A database of
millions of customers including their contact details are found freely
accessible online and are available for sale at a very nominal price at various
online social media platforms has brought a serious and basic question in
focus- who all can be held responsible and accountable for such unauthorize and
illegal acts?
Prima facie, the person who is selling the
database is responsible under the eyes of law, but do the technology services
providers or the platform where such database is been listed, owes any
obligation to the customers and can be held responsible for unauthorize acts by
a third party on their platform?
The technology
service providers or the online platform operators are commonly known as “Intermediaries”.
In India, these
technology service providers or Intermediaries are governed by the provisions
of Information Technology Act, 2000 (“IT
Act”) along with Information Technology (Intermediaries Guidelines) Rules,
2011 (“Intermediary Rules”)
Section 2 (1) (w) of
the IT Act define intermediary as follows:
Intermediary with
respect to any electronic messages means any person who on behalf of another
person receives, stores or transmits that messages or provides any service with
respect to that messages and includes:
Ø Telecom
service providers;
Ø Network
service providers;
Ø Internet
service providers;
Ø Web
hosting service providers;
Ø Search
engines;
Ø Online
payment sites;
Ø Online
auction sites;
Ø Online
market places; and
Ø Cyber
cafes
The intermediaries
play a very important role in the enforcement of various provisions under the
IT Act. In any technology services, there are multiple players involved in
provision of services such as setting up web page or website, ISP providing
internet connectivity, service provider for registration of domain name and
hosting the domain, different service provider for uploading the web pages etc.
The present definition of intermediaries is broad enough to encompass every
technology service provider involved in any manner in transmission, retention
or hosting of electronic records. The IT Act places substantial burden on the
intermediaries as briefed below:
1.
Section
67C: Intermediaries to preserve and retain the information as
prescribed under the IT Act and any intentional or knowingly contraventions are
punishable with 3 years’ imprisonment and fine;
2.
Section
69: Intermediaries are required to comply with an order passed by
the Central or State Government directly or through designated agency for
granting access or securing access to the computer resource containing the
information or intercepting, monitoring or decrypting encrypted data or provide
information stored in a computer resource. Failure to assistance to the said
Government or its designated agency is punishable with 7 years’ imprisonment
and fine;
3.
Section
69A: An intermediary may be directed by the order of the Central
Government to block access by the public or cause to be blocked for access by
public, any information generated, transmitted, received, stored or hosted in
any computer resource, which such intermediary has to comply with. Failure to
do so would entail maximum imprisonment of 7 years’ and fine;
4.
Section
69B: The Central Government may direct an intermediary to provide
technical assistance and extend all facilities to its designated agency or authority,
to enable online access or to secure and provide online access to the computer
resource generating, transmitting, receiving or storing such traffic data or
information, as required by such agency and non-compliance with such order may
be prosecuted and the intermediary may be punished with 3 years’ imprisonment
and fine;
5.
Section
70B: CERT-IN may call for information or give directions to
intermediaries and any intermediary fails to comply with such directions may be
punished with 1 year imprisonment and fine;
6.
Section
72A: An intermediary who discloses personal information obtained
while providing services under the terms of lawful contract, with the intent to
cause or knowing that he is likely to cause wrongful loss or wrongful gain,
without the consent of the person concerned, or in breach of a lawful contract,
may be punished with 3 years’ imprisonment or fine of maximum Rs. 5 lakhs or
with both. With respect to compliance with Section 72A, the intermediary is
required to comply with the guidelines set out in the IT (Reasonable Security
Practices And Procedures And Sensitive Personal Information) Rules 2011, which
sets out the procedure for collection, retention, use and dissemination of
sensitive personal information pertaining to users.
Section 79 of the IT
Act exempts the intermediary from any liability under the IT Act from
prosecution for third party actions, on fulfillment of the following requisite:
a.
That the intermediary’s role is
limited to providing access to a communication system, which is used by third
parties to transmit, store or host information;
b.
That the intermediary did not
initiate the transmission, and did not select the receiver of transmission and
also did not select or modify the information forming part of such
transmission;
c.
That the intermediary observed due
diligence and complied with the guidelines set out by the Central Government,
while discharging its duties under the IT Act
However, the
intermediary cannot claim exemption under Section 79 of the IT Act on the
following conditions:
a.
An intermediary is involved in the
commission of an unlawful act, either through conspiring, abetting or aiding
such act or had induced, whether through threats or promises or otherwise the
commission of the unlawful act;
b.
An intermediary, after having received
actual knowledge, by itself or through notification from the appropriate
Government or its agency, that any information, data or communication link
residing in or connected to a computer resource controlled by the intermediary,
is being used to commit an unlawful act, fails to expeditiously remove or
disable access to that material on that resource, without vitiating the
evidence in any manner.
An intermediary is
required to act on information received about violation of any laws within 36
hours of such receipt and the intermediary is required to ensure that removal
of content from a website or computer resource would not affect the evidentiary
value of such content.
Moreover, the
intermediary is requisite to demonstrate due
diligence and publish rules & regulations, data privacy & protection, usage
policy and user agreement for access or usage of the intermediary’s online
platform or computer access along with details of grievance officer who has
to dispose of the matter within one month from date of receipt of complaint.
With ongoing
evolution in the business world, the technology service providers are part and
parcel of each and every business & their role as intermediary has
increased manifold.
To know further
details and other legal aspects of intermediaries including the data privacy
& usage policy, user rights, compliance under IT Act & Regulations,
please connect with us at admin@equicorplegal.com / +91 8448824659
Comments
Post a Comment