Comments on the Information Technology (Guidelines for Cyber Cafe) Rules, 2011
This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.
I Preliminary
1.1 This submission presents preliminary clause-by-clause comments from the Centre for Internet and Society (“CIS”) on the Information Technology (Guidelines for Cyber Café) Rules, 2011 that were notified by the Central Government in the Gazette of India vide Notification GSR 315(E) on 11 April 2011 (“Cyber Café Rules”).
1.2 This submission is for the consideration of the Committee on Subordinate Legislation of the Fifteenth Lok Sabha. In its 21st Report, the Committee on Subordinate Legislation presciently noted that:
“…statutory rules ought to be framed and notified not only in time but utmost care and caution should also be exercised in their formulation and finalization so as to get rid of any avoidable discrepancies. As far as possible, the aim should be to prevent needless litigation arising subsequently from badly framed rules.” [See the 21st Report of the Lok Sabha Committee on Subordinate Legislation presented on 16 December 2011 at pr. 2.1]
Unfortunately, the Cyber Café Rules have been poorly drafted, contain several discrepancies and, more seriously, may impinge upon constitutionally guaranteed freedoms of Indian citizens. The attention of the Committee on Subordinate Legislation is accordingly called to the following provisions of the Cyber Cafe Rules:
II Validity of the Cyber Cafe Rules
2.1 The Cyber Cafe Rules are made in exercise of powers granted under section 87(2)(zg) read with section 79(2) of the Information Technology Act, 2000 (“IT Act”). Read together, these delegated powers invest the executive with the power to frame rules for exempting cyber cafes from liability for any third party information, data or communication link if they comply with Central Government guidelines. The empowerment made by section 87(2)(zg) of the IT Act pertains to:
“the guidelines to be observed by the intermediaries under sub-section (2) of section 79”
Sections 79 (1) and (2) state:
“79. Exemption from liability of intermediary in certain cases. – (1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link made available or hosted by him.
(2) The provisions of sub-section (1) shall apply if—
(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hasted; or
(b) the intermediary does not—
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission;
(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf.”
2.2 Hence, section 79(2) permits the Central Government to prescribe guidelines for cyber cafes to comply with in order to claim the general exemption from liability granted by section 79(1) of the IT Act. The Cyber Cafe Rules constitute those guidelines. However, the liability from which cyber cafes may be exempted extends only to “any third party information, data, or communication link made available or hosted” by users of cyber cafes. In other words, the liability of cyber cafes (the exemption from which is supposed to be controlled by the Cyber Cafe Rules) is only in respect of the information, data or communication links of their users. No liability is assigned to cyber cafes for failing to collect identity information of their users. Therefore, the Cyber Cafe Rules made under the power granted by section 79(2)(c) of the IT Act cannot make cyber cafes liable for user identification information. In accordance with sections 79(2)(c) and 79(1) read with section 87(2)(zg) of the IT Act, the Cyber Cafe Rules may legitimately deal with the duties of cyber cafes in respect of any information, data or communication links of their users, but not in respect of user identification. However, the thrust of the Cyber Cafe Rules, and the pith of their provisions, is concerned solely with registering and identifying cyber cafe users including collecting their personal information, photographing them, storing their personal information and reporting these non-content related details to the police. There is even a foray into interior design to dictate the height limits of furniture inside cyber cafes. All of this may be a legitimate governance concern, but it cannot be undertaken by the Cyber Cafe Rules. To the extent that the Cyber Cafe Rules deal with issues beyond those related to any information, data or communication links of cyber cafe users, the Rules exceed the permissible limit of delegated powers under section 79(2) and 87(2)(zg) of the IT Act and, consequently, are ultra vires the IT Act.
III Clause-by-Clause Analysis and Comments
Rule 2 - Definitions
3.1 Rule 2(1)(c) of the Cyber Cafe Rules defines a cyber cafe in accordance with the definition provided in section 2(1)(na) of the IT Act as follows:
““cyber cafe” means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public”
This definition of a cyber cafe is overbroad to bring within its ambit any establishment that offers internet access in the course of its business such as airports, restaurants and libraries. In addition, some State Road Transport Corporations offer wi-fi internet access on their buses; and, Indian Railways, as well as Bangalore Metro Rail Corporation Limited, plans to offer wi-fi internet access on some of its trains. These will all fall within the definition of “cyber cafe” as it is presently enacted. The definition of “cyber cafe” should be read down to only relate to commercial establishments that primarily offer internet access to the general public for a fee.
