Key reports released by the Standing Committee on Information Technology

This blogpost summarizes some of the key reports that have been released by the Standing Committee on Information Technology since its inception.

Since its inception, the Standing Committee on Information Technology (“SCIT”) has released 305 reports. Out of these, 55 reports were on different subjects and 14 reports were on different Bills referred to the SCIT. In this blogpost, we have summarized four key reports released by the SCIT.

A. 39^th report of the SCIT on the ‘Communication Convergence Bill, 2001’: [1]

The Communication Convergence Bill, 2001 (“CCB”) was introduced in the Lok Sabha on 31 August, 2001.[2]

The backdrop of the introduction of the CCB was the phenomena of blurring regulatory lines between multiple emerging industries: information technology, the Internet, telecommunications, and television.[3] Provision of different kinds of services over the existing infrastructure and the enhancement of existing technologies so as to provide a wide variety of services is known as communication convergence.[4] This is the phenomena that allows one today to view text, audio, and audio-visual content on the internet on any device which can use IP such as a smartphone, tablet, smart TV, PC or laptop. In theory, these devices receive the same content; however, in reality there are often differences between the networks over which the device connects and the software and hardware design of each device, such as wireless data connections, satellite, hard line telecom or cable wires, and even electrical systems.[5]

Instead of different regulatory authorities dealing with different media, such convergence in the media was sought to be regulated with the creation of a single regulatory authority. This would help develop the communication sector in a competitive manner, and ensure that market dominance in a converged environment is suitably regulated.[6]

At the time of its introduction, India was only the second Asian country to introduce a Bill on this topic, with the first being Malaysia. The proposal under CCB is similar to what was done in the UK with the creation of Ofcom, which inherited the regulatory onus of five different bodies in broadcasting, television, radio, and postal sectors.[7]

The notable features of CCB which were analysed by the SCIT were:

1. Repeal of five existing laws: The CCB sought to repeal the Indian Telegraph Act, 1885; Cable Television Networks Act, 1995; Indian Wireless Telegraphy Act, 1933; the Telegraph Wires (Unlawful Possession) Act, 1950; and the Telecom Regulatory Authority of India Act, 1997.
2. A super regulator: The CCB sought to form a Communications Commission of India (“Commission”). The Commission would be established as the regulatory authority in convergence of information technology, communications and broadcasting, and be responsible for managing the spectrum, granting of licenses and enforcing their conditions, determining tariff rates, and ensuring a competitive marketplace.
3. Five license categories: These would enable service providers to offer a range of services within each category, namely: (i) network infrastructure facilities; (ii) network services; (iii) network application services; (iv) content application services; and (v) value added network application services (such as internet services and unified messaging services).
4. Regulate communication: The Commission was tasked with regulating the carriage as well as the content of communications. It had wide-ranging powers under the CCB to regulate content in any form and media. Content was itself encapsulated in a wide definition: ‘any sound, text, data, picture — still or moving, other audio-visual representation, signal or intelligence of any nature or any combination thereof, which is capable of being created, processed, stored, retrieved or communicated electronically.’
5. Spectrum Management Committee (“SPC”): The CCB sought the Central Government responsible for coordination with international agencies in respect of matters relating to spectrum management and also for allocation of available spectrum for strategic and non-strategic or commercial purposes through a SPC with the Cabinet Secretary as its Chairman. On this point specifically, the SCIT thought that the Cabinet Secretary with his diverse responsibilities and pre-occupations may not be able to devote the required time and attention in chairing the SPC which may result in avoidable delay in spectrum allocation.
6. Appellate Tribunal: The CCB sought to create a “Communications Appellate Tribunal” to adjudicate disputes arising under the legislation. The Telecom Regulatory Authority of India and the Telecom Disputes Settlement and Appellate Tribunal respectively, would stand dissolved and proceedings pending before them would have been transferred before the Commission.
7. Communications interception: Chapter XV of CCB laid down rules controlling the interception of communications for security purposes.

The CCB was shelved after it lapsed with the dissolution of the Lok Sabha in 2004.[8] Discussions around the CCB resurfaced again in 2013 and 2014, [9] and it was sought to be introduced in the Parliament again as the CCB, 2014.[10] However, it was ultimately shelved due to turf wars between the regulatory bodies it sought to merge.[11] Instead, to promote convergence on an ad-hoc basis, the MeitY and the Ministry of Communications are allotted to the same minister, like it is presently under Hon’ble Minister Ravi Shankar Prasad.

