“There have been too many cases of this happening…criminal liability specifically without categorizing what harm has been caused…One step back is to say the government wants someone to catch, and they feel that often they are not able to catch somebody. But the other side is like criminal liability seems too draconian,” observed Venkatesh Krishnamoorty from BSA, The Software Alliance, while speaking as a panelist at MediaNama’s MarketsNama conference on May 19, 2023.
MediaNama Editor Nikhil Pahwa posed a question on personal criminal liability imposed upon companies and whether it is something that needs to be addressed in the Digital India Act. The question was important in the context of the challenges that arise for companies, service providers and platforms when they face threats of legal proceedings because a user has raised a complaint or because they fail to meet the requests of enforcement agencies, and in other cases that involve the investigation of crimes committed by third-party actors.
We have covered the initial part of the discussion, in which the panelists touched upon inconsistencies in the practice of law and the broad nature of requests that strain cooperation between the two parties.
Note: Under Section 6 of the IT Rules 2021, any intermediary other than a significant social media intermediary is required to meet due diligence requirements laid out under Section 4 of the rules. This includes appointing a Chief Compliance Officer who shall be responsible for ensuring compliance with the IT Act and rules and shall be liable in proceedings relating to any “relevant third-party information, data or communication link made available or hosted by that intermediary where he fails to ensure that such intermediary observes due diligence while discharging its duties”.
On the process of requesting data: Responding to Pahwa’s question, Shekhar, a discussant who has dealt with law enforcement agencies for over a decade, pointed out that the situation currently is not too informal or random. He stated that initially, there was not enough awareness among law enforcement agencies on what kind of requests must be sent to which service providers, and companies did not know how to respond to some of these requests. But, according to Shekhar, the process is becoming more streamlined, with every district having its own cyber cell, companies having their own platforms to register these complaints and ground-level cops becoming more tech-savvy.
As he discussed the procedural aspects of cooperation, Shekhar hinted at certain formal and informal engagements with law enforcement agencies in cases where aspects of national security are involved. To this, Pahwa questioned whether these procedures must be codified in law and made public for greater transparency. One reason is that there are greater chances of illegal requests for data being made, which have a direct impact on a user’s fundamental rights like privacy; requests for real-time data of a citizen’s location are one example.
As Pahwa pointed out, the most important question that needs attention in this discussion is: what prevents a company from sharing the live location data of an individual upon a law enforcement request? And will any company want to take on a law enforcement agency that can potentially bring criminal liability charges against an employee? While the discussants covered various aspects of the procedure laid out under Section 91 of the Code of Criminal Procedure, there was no substantial take on whether any provision under law provides sufficient safeguards for users against potential infringement upon their rights.
On oversight mechanism for surveillance:
As the discussants touched upon the data that the government aims to access, formally or informally, they also talked about the targeting of end-user devices for surveillance, for example, the Pegasus case, wherein spyware was reportedly deployed against Indian journalists, activists and other citizens. When asked what an oversight mechanism for surveillance must entail, panelist Krishnamoorty stated that one of the things the Digital India Act must focus on is providing for “narrowly tailored” requests by law enforcement agencies and specifying the safeguards that protect companies and individuals from misuse of these powers. These, he explained, must consider points like the specifics of the data to be accessed, safeguards and thresholds for real-time monitoring, interception and judicial oversight for such requests.
He also emphasised the need to align with the framework for privacy laid out under the Puttaswamy judgment and the need for international cooperation agreements, specifically with respect to law enforcement under the Digital India Act.
“If there is any leeway for committee analysis or things that could compare different legislations, provisions for government to embark in those exercises, it may not come through an act, it won’t, but there could be provisions to do things around that,” he added.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.