Scriboard® - Internet Law and Policy [India]
Internet Law and Policy. Information Technology - Law and Compliance
    Presentation Transcript

    • ‘Enforcing’ the Information Technology Act: Regulating Cyberspace – Version 2.0
      Rodney D. Ryder, Scriboard
    • Internet Security and Legal Compliance: Regulating Cyberspace – Version 2.0
      Part 1 – Internet Law and Policy
      • Information Technology Act, 2000
      • Current law in India
      • Structuring a policy
      Part 2 – Data Privacy and Information Security [Challenges and Strategies]
      • Data Protection legislation around the world [European Commission Directive and the UK Act; Data Protection model: the United States]
    • Internet Law and Policy: New Media Regulation and India – the need for a national strategy
    • The Rise [and fall?] of Cyberspace
      • The Importance of Internet Architecture – ‘decentralised routing system’ – designed to carry messages from point to point even if intermediate communication exchanges are blocked, damaged or destroyed. <the dumb network>
      • ‘The net interprets censorship as damage, and routes around it’. John Gilmore, Lawless, The Economist, July 1995.
      • <Cyberspace>; <Neuromancer> and the “Network” [a place governed by its own laws – as introduced by William Gibson]
      • “Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
      • Benkler’s layers – the physical, the code and the content [in communications theory]
      • Lessig <Code and other laws of Cyberspace>
      • Ryder <Regulating ‘Indian’ Cyberspace>
      • Goldsmith and Wu <Who Controls the Internet? The Illusions of a Borderless World>
    • The ‘New Medium’ and the Law
      • The Information Technology Act, 2000 – in a phrase: ‘functional equivalence’
      • ‘Electronic Commerce’ as an objective
      • Understanding the role of the medium – incidental [blackmail, stalking]; content [obscene or sensitive material]; integrity [unauthorised access and/or modification]
      • Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
    • Structuring Information Systems Management
      • The Basics: the “machine” and the “medium” – What is a Cybercrime?
      • The criminal act – discovery [detection] and analysis
      • The Cybercrime Manual – fostering preparedness
      • Focussing on ‘relevant’ issues and appropriate classification of offences
      • Cyber forensics and the collection of evidence
      • Crisis management [internal and external]
    • The Information Technology Act, 2000
      • Chapter I: Preliminary [Definitions]
      • Chapter II: Digital Signatures and Electronic Signatures
      • Chapter III: Electronic Governance
      • Chapter IV: Attribution, Acknowledgement and Dispatch of Electronic Records
      • Chapter V: Secure Electronic Records and Secure Electronic Signatures
      • Chapter VI: Regulation of Certifying Authorities
      • Chapter VII: Electronic Signature Certificates
    • The Information Technology Act, 2000 [continued]
      • Chapter VIII: Duties of Subscribers
      • Chapter IX: Penalties, Compensation and Adjudication
      • Chapter X: The Cyber Appellate Tribunal
      • Chapter XI: Offences
      • Chapter XII: Intermediaries not to be liable in certain cases
      • Chapter XIIA: Examiner of Electronic Evidence
      • Chapter XIII: Miscellaneous
    • ‘Offences’ under the Indian Information Technology Act, 2000
      • Tampering with computer source documents/‘code’ [Section 65]
      • Transmission of Offensive Messages through Communication [Section 66A]
      • Dishonest receipt of stolen computer resource or communication device [Section 66B]
      • Punishment for Identity Theft [Section 66C]
      • Cheating by personation using computer resource [Section 66D]
      • Violation of Privacy [Section 66E]
      • Cyber Terrorism [Section 66F]
      • Publishing or transmitting obscene material in electronic form [Section 67]
      • Publishing or transmitting of material containing sexually explicit act in electronic form [Section 67A]
      • Publishing or transmitting of material depicting children in sexually explicit act in electronic form [Section 67B]
    • ‘Duties’ under the Indian Information Technology Act
      • Duty of the Organisation: “… maintain reasonable security practices and procedures” [Section 43A] – What is a reasonable Corporate Security System? [ISO 27001/27002]
      • “Offences by Companies” [Section 85] – “… every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company…”
      • Use of the Organisation’s IT Resources should be governed by Internal IT Use and Security Policies
    • E-Commerce and the Model Law – I
      • New Terms [and Issues]: Virtual Goods, Web hosting, Server [the essence of business transactions remains the same]
      • Conventional law has not become obsolete... [a] ‘Online’ contracts are not different from ‘off line’ contracts; [b] the medium of a transaction is generally irrelevant for the law.
