Electronic Data Interchange

This involves interchange of information by stakeholders at the same time. This is undertaken in the
following steps:

1. Creation of a document, which is to be shared

2. Converting the document into a standard form which is shareable.
3. Sharing of the file with various stakeholders.

Any electronic form of data is recognized.

Electronic Contracts and Agreements: Contracts can be of two types: Negotiable and Non-negotiable
(includes standard contract)

Agreements can also be of various types:

a. Click-wrap agreement: A clickwrap (also known as click-accept, click-to-sign, or clickthrough)

agreement is an online agreement that users agree to by clicking a button or checking a box
that says “I agree.” The act of signing via an electronic signature is replaced with the act of
clicking. Related agreement types include sign-in-wraps (where clicking “register” or “sign-
in” constitutes acceptance to the terms) or browse wraps (where using the site indicates
acceptance of terms).

b. Browse wrap agreement (This would describe a situation where one enters into an
agreement the moment one starts browsing or downloading some content. In this case,
there is no need to click on anything and there is a presumption that the terms and
conditions of the website would govern the concerned individual);

c. Shrink-wrap contract: The terms and conditions are available only once the agreement has
been entered into or once the article has been bought. There is a question with respect to its
enforceability.

They can be differentiated on the following factors:

1. Terms and conditions;

2. Acceptance;
3. Enforceability;
4. Conclusions of Contract.

Forrest v. Verizon Communications: In this case, the terms and conditions which have to be read
were argued to be inadequate. The court held that there was an obligation on part of the users to
read the terms and conditions. Therefore, the measure was not inadequate. So, if the user has not
read all the terms and conditions, they would still be liable under the agreement

Segal v. Amazon: Click-wrap agreement would be binding. Not reading the terms by scrolling down
is not a defence.
Speched v. Netscape: The browse-wrap agreement was not visible. The court held that it cannot be
said that this was an inadequate notice.

Electronic Record

Chapter III and Chapter IV give legal recognition to electronic records. Section 4 grants such legal
recognition while Section 5 deals with the legal recognition of electronic signatures. It states that
where any provides that information or any other matter shall be authenticated by affixing the
signature or any document shall be signed or bear the signature of any person then notwithstanding
anything contained in such law, such requirement shall be deemed to have been satisfied, if such
information or matter is authenticated by means of electronic signature affixed.

Electronic signature is a wider term than digital signature

Section 10A deals with the validity of contracts formed through electronic means. It states that
where in a contract formation, the communication of proposals, the acceptance of proposals, the
revocation of proposals and acceptances are expressed in electronic form or by means of an
electronic record, such contract shall not be deemed to be unenforceable solely on the ground that
such electronic form or means was used for that purpose.

Section 11 deals with attribution of electronic records. An electronic record shall be attributed to the
originator if it was sent by the originator himself, by a person who had the authority to act on behalf
of the originator in respect of that electronic record, by an information system programmed by or on
behalf of the originator to operate automatically.

Section 12 deals with the acknowledgement of receipt where the originator has not stipulated that
the acknowledgment of receipt of electronic record be given in a particular form or by a particular
method, an acknowledgement may be given by any communication by the addressee, automated or
otherwise. Another form of acknowledgment would be any conduct of the addressee, sufficient to
indicate to the originator that the electronic record has been received.

Furthermore, when the originator has stipulated that the electronic record shall be binding only on
receipt of an acknowledgment then the electronic record can be deemed to have never been sent by
the originator if there is no receipt of acknowledgement in such form.

In case no such stipulation is made then the originator has to give notice to the addressee that no
acknowledgement has been received by him and is no acknowledgement is received within a
reasonable time after that, the electronic record can be treated as never having been sent.

Section 13 deals with time and place of despatch and receipt of electronic record. It states that the
despatch of an electronic record occurs when it enters a computer resource outside the control of
the originator, save as otherwise agreed to between the originator and addressee. The provision
also stated that the address can designate a computer resource for the purpose of receiving
electronic records.

Furthermore, an electronic record is deemed to be despatched at the place where the originator has
his place of business, and is deemed to be received at the place where the addressee has his place of
business
Technology Transfer Agreement:
This is one way of disseminating information and technology so that the other party can make use of
the information with legal sanctity. One would have to define the technology (product/service) in
concern. Company specification along with the specification of the technology has to be described.
There may be cases where only certain portions may be licensed.

One has to make sure that the rights which have been assigned cannot be re-assigned again. So, the
nature and the re-assignability of the rights in concern have to be ascertained.

Licensor and Licensee Obligation have to be defined.

Warranty, Indemnity and Infringement clauses have to also be mentioned in there.

Information clauses are often present which specify disclosure requirements on part of the licensee
or the licensor. Termination is also undertaken at times and the circumstances under which the
agreement can be terminated are usually provided for in the agreement.

Disputes can often lead to litigation.

Therefore, agreements often provide for arbitration in order to avoid unnecessary litigation.

Chapter XII of Information Technology Act [Intermediaries

not to be liable in certain cases]
Section 79 states that there is exemption from liability of intermediaries in certain cases. It provides
that an intermediary shall not be liable for any third party information, data or communication link
made available or hosted by him.

This exemption from liability is available if [Section 79(2)]:

a. The function of the intermediary is limited to providing access to a communication system

over which information made available by third parties is transmitted or temporarily stored
or hosted.

b. The intermediary does not:

i. Initiate the transmission
ii. Select the receiver of the transmission, and
iii. Select or Modify the information contained in the transmission

c. The intermediary observes due diligence while discharging his duties under this Act and also
observed such other guidelines as the Central Government may prescribe in this behalf.

Section 79(3) provides that this exemption shall not apply if the intermediary has conspired or
abetted or aided or induced, whether by threats or promise in the commission of the unlawful act. It
also provides that upon receiving actual knowledge from authorities that that any information, data
or communication link residing in or connected to a computer resource controlled by the
intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously
remove or disable access to that material on that resource without vitiating the evidence.

IT (Intermediary Guidelines and Digital Media Ethics Code) 2021

Rule 2(v) states that a social media intermediary means an intermediary which primarily or solely
enables online interaction between two or more users and allows them to create, upload, share,
disseminate, modify or access information using its services.

Rule 3 mandates an intermediate to undertake due diligence while discharging its duties: (a) the
intermediary shall prominently publish on its website the rules and regulations, privacy policy and
user agreement. The intermediary shall inform the user of its computer resource not to host,
display, upload, modify, publish, transmit, store, update, or share any information that belongs to
any person and to which the user does not have any right. Any information which is defamatory,
obscene, infringes any IP right or violates any law for the time being in force.

Rule 3(d) mandates that an intermediary on whose computer resource the information is stored,
hosted, or published, upon receiving actual knowledge in the form of an order by a court of
competent jurisdiction, shall not host, store, or publish any unlawful information, which is prohibited
under any law.

EU Directives on E-commerce (The Regulations talk about intermediaries that merely act as conduits
and their liability would be limited. Article 13 in specific talks about the automatic storage of data)

Caching: It would not lead to liability for the intermediary since the data gets downloaded
automatically. The provisions states the service provider should not be made liable for the
automatic, intermediate and temporary storage of that information performed for the sole
purpose of making more efficient the information’s onward transmission to other recipients
of the service upon their request on the condition that: (a) the provider does not modify the
information; (b) the provider complies with conditions on access to the information; (c) the
provider complies with rules regarding the updating of the information, specified in a
manner widely recognised and used by industry. (d) the provider does not interfere with the
lawful use of technology, widely recognised and used by industry, to obtain data on the use
of the information; and
(e) the provider acts expeditiously to remove or to disable access to the information it has
stored upon obtaining actual knowledge of the fact that the information at the initial source
of the transmission has been removed from the network, or access to it has been disabled,
or that a court or an administrative authority has ordered such removal or disablement.

Laurence Godfrey v. Demon Internet Limited: Godfrey sued D, an Internet Service Provider, over a
newsgroup posting made available from D’s newsgroup servers in this jurisdiction. D sought
permission to amend its defence to rely, in mitigation of damages, on numerous allegedly
provocative postings previously made by P, including to other newsgroups apart from that in which
the posting complained of appeared. P resisted the amendment on the ground that it offended
against the rule in Scott v Sampson (1882) 8 Q.B.D 491 as bringing in inadmissible evidence of
particular acts of misconduct on the part of the P.

The Court first held that the ISP was not a publisher of the impugned statement within the meaning
of Section 1(2) and 1(3). The Court then proceeded with addressing whether the company took
reasonable care in disseminating the statement and whether it knew or had reason to know that its
act caused or contributed to the publication of the defamatory statement. The ISP argued that it
merely provides Internet access through which public postings are transmitted. The Court disagreed
by holding that the Defendants, whenever the Defendants transmit and whenever there is
transmitted from the storage of the Defendants news server a defamatory posting, publish that
posting to any subscriber to their ISP who accesses the newsgroup containing that posting. Thus
every time one of the Defendants’ customers accesses “soc culture thai” and sees that posting
defamatory of the Plaintiff there is a publication to that customer. [para. 33] For the Court, the ISP’s
act of providing access to the defamatory statement was analogous to a “bookseller who sells a
book defamatory of the Plaintiff.”.

