This report in Times of India suggests that there is a renewed PR exercise to
push through the proposed amendments to ITA-2000 as proposed last year. The
proposed amendments have been thoroughly analysed on this site and suggested as
"A Conception to to protect one offender" which turned out to be a "Gross
Dilution of the law in favour of Criminals". It is necessary to revisit some of
the aspects of the proposed amendments to understand why it is "Criminal
Friendly" and has to be scrapped. It may be reiterated that the proposed changes
are "Ultra Vires" the Act and can be questioned on procedural grounds.
Now let us see some of the statements made in the article.
Statement 1. Airtel should
be grateful that data-protection measures drafted last year by an expert
committee are yet to be enacted. The telecom major would have otherwise been
liable to pay damages up to Rs 1 crore to each of the top police officers and
bureaucrats whose call data records were found to have been accessed by an
imposter due to the company's lax security.
In its report submitted in August 2005, the
committee headed by the then information technology secretary, Brijesh Kumar,
drafted a provision saying: "If any body corporate, that owns or handles
sensitive personal data or information in a computer resource that it owns or
operates, is found to have been negligent in implementing and maintaining
reasonable security practices and procedures, it shall be liable to pay damages
by way of compensation not exceeding Rs 1 crore to the person so affected." Had
the government not been sitting on the Brijesh Kumar committee's report, each of
the officers affected by the leakage that came to light in New Delhi on Tuesday
would have had a statutory remedy, entitling him to claim whopping damages from
Airtel for its negligence. Besides proposing such civil liability for data
theft, the report defined a range of "computer related offences" liable to be
tried in a criminal court and punished with imprisonment up to two years.
Statement 3.In fact, some of the proposed offences would have
applied directly to the HSBC employee, Nadeem Kashmiri, who was arrested on
Tuesday in Bangalore on the charge of colluding with fraudsters in the UK to
divert funds from clients' accounts. According to the draft Bill, the accused is
liable to be punished with imprisonment up to two years if he or she
"Charges the services availed of by a person to
the account of another person by tampering with or manipulating any computer
resource;" "Provides any assistance to any person to facilitate access to a
computer resource in contravention of the provisions of this Act." In the
absence of specific data protection provisions, as available in countries like
US and UK, Bangalore police is relying mainly on general provisions of the
Indian Penal Code, which was enacted way back in 1860
It is clear from the tenor of the article penned in the name of Mr Manoj
Mitta, that the article accuses the Government of sitting on the recommendations
which were meant to tighten the laws and could have helped in conviction/fixing
liability in the case of the information leakage in Delhi and in the HSBC case.
In order to avoid any misunderstandings that may be generated from the report, I
would like to place my views on each of the above comments. This may be read
with the more detailed comments that are available in the document quoted at the
end of this article.
quoted in Statement 2 above is a reproduction of the proposed Section 43(2)
which is an addition to the present section 43. The terms "Sensitive
Personal Data" and "Reasonable Security Practices" are not defined along
with the proposed amendments and hence the recommendation is incomplete and
is of no practical value.
Secondly, this provision has to be viewed with the existing provisions which
it replaces both under Section 43 as well as under Section 79.
The current section 43 does state that
(Section 43) of ITA-2000 : If any person without permission of the owner or
any other person who is incharge of a computer, computer system or computer
accesses or secures access to such computer, computer system or computer
downloads, copies or extracts any data, computer data base or information
from such computer, computer system or computer network including
information or data held or stored in any removable storage medium;
provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of
this Act, rules or regulations made thereunder,
he shall be liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected.
It is clear from the current
Section 43, that if any person suffers a damage on account of a mere
"access" of a computer "without the authority of the person in charge" or
"copies, extracts data", then he is entitled to the compensation of upto Rs
1 crore. This provision is not limited to "the data handler being negligent
or having not followed any reasonable security practice". Hence as far as
the victim is concerned, the current section 43 provides more protection
than the proposed section.
Supporters of the amendments will
jump to the conclusion that this provision is "Unfair to the data handler or
a data processor" since he is made liable without any limit on his "Due
Diligence". This is incorrect since Section 43 is to be read with the
section 79 which provides certain exemptions to the data handler or the data
processor provided that he is not having knowledge of the contravention and
that he has followed "Due Diligence". To be specific, let us see the exact
provisions of this existing Section 79.
For the removal of doubts, it is hereby declared that no person providing
any service as a Network Service Provider shall be liable under this Act,
rules or regulations made thereunder for any third party information or data
made available by him if he proves that the offence or contravention was
committed without his knowledge or that he had exercised all due diligence
to prevent the commission of such offence or contravention.