Therefore, it is proposed that rule 2(1)(c) be amended to read as follows:
“notwithstanding anything contained in clause (na) of sub-section (1) of section 2 of the Act, and for the purposes of these rules only, “cyber cafe” means, any commercial establishment which primarily offers access to the internet to members of the general public for consideration for any purpose but does not include any educational or academic institution, office or place where access to the internet is restricted to authorised persons only.”
3.2 Rule 2(1)(e) of the Cyber Cafe Rules defines “data” in accordance with the definition provided in section 2(1)(o) of the IT Act. However, the term “data” is not used anywhere in the Cyber Cafe Rules and so its definition is redundant. This is one of several instances of careless drafting of the Cyber Cafe Rules.
Therefore, it is proposed that the definition of “data” in rule 2(1)(e) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.
3.3 Rule 2(1)(g) of the Cyber Cafe Rules defines “intermediary” in accordance with the definition provided in section 2(1)(w) of the IT Act. While all cyber cafes are intermediaries, not all intermediaries are cyber cafes: there are different categories of intermediaries that are regulated by other rules under the IT Act. The Cyber Cafe Rules make no mention of any other category of intermediaries other than cyber cafes; indeed, the term “intermediary” is not used anywhere in the Cyber Cafe Rules. Its definition is therefore redundant.
Therefore, it is proposed that the definition of “intermediary” in rule 2(1)(g) be deleted and the clauses in sub-rule (1) of rule 2 be accordingly renumbered.
Rule 3 - Agency for Registration of Cyber Cafes
4.1 Rule 3 of the Cyber Cafe Rules, which attempts to set out a registration regime for cyber cafes, as follows:
“3. Agency for registration of cyber cafe. – (1) All cyber cafes shall be registered with a unique registration number with an agency called as registration agency as notified by the Appropriate Government in this regard. The broad terms of registration shall include:
(i) name of establishment;
(ii) address with contact details including email address;
(iii) whether individual or partnership or sole properitership or society or company;
(iv) date of incorporation;
(v) name of owner/partner/proprietor/director;
(vi) whether registered or not (if yes, copy of registration with Registrar of Firms or Registrar of Companies or Societies); and
(vii) type of service to be provided from cyber cafe
Registration of cyber cafe may be followed up with a physical visit by an officer from the registration agency.
(2) The details of registration of cyber cafe shall be published on the website of the registration agency.
(3) The Appropriate Government shall make an endeavour to set up on-line registration facility to enable cyber cafe to register on-line.
(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”
CIS raises two unrelated and substantial objections to this provision: firstly, all cyber cafes across India are already registered under applicable local and municipal laws such as the relevant State Shops and Establishments Acts and the relevant Police Acts that provide detailed information to enable the relevant government to regulate cyber cafes; and, secondly, the provisions of rule 3 create an incomplete and clumsy registration regime that does not clearly establish a procedure for registration within a definite timeframe and does not address the consequences of a denial of registration.
4.2 At the outset, it is important to understand the distinction between registration and licensing. The state may identify certain areas or fields of business, or certain industries, to be regulated by the conditions of a licence in the public interest. These may include shops selling alcohol or guns; or, industries such as telecommunications, mining or nuclear power. Licences for various activities are issued by the state for a limited term on the basis of need and public interest and licensees are permitted to operate only within the term and conditions of the licence. Failure to observe licence conditions can result in the cancellation of the licence and other penalties, sometimes even criminal proceedings.
Registration, on the other hand, is an information-gathering activity that gives no power of intervention to the state unless there is a general violation of law. The primary statutory vehicle for achieving this registration are the various Shops and Establishments Acts of each State and Union Territory and other municipal registration regulations. For example, under section 5 of the Delhi Shops and Establishments Act, 1954, an establishment, which includes shops, commercial establishments and places of public amusement and entertainment, must fulfil the following registration requirements:
“5. Registration of establishment. – (1) Within the period specified in sub-section (5), the occupier of every establishment shall send to the Chief Inspector a statement in a prescribed form, together with such fees as may be prescribed, containing
(a) the name of the employer and the manager, if any;
(b) the postal address of the establishment;
(c) the name, if any, of the establishment,
(d) the category of the establishment, i.e. whether it is a shop, commercial establishment, residential hotel, restaurant eating house, theatre or other place of public amusement or entertainment;
(e) the number of employees working about the business of the establishment; and
(f) such other particulars as may be prescribed.