The Court concluded that the ISP knew or had reason to know the impugned statement was
defamatory as the plaintiff had notified the company that he was not the true author of the
statement. Yet the Defendants chose not to remove the defamatory posting. Accordingly, it ruled
that the company did not have a viable defense under Section 1 of the Defamation Act.

Digital Millennium Copyright Act of 1998

The Digital Millennium Copyright Act (DMCA) was signed into law by 1 President Clinton on October
28, 1998. The legislation implements two 1996 World Intellectual Property Organization (WIPO)
treaties: the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty.

The three main updates were (1) establishing protections for online service providers in certain
situations if their users engage in copyright infringement, including by creating the notice-and-
takedown system, which allows copyright owners to inform online service providers about infringing
material so it can be taken down; (2) encouraging copyright owners to give greater access to their
works in digital formats by providing them with legal protections against unauthorized access to
their works (for example, hacking passwords or circumventing encryption); and (3) making it
unlawful to provide false copyright management information (for example, names of authors and
copyright owners, titles of works) or to remove or alter that type of information in certain
circumstances.

Section 5 and Section 12 limit the liability of intermediaries if certain conditions are met.

Cyber Crimes
Section 2(a) defines access with its grammatical variations and cognate expressions as gaining entry
into instructing or communicating with the logical, arithmetical or memory function resources of a
computer, computer system or computer network.
This is relevant in the context of Section 43(a) which penalises any person for accessing or securing
access to such computer, computer system, or computer network without the permission of the
owner or any other person who is in charge of a computer, computer system or computer network.

Section 43(b) penalises the downloading, copies or extracts any data, computer data base or
information from such computer, computer system or computer network including information or
data held or stored in any removable storage medium.

Section 43(c) penalizes the introduction or causing to be introduced any computer contaminant or
computer virus into any computer, computer system or computer network.

Section 43(i) penalizes the destruction, deletion, or alteration of any information residing in a
computer resource or diminishing its value or utility or affecting in injuriously by any means.

Section 43(e) penalizes the disruption or causing the disruption of any computer, computer system
or computer network.

These and other such acts shall make the person committing them liable to pay damages by way of
compensation to the person so affected.

Section 66 provides that if any person dishonestly or fraudulently does any act referred to in Section
43, they shall be punishable with imprisonment for a term which may extend to three years or with
fine which may extend to five lakh rupees.

Section 66A provides the punishment for sending offensive messages through communication
service. It includes any information which is grossly offensive or has menacing character; any
information which is known to be false but for the purpose of causing annoyance, inconvenience,
danger, obstruction, insult, injury, criminal intimidation, enmity, hatred persistently by making use of
such computer resource or a communication device.

Section 66C provides punishment for identity theft. It states that whoever, fraudulently or
dishonestly make use of electronic signature, password or any other unique identification feature of
any other person. Identity theft and impersonation are different. Section 66D deals with the latter
while Section 66E deals with the punishment for violation of privacy (private photos)

Kinds of Cyber-Crimes or wrongs:

Email-Bombing: It is form of net abuse that sends large volumes of email to an address that overflow
the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack
(for annoyance) or as a smoke screen to distract the attention from important email messages
indicating a security breach.

Data-Diddling: Section 43 covers this indirectly. Data Diddling is a form of computer fraud involving
the intention falsification of numbers in data entry. It often involves the inflation or understatement
of income or expenses to benefit a company or individual when completing tax or other financial
documents.

Denial of Service: Section 69, 69A, and 69B are relevant in this context.
Computer Virus: Section 43 defines computer virus as any computer instruction, information, data
or programme that destroys, damages, degrades or adversely affects the performance of a computer
resource or attaches itself to another computer resource and operates when a programme, data, or
instruction is executed or some other event takes place in that computer resource.

Logic Bomb: It is a piece of code intentionally inserted into a software system that will set off a
malicious function when specified conditions are met. For example, a programmer may hide a piece
of code that starts deleting files should they ever be terminated from the company.

Trojan Horse: It is a type of malware that disguises itself as a legitimate code or software. Once
inside the network, attackers are able to carry out any action that a legitimate user could perform,
such as exporting files, modifying data, deleting files, or otherwise altering the contents of the
device.

Web-jacking: It refers to illegally seeking control of a website or o a system. The hackers implant a
fake website, which, when opened, will take you to another fraudulent website, where the attackers
try to extract sensitive information. The crucial data can range from simple account password to
credit card details.

Physical damage to Computer; Identity Theft

Cyber-Stalking: This involves continuously harassing a person by sending unwanted messages or

obscene content. This can be simply described as harassment over the cyber-space.

Phishing: It is a cybercrime in which a target or targets are contacted by email, telephone, or text
message by someone posing as a legitimate institution to lure individuals into providing sensitive
data such as personally identifiable information, banking and credit card details, and passwords.

Cyber-bullying:

Cyber-Terrorism: Whoever with the intent to threaten the unity, integrity, security or sovereignty of
India or to strike terror in the people or any section of the people by:

a. Denying or cause the denial of access to any person authorised to access computer resource
b. Attempting to penetrate or access a computer resource without authorisation or exceeding
authorised access
c. Introducing or causing to introduce any computer contaminant.

It also includes knowingly or intentionally penetrates or accesses a computer resource without

authorisation or exceeding authorised access, and by means of such conduct obtains access to
information, data or computer data base that is restricted for reasons of the security of the State or
foreign relations; or any restricted information, data or computer data base, with reasons to believe
that such information, data or computer data base so obtained may be used to cause or likely to
cause injury to the interests of the sovereignty and integrity of India, the security of the State,
friendly relations with foreign States, public order, decency or morality, or in relation to contempt of
court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of
individuals [Section 66F]
Section 67 provides for punishment for publishing or transmitting obscene material in electronic
form. This includes any material which is lascivious or appeals to the prurient interest or its effect is
such as to tend to deprave and corrupt persons who are likely to come across it. It attracts a
punishment of imprisonment of 3 years and with a fine which may extend to five lakh rupees.

Section 67A gives punishment for publishing or transmitting of material containing sexually explicit
act in an electronic form. The punishment is for 5 years with fine upto ten lakhs.

Section 67B provides punishment for publishing or transmitting of material depicting children in
sexually explicit act in electronic form. This includes publishing or transmitting material which
depicts children engaging in sexually explicit act or conduct or in obscene manner. The provision also
criminalises conduct which facilitates abusing children online. The punishment is for 5 years with
fine upto ten lakhs.

Section 67C provides for preservation and retention of information by intermediaries.

Admissibility of the electronic evidence

Prior to the IT Act

Roop Chand v. Mahavir Prasad: The court held that the evidence in the form of tape recorder is
admissible in the court as evidence.

S. Pratap Singh v. State of Punjab: Given the possibility of tampering of tape recording, tape
recorder should not be admissible. However, the court held that tape recording would be admissible
as evidence.

The tape recorded conversation can be erased with ease by subsequent recording and insertion
could be superimposed. However, this factor would have a bearing on the weight to be attached to
the evidence and not on its admissibility. Ultimately, if in a particular case, there is a well grounded
suspicion not even say proof, that the tape recording has been tampered with that would be a good
ground for the court to discount wholly its evidentiary value as in Pratap Singh v. State of Punjab, AIR
1964 SC 72.

in the case of Ram Singh v. Col. Ram Singh, AIR 1986 SC 3, following conditions were pointed out by
the Apex Court for admissibility of tape recorded conversation:
a) the voice of the speaker must be duly identified by the maker of the record or by others who
recognize his voice. Where the maker has denied the voice it will require very strict proof to
determine whether or not it was really the voice of the speaker
b) The accuracy of the tape recorded statement has to be proved by the maker of the record by
satisfactory evidence direct or circumstantial.
c) Every possibility of tempering with or erasure of a part of a tape recorded statement must be
ruled out otherwise it may render the said statepment out of context and, therefore, inadmissible.

d) The statement must be relevant according to the rules of Evidence Act.

e) The recorded cassette must be carefully sealed and kept in safe or official custody.
f) The voice of the speaker should be clearly audible and not lost or distorted by other sounds or
disturbance.

State of NCT v. Navjot Sindhu: The court dealt with the evidentiary value of printouts and digital
documents as secondary evidence. If a document has been certified then it would be admissible as
secondary evidence. The court laid down certain guidelines for this.

Section 22A was inserted into the Evidence Act. Section 35 of the Indian Evidence Act was amended.
Section 29A was introduced in IPC to define electronic evidence or record in the same manner as the
IT Act. Section 192 was amended.

