This article has been written by Vasu Manchanda and Jyoti Dubey from the Faculty of Law, DU.
Technology law is emerging as the most sought-after branch of the legal profession in India. In the wake of the current COVID-19 pandemic, the dependence on technology has grown manifold. The Chief Justice of India SA Bobde can be quoted as saying, “For those who have no access to technology, courts simply don’t exist during COVID-19.” This holds not only for the litigants but also for the litigators. Many practicing attorneys are experiencing a paradigm shift in how litigation is conducted and are consequently upskilling themselves to keep pace with technological advancements. With India offering one of the biggest markets of internet users, it has perhaps become the favorite destination of tech companies around the world. The billions of dollars of investment in Reliance Jio, BYJU’S, and other India-based technology companies, the upsurge in the business of EdTech (a portmanteau of education and technology) companies such as WhiteHat Jr and Vedantu, and the arrival of various video streaming and web conferencing applications amidst the pandemic are well-documented.
This raises the need for law students to be future-ready, or rather present-ready, as it is felt that no field of business or legal profession can operate without being dependent on the internet, which has become akin to electricity. With the coming up of the Internet of Things (IoT), cloud computing, and Artificial Intelligence (AI) software, the legislature is finding it hard to keep pace, especially in the absence of an updated Information Technology Act, robust privacy law, and adequate safeguards to protect the data.
This article is a sincere attempt to keep aspiring technology lawyers abreast of the existing and proposed statutes pertaining to technology law. The acts, rules, and regulations that an aspiring technology lawyer must know are as follows:
The Bankers’ Book Evidence Act, 1891
This Act gives legal sanctity to the books of accounts/financial statements maintained in electronic form by the banks. The expression “bankers’ book” given under Section 2(3) of the Act, after the amendment brought in by Section 93 of the Information Technology Act, 2000 (which now stands omitted), includes, in addition to the ledger, register, account books, and any other book used in the ordinary course of business, printouts of data stored in a disc, tape, floppy or any other form of electromagnetic storage device. Such electronic records that are used in the ordinary course of business can be used as evidence in the courts by virtue of this Act.
The Information Technology Act, 2000
This Act provides legal recognition to transactions carried out through electronic data interchange and other means of electronic communications which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and for matters connected therewith or incidental thereto. Major amendments were brought into the Act by way of the Information Technology (Amendment) Act, 2008.
Information Technology (Certifying Authority Rules), 2000
These Rules were made by the Central Government to regulate applications and other guidelines concerning electronic as well as digital signatures for Certifying Authorities. They specify the manner of granting licenses to certifying authorities for issuing digital signature certificates, the manner of creation and verification of digital signature certificates, and the authentication of information encrypted by means of digital signature, in addition to laying down security guidelines for certifying authorities, among other requirements to be complied with by an applicant.
Information Technology (Certifying Authorities) Regulations, 2001
The Controller, in the exercise of its powers conferred by clauses (c), (d), (e) and (g) of sub-section (2) of section 89 of the Information Technology Act, 2000, after due consultation with the Cyber Regulations Advisory Committee and with the approval of the Central Government, framed these Regulations. They specify the terms and conditions of the license that need to be fulfilled by the Certifying Authority to issue Digital Signature Certificates and the standards that need to be followed by the Certifying Authorities for carrying out their functions.
The Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003
These Rules specify the eligibility criteria that a person needs to meet in order to be appointed as an adjudicating officer, and the scope and manner in which an adjudicating officer shall hold an enquiry and pass orders about payment of damages by way of compensation or impose such penalty depending upon the evidence produced.
The Information Technology (Other Standards) Rules, 2003
These Rules were framed by the Central Government in the exercise of the power conferred by clause (g) of sub-section (2) of section 87 read with sub-section (2) of section 20 of the Information Technology Act, 2000. They specify the standards that need to be observed by the controller to ensure that the secrecy and security of the digital signatures are assured.
Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004
These Rules provide for the filing of any form, application or any other document referred to in clause (a) of sub-section (1) of section 6 of the Information Technology Act, 2000 with any authority, body or agency controlled by the Government; issuance of any permit, sanction, approval or license and the payment of required charges.
Information Technology (Security Procedure) Rules, 2004
The Central Government, in the exercise of the powers conferred by clause (e) of sub-section (2) of section 87 read with section 16 of the Information Technology Act, 2000, framed these Rules. They specify the manner in which electronic records and digital signatures shall be deemed to be secure electronic records and secure digital signatures, respectively.
Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
These Rules specify the procedure the government must follow to order the blocking of IP addresses. A designated officer shall be appointed by the Central Government to issue directions for blocking of access by the public to any information generated, transmitted, received, stored, or hosted in any computer resource under sub-section (2) of section 69 of the Information Technology Act, 2000.
Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009
These Rules specify the procedure the government must follow to monitor and collect traffic data or information for cyber security. They provide that the competent authority may authorize the competent agency of the government for monitoring and collection of traffic data or information generated, transmitted, received, or stored in any computer resource by issuing directions under sub-section (3) of section 69 of the Information Technology Act, 2000.
Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
These Rules specify the procedure the government must follow to intercept, monitor, and decrypt electronic information stored, generated, transmitted, or received in any computer resource. They specify that in the absence of an order issued by the competent authority, no person shall be authorized to carry out the interception or monitoring or decryption of any information generated, transmitted, received, or stored in any computer resource under sub-section (2) of section 69 of the Information Technology Act, 2000.
Information Technology (Intermediaries Guidelines) Rules, 2011
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
These Rules were notified by the Department of Information Technology on April 11, 2011. They apply to persons and body corporates in India and provide a list of items that are to be treated as “sensitive personal data,” including but not limited to credit/debit card information, biometric information, passwords, physiological, physical, and mental health conditions, among others. However, any information freely available in the public domain is not considered to be sensitive personal data. They provide guidelines that need to be adhered to by a body corporate while collecting, processing, and storing information and impose certain duties on them.
The Information Technology (Due Diligence Observed by Intermediaries Guidelines) Rules, 2011
These Rules were framed by the Central Government in the exercise of its power conferred by clause (zg) of sub-section (2) of section 87 read with sub-section (2) of section 79 of the Information Technology Act, 2000. They specify due diligence that intermediaries need to observe while discharging their duties.
Information Technology (Guidelines for Cyber Cafes) Rules, 2011
These Rules provide for the setting up of an agency for registration of cyber cafes, identification of users by way of issued identity cards, the recording and maintenance by Cyber Cafes of the required information of each user and accompanying person (if any) in the log register for a minimum period of one year, and the inspection of cyber cafes and the computer resources established therein by an authorized officer.
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013
These Rules were framed by the Central Government in the exercise of its power conferred by clause (zf) of sub-section (2) of section 87 read with sub-section (5) of section 70(B) of the Information Technology Act, 2000. These Rules provide for the location, authority, constituency, functions, responsibilities, and functioning of The Indian Computer Emergency Response Team (CERT-In). In addition, they specify the services that CERT-In would provide and the operations that it is authorized to conduct.
The Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013
Under these Rules, a “critical sector” has been defined to mean sectors, which are critical to the nation and whose destruction will have a debilitating effect on national security, public health, safety, or economy. These critical sectors have been classified as (a) banking, financial services and insurance, (b) power and energy, (c) transportation, (d) Information and Communication Technologies (ICTs), and (e) e-governance and strategic public enterprises. The Rules provide a basic framework for the protection of critical information infrastructure.
Information Technology (Recognition of Foreign Certifying Authorities not Operating Under Any Regulatory Authority) Regulations, 2013
These Regulations specify the criteria for the recognition of foreign authorities which do not operate under any regulatory authority, adjudge the validity of such recognition, hold any digital signature certificate issued before such recognition as invalid, and lay down the criteria for refusal, renewal, suspension or revocation of such recognition granted under the Information Technology Act, 2000.
Information Technology (Recognition of Foreign Certifying Authorities Operating Under Any Regulatory Authority) Regulations, 2013
These Regulations specify the criteria for the recognition of foreign authorities which operate under any regulatory authority in the country, adjudge the validity of such recognition, hold any digital signature certificate issued prior to such recognition as invalid and lay down the criteria for refusal, renewal, suspension or revocation of such recognition granted under the Information Technology Act, 2000.
Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016
These Rules were notified by the Central Government for the preservation and retention of information by intermediaries providing Digital Locker Facilities. They specify how the digital locker system can be used by the subscriber, requester, and issuer, the role of digital locker service providers, and suspension and revocation of digital locker accounts, among other procedural aspects of the digital locker facilities.