B. 49^th Report of the SCIT on “Functioning of Centre for Development of Advanced Computing”:[12]

This report was released by the SCIT on 02 August 2007. The Centre for Development of Advanced Computing” (“C-DAC”) is an autonomous scientific body of the erstwhile Department of Information Technology (“DeitY”), which is today under the Ministry of Electronics and Information Technology (“MeitY”). It was set up in 1988 as a society registered under the Societies Registration Act, 1860. It has been carrying out research & development (“R&D”) in the following areas (i) high performance computing/ super-computing; (ii) grid & cloud computing; (iii) multi-lingual computing and heritage computing; (iv) software technologies including free and open source software; (v) professional electronics, VLSI and embedded systems; (vi) cyber security and cyber forensics; (vii) health informatics; and (viii) education & training in said areas.

As per the SCIT’s report, C-DAC had centres/labs in 11 cities across the country. Its governance structure at the time consisted of the following three bodies: (i) Governing Council (“GC”) which is the highest decision making body; (ii) Technical Advisory Committee (“TAC”) which provides technological directions; and (iii) Coordination Committee (“CC”) which acts as a single window, clearing house in respect of interaction between DIT and C-DAC. Since then, this has evolved to have a Director-General, the 3 abovementioned bodies, a Management Board and Finance & Accounts Committee.

The report made several important recommendations at the time:

1. The three bodies need to have frequent meetings at regular intervals as the endeavours of C-DAC are in frontier IT technologies where time is of utmost essence, and major issues should not be delayed to the detriment of national interest.
2. The staffing requirements of the headquarters (also referred to as the Corporate Office) was required to be strengthened, to ensure effective supervision of the units as well as co-ordination among the different labs/centres. The proposal pending before the Ministry of Finance should be taken up without further delay.
3. Funding of C-DAC by the DIT has been insufficient. Due to reduced allocation of funds, there has been slow down of progress/achievements in several rapidly changing areas where timely and critical quantum of investments is necessary. Funding should be released for future proposals promptly.
4. The pending proposal of setting up a commercial arm of C-DAC should be hastened, to ensure effective tie up between R&D and commercialisation and enhance its lab to market efforts. C-DAC should also explore tying-up with other government research organisations for commercialisation of their technologies.
5. In order to deal with the issue of manpower attrition, in the interest of functioning of C-DAC and to ensure retention of the best scientific talent, provision should be made for special salary compensation/allowance, scheme/package for personnel deployed in such high-end technology areas. Some other measures could be to: (i) ensure a conducive and strongly motivational work environment; (ii) provide challenging assignments; (iii) provide some kind of patent sharing arrangement with contractual safeguards; (iv) once proposed commercial arm of C-DAC is in place, provide some kind of revenue-sharing arrangement.
6. The cyber security tools built by C-DAC are not capable of tackling cybercrimes online and are not meeting international standards. Cyber security being a need of the hour needs to be prioritised and robust technologies need to be built keeping in line with international standards.
7. Multi-lingual products which are yet to find favour with State governments should be standardised and linguistic resources should be established in respect of all scheduled languages. Customisations should be provided, in line with the requirements of the respective states, so that access to these tools and products can be increased.
8. In order to mitigate the issue of lack of requisite standards of skilled graduates, C-DAC has training centres and industry-oriented education programmes. However, to scale this, e-learning solutions should be explored and the network of training centres should be expanded.
9. A Rural Health Management Information System to improve the reach, spread and efficacy of primary health care needs to be built to the millions in our rural areas.

C. 50^th Report of the SCIT on the’ Information Technology (Amendment) Bill, 2006’:[13]

In August 2005, an Expert Committee formed under the chairmanship of the Secretary, Department of Information Technology (present-day MeitY) submitted its report to the government. On the basis of this report, the Information Technology (Amendment) Bill, 2006 was introduced in the Lok Sabha on 15 December 2006, and referred to the SCIT. The SCIT made the following key observations/recommendations in its report released in August 2007:

1. Jurisdiction: The SCIT questioned an expert about how Indian state could assert jurisdiction over computer resources located outside India, which had been used to commit a cyber offence against India. It was suggested that India can join a global treaty addressing this issue such as the Convention on Cyber Crime or Group 7. A CBI representative submitted before the Committee that without joining such a treaty, it will be difficult for India to book the perpetrator of cybercrime sitting abroad. The DIT informed the committee that India was already addressing this through mutual legal assistance treaties. It said that India is also a member of the Japanese government’s initiative for mutual exchange of information regarding cybercrimes, the ‘Cyber Crime Technology Information Network System’.

