Powers of State Governments Redefined by ITA 2008
With the passage of ITA 2008 (Amended ITA
2000), the role of State Governments in Cyber regulations has undergone a
significant change.
The Section 90 of
the Act which empowers State Government to make “Rules” for the purpose of
implementing the provisions of the Act assumes new meaning under ITA 2008.
In ITA 2000, the
section referred to powers required to be exercised under section 6 which
was in relation to e-Governance requirements such as filing of forms,
granting of licenses, receipt of money etc. There were not many other
powers conferred on the State Government. Hence it could be interpreted
that the powers of the State Government were intended to be used only for
giving effect to Section 6 and perhaps sections relating to the powers of
the Police.
Under ITA 2008, no change has been made to Section 90. However, the words
“..without prejudice to the generality of the foregoing power..” used in
Section 90 (2) assumes a greater meaning now since ITA 2008 envisages a lot
more responsibilities and powers to State Governments under the amended
provisions.
It is now no longer easy to restrict this section to only “Section 6” as it
appeared appropriate in the earlier version. Now there are several more
sections of ITA 2008 where State Government needs to exercise its powers.
One of the other sections under ITA 2008 which necessitates exercise of
power by State Government is section 6A regarding delivery of services by
service providers.
The provisions of
Section 7A regarding audit of e-documents also apply to the State
Governments and hence rules need to be framed for this purpose also.
Section 10 is another section under which rules are to be notified for use
of digital signatures or other approved forms of electronic signatures if
any.
Section 43 A which defines the liability of body corporates regarding
handling of sensitive personal information makes a reference to “reasonable
security practices and procedures specified in any law for the time being
in force”. Since the definition of “law” includes state laws and
ordinances, it is possible for State Governments to define reasonable
security practices for any class of users such as “Cyber Cafes”, “Hotels”,
“Educational Institutions” or even “Households”.
As regards the “Cyber Café Regulations”, there is however a conflict in
section 67 (C) where the Central Government alone has been vested with the
powers to preserve and retain information in a particular manner and format
for a specified duration. Presently some of the State regulations on Cyber
Cafes already specify such information and hence the State Governments need
to review the present notifications and modify them in accordance with the
ITA 2008.
More importantly, sections 69, 69 A and 69 B provide powers to State
Governments along with the Central Government to
a) Appoint an
officer or agency of the Government specially authorized to to intercept,
monitor, decrypt, block access to any content , collect traffic data or
information generated, transmitted, received or stored in any computer
resource.
b) to notify procedures and safeguards for exercising the powers as
indicated in the above paragraph
c) Define the term “traffic data”
It is of course
possible for the State Government to consider declaring any officer of the
Police department as an officer for the purpose of these sections. However,
since the Act has at different places mentioned the powers of the Police
where relevant and has used the words “any officer” in Section 69 and “any
agency of the Government” in sections 69 A and 69 B, it is perhaps the
intention of the legislature not to vest the powers under Sections 69, 69A
and 69 B with the Police either at the State level or with CBI or that
National Investigating Agency at the Central level.
The State Government has to therefore determine and notify which officer or
agency would be entrusted with the onerous responsibilities envisaged under
these three sections and the procedures, safeguards etc to be associated
with such appointment.
Further, under the modified Section 70, the appropriate Government can
declare any “facility of critical information infrastructure” as a
“protected system”. The State Government has to frame rules and procedures
to identify such systems, authorize appropriate persons in writing, how
they are to be accessed etc.
Under Section 78 of ITA 2008, now Inspectors will be authorized to
investigate cases falling under the Act, instead of the DSPs as per ITA
2000. State Governments which had presently set up Cyber Crime Police
Stations with statewide jurisdiction need to review the system and consider
if they need to declare more number of police stations as “Cyber Crime
Police Stations” especially since the number of offences falling under ITA
2008 shall be far more than in the case of ITA 2000.
Under Section 79 A, the Central Government may designate any department,
body or agency of the Central or State Government as “Examiner of
Electronic Evidence”. The State Government may have to therefore identify
and recommend which state level agency can be notified for this purpose.
State Governments will therefore be exercising far more powers under the
ITA 2008 than what was envisaged under ITA 2000. The powers also need to be
accompanied by several definitions, procedures, safeguards, appointment of
agencies etc.
In order to
effectively formulate a strategy for the State Governments, they need to
constitute an advisory body of experts which may be called the "Cyber Law
Advisory Group" so that detailed action plan can be drawn up.
Naavi
January 15, 2009
Other Articles on ITA 2008