(2) On receipt of the statement and the fees, the Chief Inspector shall, on being satisfied about the correctness of the statement, register the establishment in the Register of Establishments in such manner as may be prescribed and shall issue, in a prescribed form, a registration certificate to the occupier.
(3) The registration certificate shall be prominently displayed at the establishment and shall be renewed at such intervals as may be prescribed in this respect.
(4) In the event of any doubt or difference of opinion between an occupier and the Chief Inspector as to the category to which shall after such enquiry, as it may think proper, decide the category of each establishment and the decision thereto shall be final for the purpose of this Act.
(5) Within ninety days from the date mentioned in column 2 below in respect of the establishment mentioned in column 1, the statement together with fees shall be sent to the Chief Inspector under sub-section (1).”
Besides the registration regime, the Shops and Establishments Acts also enact inspection regimes to verify the accuracy of all registered information, the maintenance of labour standards and other public safety requirements. These are not addressed by the Cyber Cafe Rules.
4.3 In addition to the various Shops and Establishments Acts which prescribe registration procedures, all premises within which cyber cafes operate are subject to a further licensing regime under the various State Police Acts as places of public amusement and entertainment. For example, a cyber cafe is deemed to be a “place of public amusement” under section 2(9) of the Bombay Police Act, 1951 and therefore subject to the licensing, registration and regulatory provisions of the Rules for Licensing and Controlling Places of Public (Other than Cinemas) and Performances for Public Amusement including Cabaret Performances, Discotheque, Games, Poll Game, Parlours, Amusements Parlours providing Computer Games, Virtual Reality Games, Cyber Cafes with Net Connectivity, Bowling Alleys, Cards Rooms, Social Clubs, Sports Clubs, Meals and Tamasha Rules, 1960. Similar provisions exist in Delhi.
In view of these two-fold registration requirements under the Shops and Establishments Acts and relevant Police Acts, creating yet another layer of registration is unwarranted. The Cyber Cafe Rules do not prescribe any new registration requirement that has not already been covered by the Shops and Establishments Acts and Police Acts. Multiple overlapping legislations will create confusion within the various departments of the relevant government and, more importantly, will result in non-compliance.
4.4 Without prejudice to the preceding comments relating to already existing registration requirements under the Shops and Establishments Acts and Police Acts, rule 3 of the Cyber Cafe Rules are very poorly drafted and do not fulfil the requirements of a valid registration regime. Most State governments have not notified a registration agency for cyber cafes as required by the Cyber Cafe Rules, probably because appropriate provisions under the Shops and Establishments Acts already exist. No time-limit has been specified for the registration process. This means that the (as yet non-existent) registration agency may delay, whether out of inefficiency or malice, a registration application without consequences for the delay. This not only discourages small and medium enterprises to hinder economic growth, it also encourages corruption as cyber cafe operators will be forced to pay a bribe to receive their registration.
4.5 Furthermore, rule 3(4) of the Cyber Cafe Rules, which calls on the Central Government to notify rules made by State governments, reads as follows:
“(4) The detailed process of registration to be mandatorily followed by each Registration Agency notified by the Appropriate Government shall be separately notified under these rules by the central Government.”
This nonsensical provision, which gives the Central Government the power to notify rules made by State governments, prima facie violates the constitutional scheme of division of legislative powers between the Union and States. Rules that have been made by State governments, the subject matter of which is within the legislative competence of the State legislatures, are notified by those State governments for application within their States and no separate notification of these rules can be done by the Central Government.
Therefore, it is proposed that rule 3 be deleted in entirety and the remaining rules be accordingly renumbered.