      • Traditional legal concepts based on the existence of a tangible medium: ‘instrument’, ‘document’, ‘original’, ‘signature’…
      • Legal concepts based on geographic location: ‘dispatch’, ‘delivery’, ‘receipt’, ‘surrender’…
    • E-Commerce and the Model Law – II
      • Model Law: [a] to facilitate rather than regulate electronic commerce; [b] to adapt existing legal requirements; [c] to provide basic legal validity and raise legal certainty.
      • Functional Equivalence: [a] analyse the purposes and functions of paper-based requirements [‘writing’, ‘record’, ‘signature’, ‘original’]; [b] consider the criteria necessary to replicate those functions and give electronic data the same level of recognition as information on paper.
      • Media and Technology Neutrality: [a] equal treatment of paper-based and electronic transactions; [b] equal treatment of different techniques [EDI, e-mail, Internet, telegram, telex, fax]
    • E-Commerce and the Model Law – III
      – Party Autonomy: [a] primacy of party agreement on whether and how to use e-commerce techniques; [b] parties free to choose the security level appropriate for their transactions
      – Article 7 [Signature]: the legal requirement is met in relation to a data message if: [a] a method is used to identify the signatory and to indicate his approval of the information contained in the data message; and [b] that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated.
      – Article 8 [Original]: the legal requirement is met by a data message if: [a] there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, as a data message or otherwise; and [b] the information is capable of being displayed to the person to whom it is to be presented.
    • E-Commerce and the Model Law – IV
      • Article 9 [Evidence]: in any legal proceedings, nothing in the rules of evidence shall apply so as to deny the admissibility of a data message in evidence solely because it is a data message.
      • Article 11 [Use of data messages in contract formation]
      • Article 12 [Non-repudiation]
      • Article 13 [Attribution of data messages]
      • Article 14 [Acknowledgement of receipt]
      • Article 15 [Time and place of dispatch and receipt]
      • Articles 16 and 17 [Electronic commerce and carriage of goods]
    • E-Commerce and the Model Law – V
      • A data message is deemed to be sent when it enters an information system outside the control of the originator.
      • A data message is deemed to be received: [a] if the addressee has designated an information system to receive the message, when the message enters the designated system; or [b] if the message is sent to an information system other than the designated system, when the addressee retrieves the message.
    • ‘Jurisdiction’: Reading the Information Technology Act [I]
      • The relevance of physical location
      • Technology and the elimination of physical contact
      • Indian jurisdiction in cyberspace: a ‘simpler’ reading of section 75 [Indian Information Technology Act, 2000]
      • Wired [August 2000]: “Welcome to Sealand,…”
    • ‘Jurisdiction’: Reading the Information Technology Act [II]
      • The simplistic view: is Cyberspace a place?
      • Direct interaction or through an agent [bot]?
      • The arcane exercise: where to sue?
      • Blurring vision: product or service
      • The basic paradigm: the absoluteness of boundaries
      • The relevance of physical location [‘lex situs’]
      • Targeting
    • ‘Jurisdiction’: Reading the Information Technology Act [III]
      • Zippo Manufacturing Co. v. Zippo.com Inc. 952 F Supp 1119 [1997] – the sliding scale test [‘… the nature and quality of commercial activity’]
      • Sliding towards jurisdiction – [a] entering into a contract, subsequently uploading files: Compuserve Inc. v. Patterson 89 F 2d 1257 (1996); [b] website targeting users of a jurisdiction: Maritz Inc. v. Cybergold Inc 947 F Supp 1328 (1996)
      • Sliding away from jurisdiction – [a] website not interactive, only contained general information: Bensusan Restaurant Corp v King 937 F Supp 296 (1996); [b] ‘U-Hell’ website that described their experience with ‘UHaul’: U-Haul International Inc v. Osborne 1999 US Dist LEXIS 14466 (1999); [c] server the only point of contact: Pres-Kap Inc v. System One Direct Access Inc 636 So 2d 1351 (1994).