Forgery and Fabrication of electronic record is prohibited. The IPC was amended in order to bring it
in compliance with the IT Act. Section 81A talks about the presumption of gazettes in the electronic
form. If any document is in an electronic form and a digital signature has been affixed into it then it
would be presumed that the document is genuine. Section 85A talks about presumption as to
electronic agreement. The court shall presume that every electronic record purporting to be an
agreement containing the electronic signature of the parties was concluded by affixing the electronic
signature of the parties.

Section 85B states that the Court shall presume unless contrary is proved, that the secure electronic
record has not been altered since the specific point of time to which the secure status relates.
Section 88A provides that the court may presume that an electronic message, forwarded by the
originator through an electronic mail server to the addressee to whom the message purports to be
addressed corresponds with the message as fed into his computer for transmission but the court
shall not make any presumption as to the person by whom such message was sent.

Electronic Governance: It involves not just the relationship between the government and the citizen
but includes the electronic work undertaken between government departments. E-governance is
about the use of information technology to raise the quality of the services governments deliver to
citizens and businesses. It is hoped that it will also reinforce the connection between public officials
and communities thereby leading to a stronger, more accountable and inclusive democracy.

Section 42 and 42A of the IT Act deals with penalization of illegal extraction of data and information.
One of the objectives of the enactment of the IT Act was national security besides protection of
privacy. But the primary objective is national security as the central and state government can
empower authorities to collect and intercept data and information.

Online Dispute Resolution

This is a kind of adjudication which is conducted online. There are various ways of resolving disputes
online: negotiation, mediation, etc. The mode of ODR is through various means like video
conferencing, text messaging, email, discussion boards, audio conferencing.

Blind Bidding: This is another way of resolving disputes. The parties attempt to put forth their
demands without knowing the other party’s position. The moment there is an overlap between their
positions or the average of their demands is used to resolve the dispute. There is none of the usual
paraphernalia associated with mediations – no position statements, no plenary sessions, no one-to-
ones, no waiting around, only emails. There are three bidding rounds. If there is a match, the figure
is revealed and the process ends in agreement (subject to the terms of a binding settlement
document). If there is no match, the parties proceed to round two. If there is still no agreement,
then in round three the mediator will either announce a match, or he will say whether the parties
are within a specified sum apart (for example £30,000)

Online Negotiation/Mediation: This is another method under ODR. Negotiation involves both the
parties attempting to resolve the dispute on their own. Mediation involves the participation of a
third party which mediates between the parties in a dispute for resolving a dispute.

Online Arbitration: It also involves a third party but it adjudicates on the dispute rather than just
helping the parties to resolve the dispute on their own. Any document with digital signature would
be considered as legally valid. Any award which is given under online arbitration may be enforceable
as per Section 36 of CPC.

Reasons for using ODR:

a. Justice
b. Fast, private and efficient
c. Consumer trust

Problems with ODR:

a. Disruption of technology
b. Lack of awareness and technical knowledge
c. Lack of a conducive environment

Tele-Medicine: This involves o

nline consultation with doctors and medical practitioners. This can be live or pre-recorded. Audio
and visual systems are employed for the purposes of tele-medicine.

Section 70(b)

The intermediary would not be liable for the act of the users. If the intermediary is not manipulating
the message or content, they would not be liable as per Section 79 of the IT Act.

Cyber café is defined under Section 2(na) of the IT Act which states that it refers to any facility from
where access to the internet is offered by any person in the ordinary course of business to the
members of the public.

IT (Guidelines for Cyber Café Rules) Rules, 2011

Rule 2(j) defines a user as a person who avails or accesses the computer resource and includes other
persons jointly participating in availing or accessing the computer resource in a cyber café.

Rule 4 deals with the identification of user which states that they cyber café shall not allow any user
to use its computer resource without the identity of the user being established. The intending user
may establish his entity by producing a document which satisfy the users to the satisfaction of the
Cyber Café. These include Driving License, Aadhar, School ID, Passport, PAN Card, etc.

Rule 4(2) requires the Cyber Café to keep a record of the user identification document by either
storing a photocopy or a scanned copy of the document duly authenticated by the user. Rule 4(3)
states that he may be photographed by the Cyber Café using a web camera installed on one of the
computers for establishing the identity of the user. Rule 4(4) states that a minor without photo
identity card shall be accompanied by an adult with any of the documents as required.

Rule 5 deals with the maintenance a log register for a minimum period of one year with details of
user such as the name; Address, Gender; Contact Number etc. The Cyber café has to prepare a
monthly report of the log register showing date-wise details on the usage of the computer resource.
The cyber café owner shall be responsible for storing and maintaining backups of the following log
records.

Rule 6 provides that the partitions of cubicles built or installed inside the Cyber Café, shall not
exceed four and half feet in height from the floor level.

Rule 7 provides for the inspection of cyber café.

IT (The Indian Computer Emergency Response Team and Manner of Performing Functions and
Duties) Rules, 2013

Rule 2(c) defines computer emergency response as coordinating action during cyber security
emergencies, providing incident response services to user, publish alerts concerning vulnerabilities
and threats, and offer information to help improve cyber security.

Rule 2(g) defines cyber incident as any real or suspected adverse event that is likely to cause or
causes an offence or contravention, harm to critical function and services across the public and
private sectors by impairing the confidentiality, integrity, or availability of electronic information,
systems, services or networks resulting in unauthorised access, denial of service or disruption,
unauthorised use of a computer resource, changes to data in information without authorisation, or
threatens public safety, undermines public confidence, have a negative effect on the national
economy, or diminished the security posture of the nation.

Rule 2(h) defines “cyber security incident” as any real or suspected adverse event in relation to cyber
security that violates an explicitly or implicitly applicable security policy resulting in unauthorised
access, denial of service or disruption, unauthorised use of a computer resource for processing or
storage of information or changes to data, information without authorisation.

Rule 9 provides the kind of services that can will be provided by CERT (Indian Computer Emergency
Response Team). It includes response to cyber security incidents; prediction and prevention of cyber
security incidents; analysis and forensics of cyber security incidents.

Rule 11 states that it shall address all types of cyber security incidents which occur or are expected
to occur in the country but the level of support given by CERT-in will vary depending on the type and
severity of the incident.
Dakshina’s Portion

Move from agrarian economies to industrialised economies to service economies to information

economies. The measure of an economic superpower is its output. The dominant model of
industrialised economies in 19 th and early 20th centuries was based on specialisation, mechanisation,
and economies of scale.

Subsequent to World War II, there was a shift to service economies. Industrialised economy focused
on the kinds of goods that could be produced while service economy focused on what can be
provided. Information society gradually came into being. Information societies build upon systems
that allow information to be collected, stored and processed.

[Bit is a truncation of the term “binary digit” which is simply 0 and 1. The computer reads, processes,
and responds to commands using a 4 step process called Von Neumann architecture. Digital notation
in bits can transmit all types of information using American Standard Code for Information
Interchange.]

An example of how revolutionary this process is can be understood by the transformation of the
music industry. From vinyl records, there was a shift to cassettes to compact discs to MP3 Sound
Compression technique. Two aspects of this switch were: cutting out middlemen and making it non-
rivalrous in nature. Atomic Goods are rivalrous in nature and digital goods are non-rivalrous in
nature.

Rivalrous goods are those whose consumption by one consumer prevents simultaneous
consumption by other consumers. On the other hand, non-rivalrous goods are mostly intangible and
they tend to be informational goods. Payment from on demand shifted to payment like utilities
which are streamed based upon monthly subscription.

Example: The manner in which Theft is defined under Section 378 of IPC reflects an emphasis on
tangible goods and the product of a colloquial understanding of theft and valuable goods. Whoever,
intending to take dishonestly any movable property out of the possession of any person without that
person’s consent, moves that property in order to such taking is said to commit theft.

Section 66C of the IT Act deals with punishment for identity theft. Section 66 in general along with
Section 43 deal with digital data. Move from toms to bits is affecting our traditional property values
and are undermining the traditional model for enforcing property rights. There are two other effects
which are undermining legal settlement:

a. Digital Covergence: Digitalisation converges different types of content into a single category
of digital information.
b. Ease of Cross Border data Transfer: Questions on jurisdiction, authority of lawmakers, courts
and law enforcement bodies.

Internet
IT is a telecommunications network and is described as a network of networks. It consists of various
networks which are connected with each other enabling the sharing of data and information. JCR
Licklider was looking into how to use wires to connect expensive mainframe computers. After the
launch of Sputnik, Advanced Research Projects Agency (ARPA) was created. JCR Licklider and other
at ARPA created the first computer network ARPANET. It was a communication system for
computers. ARPANET became a reality in 1969. It was different from the modern day internet as it
was closed and a single network.