Rule 4 - Identification of User
5.1 Rule 4 of the Cyber Cafe Rules attempts to establish the identity of cyber cafe users. This is a legitimate and valid exercise to prevent unlawful use of cyber cafes. Sub-rule (1) of rule 4 reads as follows:
“(1) The Cyber Cafe shall not allow any user to use its computer resource without the identity of the user being established. The intending user may establish his identify by producing a document which shall identify the users to the satisfaction of the Cyber Cafe. Such document may include any of the following:
(i) Identity card issued by any School or College; or
(ii) Photo Credit Card or debit card issued by a Bank or Post Office; or
(iii) Passport; or
(iv) Voter Identity Card; or
(v) Permanent Account Number (PAN) card issued by Income-Tax Authority; or
(vi) Photo Identity Card issued by the employer or any Government Agency; or
(vi) Driving License issued by the Appropriate Government; or
(vii) Unique Identification (UID) Number issued by the Unique Identification Authority of India (UIDAI).”
The use of credits cards or debit cards to verify identity is specifically discouraged by the Reserve Bank of India because it directly results in identity theft, fraud and other financial crimes. Online credit card fraud results in large losses to individual card-holders and to banks. The other identity documents specified in rule 4 will suffice to accurately establish the identity of users.
Therefore, it is proposed that the use of credit or debit cards as a means of establishing identity in rule 4(1)(ii) be deleted and the remaining clauses in sub-rule (1) of rule 4 be accordingly renumbered.
5.2 Rule 4(2) of the Cyber Café Rules compels the storage of photographs and other personal information of users by cyber cafés:
“The Cyber Cafe shall keep a record of the user identification document by either storing a photocopy or a scanned copy of the document duly authenticated by the user and authorised representative of cyber cafe. Such record shall be securely maintained for a period of at least one year.”
While this submission does not question the requirement of storing user information for the purposes of law enforcement, this rule 4(2) does not prescribe the standards of security, confidentiality and privacy that should govern the storage of photographs and other personal information by cyber cafes. Without such a prescription, cyber cafes will simply store photographs of users, including minors and women, and important personal information that can be misused, such as passport copies, in a file with no security. This is unacceptable. Besides endangering vulnerable user information, it makes identity theft and other offences easier to perpetrate. If cyber cafes are to collect, store and disclose personal information of users, they must be bound to strict standards that explicitly recognise their duties and obligations in relation to that personal information. In this regard, the attention of the Committee on Subordinate Legislation is called to CIS’ submission regarding the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Therefore, it is proposed that rule 4(2) be amended to read as follows:
“Any information of any user collected by a cyber cafe under this rule shall be collected, handled, stored and disclosed in accordance with the provisions of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, for a period not exceeding six months from the date of collection of that information.”
5.3 Sub-rule (3) of rule 4 allows cyber cafe users to be photographed:
“(3) In addition to the identity established by an user under sub-rule (1), he may be photographed by the Cyber Cafe using a web camera installed on one of the computers in the Cyber Cafe for establishing the identity of the user. Such web camera photographs, duly authenticated by the user and authorised representative of cyber cafe, shall be part of the log register which may be maintained in physical or electronic form.”
Since the identity documents listed in rule 4(1) all contain a photograph of their owner, the need for further photography is unnecessary. This provision needlessly burdens cyber cafe owners, who will be required to store two sets of photographs of users – their photographic identity documents in addition to individual photographs, and invades the individual privacy rights of users who will be exposed to unnecessary photography by private cyber cafe operators. Granting a non-state entity the right to take photographs of other individuals to no apparent gain or purpose is avoidable, especially when no measures are prescribed to regulate the safe and lawful storage of such photographs. Without strict safety measures governing the taking and storing of photographs of users, including minor girls and women, the Cyber Cafe Rules leave open the possibility of gross misuse of these photographs.
Therefore, it is proposed that sub-rule (3) of rule 4 be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.
5.4 Sub-rue (4) of rule 4 reads as follows:
“(4) A minor without photo Identity card shall be accompanied by an adult with any of the documents as required under sub-rule (1).”
Regulating a minor’s access and use of the internet may serve a public good but it cannot be achieved by law. Information deemed unsuitable for minors that is available via other media, such as video, television or magazines, is not legally proscribed for minors. The law cannot and does not regulate their availability to minors. The protection of minors is an overriding public and jurisprudential concern, but law alone cannot achieve this end. Most minors do not possess photographic identity documents and rule 4(4) will, if implemented, result in internet access being taken away from minors. Restricting a minor’s ability to access useful, educational and other harmless content available on the internet is harmful to the public interest as it discourages education and awareness.
Therefore, it is proposed that rule 4(4) be amended to read as follows:
“A minor who does not possess any of the identity documents listed under sub-rule (1) of this rule may provide the name and address of his parent or guardian prior to using the cyber cafe.”
