will be able to efficiently remove such rogue websites identified in the IWL.
  • There shall be no trade mark infringement and customers at large shall not be deceived by using deceptively similar trademarks. In case an e-Commerce entity receives a complaint about a counterfeit/fake product which is manufactured with intent to deceive the customers. The e-Commerce entity shall convey such misuse of the trademark within 12 hours from receiving the complaint to the trade mark owner. Whereas in case any prohibited goods/products have been sold on any e-commerce platform the entity operating such e-Commerce platform shall delist such products within 24 hours from receiving such complaint.
  • Any non-compliant e-Commerce entity will be not be given access to operate in India.
  • All e-Commerce sites/apps available to Indian consumers shall display prices in INR and must have MRPs on all packaged products, physical products and invoices generated.
  • In the view of misuse of ‘gifting’ route, as an interim measure, all such parcels shall be banned, with exception of life-saving drugs.
  • Details of sellers shall be available for all the products sold online.
  • Sellers shall provide undertaking regarding genuineness of any product sold online.
  • In case of a counterfeit product is sold to a consumer, the primary onus to resolve such an issue will be of the seller but the intermediaries shall return the money paid to them by the customer and the marketplace shall seize to host such products on their platforms.
  • The intermediaries shall curtail piracy on their platforms.
  • An integrated system that connects Customs, RBI and India Post to be developed to better track imports.
  • The Draft Policy also intends to simplify the processes involved in export of goods by doing away with redundant requirements such as the need to procure Bank Realisation Certification

Once the final e-Commerce policy is enacted what will be interesting to see is whether Government opts for ease of governance or ease of doing business.

Overall this Draft Policy is a positive step towards making India one of the most prominent digital economies in the world, especially considering the strict stance the Government has taken during the WTO negotiations by not accepting the permanent moratorium on waiving custom duties on digital goods sold through electronic transmission. The Government intends to boost the local and home grown e-Commerce business entities and to provide a level playing field for MSMEs by retaining the rights to impose tariffs on electronic transmission through e-Commerce. Certain issues regarding data/personal data of an individual still needs a deep intellectual thinking, integrated with a practical approach from the Government before implementing a sector-wide policy, especially keeping in mind that at the end of the day personal data belongs to an individual and the use of such personal data shall be the decision of the respective individuals and not of the State.

Author: Manas Ingle, Associate, NovoJuris Legal

Social media, Fake news: Govt is proposing amendments to Intermediary Guidelines under Information Technology Act

The Ministry of Electronics and Information Technology on 24 December, 2018 released the Draft Information Technology (Intermediary Guidelines) (Amendment) Rules, 2018 (the “Draft Intermediary Rules”) and has invited comments and suggestions from all stakeholders on the same.

An ‘Intermediary’ under the Information Technology Act, 2000 is any person who on behalf of another person stores or transmits that message or provides any service with respect to that message. An Intermediary cannot knowingly host, publish or initiate the transmission, select the receiver of transmission, or select or modify the information therein. Thus, this would include telecom service providers, internet service providers, web-hosting service providers, search engines, online-payment sites, online auction sites, online market places, and also social media platforms, which seem to be the primary subject of the proposed amendment.

The Draft Intermediary Rules seeks to address the calling attention motion on “Misuse of Social Media Platform and spreading of fake news” admitted in the Rajya Sabha during the monsoon session this year. Thus, in order to strengthen the legal framework and make the social media platforms accountable the following amendments and new provisions are proposed under the Draft Intermediary Rules. Whilst the changes bring in more strict compliance from intermediaries and might drive the cost of compliance fairly high as well, it remains yet to be seen how many of these proposed changes make it to the final amendments.

Due Diligence obligations of the Intermediaries:

The Draft Intermediary Rules prescribes the following due diligence measures to be taken by Intermediaries:

Restriction on the proliferation of certain information by users

  • The Draft Intermediary Rules already requires Intermediaries to publish rules and regulations, privacy policy and user agreement, and such rules must inform the users[1] not to host, display, upload, modify, publish, transmit, update or share such information. The Draft Intermediary Rules however includes information which promotes cigarettes or any other tobacco products or consumption of intoxicant including alcohol and Electronic Nicotine Delivery System (ENDS) & like products that enable nicotine delivery in the list except to the extent permissible under the Drugs and Cosmetics Act, 1940.
  • The Intermediary is also required to inform its users at least once every month that in cases of non-compliance with rules and regulations, the Intermediary has the right to immediately terminate the access or usage rights of the users and remove non-compliant information.

Intermediaries to assist Government Agencies

  • Intermediaries with more than 50 Lakh users in India, or those Intermediaries specially notified by the government must be a registered company in India, have a permanent registered office in India, and appoint a nodal person of contact and alternate senior designated functionary for 24×7 coordination with law enforcement agencies in India.
  • The Intermediary must assist any government agency, security of the state, cyber security agency (those legally authorised) in matters of cyber security; or investigation or detection or prosecution or prevention of offence(s); protective or cyber security and those upon a lawful order. Such assistance must be provided within 72 hours and can be extended to tracing out the originator of information on its platform.
  • The government can seek the information about unlawful acts from the intermediaries by court order or by being notified by the government itself and the parameter to judge unlawful activities would be Article 19(2) of the Constitution, which would include inter alia, interests of the sovereignty and integrity of India, security of state, friendly relations with foreign states public order, decency or morality, etc. The timeline to comply with this is 24 hours, and such information and records must be preserved by the Intermediaries for at least 180 days for investigational purposes (or longer if court or government agency prescribes).