The internet works on Open Architecture principles. There were multiple computer networks after
the ARPANET which created frustration and communication difficulties. There was a need for a
network of networks. Cerf/Bob Kahn created the TCP (Transmission Control Protocol) / IP (Internet
Protocol). There was a need for unique identification or IP Address for every digital device. This is
because the TCP protocol breaks down data into pockets which are then transmitted to various
devices. IP Address was needed to enable connection between user’s browser and server hosting
the website. There was a need for home broadband router to the ISP. ISP sends data packets to the
internet backbone.

Network Access Points enable smooth flow of data packets across the internet backbone.
Management and flow of data packets backbone and NAP is controlled by Router. Router checks
data packets for correct IP address and network. Three key aspects of the TCP/IP:

a. TCP works on best effort basis

b. Route taken by discrete packets may differ from other packet (network capacity v.
geography)

The data travels through optic wires which are laid across continents and countries, which allows the
data for travel at the speed of light. The data could take a direct or a circuitous route but the
difference is usually not felt.

Broadband Router (Home) (Device) -> ISP (Data packs) -> Internet Backbone (Telecom networks ->
Network Access Points (Router)

The World Wide Web

It created by Sir Tim Berners Lee. There are 4 layers of internet architecture: The transmission layer,
computer layer, software layer, the content layer. Benkler simplified this into 3 layers: physical
infrastructure layer, logic infrastructure layer, and content layer. When we talk of web, we talk of
the regulation of web content while when we talk of internet, we talk about the regulation of the
infrastructure.

In India, there is a disparity in Internet usage between urban and rural areas. There is a digital
divides on other grounds as well such as geographic inequities. There is a gender disparity as well.
99% of all internet subscribers use the top 10 ISPs. Jio is dominant with almost half of the market
share belonging to it.

Janet Reno v. American Civil Liberties Union: The internet is not a physical or tangible entity, but
rather a giant network which interconnects innumerable smaller groups of linked computer
networks. Small networks are ubiquitous. Some networks are closed networks, which are not linked
to other networks. The resulting whole is decentralized, global medium of communication or
“cyberspace” that links people, institutions, corporation, and governments around the world. The
Internet has its origins in 1969 as an experimental project of the ARPA and was called ARPANET. The
network allowed researchers across the country to access directly and to use extremely powerful
supercomputers located at a few key universities and laboratories.

A communication sent over this redundant series of linked computers could travel any of a number
of routes to its destination. Thus, a message sent over to Washington DC, could travel through a
computer in Alto Palto. At the same that ARPANET was maturing, similar networks developed to link
universities, research facilities, and universities, which were also linked together later. No single
entity controls the internet. The World Wide Web is a series of documents stored in different
computers all over the Internet. Documents contain information stored in a variety of formats,
including text, still images, sounds, and video. An essential element of that Web is that any
document has an address.

Net Neutrality

Net neutrality refers to the concept of non-discrimination of internet traffic by intermediary

networks on any criterion. The network should be neutral to all the information being transmitted
through it. All communication passing through a network must be treated equally independent of its
content, application, service, device, sender or recipient address. It is best described as a network
design principle. This term was coined by Professor Tim Wu. The idea is that a maximally useful
public information network aspires to treat all content sites and platforms equally. This allows the
network to carry every form of information and support every kind of application.

For other proponents, Net Neutrality means ensuring that all end users are able to access the
Internet content, applications and services of their choice at the same level of service quality, speed,
and price, with no priority or degradation based on the type of content, application or services.
Under this view, data is transmitted on a “best effort basis, with limited exceptions.

Modern routers can help to prioritise traffic with low latency threshold (such as VOIP and streaming
media) over traffic with high latency threshold (such as music download). ISPs support network
traffic management techniques which allow them to utilise resources efficiently and attract software
and hardware investment. Critics argue that it can lead to discrimination against certain applications

Activities that can be a violation of Net Neutrality:

a. Blocking/filtering specific content applications [Eg: Comcast interference with Bit Torrent];
b. Access Tiering or Fast Lanes (Usually reserved for partners which pay for the additional
speed. An example of this is the 2014 Agreement between Netflix and Comcast];
c. Throttling- Throttling is when an internet service provider intentionally slows down the
speed of an internet connection. It may do this to help manage network congestion, to give
paid prioritization to certain sites or users. [Eg: Mendocino Complex Fire incident in 2018
and throttling of Santa Clara Fire Department’s mobile data;
d. Zero Rating: This happens when an Internet Service Provider attaches zero rating/no costs to
a particular website/apps. [Eg. Vodafone Plans in UK allowing unlimited streaming of social
 media, video and audio streaming.] It can ring fence certain content suppliers. It can make
IPSs gatekeepers.

Regulating Net Neutrality [Arguments against Regulation]

i. It is a market, unjustifiable interference is not required. It might affect investments in

telecom industry. It is fancy form of “price regulation”. [Robert Hahn and Scott Wllsten,
‘The Economics of Net Neutrality’].
ii. Regulation should only be there if there are clear signs of market failure. Do not fix what
is not broken [Gerald Faulhaber, ‘Economics of Net Neutrality: A review’]
iii. There is no evidence to show that ISPs will charge in a manner that is discriminatory /
harmful [Gary Becker, Dennis Carlton and Hal Sider, ‘Net Neutrality and Consumer
Welfare’]
iv. These rules are proposed under assumption that ISPs will harm competition by
disadvantaging rivals.
v. There is no need for Net Neutrality as competition regulations will take care of it [FTC
Commissioner Maureen Ohlhausen, 2016 paper, ‘Antitrust over new Neutrality: Why we
should take competition in broadband seriously.]

[Arguments for Net Neutrality]

i. Sir Tim Berners Lee had a 2006 blog entry. It argued that Open Architecture of the
Network is foundational. Net Neutrality protects open architecture. Markets won’t work
if gate keepers have to make decisions about a new piece of technology. Net Neutrality
is not just about markets and market power.
ii. Mandating principles of net neutrality is crucial for protection of fundamental rights and
competition and innovation. A few players in the market cannot have control over
access to internet as it has vital democratic and cultural functions and should be
considered a public good. Everyone should have open access to it. [Lucie Audibert and
Andrew Murray, 2016 paper, ‘A principles approach to net neutrality]

Legal Framework Governing Net Neutrality in USA

A. For Net Neutrality Regulations: Introduced when democrats in power; Open Internet Rules;
Supported by free internet advocates
B. Against Net Neutrality Regulations: Introduced during Republicans in power; Internet
Freedom Order; Supported by ISPs.

Debate in USA started began after the FCC success of regulating Comcast and blocking of Bit Torrent.
FCC introduced rules to codify and safeguard principles of internet openness. FCC adopted the Open
Internet Report Order, 2010. It contains 3 internet rules designed to preserve free and open
internet:

1. Transparency (broadband providers must disclose information regarding network

management practices and commercial terms of their broadband services)
2. No blocking lawful content, apps, services, devices or websites
3. No unreasonable discrimination with lawful network traffic
Unreasonable interference – websites slowing down or degraded in quality

In a 2010 order, the Court of Appeal overturned the last two rules but upheld the requirements of
transparency. Obama called upon the FCC to protect Net Neutrality and set out 4 bright lines:

a. No blocking
b. No throttling
c. No paid prioritization

However, this was overturned when Trump came to power and appointed Ajit Pai as FCC
Commissioner.

Net Neutrality Regulation in EU

2010 Ministerial declaration from Council of Europe: Users should have greatest access to internet
based content, applications and services of their choice. There may be however legitimate
exceptions to his principle – such as combating cyber-crimes, network stability and resilience.
However, exceptions need to be justified by overriding public interest. 2012 BEREC study: Contracts
that allowed the ISPs to restrict services like VOIP. BEREC launched a public consultation to examine
transparency and traffic management to preserve Net Neutrality.

EC proposed the EU Net Neutrality Regulation 2015 [Regulation on Open Internet Access]

Article 3 provides that end users shall have the right to access and distribute information content,
applications, and service, and use terminal equipment of their choice. No form of blocking, slow
down, altering, restriction, or degradation are allowed under this rule.

Article 4 deals with transparency measures for ensuring open internet access. Providers of Internet
access services shall ensure that any contract which includes internet access services shall have a
clear and comprehensible explanation as to any volume limitation, speed and other quality of service
information, clear explanation of the remedies available to the consumer in accordance with the
relevant regulations among other things.

Article 5 states that national regulator authorities shall closely monitor and ensure compliance with
Articles 3 and 4 and shall promote the continued availability of non-discriminatory internet access
services at levels of quality that reflect advances in technology.

Background to Net Neutrality in India

In late 2014, use of VoIP (Voice over Internet Protocol) apps such as Viper, Skype was becoming
popular on mobile phone devices. This threatened conventional telecom companies which created a
differential rate for voice calls over the internet.