    • ‘Jurisdiction’: Reading the Information Technology Act [IV]
      • Calder v. Jones 465 US 783 (1984) – ‘targeting’ [emerging as the dominant test – direct relationship or referral]
      • Metro-Goldwyn Mayer Studios Inc. v. Grokster Ltd. 243 F Supp 2d 1073 (2003) – ‘… the software had an impact or effect…’
      • ‘Free Speech’ and the Internet: Dow Jones & Company v. Gutnick, (2002) 77 AJLR 255; [2002] HCA 256 [Callinan J, ‘… American legal hegemony’; ‘accessibility’; ‘reputation’]
      • Publication – a bilateral act?
      • Reasonableness – reputation in the forum, whether the publisher knew or ought to have known this, ‘extent’ of publication, extent to which the plaintiff is a subject.
    • Internet Cases in India [I]
      • Vodafone Essar Ltd v Raju Sud [Bombay High Court; Summary Suit No. 3264/2009, dated 22 November 2011] – the subscriber challenged the authenticity of computer-generated bills which contained the charges. The Court held that “printouts taken from the computer/server by mechanical process as contemplated under Sections 65 and 65-A of the Evidence Act is permitted, irrespective of the compliance with the requirement of Section 65-B of the Act”.
      • State v. Navjot Sandhu [Supreme Court of India, Case No.: Appeal [Crl.] 373-375 of 2004, date of judgement 04/08/2005] – the Hon’ble Supreme Court, when examining Section 65B, held that even when an affidavit/certificate under Sec. 65B is not filed it would not foreclose the Court from examining such evidence, provided it complies with the requirements of Sections 63 and 65 of the Evidence Act.
      • Super Cassettes v. MySpace Inc. [Delhi High Court; CS [OS] No. 2682/2008] – one of India’s first judgments on the issue of intermediary liability, specifically on the point of copyright infringement of recordings of the plaintiff.
    • Internet Cases in India [II]
      • Vinod Kaushik v. Madhvika Joshi [Adjudication Officer, Maharashtra. Complaint Case No. 2/2010] – the legality of accessing a spouse’s email account without their permission. Whether unauthorised access?
      • Eastern Book Company v. DB Modak [Supreme Court of India. Appeal [Civil] 6472 of 2004] – copyright protection available to electronic databases in India.
      • Dharambir v. Central Bureau of Investigation [Delhi High Court. 148 [2008] DLT 289] – the admissibility and reliability of digital evidence.
      • Societe des Products Nestle SA v/s Essar Industries, 2006 [33] PTC 469 – admissibility of electronic evidence.
    • Legal Issues and the ‘Cloud’ – I [Scenarios and Situations]
      • ‘Physical Location’ of the Data – [a] where is the data stored? [jurisdiction and legal governance of the data]; [b] dispute resolution – in the event of conflict
      • Responsibility for the Data – disaster management [indemnification? insurance?]. Is there liability coverage for the breach of privacy? What if the data centre is hacked?
      • Intellectual Property – is the data protected under Intellectual Property Law? How secure are trade secrets? What are the conditions under which the vendor grants third parties access to your data?
    • Legal Issues and the ‘Cloud’ – II [Contracts and Enforcement]
      • Privileged User Access – who has access, and their backgrounds
      • Regulatory Compliance – vendors must be willing to undergo audits and security certifications
      • Data Location
      • Security: the legal responsibility [Security Breach?] – [a] physical security; [b] operational security – ‘private cloud’ or the ‘utility model’; [c] programmatic or code-based security
      • Data Segregation and the use of Encryption
      • Recovery
    • Privacy and the Internet: Data Privacy and Information Security
    • Privacy concerns
      A fundamental human right: the right of the individual to be let alone
      • Information Privacy [data protection] – personal data
      • Bodily privacy – invasive procedures: search, drug testing, genetic testing, etc.
      • Communications Privacy – mail, telephone, e-mail, etc.
      • Territorial privacy – domestic privacy, CCTV, ID checks, etc.
