The Asia Internet Coalition has accused the Nepali draft IT Bill of vague phrasing in its restrictions, empowering authorities indiscriminately, and of failing to understand the services it seeks to regulate. The submission has also made use of Indian law, including the Supreme Court’s striking down of Section 66A, to make its point on provisions of the Bill being prone to abuse by the government.

The submission points out flaws in data retention limitations set by the Bill, namely the legal and practical considerations for storing data. The other points in the Bill brought out are the vague phrasing in a number of provisions. These include the registration requirements placed on “social networks”, and the penal provisions with respect to “breaking privacy”. Provisions on intermediary liability dilute the protection of platforms that do not exercise editorial control over the dissemination of content, and places a burden of determination on such platforms.

On registration of social networks and Data retention

The Bill seeks to have a registration system for social networks, a class of entities too vague to be grouped together owing to the varied kinds of services available from platform online. The conditions to determine which entities require registration have not been made sufficiently clear.

Any legal provision that seeks to regulate the emerging online service industry on the basis of hard and fast categorisations and registration processes, may risk quick obsolescence.

A strict registration system should be retained for a situation where certain rights are afforded to the registered entities, which is not the case with social networks. The submission therefore argues for a self-regulatory model based on kinds of services provided, for the effective upkeep of regulations along with the technological developments in the sector.

The data retention requirement, similar fails to understand the nature of services being regulated. The requirement of data to be destroyed within 30 days is argued to be unworkable due to legal liability with respect to laws of other countries, as well as data being kept for litigation and requests from law enforcement agencies. Exceptions to such a requirement should include legal requirements to store data, including procedural issues such as taxation and audits. The submission also argues that de-identified data should also allowed to be stored, as this does not harm the privacy of users.

On Intermediary Liability

Section 68(1) of the IT Act states: “service providers are not liable for…criminal liability [that] arises from any fact or particulars only because they provided access to such information or data or link.” One of the conditions for this is that the service provider has “not selected the user by its own and the Service Provider did not select or altered the information its own.”… A proviso to this section states that “Service Provider’s liability is not exempted where the provider is aware the information, data or the link that infringes the provision of existing law or the service provider acts as an abettor of a crime and do assistance to commit such crime.”

A key problem with the draft legislation here is the introduction of ‘awareness’ as a consideration in holding intermediaries liable. The submission argues that this is a dangerous standard for determination of liability, because it places a burden on private parties to make a determination on lawfulness of the content being shared without a judicial determination. This may lead to a burden of monitoring and private adjudication, which is effectively a restriction on free speech.

The practicability of such a requirement is also a problem, with smaller entities and startups not equipped with the resources to carry out such heavy monitoring processes. The Manila Principles have been put forward by the submission as a model for drafting of provisions with regard to intermediary liability. This protects intermediaries from liability for third party content, and due process of law and transparency in requests for blocking of content.

On vague penal provisions and the Shreya Singhal judgment

Section 78 of the IT Act states: “Where anyone breaks the privacy of someone else’s private information that is in electronic form, as per the offence the person shall be liable to the punishment…”

The phrase “breaking privacy” remains vague, and as yet undefined in specific terms. The requirements of the provision are already met under different parts of the Bill, which opens up the vague phrasing of this penal provision to abuse by authorities. Criminal sanctions against online speech require strict framing of violations, which can limit their applicability in order to prevent their abuse to muzzle free speech.

Similarly, Section 87 of the Bill lays down penal sanctions for acts such as “teasing” and “confusing”, through social media. These phrases are left unexplained, but carry punishments of five lakh rupees and a possible year of imprisonment.

The provision does not specify the elements which would constitute such acts. Many kinds of content could be considered to be “teasing”, “insulting” or “creating difficulty”, based on the sensitivities of different people. It would be exceedingly challenging to develop judicial thresholds for offences of this nature.

It is here that the Indian Supreme Court judgment in Shreya Singhal is used to argue that the provisions remain “nebulous in meaning”. Section 66A of the Indian IT Act was struck down in this judgment for being open ended, undefined, and vague”. The submission argues that the online space should provide for a diversity of views, and that the criminal provisions pointed out “have a tangible impact on several fundamental freedoms of users, such as the freedom of speech, expression and right to privacy.”