Recommendation: Entering into ‘piece meal’ MLATs with countries is not enough. India should frame a convention on cybercrimes under the United Nations, and gather international support for such a treaty with the help of the Ministry of External Affairs, Law and Justice and Home Affairs.

2. On intermediary liability: The SCIT questioned many expert witnesses on the issue of definition of an intermediary. It sought to understand how network service providers can qualify as intermediaries, and whether intermediaries could be subject to civil liabilities like conspiracy and abetment.  Specifically, the CBI submitted before the SCIT that the removal of the words ‘due diligence’ was a matter of concern. However, the DIT assured the SCIT that the words ‘due diligence’ will be included in the guidelines that will be passed by the central government.

Recommendation: (a) Definition of intermediaries should be re-examined to remove any ambiguity while interpreting the definition and role of intermediaries; (b) There should be a definite obligation on intermediaries if their platform is abused to transmit obscene/objectionable content; (c) The words ‘due diligence’ should be re-inserted in the IT Act.

3. Quantum of damage through compensation: The DIT had included an amendment raising the penalty for negligence in implementing ‘reasonable security practices and procedures’ under the IT Act from INR 1 crore to INR 5 crore. The SCIT had questioned the DIT as to how it arrived at this figure of INR 5 crore, especially in view of “at least a thousand crore-rupee flourishing IT industry”. The DeitY mentioned that it had initially suggested a figure of INR 25 crores, but after consulting industry members, the figure of INR 5 crores was considered to be sufficient.

Recommendation: The penalty amount should be increased to INR 25 crore, as it will ‘send a right message to stakeholders across the globe’. The adjudication process for determining the compensation amount payable to the user should also be simplified.

4. Data protection provisions: The SCIT highlighted that many industry representations had pointed to the lack of data protection provisions in the IT Act. It made a specific reference to the following issues:

(a) Inclusion of a definition of sensitive personal data, similar to the European Union’s data protection directive; (b) Lack of any kind of definition of privacy; (c) No provision to grant protection to data as an intellectual property, and (d) Lack of a provision specifying a fixed period for retention of data.

Recommendation: There should be a specific provision in the Bill for protection and retention of data, and to define and protect persona privacy.

5. Child pornography: The SCIT referred to submissions made by CBI and some other stakeholders about inclusion of child pornography under section 67A (which punishes publishing/transmitting sexually explicit content). The DIT informed the SCIT that it would include a new provision for section 67A which would have strict penalties for pornography, and would automatically child pornography. The DIT also agreed that pre-offence ‘grooming’ i.e. enticing the child online or showing pornography to the child will also be a criminal offence.

Recommendation: The term child pornography should be included in section 67A, along with a separate provision that classifies ‘grooming’ a child for such purposes as a criminal offence.

6. Powers of interception: In the proposed amendment for section 69 of the IT Act, the power of interception was given to the central government, and not state government. However, the CBI submitted to the SCIT that since ‘public order’ and ‘police’ fall under the State List in the Constitution of India, state governments should have powers for interception. They have similar powers under the Indian Telegraph Act, 1885.

Recommendation: (a) State government should be given interception powers under the IT Act; (b) An emergency provision for interception similar to the Indian telegraph Act should be added; (c) Interception should be allowed for any cognizable offence.

7. Adjudication process: The SCIT dealt with the issue of appointment of IT secretaries of state governments as ‘adjudicating officers’ under the IT Act. Some witnesses had submitted before the SCIT that IT secretaries don’t have the time or expertise to deal with such matters. The DIT submitted that these IT secretaries have both technical and legal procedure related knowledge, as some of them gave acted as sub-divisional magistrates or district magistrates previously.

Recommendation: The Ministry of Law and Justice and the Cyber Appellate Tribunal will study and suggest changes required in the process of appointment of adjudicating officers.

8. Setting up of special courts: Some witnesses submitted before the SCIT that the lack of ‘special courts’ for dealing with cyber-law related issues is one of the reasons for the IT Act remaining ineffective. However, the DIT said that the adjudicating officers under the IT Act were like special courts only. Additionally, even the Ministry of Law and Justice told the SCIT that the number of cases registered under the IT Act were too few (60 in 2003, 68 in 2004 and 179 in 2005), and could easily be handled by ordinary courts only.

Recommendation: The magistrates/judges trying cyber-law related cases should undergo basic training programmes to understand and effectively handle such cases.

9. Separate legislation for electronic fund transfer: Multiple representations, including from the Legislative Department, were made about enacting a separate legislation for electronic fund transfers- an ‘EFT Act’. However, the DIT informed the SCIT that RBI had already drafted a ‘Payment and Settlement System Bill’, so there was no need for a separate legislation for digital payments.