In 2014, Zuckerburg tried to lobby for the launch of Internet.org – Facebook’s zero-rating platform
by meeting the PM. Facebook had lanched this Ericsson, MediaTek, Nokia, Opera, Qualcomm, and
Samsung with the stated mission of making internet access available for everyone. It was launched
in India in partnership with Reliance Communications.
The app was launched in six states- Tamil Nadu, Maharashtra, Andhra Pradesh, Gujarat, Kerala, and
Telangana with partners including mainstream news media sites, job search sites, sports,
dictionaries, and even Wikipedia.

In this backdrop, TRAI released a consultation on OTT (Over the Top) services in March 2015.
According to TRAI, the paper set out to consider whether changes were required in the current
regulatory framework that enabled all internet data to be treated in the same way. The
recommendations in the paper essentially allowed for differential pricing of OTT services subject to
NN principles.

Net Neutrality is globally understood as a network principle of equal treatment of data packets
moving across the IP networks. It has been used more broadly to describe the open and non-
discriminatory nature of the network.

Save the Internet campaign included technology policy advocacy groups, and even members of a
comedy group. Their website allowed a user to click a link to create a default email to TRAI with pre-
loaded responses to all 20 questions. The user could then change or alter the answers as they saw
fit. Eventually, due to viral social campaign, over a million responses were sent to TRAI. The Telecom
ministry approved TRAI’s recommendations and differential pricing was prohibited. Therefore, there
was a prohibition of discriminatory tariffs for data services.

Content was defined in the regulations as all content, applications, services and other data, including
its end-point information that can be accessed or transmitted over the internet. Discriminatory
tariffs were defined as different tariffs charged by a service provider for services or content used by
the consumer.

Internet Governance

It reflects different perspectives, approaches, and policy interests. Telecommunications specialists

see Internet governance through the prism of the development of a technical infrastructure.
Communications specialists emphasise the facilitation of communication. Human rights activists
view Internet governance from the perspective of freedom of expression, privacy and other
fundamental human rights. Lawyers focus on jurisdiction and dispute resolution. Politicians, on the
other hand, will focus on issues important to the public-techno-optimism and threats.

World Summit on the Information Society (WSIS) came up with the following definition of Internet
governance: Internet governance is the development and application by governments, the private
sector, and civil society, in their respective role, of shared principles, norms, rules, decision-making
procedures and programmes that shape the evolution and use of the Internet.

The term ‘information society’ and ‘information and communication technology’ are more
comprehensive than ‘internet’ – encapsulate global digital development.

There is some controversy over the term ‘governance’ because of its implication and the difference
between governance as a core government function v. governance of affairs of any institution,
including, non-governmental ones.
Etymology of Cyber Law Terms: The prefixes e-/virtual/cyber/digital/net are used to describe various
ICT/Internet developments. They are often used interchangeably. E-commerce, cyber-crime, virtual
for currency, digital for divide has basically the same implication. E is the abbreviation for electronic.
Cyber is said to be a metaphor for the military for defending the battle space.

Virtual relates to the intangible nature of the Internet. Virtual introduces the ambiguity of being
both intangible and potentially, non-existent. Virtual reality could be both an intangible reality and a
reality that does not exist. The terms is not used in policy language and international documents.

Schools of Thought (Regulating the Information Society)

1. Cyberlibertarianism: It is also known as Cyber Utopianism. John Perry Barlow in 1996 dealt
with the Declaration of Independence for Cyberspace. “The internet is inherently extra-
national, inherently anti-sovereign.” These scholars believe that states can only enforce laws
within their jurisdiction subject to a few extra-territorial application of law. The cyberspace,
is a separate sovereign space where real world laws and real world governments were of
little to no effect. When a person is in cyberspace, they are in a new sovereign space where
laws of any real world jurisdiction are no longer valid. Since a person in cyberspace has no
corporeal personality, to imprison or physical goods to confiscate. This led to the belief that
traditional laws are incapable of being enforced in cyberspace.

The problem with this was put forth by Prof Chris Reed which was called the “cyberspace
fallacy”. It challenges Barlow’s argument that traditional lawmakers and law enforcement
bodies are of no effect and have no means of enforcement as the body of the users and their
equipment can be subject to regulation and citizens of cyberspace still retain their real world
existence. Wherever legal jurisdictions have dealt with the issue of cross border harm, they
have proven effective and internet shall be no different.

2nd content of this group is that real world law enforcement bodies lack legitimacy to
interfere in the operations of the sovereign cyberspace. There is a belief that a border exists
between real space and cyberspace. David Johnson and David Post set out legal
interpretation of the cyberlibertarian contention (regulation founded upon traditional state
sovereignty cannot function effectively in cyberspace) in their paper “Law and borders: The
rise of law in Cyberspace”. Regulatory arbitrage can be relevant in this context. It involves
choosing a regulatory mechanism when more than one is available to a person which
undermines the effectiveness of the legal system.. They believe that the decentralised and
incorporeal nature of cyberspace meant that only possible regulatory system was one that
developed organically with the consent of majority of cyberspace citizens. For instance,
pornography is banned in the UK but may be legal in the US. A person residing in UK may
view porn from US-Based web servers.

2. Cyberpaternalism: This group believes that cyberspace is not immune from a regulatory
intervention of real world regulators. Joel Reidenberg identified new models and sources of
rules being created.
a. Contractual agreements with internet service providers
 b. Network Architecture ( which is human made and in our control)
c. Technical standards which could function like geographic borders
d. Lex Infomatica consists of laws imposed on participants. Primary sources of rule
making in this are technology developers and customs through which uses of
technology evolve.
So, rather than being unregulable due to the inherent design, internet is actually capable of
regulation because of its design or architecture.
The cyberpaternalists argue that the State can indeed regulate the users on the internet
indirectly by seeking to control or mandate changes in the network architecture.
Regulation can happen through mandating changes in the network architecture itself or self-
regulating activities of network designers. 4 modalities that control human behaviour: law,
social norms, market, architecture. [Lawrence Lessig, “Code and Other Laws of Cyberspace”]

3. Network Communitarianism: Both cyberpaternalism and cyberlibertarians are techno-

deterministic and assume code is deterministic of actions. But Code is not purely a design or
architectural tool. It also has social and communication functions – philosophy behind
network communitarianism. It was propounded by Andrew Murray in his book “Regulation
of Cyberspace”. He relies on two European theories to arrive at this model: Actor Network
Theory (ANT) and Social Systems Theory (SST).
ANT is a theory which explains the role of non-humans in any social situation. For instance,
any transaction or interaction between two human beings would be different if they sit in a
luxury restaurant versus a tea stall. The internet as a shared network allows people who are
culturally diverse and geographically remote to connect and interact- therefore, internet is
not merely a communication tool but equally a cultural tool.
SST attempts to study the flow of information within complex systems of social
communication. Both these theories map and study complex process of social interactions
in a connected environment. Andrew Murray advises to rethink the dot from the
cyberpaternalism model of Lawrence Lessig. Dot plays an active rule in regulatory process
and not a passive role (subject of external regulatory forces) - the dot therefore, is not a
isolated one but an active matrix and therefore, the “dot” should not be seen merely as a
mere individual but the individual as part of a wider community.
Both these theories illuminate much of our understanding of communications and social
interaction in a networked environment such as the internet. Hence, regulation in the online
world is different from the real world.
However, gatekeepers can act as a hurdle because they can cut communication between
micro-communities. These gatekeepers can do so by controlling the pinch points between
the networks. Therefore, regulation of intermediaries becomes important.

Intermediary Regulation

Intermediaries online play a very important role in the democratic discourse process. Eli
Pariser coined the term filter bubble, which is said to occur when information does not flow
freely. A filter bubble or echo chamber results in intellectual isolation. Filter bubbles can
cause people to receive less information about contradictory view points and this result in
intellectual isolation. This is problematic for symbiotic regulation which thrives on free flow
of information and democratic discourse. Internet thus becomes centralized with the power
resting in the hands of a few gatekeepers.

Micro gatekeepers also have an impact on democratic discourse but have limited impact.
They do not sit at the interface of communities and are less important.

Authority gatekeepers are high traffic sites that affect discourse. There are important but are
not critical because they do not act as information brokers between communities and
groups. Example: Instagram, Twitter, Wikipedia.

Macro Gatekeepers: They control access choke points. They control flow of information
across communities – search engines, ISPs, major platforms like FB, designers of operating
systems. These gatekeepers can use cod to coerce outcomes.

Platforms

An undertaking operating in two or multi-sided markets, which uses the internet to enable
transactions between 2 or more distinct but interdependent groups of users so as to
generate value for atleast one of the groups. Digital platforms provide a technological basis
for delivering or aggregating services content from service / content providers to end users.
They have a growing influence in elections world over. In response, governments across the
world are proposing ways to regulate them. German law on “obviously illegal” hate speech
removal, UK Committee to treat platforms as publishers, UK Telecom regulator ofCom (social
media platforms to have an independent regulator.

