Since the advent of civilisation, man has always been motivated by the need to make progress and enhance the existing technologies. This has led to some groundbreaking developments that have been a launching pad for further progress. Of all the significant advances made by mankind to date, probably the most important of them is the development of the internet; although it must also be kept in mind that the internet’s rapid evolution has also raised copious legal issues. As the internet landscape grows shady in parts, countries throughout the world are resorting to different approaches towards controlling, regulating and facilitating electronic communication and commerce.

The internet and electronic-based trading systems are affecting all aspects of commercial/business entities. The internet revolution allows IT-centric management to make timelier and higher-quality decisions.

The internet has tested the limits of regulation, prompting some to declare “independence”[2] and yet others to declare it beyond the limits of governance.[3] In their book Who Controls The Internet, Jack Goldsmith and Tim Wu focus on state responses to the internet’s challenge to national sovereignty.[4] Goldsmith and Wu explore three main arguments. First, the internet is a medium like any other, and national governments continue to exercise control over the internet by exercising national law. Second, geography and government retain their central importance in the Internet despite continued globalisation. Third, an increasingly “bordered” internet is an important development.

When the preliminary draft version of India’s internet and e-commerce legislation was prepared it was called the Electronic Commerce Bill, in line with its prime objectives and duly referring to the Ministry of Commerce which produced it. With the creation of the Ministry of Information Technology, the draft Bill was rechristened with a rather generic title. The purpose of the Information Technology Act 2000 (the IT Act, enacted on 17 October 2000) was “functional equivalence” that electronic records and transactions would be accorded an equal weight in evidence law as “traditional paper records”.

The General Assembly of the United Nations, by resolution dated 30 January 1997, had adopted the Model Law on Electronic Commerce and recommended that all states should give favourable consideration to it when enacting or revising their laws.

The IT Act has been passed to give effect to the UN resolution and to promote efficient delivery of government services by means of reliable electronic records.

The IT Act, as originally enacted, contained various loopholes and lacunae. These grey areas were excusable since this was the first time such laws were introduced in India, and every law needs time to mature and develop. It was understood that the law would grow over a period of time and further amendments would be introduced to make it compatible with international standards. The nature of cyberlaw is such that we must consider any new development that may take place in the future. Since the internet has no boundaries, any person sitting in an alien territory can wreak havoc on India’s computer system. It is for this reason that there was a need to anticipate future threats well in advance. Thus a “futuristic aspect” of the law had to be considered.

The amendments: a reaction

The 2008 amendments to the IT Act were, to a certain extent, a reaction to recent developments (service provider liability issues, auction sites, sleazy video clips and so on). For the most part, offences under the Act have been made compoundable[5] – that is to say, the parties can settle the matter between themselves. This is a welcome development, as most crimes target specific individuals and it is appropriate for said individuals to resolve the situation.

The offences which have been made compoundable are the following:

  • Section 66: If a person dishonestly or fraudulently commits any act which damages the computer or the computer system, he or she shall be subject to a fine of up to 500,000 rupees or imprisonment for up to two years.
  • Section 66A: If any person sends, by means of a computer resource or electronic communication, any content which is grossly offensive or has a menacing character or which is not true but is sent to create nuisance, annoyance, criminal intimidation, hatred or ill will, etc, he or she shall be subject to imprisonment for up to two years, along with a fine.
  • Section 72: If a person is found in possession of confidential information such as an electronic record, book, register or correspondence, and he or she is found to disclose it to any third party without the consent of the person concerned, then he or she shall be subject to imprisonment for up to two years or a fine of up to 100,000 rupees, or both.
  • Section 72A: If any person, while providing services under the terms of the contract, secures access to any material containing personal information about another person, with the intent to cause wrongful loss or wrongful gain through disclosing the information without the person’s consent, or in breach of a lawful contract, he or she shall be subject to imprisonment for up to two years or a fine of up to to 500,000 rupees, or both.