Recommendation: SCIT to be appraised of developments made on this front.

52^nd report of the SCIT on ‘Cyber Crime, Cyber Security and Right to Privacy’:[14]

Key recommendations made in these Report were:

1. Increase in cyber-crime cases and preparedness to tackle the issue: Noting that India stood fifth amongst the list of countries reporting the maximum number of cyber-crimes, and expressing concern over the significant percentage of crimes in the Indian cyber-space, the Committee felt that it is imperative that preparedness to face challenges emanating from any kind of cyber-attack should be 100%.

Recommendation: To prioritise National Critical Information Infrastructure Protection Centre (“NCIIPC”), a designated agency for protecting the critical information infrastructure in the country, and implement its cyber security programmes expeditiously.

2. Cyber-crime and data collection:  Noting that there are multiple agencies are involved in data collection and maintenance, such as the National Crime Records Bureau (“NCRB”) under Ministry of Home Affairs (“MHA”), Reserve Bank of India (“RBI”), Central Bureau of Investigation (“CBI”), and DeitY, this leads to an absence of any centralised monitoring system and centralised maintenance of data relating to cyber fraud.

Recommendation: In order to concretise its cyber security strategies, the Committee felt that there should be one single, centralised cell/agency to deal with all cases of cyber-crime/threat in the country, including on the point of data maintenance and collection. This will help in studying the pattern of occurrences the crimes as well as prevent recurrence of same kind of crimes with newer strategies. Further, a Joint Working Group (“JWG”), which worked out the details of the roadmap for cyber security cooperation recommended the setting up of permanent mechanism for Public Private Partnership.

3. Funding and human resources constraints: Noting that shortage of cyber security experts/auditors/IT skill in the country and sub-optimal utilisation and budget cuts of funds for research & development are matters of concern.

Recommendation: Concerted efforts towards training and placement of personnel need to be undertaken, as well as towards optimal utilisation of funds towards specialised research. This should also be done towards establishing more cyber-crime cells and labs.

4. Threat from imported electronics/IT products and hosting of servers outside India: Noting the risks associated with imported electronics/IT products and hosting of websites/servers outside India, the Committee emphasised that all efforts should be made with due promptitude to create the infrastructure for testing and hosting of servers in India.

Recommendation: To enhance the capacity of the Standardisation Testing and Quality Certification (“STQC”) for the Indian Common Criteria Certification Scheme (“IC3S”) for testing of IT products. Additionally, DeitY should lay down provisions for mandatory certification for all imported electronics/IT/telecom products and have certification centres in each State/UT specifically at all the airports/naval docks/ international borders. The Committee also recommended that the DeitY should host more and more servers in India and have stringent measures to safeguard the indigenous servers.

5. Concerns with upcoming technology: Noting that the National e-Governance Programme (“NeGP”) was an ambitious project, for which DeitY planned to use ‘cloud computing’, there need to be certain precautions, standards, and guidelines on security leading to the legal and technological challenges and risks.

Recommendation: The Committee recommended that the DeitY studies the instances of cyber security breaches in NeGP projects and remains extra vigilant with the usage of the new ‘cloud’ technology which was still at a nascent stage, so as to keep security issues on priority.

6. International cooperation: Noting that international cyber security cooperation arrangements with organizations engaged in similar activities, in the form of Memorandum of Understandings (“MoUs”) and Mutual Legal Assistance Treaty (“MLATs”) and efforts to contribute to global cyber jurisprudence in various international for key to ensuring international cooperation on cyber crime and addressing cross-border challenges with cyber-security.

Recommendation: Enter into MOUs, MLATS, and exchange programmes with more countries and redouble efforts for engaging in dialogue and pioneering cyber jurisprudence.

7. Legal and policy measures: Noting that the Cyber Crisis Management Plan (“CCMP”) mandated that all government entities are to continuously assess their IT systems and networks and report the cyber security incidents to Computer Emergency Response Team (“CERT-In”) within one hour of occurrence of the cyber-attack incident or noticing the incident. Further, the DeitY stated that the existing legal frame work under the IT Act, 2000 addressed all aspects related to cyber-crimes in a comprehensive manner with adequate compliance and deterrent provisions and there was no need to amend the same to address National Cyber Security Policy (“NCSP”).

Recommendation: The Committee recommended that in view of this being a dynamic area and in light of everyday developments, there should be put in place a mechanism to periodically review the CCMP and the provisions of the IT Act, 2000.