Veblen goods are those goods for which demand increases as the price increases. These are
typically high quality goods that are well made. The information associated with them is
incomplete in the minds of the public with limitation of time. 1950s Herbert Simon work
showed how Homo Economicus (an economic actor who is always rational and self
interested) model is flawed.

Economist Richard Thaler and lawyer Cass Sunstein 2013 model of regulation “libertarian
paternalism” also called nudge. There are two premises of this theory – human beings are
poor decision makers; choice architect. Choice Architect is a ‘government or person of
influence who can present choices to people and engage in the process of nudging’. It has
the responsibility for organizing the context in which people makes decisions. Nudging is the
rearranging of default positions to encourage good decisions. There has been a debate over
the role of choice architects since people have limited time and rationality which makes
them really important

Algorithmic Regulation
Algorithms do not see code as a fixed architecture but a flexible detector of unacceptable
behaviour. Algorithmic regulation has a discursive learning pattern – it learns what
permissible and impermissible behaviour is. Algorithms are coded procedures for
transforming input data into a desired output based on specific calculations. Algorithmic
decision making involves the use of algorithmically generated knowledge systems to execute
decisions. Algorithmic regulation employs regulatory governance systems that use
algorithmic decision making.

A concern with algorithmic regulation is that human bias can seep into its decision making
and the algorithm could make decisions which racially profile people or discriminate against
minorities. Regulatory governance is an intentional attempt to manage risk or change
behaviour to achieve a pre-specified goal.

Algorithms may be fixed or adaptive. An example of fixed algorithm is twitter’s sensitive

content algorithms while an example of adaptive algorithms is FB’s terrorism detection
software. Problem with algorithmic decision-making is that the designers set the parameters
of acceptable behaviour. This kind of decision making happens in a black box.

Policy Approaches to Cyber Regulation

● There is also a debate over adopting a narrow approach in cyber regulation as

opposed to a broad approach which accommodates the differences between various
countries.

● Some argue that self-governance should be the mode of regulation rather than the
intervention of the government.

● National v. International Law Perspectives: Example Internet Corporation for

Assigned Names and Numbers (ICANN)

● Multilateral v. intergovernmental regulation: There are multiple stakeholders and

bodies operating in the sector. For instance: ICANN, WSIS, IGF, ITU. These bodies are
constituted by civil society, nation states, representatives from the business sector,
technical community members. This allows for multiple groups to be represented.
The developed countries, however, want the regulation of the internet to be
structured with regulation based on an intergovernmental framework which consists
of nation states only within an UN based group. This would make the decision-
making more structure.

● Decentralised v. Centralised structure of internet governance: Governance of the

internet through decentralised approach is argued to be better because it better
reflects the concerns and interests multiple stakeholders involved in it. Proponents
of a centralised structure argue that it becomes difficult to follow and account for
developments happening across various regulators and stakeholder bodies.

● Technical v. Policy Coherence

● Old real v. New Cyber Approach

 ● Holistic Approach and Prioritisation – Technological convergence and less
politicisation.

Scope of Internet Governance

The World Summit of the Information Society (WSIS) came up with the following definition of
Internet governance: “Internet governance

Jurisdiction

There is a need to respond to real and immediate disputes arising out of online activity.
Governments are under pressure to regulate online activities such as child pornography. It is
necessary to ensure protection of local, legally compliant business from unfair competition online.
Inadequate allocation of regulatory responsibility undermines the effectiveness of existing
substantive laws. Allocation of regulatory responsibility is based on the territoriality principle and
notion of statehood.

Jurisdiction comes from the latin word “juris dicto” meaning administration of justice. It means legal
power, right or authority to regulate. It may refer to physical territory of the state or sometimes over
matters outside its territory. Jurisdictional rules determine what nexus is required between the state
and the activity or the person (whose action is in question) for an entitlement to regulate. It depends
on private/civil or public/criminal nature of dispute. In Public international law, jurisdiction is
claimed on the basis of territoriality principle. In private international law, there has to be a link with
the right of the state to claim.

Online Defamation

Dow Jones v Gutnick - The question that arose for consideration was “ whether internet publication
is considered as publication within a national jurisdiction”? The magazine published an article and
placed a copy of the same online, which raised a number of allegations against Mr.Gutnick as an
entrepreneur. The article was published in the US State of New Jersey, but was read widely in
australia. The High Court of Australia finally held that defamation is to be located where the damage
to reputation occurs. So, in a case of online defamation, ordinarily the tort of defamation occurs
where the material is downloaded from the web server as it is there where the damage is done.

Dr. Lutchansky v Times Newspapers( Multiple Publication Rule)- Dr. L alleged defamation by the
newspaper for publishing an article online which accused him of money laundering. The defendant
claimed that the defamation suit was time-barred since 1 year had expired.The claimant argued that
every subsequent time the material was accessed by the reader was a fresh “publication”. The Court,
allowing the claim held that each time an online material is accessed by a person amounts to a fresh
publication with a limitation period of its own.

Single Publication Rule - See Sec 9, Defamation Act,2013- for purposes of limitation, any cause of
action against the person for defamation with respect to the subsequent publication, the limitation
period shall be calculated from the date of first publication only. ( Legislatively overruled Dow Jones
v Gutnick and Dr. Lutchansky v Times ).
Section 9 of the Defamation Act 2013 applies if a person:

(a) publishes a statement to the public;

(b) Subsequently publishes (whether or not to the public) that statement or a statement which
is substantially the same

Jameel v. Dow Jones Inc – Golden Chain case: This case was about an article publishing details
about financing Osama Bin Laden’s activities. This article was available on the Wall Street Journal’s
website. The article had a link to the list of 20 people accused of being financers. The list also had
two brothers who filed a case in the UK alleging defamation. The court of England refused to
exercise jurisdiction. According to the court, the stakes were very low and would amount to an
abuse of the court process since only two people not related to the case had opened the link.
Therefore, the damage to reputation was minimal.

Intermediary Liability in Online Defamation

Godfrey v. Demon Internet Services: Certain deepfakes were put on a website. The person affected
had requested the defendant to remove the defamatory content. While the defendant refused to do
so and the thread eventually collapsed on its own but a lot of people had seen the defamatory
content on the thread. Could Demon Internet Services claim defences under Section 1 of the
Defamation Act 1996?

Information society providers not expected to actively monitor content they carry/host but liability
may arise on failure to act once they have been made aware of the defamatory material

Electronic Commerce Directive 2000 aims to remove obstacles to cross border online services in EU
and provide legal certainty for businesses and consumers.

UK Electronic Commerce (EC Directive) Regulations 2002: Regulations 17-19 are important

Article 12, EC Directive, 2000 provides for mere conduit defence. Where an information society
service is provided that consists of the transmission in a communication network of information
provided by a recipient of the service, of the provision of access to a communication network,
Member States shall ensure that the service provider

Article 13 EC Directive, 2000 deals with Caching or cached content. Where an information society
service is provided that consists of the transmission in a communication network of information
provided by a recipient of the service, the Member States shall ensure that the service provider is
not liable for the automatic, intermediate, and temporary storage of that information, performed for
the sole purpose of making more efficient the information’s onward transmission to other recipients
of the service upon their request on condition that:

(a) The provider does not modify the information

(b) The provider complies with conditions on access to the information.
Bunt v. Tiley: Internet Service Provider. Bunt had been defamed by two people. He initiated three
other internet service providers on the ground that they had allowed the two people to publish
defamatory content. The EC had dismissed the case on the ground that the ISPs fall under the
definition of information society service and were protected by regulations meant to save them.

Metropolitan International School c Design Technica Corporation: The claimant argued that the
Google preview of the search engine carried the defamatory content. The EC stated that Google was
not a publisher and it would not be liable as a publisher or intermediary. However, at the same time
it would not be protected under the safe harbour protections available to intermediaries. Google
does not have control over the content available in the Internet and cannot take down content.

Tamiz v. Google: The court held that there is no agency or employment relationship with the
Bloggers.com website or bloggers on the concerned website. Google would have no liability as
publishers but the court also noted that liability for defamation can arise if Google is made aware of
the defamatory content and it chooses to do nothing about it.

Section 5 of the Defamation Act states what happens when action for defamation is brought against
the operator of a website in respect of a statement posted on the website. It is a defence for the
operator to show that it was not the operator whose posted the statement on the website. The
defence can be defeated if the claimant shows that it was not possible for the claimant to identify
the person who posted the statement; the claimant gave the operator a notice of complaint in
relation to the statement; and the operator failed to respond to the notice of complaint in
accordance with any provision contained in regulations.

Defamation (Operators of Website) Regulations 2013 deals with regulation of operators.