The Payment and Settlement Systems Act, 2007
This Act was issued to provide for the regulation and supervision of payment systems and to designate the Reserve Bank of India as the authority for that purpose and matters incidental thereto. A payment system under Section 2(1)(i) of the Act enables payment to be effected between a payer and a beneficiary by virtue of debit card, credit card, smart card, money transfer, or similar operations, and a payment instruction as defined in the Act can be communicated by any authorization order or instrument in any form, including electronic means, to give effect to a payment.
Framework for imposing monetary penalty on authorised payment system operators/ banks under the Payment and Settlement Systems Act, 2007
The RBI issued a framework for imposing a monetary penalty on authorised payment systems operators/ banks under the Payment and Settlement Systems Act, 2007 in the year 2016 to provide procedural guidance on levy of penalties under the Act. This framework was replaced by the RBI vide Circular dated January 10, 2020. The framework ensures transparency in regulatory actions in the FinTech sector and keeps a check on the wide discretionary powers exercised by the RBI under the Act.
Payment and Settlement Systems Regulations, 2008
These Regulations provide for submission of application for authorization for commencing or carrying out a payment system, grant of authorization of certificate, submission of returns, documents, etc. as may be required by the banks in addition to the furnishing of accounts and balance sheets by every system provider.
The Board for Regulation and Supervision of Payment and Settlement Systems Regulations, 2008
These Regulations provide for the constitution of the Board for Regulation and Supervision of Payment and Settlements, and a Committee of the Central Board of Directors of the Reserve Bank of India. The Regulations pertain to the procedure of carrying on a payment system, grant of authorization, furnishing of returns, furnishing of accounts and balance sheets by system providers, and determination of standards of payment systems.
The Copyright Act, 1957
This Act (as amended by the Copyright Amendment Act, 2012) governs the subject of copyright in India. Copyright is the right given by law to the creators of literary, musical, and dramatic works, computer programs, and a variety of other works. It grants economic incentives to the creators and encourages investments and efforts in fostering innovation, expanding knowledge, and utilising one’s intellect for the growth and development of oneself and the society at large. It is felt that the arrival of various social media and video streaming platforms has provided a massive opportunity for people to exhibit their literary, dramatic, and/or artistic creations, among others, which has further given rise to the possibility of infringement of such rights, whether intentional or unintentional.
The Copyright Rules, 2013
These Rules lay down the procedure involved in the relinquishment of copyright by the owner of the work, issuance of compulsory license, extension, and cancellation of license, setting up of the copyright board and copyright societies, manner of determining royalties, granting of statutory licenses for cover versions and broadcasting of literary and musical works and sound recordings, among other procedural aspects.
The Trademarks Act, 1999
With instances of cybersquatting, i.e., the act of obtaining fraudulent registration of a domain name with an intent to sell it to the lawful owner of the trademark at a premium, being on an unprecedented rise, knowledge of the Trademark laws is indispensable. In the absence of robust cyber laws, cybersquatting cases are decided within the ambit of trademark laws by interpreting the principle of passing off concerning domain names.
The Digital Signature (Entity Rules), 2015
These Rules specify the procedure for the creation of digital signature and XML digital signature, the manner of authentication of information by means of digital signature and XML digital signature, and verification of the digital signature, digital signature certificate, XML digital signature, and XML digital signature certificate, in addition to laying down certain standards applicable to activities associated with the digital signature and XML digital signature functions, respectively.
The Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015
These Rules specify the procedure for authentication of an electronic record by an e-authentication technique using Aadhaar e-KYC (Know Your Customer) services and the applicable use of asymmetric crypto system and hash techniques, thereby leading to the issuance of a Digital Signature Certificate by the Certifying Authority.
The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
These Rules specify the procedure for filing applications to the Cyber Regulations Appellate Tribunal established under section 48 of the Information Technology Act, 2000. They state that an applicant shall file an application with the Registrar for a prescribed fee, which shall undergo scrutiny before being registered.
E-Waste (Management and Handling) Rules, 2010
These Rules enumerate the responsibilities of the producers of electrical and electronic equipment, consumers, collection centers, dismantlers, and recyclers, and the procedure for obtaining authorization by the above-mentioned persons from the State Pollution Control Board or Pollution Control Committee of Union Territories. They also lay down the procedure for the storage of e-waste.
