INFORMATION TECHNOLOGY BILL 1999

SCOPE & IMPLICATIONS

Anthony Lobo, Tata Consultancy Services, Mumbai

India is on the verge of enacting its own legislation to provide the requisite infrastructure for E-Commerce. This is an indication of its standing as an active member of the Internet community. Cyberlaws could be viewed from one angle as restrictive. On the other hand, both buyer and seller will have the confidence that issues like privacy, confidentiality, legal tender and prevention of fraud receive their due significance. This framework and commonality of understanding augurs well for the future of India’s ventures into e-commerce.

The paper takes a look at the fine print within the Information Technology Bill, 1999 and its relationship with the UNCITRAL Model Law and related legislation. It also attempts to go beyond a strictly legal perspective and examines how a value-centred approach can help businesses and IT professionals reap the whirlwind of E-commerce while keeping their sights high.

“For the development of a National Information Infrastructure and of establishment of private and public networks it is desirable to enact specific legislations covering the broad area of IT including communications……….

“It is important that the issue of electronic signatures is immediately addressed. Electronic Signatures will help in streamlining many internal processes, and will ensure easy authentication and verification of electronic communications with the public……

“Such legislation could also stipulate the creation of a certification system for electronic transactions applicable to email messages and banking operations, as well as shopping.”

Recommendations of IT Taskforce - XVI : Procedural Reengineering & Cyber-Laws

INTRODUCTION

November 4, 1999 marked an important milestone in India’s progress as a front line player in the application of technology, most specifically with regard to the Internet as a medium of global trade and commerce.

It was on this date that the Union Cabinet accorded approval to the Information Technology Bill, 1999 (IT Bill) to be taken up for discussion in Parliament. This clearance is a crucial step towards the promulgation of the Bill and it is so timed as to herald the country’s march into the next millennium.

If I may be allowed to suggest, the title "The Information Technology Bill" appears to be a misnomer. Launching out from the directives of the IT Task Force the Bill straightaway proclaims itself as providing a legal framework for e-commerce. Indeed, it does succeed in becoming a fairly robust underpinning for “transactions carried out by means of electronic data interchange and other means of electronic communication” which ultimately are the focus of the proposed enactment.

The foregoing comment is made because one might expect draft legislation with such ‘broadband’ nomenclature to encompass a few more ramifications of Information Technology: to break new ground, for instance, in evolving a policy on taxation, jurisdiction, privacy, IPR and copyright, contracts, money laundering and the like. But for that we shall have to wait a while, given the fact that these are vexing issues all over the globe. Canada has recently published “Principles for Consumer Protection in Electronic Commerce” which, besides spelling out measures for consumer protection, addresses issues like dispute resolution, privacy and unsolicited email. On the other hand, the US Government is finding the going tough for its Cyberspace Electronic Security Act, with groups fiercely holding on to the Fourth Amendment.

All the same, it is no mean achievement for India to set before itself standards to measure up to, ideals that are held in regard the world over, but which seem to elude consensus in terms of implementation. In the long run, however, it will be such conformity and acceptance of norms that will bring a solid measure of confidence in commercial dealings on the individual, national and trans-national plane.

And finally, with all the glitz and hype surrounding e-commerce, it cannot be denied that the cornerstone of success in business is trust and faith between trading partners. Such trust, faith and confidence like the proverbial city of Rome cannot be built in a day.

THE I.T. BILL AT FIRST GLANCE

Among the significant elements in the IT Bill is the provision of legal effect to information and records in electronic form and the consequent upgradation in related legislation, principally the Indian Evidence Act, 1872, Indian Penal Code, 1869, Banker’s Book Evidence Act, 1891 and RBI Act, 1934.

Another advancement is the legality provided to digital signatures which would validate transactions and significantly reduce the chances of fraud. This is indeed a measure bound to reinforce Net-based trading.

An elaborate administrative as well as legal machinery is set out with the intent of controlling the issue and use of digital certificates. The Bill also lays down detailed guidelines for setting up a Cyber Regulations Appellate Tribunal, along the lines of a similar body under the SEBI Act, 1992, to oversee infringements directly related to trading as well as various types of cyber crime, which are listed out in much detail.

Attention needs to be drawn to a departure in this Bill from some of the other Net related legislation. The Information Technology Bill, 1999 specifically allows the disrupting of any e-message in the interests of sovereignty, integrity and security of State as well as in the interests of friendly relations with foreign states or public order.

GETTING TO GRIPS WITH THE I.T. BILL

Part I - Preliminary : Scope and applicability.

There will be no application of this enactment to “Negotiable instrument”, Power of attorney, Trust, Will, Contract for sale of Immoveable property, which still require ratification by hand. All relevant terminology is defined, such as digital signature, Certifying Authority, hash function, key pair and computer system. E.g.

Digital signature means a signature affixed in an electronic form consisting of transformation of an electronic record using an asymmetric crypto system and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can determine whether the transformation was created using the private key that corresponds to the signer’s public key; and whether the initial electronic record has been altered since the transformation was made.
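The two checks named in this definition, shown as an added example that is not part of the Bill or of the original paper: textbook RSA over a SHA-256 hash, using only the Python standard library. The keys are constructed from Mersenne primes and the signing is unpadded, so this illustrates the definition and is not a usable signature scheme; all function names and the sample record are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs


def make_key_pair(p, q):
    """Build a textbook-RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def record_hash(record):
    """The 'hash function' of the definition: SHA-256 of the record, as an integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record, private_key):
    """The 'transformation': the record's hash raised to the private exponent."""
    return pow(record_hash(record), private_key["d"], private_key["n"])


def verify(record, signature, public_key):
    """True only if the signature was made with the matching private key
    AND the record is unchanged since signing."""
    if not 0 < signature < public_key["n"]:
        return False
    recovered = pow(signature, public_key["e"], public_key["n"])
    return recovered == record_hash(record)


# Constructed demonstration keys. Mersenne primes are publicly known, so
# these keys offer no security; they only make the example reproducible.
SUBSCRIBER_PUB, SUBSCRIBER_PRIV = make_key_pair(2**1279 - 1, 2**2203 - 1)
OTHER_PUB, OTHER_PRIV = make_key_pair(2**521 - 1, 2**607 - 1)

# Constructed sample electronic record and an altered copy of it.
RECORD = b"Purchase order 0001: 10 units at Rs 500 each"
TAMPERED = b"Purchase order 0001: 10 units at Rs 900 each"


def demo():
    """Run the three cases the definition distinguishes."""
    signature = sign(RECORD, SUBSCRIBER_PRIV)
    impostor_signature = sign(RECORD, OTHER_PRIV)
    return {
        # Untransformed record + signer's public key: accepted.
        "genuine": verify(RECORD, signature, SUBSCRIBER_PUB),
        # Record altered after the transformation was made: rejected.
        "altered_record": verify(TAMPERED, signature, SUBSCRIBER_PUB),
        # Transformation made with a different private key: rejected.
        "wrong_private_key": verify(RECORD, impostor_signature, SUBSCRIBER_PUB),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A failed verification does not say which of the two conditions failed: an altered record and a signature made with a different private key both simply return False.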

Part II - Electronic Records and Digital Signatures

Legal validity is now provided to electronic records and digital signatures both in government and commercial sectors. Rules on retention of electronic records and relating to digital signatures to be prescribed by Central government.

Part III - Electronic Records

Attribution of records, acknowledgement of receipt, time and place of despatch and receipt of electronic record pertaining to originator and addressee whether individual or body corporate.

Part IV - Secure Electronic Records and Secure Digital Signatures

Application of security procedure to records by means of digital signatures.

Part V - Regulation of Certifying Authorities

Controller of Certifying Authorities & his office to supervise, lay down standards, specify form and content of Digital Signature Certificates (DSCs). Controller as Repository of all DSCs. Rules governing application for, renewal, rejection, suspension of licence to issue DSCs. Power of Controller to ensure compliance. Reasons of State to permit interception. Power to investigate similar to Income Tax authorities. Power to search and have access to computer facilities.

Certifying Authority to ensure security and reliability of digital signature. Certifying Authority to notify revocation or suspension of certificate if any or any occurrence which may affect integrity of his computer system.

Part VI - Digital Signature Certificates

Certifying Authority to issue Digital Signature Certificate to eligible applicants holding functional key pair. DSC may be suspended in public interest and due notification carried out.

Part VII - Duties of Subscribers

Subscriber to generate key pair securely. Proper publication is the term of acceptance for DSCs. Subscriber deemed to have accepted a DSC if he rightfully holds the private key and has made representations to the Certifying authority that information in DSC is true. Subscriber to exercise reasonable care of private key.

Part VIII - Penalties and Adjudication

Penalty of upto Rs 10 Lakhs for computer crime relating to unauthorised access, copying, contamination by virus, damage or disruption, denial of access directly or indirectly, charges services availed to another (form of hacking!). Penalty upto Rs 25,000 for crime not specified above.

Adjudicating officer with powers of Civil Court similar to Cyber Regulations Appellate Tribunal and proceedings as per IPC. Penalty to be conditional on amount of loss/gain due to the default and its repetitive nature.

Part IX - Cyber Regulations Appellate Tribunal (CRAT)

Presiding officer of CRAT to be High Court Judge or Grade I Member of Indian Legal Service of 3 years standing.

To hear appeals against Orders made by Adjudicating Officer within 45 days. Not bound by Code of Civil Procedure (CCP). Powers equivalent to Civil Court under CCP. Can summon, examine on oath, require production of documents or electronic records, receive evidence on affidavits, issue commissions for examination of witnesses/records, review own decisions, dismiss for default or decide ex parte.

Except High Court, no court can hear a suit or appeal against Adjudicating Officer or CRAT. Also contravention before or after adjudication proceedings can be compounded by the Controller within the maximum fine.

Part X - Offences : Computer Crime

Concealing, destroying or altering source code invites a fine of upto Rs 2 lakhs and/or three years imprisonment.

Publishing obscene material tending to deprave and corrupt would lead to two years imprisonment and/or fine of Rs 25,000. Second or subsequent conviction draws imprisonment of upto five years and fine upto Rs 50,000.

Misrepresentation of facts for licence or DSC would entail two years imprisonment and/or fine of upto Rs 1,00,000.

Breach of confidentiality in terms of disclosure of access secured to any electronic record, etc would be punished with upto two years imprisonment and/or fine of upto Rs 1,00,000.

Publishing of False DSC would invite upto two years imprisonment and/or fine of upto Rs 1,00,000.

Failure to furnish document/report to Controller or Certifying Authority would result in fine upto Rs 1,50,000. Not filing returns in time would entail fine of Rs 5,000 per day of continuation of failure.  Failure to maintain books of accounts would entail fine of Rs 10,000 per day of failure continuing.

Company officials would be liable for corporate offences unless it is proved that such contravention was without the official’s knowledge or he had exercised all due diligence to prevent the occurrence.

Publication of fraudulent DSC entails imprisonment upto two years and/or fine of upto Rs 1,00,000.

Any offence committed outside India by any person irrespective of his nationality and involving a computer network located in India would invite penal action under this Act.

Access or attempt to access a “protected system” so declared by Govt invites imprisonment of upto ten years.

Hardware involved in act of contravention are liable to be confiscated, unless the person in possession is not found responsible.

Part XI - Network Service Providers(NSP) not to be liable in certain cases

If NSP proves that an offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence he shall not be held liable under the Act.

Part XII - blank

Part XIII - Miscellaneous

Police officer - Dy Supt of Police - may enter any public place to search and arrest without warrant anyone reasonably suspected of committing/having committed. Code of Crim. Procedure to apply.

Provisions of this Act would be in addition and not in derogation of provisions of any other enactment.

Centre may direct States as to this Act.

Anything done by officials in good faith shall not attract legal proceedings.

Any difficulty in giving effect to provisions may be removed by Central Govt and the order ratified by Parliament.

Central Govt may make rules to carry out provisions of the Act such as Licences to Certifying Authorities, regarding Cyber Regulations Appellate Tribunal’s operations etc which would be ratified by Parliament.

Cyber Regulations Advisory Committee of officials and non-official experts would be constituted soon after enactment to assist with regard to rules and framing of regulations.

Regulations may be made in consultation with this committee, such as for recognition of foreign Certifying Authority, etc.

As with Centre, State Govt may make Rules as required which will be then ratified by State Legislatures.

AMENDMENTS to Indian Penal Code, 1860; Indian Evidence Act, 1872; Banker’s Book Evidence Act, 1891; and Reserve Bank of India Act, 1934.

RELATION WITH OTHER ENACTMENTS

It is in the fitness of things, that the IT Bill largely relies on the Model Law on Electronic Commerce from the United Nations Commission on International Trade Law (UNCITRAL) for basic definitions and for spelling out the transition from paper to electronic transactions. As such our Bill appropriates almost all 15 Articles of Part One with regard to electronic commerce in general, application of legal requirements to data messages and specifications governing communication of data messages. However, Articles 11 & 12 on formation and validity of contracts and recognition by parties of data messages dealing with declaration of will do not have effect.

Part Two of the Model Law and its Articles 16 and 17 with regard to actions related to contracts of carriage of goods and Transport documents find no place in the IT Bill. Also missing is an addition to article 5 which was adopted by the UN in 1998, in terms of the vital concept of “incorporation by reference” when dealing with legal recognition of data messages. This is a situation where certain terms and conditions, although not stated in full but merely referred to would have the same degree of legal effectiveness as when fully stated.

The UNCITRAL Draft Rules, 1998, are incorporated in the IT Bill’s stipulations on Issuance of Digital Certificates and the authority governing them.

Another very significant influence on the present legislation is the Singapore Electronic Transactions Act, 1998 (SETA). It is the SETA which is acknowledged for the most part as the basis of the draft Electronic Commerce Act, 1998 which had been commissioned by the Union Commerce Ministry.

If we may point to any legal parallel for the current IT Bill under review it would be this excellently drafted Act. Sources have it that it is the handiwork of international legal experts. In stark contrast to the IT Bill, the E-Commerce Act, 1998 is carefully annotated, with source of legislation and detailed comments, something sorely missed in the version of the IT Bill presently available on the Net.

It would be noteworthy to look at a few major points of divergence between the two existing pieces of ecommerce legislation available.

A FEW MAJOR DIFFERENCES IN TWO DRAFT E-COMMERCE LAWS

INFORMATION TECHNOLOGY BILL'99 | ELECTRONIC COMMERCE ACT'98
All India coverage | All India except Jammu & Kashmir
Silent on electronic contracts | Articles on contracts, like UNCITRAL Art # 15, 16
Only broad recognition of foreign certifying authorities subject to regulations as seen fit (Art # 20) | Detailed provisions for recognition of Foreign certification Authorities (Art # 42)
Silent on Reliance & Liability Limits for Certifying authorities | Detailed recommended reliance and liability limits in case of forgery or misrepresentation (Art # 43, 44)
Equipment liable for confiscation on contravention (Art # 76) | More than mere confiscation, provides for forfeiture of any benefits derived (Art # 51)
Provision for Cyber Regulations Appellate Tribunal (Art # 50-65) | No provision
Intercepting of electronic messages for State or International security (Art # 30) | No provision
Applicable to offences committed outside India (Art # 74) | No provision

Our analysis thus far draws all its resources from the internet, in particular for the actual text of the draft legislation. The IT Bill is at http://www.mit.gov.in/it-bill.htm , while the draft E-Commerce Act, 1998 is available at http://commin.nic.in/doc/ecact.htm and finally the UNCITRAL Model Law on Electronic Commerce is at the following page http://www.uncitral.org/english/texts/index.htm.  In terms of resource material there is an interesting set of background papers called the Cyber Law Series from DOE available at http://www.allindia.com/gov/doe/default.asp

CAN WE REALLY LEGISLATE COMPLIANCE & CONFORMITY

Given the foregoing discussion, what could a layman expect as answers to e-commerce related questions found in a popular magazine :

Is an agreement on the Net-which is not on paper - a contract ?

How do you tax a product that has been ordered and delivered over the Net ?

How important is it to disclose your real identity on the Net ? Should privacy supersede all else?

How do you, as a consumer, trust the authenticity of goods bought over the Net ?

How can vendors feel secure about their intellectual property rights in these expanding markets ?

Should companies use the personal data collected from consumers - beyond the extent for which it has been collected?

(PC-Quest 8/99)

At the risk of being termed simplistic, we may suggest that cyber laws such as the IT Bill are only as effective as the extent of consciousness and education of the populace they set out to govern. For every law, sooner or later there will appear a loophole, the bounds of which are as elastic as the fertile mind of the hacker or deviant can stretch them. While the scroll of honour in IT the world over comprises scores of Indian scientists and whiz kids, it would not be long before the crooked and unscrupulous Indian vyapari also learnt new tricks at the crossroads where business meets cyberspace.

The education and consciousness one is referring to is not just limited to Primary and Secondary but rather to what has been termed as “internetship”, almost on the lines of citizenship. It is a civic response to the new frontier where there is respect for justice and fairplay.

And it would be a fallacy to concede that such a mindset cannot be inculcated in young minds and propagated to netizens in general. For instance, no one would miss out on an opportunity to learn to combat a virus or worm, whether by defence or offense or both. In the same way it should not take too much to bring the same person around to realise how seemingly unlimited resources, like the Net, should and can exist for one and all.

For several years now, computer education in the West has included a fair sized component which introduces students in college to the social implications of technology. In India this would be the opportune moment to initiate steps in this direction. The burgeoning magazine market for one, could take the lead by carrying columns where such issues can be debated.

In the final analysis, in spite of our best efforts, we will continue to live in a fallible world and we will have to cohabit with scamsters, fraudsters and their likes. The challenge is to force a paradigm shift which by turning the equation around will keep such elements in the minority.

Laws and enactments can at best serve as deterrents. It is only an enlightened citizenry, appreciative of the intent and spirit of cyber law which will stand as a self-motivated sentinel keeping watch as buyer meets seller in the global market place.

In conclusion : The Information Technology Bill, 1999, built on the sound foundation of the UNCITRAL Model Law, indeed augurs well for the future of e-commerce in India. It is now up to the Indian citizen and businessman to capitalise on this Archimedean lever and catapult himself to greater heights.

In the words of Richard O Mason, commenting on the “Application of ethics to Information Technology Issues” in Communications of the ACM, Vol 38 No 12:

“The ethics of being online, using tools such as email, and infusing of information technology into our lives in areas ranging from business process reengineering to installing large-scale systems are, arguably among the most important ethical issues of our time.

As good citizens in this information age we must be able to identify the crucial moments-of-truth in which our behaviour as information professionals shapes the direction our society will take. By understanding the facts of each case, drawing on ethical traditions for guidance, and doing this with a concern for the broader implications of our actions, we can create the kind of ethical society we want. This is the challenge of our times.”