A Norwich Pharmacal order is a court order for the disclosure of documents or information that is
available in the United Kingdom and Ireland. It is granted against a third party which has been
innocently mixed up in wrongdoing, forcing the disclosure of documents or information. By
identifying individuals the documents and information sought are disclosed in order to assist the
applicant for such an order in bringing legal proceedings against individuals who are believed to have
wronged the applicant.

The following things have to be considered –

1. Jurisdiction: US, UK, Aus, India

2. Liability: Intermediary Liabilities, Individual Liability

Keith Smith v. Williams: In 4 of the 11 cases, the court decided to pass an order which mandated
revealing the identity of the social media handles since

The case involved unemployed ex-teacher Tracy Williams falsely accusing a former UKIP candidate,
Michael Keith Smith, of being a sexual offender and racist bigot.[8] Williams had posted as Gosforth.
The court ordered her to pay £10,000 plus costs. Although the accusations were made in a Yahoo
discussion group with about 100 members, damages were awarded as the remarks were available
throughout the world
Applause Store Productions v. Raphael: There was a fake profile created on social media which
contained a lot of private and personal information. A facebook group was also created titled
“Whether Mr. Matthew has ever lied to you”. The group contained a lot of incriminating and
damaging material. The identity of the person who created the fake profile and group came to be
revealed. The court considered about how to overcome the holding of the Jameel case. Around 6
people had seen the concerned content. The court found that the statements to be damaging to the
reputation of the plaintiff. It is important to note that the court had observed that it is difficult to
assess how many people had seen the concerned content. The court awarded 15,000 pounds in
damages

Bryce v. Barber:

Chris Cairns v. Modi: The case revolved around two tweets created by Lalit Modi which stated that
the plaintiff had been banned from being involved in the event due to their association with match-
fixing. The tweets were later deleted. However, the plaintiff sued the defendant. The court
disregarded the argument that a miniscule number of people saw the tweet on the ground that the
risk was larger than the specified number of people seeing the content and it would have reached
wider circulation due to the content being capable of being searched on the internet. Therefore, the
court awarded 90,000 pounds in damages to the plaintiff

Jurisdiction in India

Section 19 and Section 20 of the CPC are relevant. Section 16 states that suits shall be filed in the
court within the local limits of whose jurisdiction the immovable property is situated. However, this
section is not that relevant given that most matters in cyber law are intangible in nature

Section 19 states that where a suit for compensation for wrong done to the person or to the
movable property can be instituted in the courts where the wrong was done within the local limits of
the jurisdiction of one Court or where the defendant resides, or carries on business, or personally
works for gain, within the local limits of the jurisdiction of the court.

Escorts Ltd v. Tejpal Singh Sisodia (2019 Delhi HC): The company sold tractors and had a registered
office in Haryana. The defendant resided in Udaipur. He tweeted something regarding the plaintiff
against which the latter brought a case of defamation. The court stated that there is a question of
territorial jurisdiction. The court looks at the following factors:

a. Convenience of Parties: It is relevant that if the court took jurisdiction, it should not lead to
significant inconvenience to the parties or their harassment. It noted that both the parties
were not resident in Delhi.
b. Harassment of Defendant & Libel: The court stated that the court taking a case within its
jurisdiction should not lead to the harassment of the defendant.
c. Registered Office of Company (of the defendant): The court held that the case can be
instituted in courts in whose jurisdiction the registered office of company lies. [Para 45]

The court refused to take cognizance of the matter. The court stated just because the Prime Minister
is residing in Delhi and some of the people related to Escorts are residing in Delhi, it cannot take
jurisdiction of the matter. The court relies on Indian Potash case to hold that a plaintiff can rely on
the loss arising out of defamation as a valid ground to take jurisdiction of a matter in a given matter.
The court noted that ordinarily a wrong to the reputation of a company would be done at its
registered office. However, in today’s day and age, with businesses of a company spreading acorss
countries and at least within the country, the company may have a reputation not only at the place
of its residence, i.e. its registered office but at such places where the company carries on business
and or where the goods and services are sold. However, the court noted that the wrong would have
occurred only at a single jurisdiction.

Section 19 of the CPC is relevant for attracting jurisdiction only if the wrong was committed in a
jurisdiction other than where the defendant resides. Otherwise if the wrong and residence of the
defendant are the same, then there would be no option to bring a case in any jurisdiction other than
where that one. The court will look at the place where maximum damage has occurred in case the
harm has occurred in multiple places

Ajay Pal Sharma v. Udaiveer Singh:

Section 66A of the Information Technology Act 2000 and Shreya Singhal Case

Section 66A provides that any person who sends, by means of a computer resource or a
communication device – Any person who sends, by means of a computer resource (a) any
information that is grossly offensive or has a menacing character; or (b) any information which he
knows to be false for the purpose of causing annoyance, inconvenience etc. shall be punished with
imprisonment for a term which may extend to three years.

The court held that this provision is unconstitutional under Shreya Singhal case on the ground that it
gives the government very wide ambit to restrict the liberty of individuals and the fact that “grossly
offensive” was not defined.

Intermediary

Section 2(1)(w) of the IT Act defines an Intermediary means any person who on behalf of another
person receives, stores or transmits that record or provides any service with respect to that
electronic record and includes telecom service providers, network service providers, internet service
providers, web-hosting service providers, search engines, online payment sites, online-auction sites,
online-market places and cyber cafes.

Physical network intermediaries are required to get a license from the Department of Telecom under
Section 4 of Indian Telegraph Act, 1885. The proposed telecommunications bill attempted to cover
online intermediaries. It tried to divide online intermediaries into social media intermediaries and
significant social media intermediary (SSM).

Section 79 of the IT Act provides for exemption from liability in certain cases such as third party
information, data, or communication link made available or hosted by him. However, the
intermediary must not initiate the transmission, select the receiver of the transmission, and select or
modify the information contained in the transmission. The function of the intermediary is limited to
providing access to a communication system for which information made available by third parties is
transmitted or temporarily stored or hosted. The intermediary must not have conspired or abetted
or aided in the commission of the unlawful act. It must assist the government in dealing with such
acts upon receiving actual knowledge.

Section 79 wants social media intermediaries to act as a mere conduit and not as publishers.

There are various kinds of liabilities that intermediaries can be subjected to:

1. Monetary liability
2. Criminal
3. Non-Monetary liability such as injunctions

Amazon Seller Services Ltd v. Amway: It was argued that Amazon was acting beyond its capacity as
intermediary in the sale of goods.

The Intermediary must observe due diligence while discharging its duties under the Act.

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Rule 3(1)(d) states that an information, on whose computer resource the information is stored,
hosted or published, upon receiving actual knowledge shall not do so on receiving actual knowledge
in the form of an order by a court. One of the provisos of the provision provides the act of removal
or disabling of access to any information, data or communication link within the categories of
information specified in this clause. Therefore, it provided certain editorial control which is not
provided within the main act and it is argued that this beyond the capability of a delegated
legislation.

Myspace v. Super Casettes: The court said that the share button on the site of an intermediary does
not amount to transmission because the control still remains with the user and it still acts as a
conduit.

The due diligence requirement for Intermediaries under Section 79(2)(c) have been provided under
IT (Intermediary Guidelines and Digital Media Ethics Code) 2021. In Christian Louboutin Sas v. Nakul
Bajaj said that the requirements of due diligence are limited to what has been provided in the
regulations. However, the position has not been settled by the courts.

Rule 3 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 deals with the
due diligence requirements by intermediaries. Rule 3(1)(d) provides for actual knowledge, which is
distinct from constructive knowledge. The basis for imputing actual knowledge under the provision is
court orders and govt. agency notices. The provision also required that any information which has
been removed or access to which has been disabled, the intermediary shall, without vitiating the
evidence in any manner, preserve such information and associated records for one hundred and
eighty days for investigation purposes,

There is a grievance redressal mechanism that has to be adopted by intermediary which requires the
intermediary to acknowledge the complaint within 24 hours and also if the complaint is against any
content which exposes private photos involving nudity or impersonation with respect to the
complainant, then the intermediary has to take all reasonable and practicable measures to remove
or disable access to such content which is hosted, stored, published or transmitted by it.

The government can issue guidelines to intermediaries for blocking unlawful content under Section
69 and Section 79. The consequences for not obeying Section 79 are that Safe Harbour will be taken
away but the non-adherence of order under Section 69 will lead to penal consequences.

Rule 4 provides for additional due diligence that is required to be observed by a significant social
media intermediary (which is any social media intermediary with more than 5 million users).

Rule 4(4) provides that intermediaries have to endeavour to employ tech based measures including
automated tools to proactively identify content that depicts rape / CSA imager or is exactly identical
to previously disable content pursuant to a court order / government notice. There are three
conditions to proactive filtering:

a. Measures to be proportionate
b. Appropriate human oversight and periodic review of intermediary’s use of automated tools
c. Automated tools to be evaluated for fairness, accuracy, propensity for bias, discrimination
and impact on privacy of users.

