News

Comments on Draft Amendments to IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 Invited

The Government of India notified the IT Rules in 2021 with an aim to address concerns regarding the lack of transparency and accountability among the intermediaries, who are exempted from liability for the acts of third parties under section 79 of the Information Technology Act, 2000. The Rules require the intermediaries to follow the procedures laid down in order to claim exemption.  

Highlights 

  • Introduction of Grievance Appellate Committee to hear appeals against the decision of the Grievance Officer- Sub-clause 3 to Rule 3 has been proposed, which provides for the establishment of the Grievance Appellate Committee. The Central Government shall constitute one or more Grievance Appellate Committees which consists of members as provided in the rule. Persons aggrieved by the order of the Grievance Officer may appeal to this Committee within 30 days of receipt of communication from the Grievance Officer. The Committee must dispose off the appeal within 30 days from the date of receipt of the appeal.
  • Under Rule 3(1)(a), intermediaries are required to not only publish the rules regarding their privacy policy and user agreements, they are also required to ensure compliance with the same.
  • Under Rule 3(1)(b), the intermediary was previously required to only inform the user of its computer resource not to host, display, upload, modify, publish, transmit, store, update or share the information listed under the rule. The amendment  requires that the intermediary causes the user not to share such information, without notifying the user about it.
  • Two clauses have been proposed to be added to sub-clause 1 of Rule 3 wherein the intermediary is required to take measures to allow access of their services to the users with a reasonable expectation of due diligence, privacy and transparency; and that the intermediaries are required to respect the rights of the citizens accorded to them by the Constitution of India.
  • Rule 3(2) provides that the Grievance Officer has to acknowledge the complaints sent to him within 24 hours and dispose them off within 15 days of receiving the complaint. The proposed amendment describes what is considered as a complaint and states that it includes suspension, removal or blocking of user or user accounts or any complaint or request for the removal of the information listed under Rule 3(1)(b). The proviso to this clause provides that complaints in the nature of the request for the removal of information or communication link must be redressed within 72 hours of reporting. Another proviso has been proposed that provides that the intermediary should adopt safeguards to prevent the misuse of the provision by the users.
  • An amendment has been proposed to Rule 4 which provides for rules for significant social media intermediaries. Under Rule 4(8)(b), when an action taken by an intermediary is disputed by the user who has created or uploaded the information, such complaints are to be decided by the Resident Grievance Officer within 15 days. The amendment proposed provides that the complaints under this rule shall be dealt as per Rule 3(2) which provides for redressal mechanisms to be followed by the intermediaries.

Impact 

A vital provision that has been proposed to be inserted is the constitution of the Grievance Appellate Committee, which allows the aggrieved persons to approach the committee, instead of filing an appeal in a court of law. It provides an alternative forum to regular courts to file appeals. Other proposed amendments are mostly clarificatory in nature and address gaps identified in the Rules.

News

CERT-In Issues FAQs to Address Queries on Cyber Security Directions

On 18th May 2022, the Indian Computer Emergency Response Team (CERT-In) released FAQs to address queries on Cyber Security Directions of 28.04.2022. 

The FAQs, consist of 44 questions that endeavour to clarify queries on the Cyber Security Directions to fast track operationalisation of these directions in the country. 

The FAQ consists of the following three primary sections: 

  • Section I: Basic Terminology and Scope of the Directions.
  • Section II: Directions under subsection (6) of section 70B of the IT Act, 2000.
  • Annexure-I: Explanation for Types of Cyber Security Incidents to be Reported to CERT-In.

Section I: comprises the basic terminology and scope of the directions. For instance, the objective for issuing the  Cyber Security Directions, the scope and applicability of the direction, the functions of CERT-In in the area of cyber security, the method of reporting and format for incident reporting, etc.

Section II comprises the nuances and explanations of the Cyber Security Directions, namely, areas the Cyber Security Directions cover, the benefit of the directions to the users in the country, the effect of the direction on the Right to Privacy of individuals, the time frame for reporting and information to be shared while reporting incidents, various applicability aspects of these Cyber Security Directions; and clarifications related to logging requirements, time synchronisation, and maintenance of specific information by entities, etc.

Annexure-I of the FAQs consists of an illustrative list of explanations of the types of incidents required to be reported to CERT-In.

News

Tamil Nadu Data Policy 2022 Unveiled

On 16th March 2022, the Tamil Nadu Government released Tamil Nadu Data Policy 2022 with the objective of aiding policy-making, improving implementation of schemes, encouraging value-added services and improving access to and quality of services.

As per the Policy, a State-level data governance committee, headed by the Chief Secretary, shall be responsible for providing strategic guidance for the data policy framework, while a data inter-departmental committee, headed by the Chief Executive Officer of Tamil Nadu e-Governance Agency (TNeGA), shall make the operational- level decisions as per the guidelines envisaged under the policy. The CEO of the TNeGA shall be appointed as the State’s Chief Data Officer.

The policy shall be applicable to all Public Authorities as defined under section 2(h) of the Right to Information Act, 2005 within the jurisdiction of Tamil Nadu state.  Additionally, it shall also apply to  all data and information created, generated, collected, and archived using public funds of Government of Tamil Nadu directly or through authorized agencies by various Departments / Organizations / Agencies and Autonomous bodies.

Policy provisions shall also concern to data that is recurring in nature and generated owing to automation (result output of their service delivery to citizens/business) of State user department process through various IT systems and to legacy data that is still available in non-machine-readable form.

While discussing Personal Data the policy maintained that “The Personal Data Protection Bill, 2019, [introduced in the Lok Sabha] that seeks to regulate data production and sharing is yet to become a law, but certain aspects of the Bill, like personally identifiable information and sensitive personal information, will be a factor to consider when we start using data produced in the government to solve the above challenges.”

The policy has also formulated rules governing access to non-open data. “Questions such as whether data are aggregated, who is going to use data, what data will be used for, whether data are personally identifiable, whether it has sensitive personal data are critical to determining access to the data.”

It is also maintained that the State shall  adopt a hybrid of state and centralised data storage mechanisms, and critical master data, like the family database, shall be stored centrally with appropriate safeguards and protection of personally identifiable information, such as removal of potentially identifiable characteristics and other statistical techniques. It has also been specified that data shall be published in machine readable formats, such as csv, xml and json, to minimise the use of PDFs.

It is pertinent to note that, while the Policy encourages dissemination and use of non-sensitive data freely, certain data shall be priced.  “The price of non-open data to be shared, if any, would be as per the policy of the Government of Tamil Nadu, and TNeGA shall be responsible for issuing instructions on data pricing.”