The medium, not the machine

It is important to remember that the internet is principally a medium, which can be regulated by focusing on different areas. To be effective, a law must apply to, or regulate, one or more of the following aspects: the physical (the wires, hardware, the device itself); the digital (the code or the “spectrum”); and content (whether prohibited socially censored comments or proprietary material).

Data privacy and information security

In view of recent concerns about the operating provisions in the IT Act related to data protection and privacy, in addition to contractual agreements between the parties, the existing sections (43, 65, 66 and 72A) have been revisited and some amendments and/or more stringent provisions have been provided for in the Act. Notable among these are:

  • section 43(A), related to the handling of sensitive personal data or information with reasonable security practices and procedures;
  • the gradation of severity in computer-related offences under section 66, covering those committed dishonestly or fraudulently and punishment; and
  • the addition of Section 72 A for breach of confidentiality with the intent to cause injury to a subscriber. This is recognised as a sufficient protection under the EC Directive.[6]

Contractual agreements are those which are signed between parties where one party provides services on the basis of the contract signed. There is always a provision, in any contractual agreement, not to leak any information which is imperative for the running of the business. According to section 72 (A), anyone found leaking any information relating to a third person, without his or her consent, shall be punished with imprisonment or a fine of 500,000 rupees.

Section 79: safe harbour

Section 79 of the IT Act 2000 (amended in 2008) provides for an exemption to an intermediary. The meaning of the term “intermediary” has been defined under section 2(w) of the IT Act. According to the IT Act, any individual who, on behalf of another, receives, stores and transmits information, or provides any other service with respect to that information, comes under the category of an intermediary. This also includes internet service providers such as Twitter or Facebook, which are restricted to receiving, storing and transmitting information about individuals to their listed friends, subscribers and followers. Such intermediaries merely act as a platform for people to communicate with one another.

Section 79 of the IT Act exempts an intermediary from liability in certain circumstances. The prerequisites have been mentioned in the IT Rules on Intermediaries and are as follows:

1.   An intermediary must not be held liable for third-party content, information or data hosted by it if:

  • the function of intermediary is limited to providing access to a communication system;
  • the intermediary did not initiate the transmission;
  • the intermediary did not select the receiver of the transmission;
  • the intermediary did not select or modify the information contained in the transmission; and/or
  • the intermediary observed due diligence while discharging his/her duties under this Act.

2.   The intermediary did not conspire, abet, aide or induce the commission of the unlawful act.

3.   The intermediary has never had the knowledge of, nor has it been sent a notice to remove, the objectionable material, nor has it failed to remove it on request.

Anyone would safely assume after reading section 79 that social networking sites would not be held liable for unwarranted content that has been uploaded onto their respective websites. However, this is not the case because under the Information Technology (Intermediaries Guidelines) Rules 2011, Rule 4(4), the intermediary is bound to take action within a reasonable amount of time to remove the objectionable content from its servers if the objectionable content is brought to the notice of the intermediary. The meaning of “reasonable amount of time” has not been defined and is therefore left to interpretation by the courts.

Now we will examine the various legal issues (below) that apply to social networking sites, as well as their users, in India.

1. Defamation

In India, the defamation law protects the reputation of a person. According to section 499 of the Indian Penal Code 1860 (the Penal Code), anything that has been put in writing, either in electronic or print form, which is not true and which offends an individual will amount to defamation. The punishment for defamation has been provided under section 500 of the Penal Code, which stipulates a prison sentence of two years or a fine or both.

