A new set of rules will now determine your behavior online the worldwide web as also the security of your personal data but are they effective? CNBC TV18’s Menaka Doshi spoke to Rediff Chairman Ajit Balakrishnan, also a member of the department of I-T Committee to review the I-T Act 2000, and Bill Cook, Chairman of DLA Piper’s Global Communications, e-commerce and Privacy Group to examine these rules - both from the point of view of an individual's freedom of speech and personal data security as well as from a corporate compliance burden point of view.
Rewind to 2004- Avnish Bajaj the co-founder of Baazee.com, was arrested and faced criminal prosecution when a student attempted to sell a pornographic clip on the auction website. That landmark case highlighted the rather open ended liabilities of intermediaries such as online auction site or even search engines. Liabilities that have since been limited under Section 79 of the IT Act 2000 but to save the intermediaries has the government sacrificed the freedom of speech of individual users?
Beware because if your utterings on the worldwide web are ‘grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, pedophilic, libelous, invasive, hateful, disparaging’ or even ‘menacing’, it could mean the death of your online avatar.
New rules say any such offensive material must be disabled within 36 hours of a complaint by the offended. The intermediary can also terminate your access upon non-compliance with its user agreement and privacy policies and if requested by the government, it can even share your identity details. And by the way, intermediary includes telecom, network, internet, webhosting service provider, search engines, online auction sites, online payment sites, online market places and cyber cafes. So is this the coming of a Nanny State?
Doshi: To belabor the point- are individual internet service providers or intermediaries of different kinds going to define grossly harmful, blasphemous, defamatory, anything that harms minors in any way? I don’t want to keep dwelling on the same issue but this seems loosely worded and therefore open to abuse. Do you believe that its jurisprudence that will set it right or do you believe in fact the rules itself need to be reviewed before we proceed on their implementation?
Balakrishnan: These specific definitions about each of these, in my humble opinion, should not be embodied in law because as technology evolves, these definitions of what constitutes grossly harmful, etc will evolve. I think you should leave it to the courts to define it. If you become an omnipresent god–like-person who can see into next 50 years on what kind of harms can come to people, then you can formulate such a law. In real life, human beings are the ones who draft regulations. As we speak, for example when I was part of the committee who created this Act- Section 79, social networking sites were just emerging. So all the challenges that they have brought we were not even aware. So you have to tread a balance between overly legislating and being over exact when there is no exact science when you put things into words and law.
Cook: I agree with Ajit that any transition from criminal exposure to civil exposure is certainly beneficial to the parties involved. The problem that I see is that this imposes a new role on the intermediaries that they haven’t really had before in terms of trying to be the arbiter of the standard that has no precision or specificity. So the question that I would have here is and I totally agree the courts will resolve a lot of that ambiguity- the question that presents is what happens in the interim? What do the intermediaries do as these complains come in? How do they resolve them and what if honestly they don’t believe that the material is offending? It puts them in a position where they have no frame of reference to really apply, a lot of that makes sense and that is clearly well-intentioned.
In a world of hacker attacks and data vulnerability, the new rules also lay down the law regarding collection, use, disclosure, transfer and storage of personal data but in a characteristically Indian style. What that means is - yes, a corporate needs explicit permission from the provider to collect and use data except who is the provider - that is undefined. It is also a departure from controller and processor- terms used in developed jurisdiction such as EU.
Cook: Provider could mean the customers, the internet service providers. It could mean outsourcing companies that are their customers or it could mean the employees and the customers of the companies that they are supporting. We just don't know. Hopefully, it will be the former and the provider will be the party that has privity with the recipient of the data as opposed to the upstream providers which would be their employees and customers. Because it would be hard to imagine that the Indian Government, Ministry of Communications and Information Technology would have intended that the consequence of these new rules- which we believe were intended to preserve and enhance the integrity of the outsourcing business industry in India- would have been to expand burden on that industry to a point where it would make it uncompetitive with like industries in other countries around the world.
Doshi: So like Mr. Balakrishnan, you are again hoping for the best case interpretation of the terminology used in the set of rules but in fact that terminology is open to the worst case interpretation which means that for a BPO company using my individual data - they need to get consent from me by e-mail or fax or in writing. That's good news for me because I don't want anybody misusing my data but its very bad news for the BPO industry or any equivalent industry that does use data to run its daily business.
Cook: I think whoever obtained your data is going to have a responsibility for providing terms and conditions under which the data can be collected and used. But I don't think that in the end, the burden-that you have correctfully identified as being a potential burden on the outsourcing industry, on the BPO industry- is likely to be the end result because India is very smart. The government is smart enough to know that it doesn't want to establish an anti-competitive environment for one of the major industries and an industry that is so uniquely tied to India. But unfortunately, as the government moves into new areas that it can’t afford to not regulate, it does so with a certain level of uncertainty about how much specificity they want to have. Now, for us as lawyers, lack of specificity is something that we really fear and dislike because more certainty, the easier it is to advice clients and have it complied with the law. But I think here the government is just testing the waters.
Doshi: I want you to comment on this part of the debate but I am also going to add one aspect to this and it may not be strictly comparable - but the fact is that in the recent past- with Google a few days ago, with Sony a few weeks ago - we have seen personal data tremendously vulnerable. I understand those are hacker attacks and its very different from what these rules set out to do. But do you believe that these new rules and I am looking at it only from an individual, user of the net point of view, go the full way to help ensure that (a) my freedom of speech is maintained and (b) that the security of my personal data is also maintained?
Balakrishnan: Instead of looking at some of these pieces of legislation as abstractions - remember the social context under which the data security thing was provided - again it is like the Baazi thing that led to intermediaries being defined. There was an event a few years ago – that alleged one of the outsourcing providers- I believe somewhere in Pune- an employee who allegedly used a credit card of one of the principal user in England and used it to allegedly buy things online on a British e-commerce site. At that time there was a tremendous uproar. So I think at that time all parties were concerned that a USD 50 billion a year outsourcing industry would be jeopardized unless you had regulation which reassured your customers, your clients abroad as well as the ultimate end users of those clients that having data in India would not in anyway jeopardize their business. So I think the data security provisions were brought in based on the pressure exerted by NASSCOM and its members and very correctly so. They wanted a regulatory system which will provide reassurance to all others.
Doshi: What do you make of these rules from the individuals point of view?
Cook: I couldn't agree more with Ajit. The proper role of government is to lay a framework for the responsibility of all the parties involved in the transactional relationship.
Doshi: Do you think this is an effective framework?
Cook: I do. I think that as an initial starting point, it has got all the essential elements and the refinements that you are talking about and that Ajit has indicated will come in time or in fact the way the process will play out. So you can't expect government to anticipate every aspect of the relationship, every use, every permutation and then legislate and put that down in a set of rules. It's unrealistic.
That said - the government needs to do a lot more to implement these new rules effectively including clarifying ambiguous terminology and appointing auditors to review corporate security practices. You and I have some heavy reading to do as well. Let's we be found guilty if being harmful, harassing or even menacing online.