      “Public” aspects – surveillance, police powers and national security
    • Growth of Importance of Privacy
      Overview – major International and US regulations [timeline, ranging from Human Rights to Business Issues]
      • 1948 UN Universal Declaration of Human Rights
      • 1970 US Fair Credit Reporting Act
      • 1974 US Privacy Act
      • 1976 International Covenant on Civil and Political Rights
      • 1980 OECD Guidelines on Protection of Privacy
      • 1980 US Privacy Protection Act
      • 1994 US Communications Assistance to Law Enforcement Act
      • 1995 European Commission Directive on Data Protection
      • 1996 US Health Insurance Portability and Accountability Act
      • 1998 US Children's Online Privacy Protection Act
      • 1998 European Member States implement Directive
      • 1999 US Financial Services Modernization Act
    • Privacy and Data Protection law in India
      There is no general privacy or data protection law in India:
      • Constitution, Article 21 – Right to life and liberty, interpreted by the Supreme Court as including the “right to be let alone”
      • International Covenant on Civil and Political Rights 1966, Article 17: No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
      • Law of privacy [Tort Law] – action for unlawful invasion of privacy
    • The [Indian] Information Technology Act, 2000
      • Section 43 [a] – Penalty for unauthorised access to a computer system
      • Section 43 [b] – Penalty for unauthorised downloading or copying of data without permission
      • Section 72 – Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned, disclosing such information to another person
    • Current law in India
      • Public Financial Institutions Act of 1983 codifies confidentiality of bank transactions
      • ISPs prohibited from violating privacy rights of subscribers by virtue of the licence to operate granted by the Department of Telecommunications
      • A general data protection law in India? The National Task Force on IT and Software Development 1998 submitted an “IT Action Plan” calling for a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data”, but no Act has been introduced to date
    • Possible approaches to Data Protection: Data Protection Worldwide
    • Data Protection legislation worldwide [world map classifying each country as: none; pending; in place; EU Directive or ‘adequate’; United States: safe harbor]
    • Industrialised Countries: Legislation timeline [chart of national data protection acts and their dates in force – Norway Personal D Reg Act; Finland Personal DP Act; Sweden Personal Data Act; Denmark Act on Processing of PD; Belgium Data Protection Act; Ireland; Germany Data Protection Act; United Kingdom Data Protection Act; Austria Data Protection Act; Luxembourg; Canada PIP&ED Act; Italy Data Protection Act; Mexico eCommerce Act; Netherlands Law on Protection of PD; France; United States [includes CPP Act 1984, VPP Act 1988, COPP Act 1998, HIPA Act, GLB Act]; Hong Kong Personal Data [Privacy]; Australia Privacy Act; Spain Data Protection Act; Taiwan Computer Processed DP; New Zealand Privacy Act; Portugal Personal DP Act; Switzerland Data Protection Act; South Korea eCommerce Act; Greece Protection Processing; Eastern Europe – Estonia [96], Poland [98], Slovak [98], Slovenia [99], Hungary [99], Czech [00], Latvia [00], Lithuania [00]; ‘General’ Act under consideration]
    • Possible approaches to Data Protection: Data Protection in Europe
    • European Data Protection Directive
      • Directive 95/46/EC of the European Commission
      • Now implemented in almost all Member States, e.g. the UK: previously the UK Data Protection Act 1984; now the UK Data Protection Act 1998 [in force March 2000] [“DPA”]
    • UK DPA 1998 – The Eight Principles
      1. Personal data must be processed fairly and lawfully.
      2. Personal data must be collected and used only for notified purposes.
      3. Personal data must be adequate, relevant and not excessive.
      4. Personal data must be accurate and, where necessary, kept up-to-date.
      5. Personal data must only be retained for as long as is necessary to carry out the purposes for which it is collected.
      6. Personal data must be processed in accordance with the rights of data subjects as set out under the 1998 Act.
    • UK DPA 1998 – The Eight Principles [continued]
      7. Appropriate technical and organisational measures must be in place to protect against unauthorised access, amendment or loss of personal data. There must be a contractual obligation, in writing, upon any data processor to comply with the relevant legislation and to ensure that such measures have been put in place.
      8. Personal information must not be transferred out of the European Economic Area ["EEA"] unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
    • Transfers of Personal Data from Europe to India
      The Eighth Principle: personal information must not be transferred out of the European Economic Area ["EEA"] unless the receiving country ensures "an adequate level of protection" for the rights and freedoms of the data subjects vis-à-vis the processing of personal data.
    • Alternative Grounds: “Seventh-Principle” type contract
      Notwithstanding the lack of country adequacy status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if there is sufficient protection for individual data subjects, having regard to:
      – the nature of the data being transferred;
      – the purposes for processing;
      – the security measures in place;
      – individual rights to redress if things go wrong.
      Note – all of these could be covered in a Seventh-Principle type contract.
    • Any questions?
    • Legal Services: Technology, Media and Communications
      ‘Enforcing’ the Information Technology Act: Regulating Cyberspace – Version 2.0
      Rodney D. Ryder
      rodney@scriboard.com