The concept of defamation on the internet is not new. In the case of Gutnick v Dow Jones,[7] the publisher Dow Jones was taken to court in Australia because of an article, considered defamatory in Australia, that appeared on Barron’s Online, the website for the American weekly newspaper published by Dow Jones. The High Court of Australia held that, under the existing principles of defamation law, the legal proceedings should be undertaken in the place where the communication is received, not where the communication is sent from. This same principle is applied equally to internet communications, despite the new nature of the technology. In this case, involving information published on the internet in the United States and read in the State of Victoria, Australia, the suitable jurisdiction for a court action was Victoria.[8]

Dow Jones was held liable because it was the publisher of the article. As a comparison, let us imagine that an individual who has a Twitter account with over 10,000 followers writes content, pertaining to a celebrity, that is defamatory. Such content is being uploaded live without being reviewed by any Twitter employee. Twitter – as with other social networking websites – merely provides a platform for individuals to connect with one another. Therefore the question arises, would defamation laws that have been applied to defamatory content on non-social networking sites such as newspapers and TV channels also apply in the case of social network sites like Twitter?

Each day an average of 400 million tweets get uploaded on to the Twitter website. Since it is not humanly possible for Twitter or any other social networking site to review so much content, the site would also not be in any position to remove defamatory content on its own. If, once the content has been brought to Twitter’s attention, the site owners fail to remove the content in a reasonable amount of time, then it is Twitter’s company executives, along with the individual who has tweeted the defamatory content, who would be held responsible.[9]

2. Threatening messages/offensive communication

Messages on social networking sites of a threatening or intimidating nature can also cause grievous harm and injury to the intended recipient/target. In such cases, under section 66A of the IT Act, such an offence may lead to a prison sentence of up to three years, as well as a fine, for the individual who has committed the offence of sending threatening messages to other individuals.

In August 2012, certain incendiary and false information concerning the Assam riots were uploaded by individuals on social networking sites, which caused fear among northeasterners living in the southern states of India.

The government asked the social networking sites, including Twitter, to remove the content, to which Twitter complied. But what if Twitter, as an intermediary, had not complied with the government and had not removed the content in accordance with the guidelines prescribed under the IT Act? In that situation, Twitter would have been held criminally responsible for the act, along with the individual who committed the offence of sending incendiary and false messages. In this case, Twitter would not have been able to invoke the defence of section 79 of the IT Act.

3. Confidential information/data protection

In India, there is no legislation on data protection and data privacy. But under section 66C of the IT Act, there is some relief provided to companies and individuals whose personal data and privacy have been violated. Messages that reveal personal details of others without their consent could amount to an offence under section 66C. A social networking site could be brought in as a defendant in a legal case, if it fails to remove such confidential information about the individual from its servers.

Drawbacks of the new legislation

The amendments ignore existing international classifications of cybercrimes. The Council of Europe’s Convention on Cybercrime[10] identifies the following as offences which should be incorporated into substantive criminal law. The most relevant provisions are:

•          offences against the confidentiality, integrity and availability of computer data and systems:

•          illegal access (Article 2);

•          illegal interception (Article 3); and

•          data interference (Article 4);

 •         computer-related offences:

•          computer-related fraud (Art. 8);

•          content-related offences:

•          racial hatred, obscenity and other classifications; and

•          offences related to infringements of copyright and related rights (Article 10).

 

[1] The authors would like to thank Dipankur Sharma and Kshitij Parashar for their help in researching this article.

[2] In February 1996, John Perry Barlow issued a manifesto called A Declaration of the Independence of Cyberspace (available at <http://w2.eff.org/Misc/Publications/John_Perry_Barlow/barlow_0296.declaration.txt>.

[3] Johnson, David R /Post, David G. “Law and Borders - The Rise of Law in Cyberspace”, 48, Stanford Law Review 1367 – 1402 [1996].

[4] Who Controls the Internet? Illusions of a Borderless World, Oxford University Press.      

[5] Section 77A provides that the “offences under sections 66, 66A, 72 and 72A may be compounded by the aggrieved person”.

[6] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) available at <http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML>.

[7] Dow Jones & Company Inc v Gutnick [2002] HCA 56.

[8] Ibid.

[9] Rule 4(4) of the Information Technology (Intermediaries Guidelines) Rules 2011, Information Technology Act 2000 [Amended 2008].

[10] See Convention on Cybercrime available at <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>