The notification of the Information Technology Rules 2011 in April 2011 include new privacy and online publishing regulations, which could pose significant roadblocks for business operations with restrictive handling of personal data and information and introduction of stringent guidelines for intermediaries and cyber cafes.

Various rules under four broad categories introduced by the ministry of communication and information technology have evoked strong reactions from industry observers and overseas clients of IT and BPO companies.

With many believing that it could have a drastic impact on the entire business landscape, the privacy rules as well as guidelines for intermediaries have been criticised as unduly harsh by companies such as Google.

According to the Washington Post:

“The rules in India’s Information Technology Act govern the collection and use of personal information including banking and medical details. But business leaders in India and the United States worry that they add a cumbersome layer of disclosures such as obtaining written consent from each customer before collecting and using personal data.”

“Google has protested some sections of the rules, which make Internet intermediaries responsible for any objectionable content, which is defined as ‘harassing,’ ‘grossly harmful’ or ‘ethnically objectionable’.”

The changes stem from the April 2011 and now notified IT Ministry’s rules including the Information Technology (Electronic Service Delivery) Rules, 2011; the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011; the Information Technology (Intermediaries guidelines) Rules, 2011 and the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

Rules on intermediaries introduce strict online content control for own and third-party content

Under the Information Technology (Intermediaries Guidelines) Rules 2011, “intermediaries” of data are required to adhere to various duties and obligations and observe proper due diligence while dealing with information of third parties and in effect data that intermediaries themselves choose to publish.

According to the Information Technology Act Amendment Act 2008:

‘Intermediaries’ are persons who receive, store, transmit or provide any service with respect to an electronic record, such as telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes.

Third parties or “users” are defined widely in the Guidelines to include third parties and anyone using an intermediary to publish or even just host information: “any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary [sic]”.

According to the Intermediaries Guidelines Rules, intermediaries can be liable and:

“shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission” for any information from “users” that is “grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever”

The rules exclude “temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control”, subject to a 36-hour take-down provision after becoming or being made aware of the content.

Strict sensitive data and online privacy rules

ALMT Legal has issued a client alert late last month, with a particular focus on the privacy regulations.

Barring information available in the public domain or obtainable under the Right to Information Act, every organisation with commercial/professional objectives has to procure written consent from the person whose “sensitive personal data or information” is being used or collected.

Sensitive personal information could cover financial information, passwords, medical history, biometric information etc and a body corporate is required to adhere to (amongst others) the following regulations, according to ALMT:

“Personal information cannot be collected unless:

• it is for a lawful purpose and connected with the function or activity of the body corporate; and
• it is considered necessary for that purpose.
• While collecting personal information directly from the concerned person, steps should be taken to ensure that the person has reasonable knowledge of the following facts:
• the information is being collected;
• purpose for which the information is being collected;
• the intended recipients of the information; and
• the name and address of the agency that is collecting the information and the agency that will retain the information.

The personal information cannot be retained longer than is required for the purpose for which it may lawfully be used or is otherwise required under law.

The provider of personal information must be allowed to review the information and ensure that if found to be inaccurate or deficient, it shall be corrected or amended.

Disclosure of personal information to a third party will require prior written permission, unless agreed in the contract between the body corporate and the provider of the information, or the disclosure is necessary for compliance of a legal obligation.

The body corporate is required to provide a privacy policy for handling or dealing in personal information which must be available to the provider under a lawful contract. The policy will need to be published on the website of the body corporate.

Cyber Café registration

According to ALMT “cyber cafés are required to obtain registration with a unique registration number with an agency to be notified by the government. The cyber café will need to establish the identity of each user and keep a record of the same in a log register for one year. Further, it is required to maintain for one year back ups of the log records for each access or login by its users (including history of websites accessed)”.

Photo by Okko Pyykko