5.5 Rule 4(5) of the Cyber Cafe Rules states that a user “shall be allowed to enter the cyber cafe after he has established his identity.” However, since rule 4(1) already addresses identity verification by specifically preventing a cyber cafe from “allow[ing] any user to use its computer resource without the identity of the user of the user being established,” this rule 4(5) is redundant.
Therefore, it is proposed that rule 4(4) be deleted and the remaining sub-rules of rule 4 be accordingly renumbered.
5.6 Rule 4(6) of the Cyber Cafe Rules states:
“(6) The Cyber cafe shall immediately report to the concerned police, if they have reasonable doubt or suspicion regarding any user.”
This provision is legally imprecise, poorly drafted and impossible to enforce. The nature of doubt or suspicion that is necessary before contacting the police is unclear. A cyber cafe may doubt whether a customer is able to pay the bill for his internet usage, or be suspicious because of the length of a person’s beard. Requiring the police to be called because someone is doubtful is ridiculous. Furthermore, reasonableness in law is a well-established concept of rationality; it is not open to interpretation. “Reasonable doubt” is a criminal law threshold that must be reached in order to secure a conviction. Reporting requirements must be clear and unambiguous.
Therefore, it is proposed that rule 4(6) be deleted.
Rule 5 - Log Register
6.1 Rule 5(3) of the Cyber Cafe Rules states:
“(3) Cyber Cafe shall prepare a monthly report of the log register showing date- wise details on the usage of the computer resource and submit a hard and soft copy of the same to the person or agency as directed by the registration agency by the 5th day of next month.”
This provision is akin to telephone tapping. If phone companies are not required to report the call histories of each of their users and cable television providers not required to report individual viewing preferences, there is no reason for cyber cafes to report the internet usage of users. There may be instances where public interest may be served by monitoring the internet history of specific individuals, just as it is possible to tap an individual’s telephone if it is judicially determined that such a need exists. However, in the absence of such protective provisions to safeguard individual liberties, this sub-rule (3) is grossly violative of the individual right to privacy and should be removed.
Therefore, it is proposed that rule 5(3) be deleted and the remaining sub-rules of rule 5 be accordingly renumbered.
Rule 7 - Inspection of Cyber Cafe
7.1 Rule 7 of the Cyber Cafe Rules provides for an inspection regime:
“An officer autnorised by the registration agency, is authorised to check or inspect cyber cafe and the computer resource of network established therein, at any time for the compliance of these rules. The cyber cafe owner shall provide every related document, registers and any necessary information to the inspecting officer on demand.”
The corollary of a registration regime is an inspection regime. This is necessary to determine that the information provided during registration is accurate and remains updated. However, as stated in paragraphs 3.2 – 3.4 of this submission, a comprehensive and more easily enforceable registration and inspection regime already exists in the form of the various Shops and Establishments Acts in force across the country. Those provisions also provide for the consequences of an inspection, which the Cyber Cafe Rules do not.
Therefore, it is proposed that rule 7 be deleted.
IV Summary
8.1 In sum:
(a) Under the delegated powers contained in section 87(2)(zg) read with section 79(2) of the IT Act, the Central Government does not have the competence to make rules for identifying cyber cafe users including collecting, storing and disclosing personal information of cyber cafe users nor for prescribing the interior design of cyber cafes and, to the extent that the Rules do so, they are ultra vires the parent statute;
(b) The attention of the Committee on Subordinate Legislation is invited to the following provisions of the Cyber Cafe Rules which require amendment or annulment:
- Rule 2(1)(c);
- Rule 2(1)(e);
- Rule 2(1)(g);
- Rule 3(1);
- Rule 3(4);
- Rule 4(1);
- Rule 4(2);
- Rule 4(3);
- Rule 4(4);
- Rule 4(5);
- Rule 4(6);
- Rule 5(3); and
- Rule 7.
(c) The Cyber Cafe Rules are extremely poorly framed, rife with discrepancies and will give rise to litigation. They should be selectively annulled and, to prevent a repeat of the same mistakes, new rules may be framed in concert with experts, professional organisations and civil society in a democratic manner.
8.2 CIS would like to conclude by taking this opportunity to present its compliments to the Committee on Subordinate Legislation and to offer the Committee any assistance or support it may require.