The Digital Information Security in Healthcare Act, 2018
The Government is planning to bring in this Act to provide for the establishment of National and State eHealth Authorities and Health Information Exchanges; to standardize and regulate the processes related to the collection, storing, transmission, and use of digital health data; and to ensure reliability, data privacy, confidentiality and security of digital health data and such other matters related and incidental thereto.
Telemedicine Practice Guidelines
The Central Government released the Telemedicine Practice Guidelines to lay down the requirements that need to be complied with by registered medical practitioners to provide teleconsultation services in India. Providing teleconsultation remotely even to patients located in different states has been legalized. However, the doctors need to display their registration number in all communications exchanged with the patient. Such communication by way of prescription and fee receipts can take place over mail or WhatsApp, among other specified mediums. Also, as a precautionary measure, it has been stated that prescribing medicines for chronic diseases should be avoided during teleconsultation, and if inevitable, it should be done only via video while the prescription can be sent via any electronic medium.
General Data Protection Regulation (GDPR)
The GDPR is the primary law that regulates the protection of the personal data of European Citizens. It applies to each member state of the European Union (EU) and aims to create more consistent protection of personal and consumer data across the EU nations. It requires companies to obtain the consent of subjects for data processing, anonymize the collected data, and provide data breach notifications, among other statutory requirements. Failure to comply with the GDPR can subject companies to fines and penalties.
The Personal Data Protection Bill, 2019
This Bill was introduced by the Ministry of Electronics and Information Technology. It aims to provide for the privacy of individuals with respect to their personal data and establish a Data Protection Authority of India. It stipulates how personal data shall be processed, collected, used, stored, disclosed, and transferred. It proposes to protect personal data concerning the characteristics, traits, identity, and attributes of a natural person, in addition to sensitive personal data such as sexual orientation, biometric data, and transgender status, among others.
Consumer Protection Act, 2019
This Act was brought into force on 20th July, 2020, to empower the consumers even in cyberspace by enacting a swift redressal mechanism and protecting their rights as enumerated under Section 2(9) of the Act through its various provisions. In addition, it establishes the Central Consumer Protection Authority to protect, promote and enforce the rights of consumers by way of conducting investigations into alleged violations of consumer rights, ordering a recall of unsafe goods and services, and imposing penalties on manufacturers, publishers, and endorsers.
Consumer Protection (E-Commerce) Rules, 2020
These Rules were framed by the Government of India to complement the Consumer Protection Act, 2019 by regulating the e-commerce transactions and activities, in addition to laying down duties and liabilities of such e-commerce entities, inventory e-commerce entities, marketplace e-commerce entities, and sellers.
The Delhi Geo-spatial Data Infrastructure (Management Control, Administration, Security and Safety) Act, 2011
This Act was passed by the Legislative Assembly of National Capital Territory of Delhi to create, update, manage, disseminate, and share geospatial data, geo-spatial map, geospatial system, geo-spatial application, and geo-spatial portal of the land revenue records, public utilities, and property details by entrusting the responsibility to the GeoSpatial Delhi Limited so that the same can be utilized for better planning and management by the departments, corporations, boards of the Government of the National Capital Territory of Delhi, public authorities, public and private agencies, and local bodies.
The National Cyber Security Policy, 2013
This policy was issued by the Department of Electronics and Information Technology, Ministry of Communication and Information Technology. It aims at protecting the private and public infrastructure from cyber attacks. It provides a mechanism for sharing and analyzing information about the vulnerability, threats, and cyber attacks as it was felt by the policy makers that security solutions cannot be built without coordinated responses or threat intelligence.
National Strategy for Artificial Intelligence (AI)
NITI Aayog released a discussion paper titled ‘National Strategy for Artificial Intelligence.’ It proposes setting up Centres of Research Excellence (CORE), focused on developing a better understanding of existing core research and pushing technology frontiers, and International Centers of Transformational AI, for developing and deploying application-based research. Also, it recommends the creation of a multi-stakeholder marketplace, creation of large foundational annotated data sets, partnership and collaboration among stakeholders, spreading awareness regarding the benefits of AI, and supporting AI-based startups in India.
While the Government has tried to cover all the facets of the legal-technology sector, in the absence of a revamped Information Technology Act and robust privacy law, the battle is only half won. The need to have adept knowledge of the existing technology law statutes, to sensitize the general public of their rights and hold the miscreant data-oriented companies liable, is imperative.
Note: The above-mentioned list of statutes is only illustrative and not exhaustive and is in no particular order.