India’s I.T Advancement: An Insight Into New Privacy Laws

The new rules, issued by the Indian Department of Information Technology this month without much publicity, allow officials and private citizens to demand that Internet sites and service providers remove content that they consider objectionable by drawing from a long list of reasons.  

The new rule is section 43A of the Indian IT Act. It states "that a corporate shall have to obtain permission through letter or fax or email from each client before collection of sensitive information. Thus, BPOs will have to inform the client regarding purpose of usage before collection of such information, if they go by the new IT rules 2011." This would create additional work and potential hurdles for Indian suppliers obtaining consent from the customers of their clients.  

Critics say that the new regulations could severely curtail debate and discussion on the Internet, use of which has been growing quickly in India. The list of objectionable content is sweeping and, for instance, includes anything that “threatens the unity, integrity, defense, security or sovereignty of India, friendly relations with foreign states or public order.”  

One question, of course, is how the people of India cope with such restrictions. But another is what it means for platform companies like Facebook and Google who do business in India. Bajaj reports that they're expected to comply, and quickly: The rules require Internet “intermediaries” — an all-encompassing group that includes sites like YouTube and Facebook and companies that are host to Web sites or that provide Internet connections — to respond to any demand to take down offensive content within 36 hours. The rules do not offer a way for content producers to defend their work.  

If online restrictions on anything that offends anyone at anytime weren't provocative enough, catch this part of the new law, having to do with cyber cafes, already licensed by the government: "The screen of all computers, installed other than in Partitions or Cubicles, shall face 'outward', i.e. they shall face the common open space.  

This might sound interesting for many as the consumption of pornography is no more offence in India - if the police could still terrorise anyone, just by claiming that his mobile phone stored pornographic video, they were riding roughshod over his human rights.  

For, even if his phone had contained porn clips, the police would have had no leverage to extort money from the student. Consumption of pornography on a personal device is frowned upon by neither the Victorian-vintage Indian Penal Code ( IPC) nor the 21st Century legislation on Information Technology (IT). 

Both laws, separated by over 130 years, are unsparing towards the producer or supplier of obscene material. But when it comes to the consumer, neither law offers any scope to the police to make out even the lesser charge of abetting the alleged crime of obscenity. 

It is just as well that the laws are not prudish about consumption per se because mobiles have of late emerged as a major medium for pornography around the world, thanks to advances made by smart phone and 3G technologies. Mobiles can now match the capability of laptops in showing long videos of pornography, with the added advantage of offering greater privacy.  

The IT Act does, however, make the end user liable if it can be shown that he had more than just consumed pornography. The consumer would fall foul of the IT Act if he had shared the video with others. The three provisions relating to pornography forbid not just publishing but also transmitting.  

Section 67 of the IT Act imposes a penalty of imprisonment up to three years for publishing or transmitting obscene material in electronic form. Section 67A prescribes imprisonment up to five years for the same offence if the material in question contains "sexually explicit act or conduct". The penalty under Section 67B too goes up to five years as this provision deals with the aggravated offence of child pornography.  

The consumer would be vulnerable to one or the other of these pornography-related provisions even if he had shared the video only within his circle of friends. The very act of transmitting constitutes the offence. Thus, the consumer is safe so long as he is content receiving or downloading pornographic material.  

Besides shunning the temptation of sharing salacious videos, the consumer should be wary of misusing his mobile to invade somebody's privacy. Section 66E, one of the amendments made to the IT Act in 2008, introduced punishment up to three years for whoever "intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person". 

The rules notified under the IT Act last month make it clear that pornography can be safely consumed from one's home or from one's personal devices. But cyber cafes are required to block pornographic sites, evidently because of the danger of children gaining access to them. 

The laws are not prudish about porn consumption per se because mobiles have of late emerged as a major medium for pornography around the world, thanks to advances made by smart phone and 3G technologies. Mobiles can now match the capability of laptops in showing long videos of pornography, with the added advantage of offering greater privacy. 

The Indian data privacy rules bear strong resemblance to European rules in terms of data access, data retention and purpose limitation.  They also provide clarity as to the security standards expected of service providers.  In effect, they impose certain mandatory data privacy standards that outsourcers would normally impose contractually.  By doing so, they give outsourcers greater confidence that, when sending data to India, they will fulfil European data export rules to ensure "adequate" protection for their data.

However, there are key differences between Indian and European standards.  Outsourcers should not assume that their service provider's compliance with Indian data privacy rules will meet European requirements - it won't.  The outsourcer will still need to perform an appropriate level of due diligence and impose suitable contractual terms on its service provider in order to protect data." 

By Drishti Mishra, Legal Trainee