
Intermediary (ISP, Website Hosting, Facebook, Google, Banks, Stock Exchanges, Social Networking sites) Law in India

posted Feb 21, 2013, 5:35 AM by Prashant Mali
As per Section 2(1)(w) of the IT Act, 2000 (Indian Cyber Law) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
1. All Banks, Insurance & Finance companies
2. All Stock Exchanges (NSE, BSE, MCX etc.)
3. All ISPs (BSNL, MTNL, SIFY, Tikona etc.)
4. All Telecom Companies (Airtel, Vodafone, Aircel, Reliance etc.)
5. All Auction Sites (ebay.in, Quikr, mybid.in, auto auction sites etc.)
6. All e-commerce sites (Flipkart, Myntra, Jabong, Amazon etc.)
7. All Payment gateways, payment aggregators
8. Search Engines, Social networking websites
9. Cyber cafes (any place where public surfing on the internet is allowed)
10. To be interpreted on a case-to-case basis
Responsibility of an Intermediary
The intermediary or person in-charge of computer resource shall be responsible for the actions of their employees also, and in case of violation of the provision of the Act and rules made thereunder pertaining to maintenance of secrecy and confidentiality of information or any unauthorised monitoring or collection of traffic data or information, the intermediary or person in-charge of computer resource shall be liable for any action under the relevant provision of the laws for the time being in force.
(Under Clause 6 of the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009)
Intermediary to ensure effective check in handling monitoring or collection of traffic data or information
The Intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that unauthorised monitoring or collection of traffic data or information does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of monitoring or collection of traffic data or information as it affects privacy of citizens and also that this matter is handled only by the designated officer of the intermediary or person in-charge of computer resource.
Destruction of records by Intermediary
(1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic data, shall be destroyed by the designated officer after the expiry of a period of nine months from the receipt of direction or creation of record, whichever is later, except in a case where the traffic data or information is, or is likely to be, required for functional requirements.
(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings, the intermediary or the person in-charge of computer resource shall destroy records pertaining to directions for monitoring or collection of information within a period of six months of discontinuance of the monitoring or collection of traffic data and in doing so they shall maintain extreme secrecy.
Due diligence to be observed by Intermediary in India
The intermediary shall observe the following due diligence while discharging his duties, namely:
(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary’s computer resource by any person.
(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that:
(a) belongs to another person and to which the user does not have any right;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, pedophilic, libelous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;
(c) harms minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force;
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) impersonates another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i) threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.
(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2):
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;
(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or being brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty-six hours and, where applicable, work with the user or owner of such information to disable such information that is in contravention of sub-rule (2). Further, the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.
(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.
(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.
(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.
(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.
(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.
(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:
Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as the mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.
To be continued.

prashant.mali@cyberlawconsulting.com