Under this section "Network
Service Provider" means an "Intermediary" who is defined as
with respect to any particular electronic message means any person who on
behalf of another person receives, stores or transmits that message or
provides any service with respect to that message;
Under the current provisions
therefore, Airtel can claim to be an intermediary and if they prove that the
contravention has been committed without their knowledge and they have
exercised all "Due Diligence", they would not be held liable. In the instant
case therefore the victims can claim damages on Airtel and Airtel has to
produce evidence and satisfy the court that they should be protected under
Section 79 since they had exercised "Due Diligence". The Court can determine
with reference to the evidence produced whether the precautions taken by
Airtel are sufficient to be called "Due Diligence".
Now we shall look at what the new
amendments propose under Section 79.
Section 79 ( Proposed):
“Intermediary” shall not be liable under any law for the time being in
force, for any third party information, data, or link made available by him,
except when the intermediary has conspired or abetted in the commission of
the unlawful act.
provisions of sub-section (1) shall apply in circumstances including but not
limited to where
Intermediary’s function is limited to giving access to a communication
network over which information made available by third parties is
transmitted or temporarily stored; or
(b) The intermediary: (i)
does not initiate the transmission, (ii) does not select the receiver of the
transmission, and (iii) does not select or modify the information contained
in the transmission.
provisions of sub-section (1) shall not apply if, upon receiving actual
knowledge of, or being notified by the Central Government or its agency that
any information, data or link residing on a computer resource controlled by
the intermediary is being used to commit the unlawful act, the intermediary
fails expeditiously to remove or disable access to that material on that
Further the explanation
continues to state :
shall include, but not limited to, telecom service providers, network
service providers, Internet service providers, web-hosting service
providers, search engines including on-line auction sites, online-market
places, and Cyber Cafes
Under these provisions it is clear that Airtel would be doubly protected
a) It is an intermediary without any doubt and is "not liable under any
law". Note the use of the word "Any Law". This means that the protection
under the amended ITA-2000 (If it becomes effective) protects Airtel from
IPC as well as Indian telegraph Act.
b) In order to make Airtel liable, the victims need to prove that Airtel has
conspired and abetted in the commission of the offence. Without second
thought even I would state that no such allegation can be made on Airtel.
Hence Statement 1 made by the author of the article in Times of India is
boarne out of a wrong reading of the provisions of the propsoed amendments.
If the author thinks that the new provisions give better protection and
Times of India Editor thinks this is true, perhaps they need to check their
inference once again. I believe that they have been taken for a ride
by those who have planted this article.
The reason why such an anomaly exists in the proposed amendments is perhaps
because of the reason that the "Amendments were Engineered by vested
interests who wanted to protect some intermediaries caught by the Delhi
Police in an earlier case and booked under both ITA-2000 and IPC". Without
the change of legislation as suggested it woudl not have been possible
to protect the concerned individuals and hence the Brijesh Kumar Committee
(called the "Expert Committee") was set up to suggest changes that could
protect the concerned individuals.
Now for the statement 3 made by the author of the article stating that the
HSBC fraudsters would not be punishable unless the amendments were made
applicable. It is clear to any one who goes through the current Section 43
that the civil liabiltiy upto RS one crore for each of the victims is
provided under the section. The amendments does not increase this
The current provisions under Section 66 also apply to the HSBC case and
makes every person involved including the foreign nationals punishable with
imprisonment of upto 3 years. Bangalore Police has already filed an FIR on
this ground (though the police have wrongly added Section 72 which is not
However it must be remembered that under the amendments proposed for Section
66, the person who has committed the offence will be liable only
If any person,
dishonestly or fraudulently, without permission of the owner or of any
other person who is incharge of a computer resource provides any assistance
to any person to facilitate access to a computer resource in contravention
of the provisions of this Act, rules or regulations made thereunder;
In order to apply this section Police will have to prove "Dishonesty" and
"Fraud" even before they charge Mr Nadeem Kashmiri. More over under the
amendments, the punishment under the section is limited to 2 years and
Police cannot consider the offence as "Cognizable" even by extending the
CRPC provisions and arrest the person. They will have to first prove in the
court that Nadeem had fraudulently assisted other fraudsters (Who are
abroad) before arresting him. In fact Nadeem would have been the happiest
person if the amendments had come into force. HSBC would have been the
sufferer. This unimaginative proposal from the "Expert" committee makes one
believe that the proposed amendments will make ITA-2000 "Criminal Friendly".
Now I would like the TOI Editor to give his comments on whether it would be
right to consider that the article
"Changes in IT Act would've cost Airtel" by Manoj
Mitta which appeared today is in fact a planted story to push the amendments
to ITA-2000 which is anti-industry, anti-consumer and pro-criminals.
[Please see the more detailed comments for further
explanation on why I am forced to use such strong words]