Intermediaries to develop internal mechanisms to tackle unlawful information

  • The Intermediary is required to use the help of technology based automated tools or appropriate mechanisms that should be deployed with appropriate controls for a proactive identification and removal or disabling of unlawful information or content.

Author: Mr. Avaneesh Satyang

 Sources: Invitation for Comments/Suggestions:

http://meity.gov.in/content/comments-suggestions-invited-draft-%E2%80%9C-information-technology-intermediary-guidelines

Draft Intermediary Rules:

http://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf

[1] A ‘User’ under the Draft Intermediary Rules means any person who accesses or avails any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

Regulatory Update: Ministry of Electronics and Information Technology- Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018.

The Ministry of Electronics and Information Technology (MEITY) vide notification dated 22nd May, 2018 has notified the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (“Rules”) which shall come into force on the date of publication in the Official Gazette.

The Rules detail the responsibilities to be met by various organisations which have a protected system. “Protected System” means any computer, computer system or computer network of any organisations notified under section 70 of the Act, in the official gazette by appropriate Government.

Constitution of Information Security Steering Committee

The Rules mandate that an organisation having a Protected System shall constitute an Information Security Steering Committee (ISSC) whose chairman shall be the Chief Executive Officer/ Managing Director/ Secretary of the organisation (Rule 3 (1) (a)). The composition of the ISSC as mentioned Rule 3 (1) (b) shall be as follows:

  • IT Head or equivalent;
  • Chief Information Security Officer (CISO);
  • Financial Advisor or equivalent;
  • Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
  • Any other expert(s) to be nominated by the organisation.

The ISSC shall be the apex body and its responsibilities (as mentioned under Rule 3(2)) shall be as follows:

  • All the information security policies of a Protected System has to be approved by the ISSC.
  • Any significant change in the network configuration which has an impact on the Protected System shall be approved by ISSC.
  • It is mandatory that each significant change in the application(s) of the Protected System shall be approved by ISSC.
  • A mechanism has to be established which ensures timely communication of the cyber incident(s) related to Protected System to the ISSC.
  • Protected System shall be validated for assessment after every 2 (two) years.

The Rules also lay down certain roles and responsibilities for the organisations having a Protected System (as mentioned under Rule 3(3)). Some of the key responsibilities are as follows:

  • Nominate an officer as CISO whose roles and responsibilities shall be as per the latest Guidelines for Protection of Critical Information Infrastructure (“Guidelines”) and “Roles and Responsibilities of CISOs of Critical Sectors in India” released by the (NCIIPC);
  • Plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of its system as per the latest Guidelines released by the NCIIPC or an industry accepted standard duly approved by the said NCIIPC;
  • Ensure that the network architecture of Protected System shall be documented;
  • The same shall be reviewed at least once a year, or whenever required, or according to the (ISMS);
  • Plan, develop, maintain and review the documents of inventory of hardware and software related to Protected System;
  • Ensure that the vulnerability/threat/risk (V/T/R) analysis for the cyber security architecture of Protected System shall be carried out at least once a year. Further the (V/T/R) analysis shall be initiated whenever there is significant change or upgrade in the system, by intimation of the same to ISSC;
  • Plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with NCIIPC;
  • Ensure conduct of internal and external Information Security audits periodically.
  • Establish a Cyber Security Operation Center (C-SOC) using such tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats.
  • The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
  • Establish a Network Operation Center (NOC) using tools and techniques to manage control and monitor the network(s) of Protected System.
  • Plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, etc. and services supporting “Protected System” and the logs shall be handled as per the ISMS as suggested.

The Rules also lay down responsibilities of the CISO towards NCIIPC (As mentioned under Rule 4). They are as follows:

  • CISO shall maintain regular contact with the NCIIPC and will be responsible for implementing the security measures.
  • CISO shall share inform the NCIIPC, whenever there is any change, and incorporate the inputs/feedbacks suggested by the said (NCIIPC)- with regard to details of Critical Information Infrastructure (CII), details of ISSC, network architecture of the Protected System., etc.
  • CISO shall establish a process, in consultation with the NCIIPC, for sharing of logs of “Protected System” with NCIIPC to help detect anomalies and generate threat intelligence on real time basis.
  • CISO shall also establish a process of sharing documented records of Cyber Security Operation Center (related to unauthorised access, unusual and malicious activity) of Protected System with NCIIPC to facilitate issue of guidelines, advisories and vulnerability, audit notes etc. relating to Protected System.
  • CISO shall establish a process in consultation with NCIIPC, for timely communication of cyber incident(s) on Protected System to the said NCIIPC.

Available at:

http://meity.gov.in/writereaddata/files/NCIIPC-Rules-notification.pdf