There is an obligation on the intermediary to identify the first originator of the information.
However, it is difficult to identify the first originator which does not cover cross posting and sharing
of content.

Consumer Protection (E-Commerce) Rules, 2020

Rule 2(b) defines “e-commerce entity” as any person who owns, operates or manages digital or
electronic facility or platform for electronic commerce, but does not include a seller offering his
goods or services for sale on a marketplace e-commerce entity.

Furthermore, “inventory e-commerce entity” under Rule 2(f) means an e-commerce entity which
owns the inventory of goods and services and sells such goods or services directly to the consumers
and shall include single brand retailers and multi-channel single brand retailers. They cannot avail
safe harbour.

“Marketplace e-commerce entity” has been defined as Rule 2(g) as an e-commerce entity which
provides an information technology platform on a digital or electronic network to facilitate
transactions between buyers and sellers.

An entity could be operated as both.

Kunal Bahl v. State of Karnataka (2020): Liability was sought to be imposed on Snapdeal for the
medicines being sold on its platform as it did not have a license to do so. It was, however, argued
that it was only a marketplace e-commerce entity and was eligible for safe harbour. The High Court
quashed the proceedings on the ground that Snapdeal was an “intermediary” under s. 2 (1)(w) of the
Information Technology Act 2000 (IT Act) and in view of the safe-harbor for intermediaries under s.
79 of the IT Act, was not liable for such unauthorized sale on its platform by a third-party seller.
Flipkart Internet Private Ltd v. State of NCT Delhi: Only court orders count towards standard of
knowledge for e-commerce intermediaries. The court clarified in this case that the nature of
contested affairs in IP matters cannot be determined only by courts and intermediaries cannot be
expected to make determinations about the validity of claims. The standard of knowledge for e-
commerce intermediaries would then be court orders.

Rule 4 deals with the duties of e-commerce entities. It requires e-commerce entities to appoint a
nodal person of contact or an alternate senior designated functionary who is resident in India to
ensure compliance with the provisions of the Act or the rules made thereunder.

E-commerce entities are required to provide information such as the legal name, principal
geographic address of the HQ, contact details etc. in a clear and accessible manner. They are
prohibited from adopting any unfair trade practice and have to establish an adequate grievance
redressal mechanism.

Christian Louboutin v. Nakul Bajaj: This case dealt with the question of value added services.

It was held that if a platform is adding value to a product, it would not be a mere intermediary.
There was a distinction between active and passive intermediaries. The holding of this case was
corrected in the following case.

Amazon Seller Services v. Amway: The Delhi HC held that the rationale of Section 69 for violation of
law cannot be imposed on the intermediary. The court held that Amway could not show that
Amazon was not interfering in the product. Furthermore, the employment of value added services
cannot be used as a means of disqualifying an entity from protection as an intermediary.

Functional Equivalence: The UNCITRAL Model Laws [Model Law on Electronic Commerce] rely on a
‘functional equivalent approach', which is based on an analysis of the purposes and functions of the
traditional paper- based requirement with a view to determining how those purposes or functions
could be fulfilled through electronic commerce techniques. The MLEC was the first legislative text to
adopt the fundamental principles of non-discrimination, technological neutrality and functional
equivalence that are widely regarded as the founding elements of modern electronic commerce law.
The principle of non-discrimination ensures that a document would not be denied legal effect,
validity or enforceability solely on the grounds that it is in electronic form.  The functional
equivalence principle lays out criteria under which electronic communications may be considered
equivalent to paper-based communications. In particular, it sets out the specific requirements that
electronic communications need to meet in order to fulfil the same purposes and functions that
certain notions in the traditional paper-based system - for example, "writing," "original," "signed,"
and "record"- seek to achieve.

Features of the IT Act

1. Certifying Authority: DSC (Digital Signature Certificate)

 2. CCA (Controller Certifying Authority): Regulates CAs. It provides them license and regulates
the working of Certifying Authorities Section 17 and Section 18 deals with the appointment
and the functions of the controller. It also includes certifying public keys of CA, laying down
the standards to be maintained by them, specifying the form and content of an electronic
signature certificate and the key, specifying the form and manner in which accounts shall be
maintained by the Certifying Authorities.

3. Adjudicating Tribunal: TDSAT (The Telecom Disputes Settlement and Appellate Tribunal).
Section 48 deals with this. Adjudicating Officers deal with disputes of less than 5 crores
(Section 46) and the civil court will deal with disputes more than 5 crores. Section 61 bars
the jurisdiction of the civil court where the adjudicating officer has been granted authority.
An order by the AO can be appealed before the Adjudicating Tribunal. Section 62 provides
that an appeal for the decision of the TDSAT lies before the High Court.

4. Subscriber : User

5. Various rules have been notified under the IT Act, 2000

a. IT (Reasonable security practices and procedure…) Rules

6. The Act adopts a long arm approach which allows jurisdiction over an out of country
defendant besides extending to the whole of India. This in distinct from the geographic
internet theory wherein a person overseas uses the internet to produce harmful effects, it
would entitle the local sovereign to regulate the effects.

In 2008, there was an amendment in the Act in light of the 26/11 Mumbai attacks. Technological
neutrality changes were made like change of ‘digital signature’ to ‘electronic signature’.

Section 2(p) defines “digital signature” as authentication of any electronic record by a subscriber by
means of an electronic method or procedure in accordance with the provisions of Section 3 while
Section 2(ta) defines “electronic signature” as authentication of any electronic record by a subscriber
by means of the electronic technique specified in the Second schedule and includes digital signature.

7. Indian Computer Emergency Response Team (ICERT): Section 70A provides for the
notification of the national nodal agency in respect of Critical information Infrastructure
Protection. Section 70B provides for the ICERT to serve as national agency for the incident
response.

Chapter III- statutory basis for E-Governance in India.

DATA PROTECTION

Schedule 1, UK DPA, 1998 - Similar to the EU GDPR.

 - Principle 8 forbids personal data from being transferred to a country or territory outside the
EEA unless that coEntry ensures an adequate level of protection for the rights and freedoms
of data subjects.

Sec 43A, IT Act,2000

- extends only to body corporates and not natural persons. Sensitive personal data not
defined in the Act and amount of compensation not specified either. Also see Section 72A,
IT Act, 2000.

Rahul Matthan is extremely critical of these Rules

- their scope limited to merely Section 43A

- Not a comprehensive code on data protection.

- The Rules are doing what should be done by a legislation- whether ultra vires?

The definition of “ Sensitive personal data” is criticised because it provides protection to only certain
kinds of information for purposes of data protection while other personal information is equally
necessary to secure.

Further, such distinction is not consistent with the international principles. See how wide the
definition of “personal information” under EU GDPR is.

Section 72 criticised for lack of a proper framework.

The Digital Personal Data Protection Bill, 2022 - to provide for processing of personal data that
recognises both the rights of individuals to protect their personal data and the need of data
fiduciaries to collect data for lawful purposes.

Rights of Data Principles -

(i) Right of Erasure,

(ii) Right of Grievance Redressal,

(iii) Right of Correction,

(iv) Right to nominate,

(v) Right to be forgotten and

(vi) Right to Data portability and

(vii) Right to information about personal data;

1. Entire Section 16 to be deleted - serves no purpose by fixing duties upon the rights of the
data principle.
2. Section 19- Data Protection Board of India - only carries adjudicatory functions and no
regulatory functions
3. “Child” definition - legal age of consent is 18. In GDPR, the age of consent is 16.
 4. “Harm” definition - mere personal data breach is no cause of action. Definition of harm is
very specific and narrow in scope.
5. No concept of anonymisation in the Bill - many data breaches occur due to non-
anonymisation of data.

Review and Appeal mechanism

S.22(1) – the Board may review its order, acting through a group for hearing larger than the group,
which held proceedings in a matter under S.21.

*Discussion on Whole Time Directors and Non-Executive Directors* – Discussed regarding SEBIs
function in a neutral and independent manner.

There is an AO which adjudicates and imposes penalty. Thereafter there is appeal to the SAT.

SAT consists of
1. Chief Executive - qualifications, appointment
2. Search cum selection committee – membership?
3. Board Memberships
4. Appointment and Removal of Board Members.

Section 16: Duties of data principal – duty to comply with provisions of all applicable laws while
exercising rights under the Act. Possibility to harass individuals on the basis of this Act.

Section 7 talks about consent of data principle:

- Problem with this provision is that selective withdrawal of consent does not exist. e.g. direct
marketing by telephone companies provided.

Section 8 deals with deemed consent, there is no talk of prior notice.

(illustration – ‘A’ shares her name and mobile number with a Data Fiduciary for the purpose of
reserving a table at a restaurant. ‘A’ shall be deemed to have given her consent to the collection of
her name and mobile number by the Data Fiduciary for the purpose of confirming the reservation).

Read Section 8 and 7 as whole.