Moneycontrol PRO
you are here: HomeNewsBusiness

Trade body Software Alliance finds privacy, cybersecurity issues in IT Rule tweaks

Software Alliance explained that when the requirement of "ensuring" users’ compliance requirement is applied to enterprise service providers there can be “significant privacy and cybersecurity concerns”

July 11, 2022 / 06:41 AM IST
Dev Information Technology: Dev Information Technology bags order for online integrated portal. The company has bagged order worth Rs 2.52 crore for online integrated portal for farmers (RajKisan Saathi) comprising of services related to agriculture, horticulture, seed certification, seed corporation, and agriculture marketing.

Dev Information Technology: Dev Information Technology bags order for online integrated portal. The company has bagged order worth Rs 2.52 crore for online integrated portal for farmers (RajKisan Saathi) comprising of services related to agriculture, horticulture, seed certification, seed corporation, and agriculture marketing.

The requirement in the proposed amendments to the IT Rules 2021 to “ensure” users’ compliance with a platform’s policies can lead to significant privacy and cybersecurity concerns, trade body The Software Alliance, whose members include Microsoft, Intel, Cisco and Salesforce, said in a written submission to the Ministry of Electronics and Information Technology (MeitY).

The comments were made in context to the proposed amendments the government plans to bring into the IT Rules 2021 because it feels that the original directions were not being complied with properly by a few SSMIs.

Apart from requiring intermediaries to ‘ensure’ compliance to policies, the draft amendment also proposes a new committee which can veto decisions made by grievance redressal officers of intermediaries.

To recap, in the IT Rules 2021, significant social media intermediaries (platforms with more than five million subscribers like Twitter, Facebook and Telegram) had to appoint grievance redressal officers, chief compliance officers and nodal contact persons.

Under IT Rules 10 and 11 of 2021, every intermediary has to appoint a grievance officer, and set up a grievance handling mechanism and handle grievances from users within a stipulated time frame. One of the reasons the government made while introducing the amendments was that a few intermediaries were not addressing grievances properly.

Close

Now that the government has proposed these amendments, the criticisms surrounding its text have been pouring in. In fact, industry body NASSCOM recently in their submission to the MeitY regarding the amendments said that it will cause “operational uncertainty for intermediaries operating in India".

Coming back to the Software Alliance’s submission, the trade body opined that the scope ‘ensuring’ users’ compliance, and also ‘cause’ users to not host, display, any ‘unlawful’ information may contradict the Supreme Court’s decision in the Shreya Singhal vs Union of India case.

“Intermediaries lose protection (safe harbour) if they do not remove unlawful content even after receiving “actual knowledge” regarding such content. In Shreya Singhal v. Union of India, the Supreme Court clarified that actual knowledge shall mean the receipt of a valid court order or official government order,” the Software Alliance said in its submission.

“It could lead to intermediaries being required to block even legitimate content to ensure compliance and impact free speech of users online,” it added.

Enterprise service providers

The Software Alliance explained that when this requirement for ensuring users’ compliance requirement is applied to enterprise service providers there can be “significant privacy and cybersecurity concerns”.

“While some social media platforms voluntarily implement filtering technologies, imposing a blanket requirement on enterprise service providers would result in numerous unintended – and potentially catastrophic – impacts,” they said.

The trade body explained that its members provide cloud-based tools and services to customers in healthcare, banking, energy and defence industries.

“Given the sensitivity of their customers’ data, enterprise cloud service providers design their systems so that they have limited – if any – visibility into the data they are hosting and/or processing on behalf of their clients,” the submission said.

“Imposing a filtering requirement on enterprise cloud service providers – e.g., infrastructure-as-a-service providers and platform-as-a-service providers - would thus, require them to reengineer their networks in ways that would create significant privacy and security concerns,” it added.

However, the body took into consideration MeitY’s clarification in a recent consultation meeting that the requirement to ‘ensure compliance’ would not amount to ‘pro-active monitoring’ or ‘pre-censorship’ of users content.

“While the clarification is appreciated, it is not legally binding. This means that companies cannot effectively rely upon it while planning their compliance and commercial operations. In this regard, we recommend that the MeitY incorporate this clarification into the text of the Draft Amendments, by making specific changes to the language of proposed Rules 3(1)(a) and 3(1)(b),” they asked.
Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Jul 11, 2022 06:41 am
Sections
ISO 27001 - BSI Assurance Mark