8. National Cyber Security Policy: Noting that the NCSP 2013 which created a framework for a collective response to cybersecurity, and aimed to facilitate creation of secured computing environment and guide stakeholders’ actions for protection of cyber space by outline 47 objectives. However, the NCSP did not depict any deadline/target and lacks detailed picture/road map for achieving all its goals, though the DeitY assured implementation of the major programmes within a year.

Recommendation: The Committee urged the DeitY to chalk out the definite targets/time frame on priority objectives along with allocating responsibilities of different agencies involved and ensure that the implementation addresses the urgent need of dealing with the cyber security threats and the need to build capacity in the country in terms of infrastructure, preventive and protective legal actions, grievance redressal mechanism, evaluation and compliance verification for imported IT product, certification, awareness, etc.

9. Cyber security and right to privacy: Noting that in the absence of any dedicated legislation on privacy and data protection, the IT Act, 2000 (as amended in 2008) along with IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules notified in 2011 contain provisions on data privacy and data protection. The absence of a dedicated legislation was a point of extreme concern in view of the enormous amounts of data processed every day, especially in projects like the UIDAI, as this jeopardises the privacy of citizens.

Recommendation: Given the complex nature of the cyber space and the complexity of balancing cyber security and right to privacy, the Committee recommended that the DeitY in collaboration with other Ministries and multi-disciplinary professionals/experts should work on a dedicated legislation on privacy and data protection.

10. Grievance redressal mechanism: Noting that the redressal mechanism regarding cyber-crime involves reporting to the local police stations or cyber-crime cells of law enforcement agencies, such redressal of cyber-crimes is dealt with at the state level. However, not all states have a separate cyber-crime cell and there is no centralized system/cell for monitoring cyber-crime.

Recommendation: The Committee recommended that there should be a cyber-crime cell in each State as well as in each District and Block. Additionally, there should be a centralized system/cell for monitoring cyber-crime, which would real-time track the details of registration and disposal status of cyber-crime throughout the country.

11. Cyber Appellate Tribunal: Noting that the Cyber Appellate Tribunal (earlier known as Cyber Regulations Appellate Tribunal), the forum for addressing grievances against orders of the Adjudicating Officer passed under the IT Act, 2000, has only one Bench. The Act provides for setting up Benches in other parts of the country which has not yet been done. The Committee also noted the low rate of disposals of appeals and the high number of pending appeals, which the DeitY attributed to lack of manpower.

Recommendation: The Committee recommended that adequate manpower must be deployed at the earliest so that appeals pending in the Tribunal are disposed of expeditiously. Additionally, other benches of the Tribunal must be setup, as and when need arises.

Authored by Saumya Jaju, Associate with inputs from Arpit Gupta, Senior Associate

[1] https://eparlib.nic.in/bitstream/123456789/65643/1/13_Information_Technology_39.pdf

[2] http://ijlt.in/wp-content/uploads/2015/09/Communication-Convergence-Bill-2001.pdf.

[3] https://www.csis.org/analysis/us-india-insight-reviving-convergence-bill

[4] https://www.mondaq.com/india/broadcasting-film-tv-radio/16955/the-communications-convergence-bill-indias-tryst-with-destiny

[5] https://www.ofcom.org.uk/__data/assets/pdf_file/0020/53426/hol-media-convergence.pdf.

[6] http://www.nwmindia.org/Law/Commentary/convergence_bill.htm

[7] https://www.ofcom.org.uk/about-ofcom/website/regulator-archives

[8] https://www.thehindubusinessline.com/info-tech/coming-a-super-regulator-for-broadcasting-it-and-telecom/
article20918554.ece1

[9] https://indianexpress.com/article/business/business-others/narendra-modis-convergence-bill-end-turf-wars-for-good-convergence-says-rahul-khullar/

[10] https://www.livemint.com/Industry/JTOvPYfE0Ixk1y4jT3qAdO/DoT-begins-work-on-convergence-policy-for-communications-sec.html

[11] https://www.livemint.com/Politics/jqJCPIZrOk6t6GbXBwkVAJ/New-Bill-proposes-repeal-of-all-4-laws-that-govern-telecom-s.html

[12] https://eparlib.nic.in/bitstream/123456789/63023/1/14_Information_Technology_49.pdf.

[13] https://eparlib.nic.in/bitstream/123456789/63025/1/14_Information_Technology_50.pdf.

[14] https://eparlib.nic.in/bitstream/123456789/64330/1/15_Information_Technology_52.pdf.