By: Anusua Debbarma, Modern Law College, Pune
Work from home policies were not very popular in India. But due to the COVID-19 pandemic, the entire nation came to a halt, which changed the conventional method of working. Companies started telecommuting to conduct business at an increasing rate, which draws our attention to the legal implications of this policy in the long run.
A well-defined work from home policy that keeps all legal compliances in check is essential. The Information Technology Act lays down the foundation of cyber law in India. Therefore, the focus of this article is on the Information Technology Act, 2000 (hereinafter referred to as “the Act”).
THE ROLE OF COMPANY AS INTERMEDIARY IN WORK FROM HOME
An intermediary is any person who on behalf of another person receives, stores or transmits any electronic data or provides any service concerning that data.1
In layman’s terms, an intermediary is a middle man or a bridge in an electronic transaction. All telecom service providers, cyber cafes, internet service providers, search engines, online payment websites, online auction sites, and electronic commerce websites are intermediaries.2
Similarly, in work from home, the company provides an electronic platform for the exchange of data between its clients and the employees to conduct its business. Internet Service Providers (“ISP”) plus other bundled services like Email, Cloud and Virtual Private Network (“VPN”) facilitate, host or temporarily store data and secure the transmission. While companies are users of these services, they are still intermediaries because they control data and select the receiver of the data transmission.
Therefore, the ISP is a mere conduit when it comes to data content or communication, while the company is the data controller. In other words, they fall under two different categories of intermediary. Certain liabilities may arise for these intermediaries under this policy, which are explained below.
LIABILITIES OF INTERMEDIARY IN WORK FROM HOME POLICY
The key employees of the company can be held liable for any negligent act that violates the Information Technology Act. Any company that fails to protect any sensitive personal data and causes wrongful loss to its data subjects shall be liable to pay compensation.3
In Poona Auto Ancillaries Pvt. Ltd., Pune v. Punjab National Bank & Others 4, the bank was found negligent due to a lack of proper security checks against cyber-attacks, and the bank was ordered to pay compensation of 45 lakhs rupees.5
It was one of the largest compensations to be awarded in the adjudication of an IT dispute. Thus, to avoid paying hefty compensation, companies must not be lax with their security protocols.
Companies that extract any electronic information without acquiring the consent of the owner of that information 6, or that breach a lawful contract by disclosing sensitive data, will be liable 7 for compensation and imprisonment. Thus, companies must acquire the written or electronic consent of the client, which is an essential step to initiate the WFH policy.
Companies must also attach an addendum to an existing employment agreement, or include a separate clause for this policy in their agreements, to avoid any other contractual liability. The two most important factors that determine the quantum of penalty for an intermediary are “due diligence” and “actual knowledge”; they are discussed in the topic below.
SAFE HARBOR PROVISIONS FOR INTERMEDIARY
In the controversial case of baazi.com 8, the Delhi High Court held the intermediary criminally liable because there was no legislative guidance on the duties of an intermediary.
After the IT Amendment Act, 2008, section 79 (9) was included, which provides an exemption from liabilities of the intermediary under certain conditions. Later, the Intermediary Guidelines, 2011 were introduced to provide clarity on the duties of an intermediary.
Section 79 provides safe harbour protection only to those intermediaries that merely facilitate information by hosting it, without modifying the data in any instance.
Sub-section (1) of section 79 refers to the information as third-party information that is made available by the intermediary in his capacity. And sub-section (2) states that the intermediary cannot initiate the transmission, select the receiver of transmission or modify the information contained in the transmission to qualify for exemption under this section.
In sub-section (2)(c) and sub-section (3)(b) of section 79, emphasis has been laid on “due diligence”11 and “actual knowledge”12. According to the Oxford dictionary, “due diligence means reasonable steps taken by a person or an organization to avoid committing a tort or an offense”. Sub-section (3)(a) of section 79 further states that the intermediary shall not conspire in, engage in or abet the commission of any illegal act.
According to sub-section (3)(b) of section 79, the intermediary should also act expeditiously to remove or disable access to illegal material, upon receiving actual knowledge or on being notified by the Government or its agency, without vitiating any evidence.
In the context of work from home, the illegal activity could be an inappropriate message which includes sexual harassment or defamation of a person, or pornography shared by an employee on an open communication platform of the company. There is no specific definition of “actual knowledge” in the Act. However, in the Myspace case13, the Delhi High Court has clarified that the knowledge must be specific and not constructive.
Therefore, there are three main conditions for exemption from liabilities under this section. Firstly, the intermediary should not have any role in modification or control over the transmission of data. Secondly, the intermediary must follow “due diligence” as per the Guidelines14. Thirdly, the intermediary must not have any “actual knowledge” of any illegal activity or, on being notified, must have acted expeditiously.
VPN or Cloud is a user-generated service, so there is no intervention in the transmission or modification of the data. Therefore, these network service providers come under the purview of section 79. The function of an intermediary primarily depends on data, so it is important to understand the data protection laws in India in connection with this policy.
DATA PROTECTION LAWS IN INDIA FOR WORK FROM HOME
There is no specific legal framework governing data privacy in India. There are only a handful of data protection laws that can be inferred from the Information Technology Act, 2000 and other statutory laws.
To ensure data security, companies started adopting independent measures due to the lack of stringent data privacy laws in the country. As a result, the Data Security Council of India (“DSCI”) was established. It is a not-for-profit industry body on data privacy in India, set up by the National Association of Software and Service Companies (“NASSCOM”), committed to ensuring the safety of cyberspace by creating best practices, standards and initiatives in cybersecurity and privacy.
However, in the year 2017, in the landmark judgment of Justice K S Puttaswamy (Retd.) & Anr. vs. The Union of India16, the Supreme Court of India finally held the right to privacy to be a fundamental right subject to certain restrictions. This judgement has set a pathway for data privacy laws to thrive in India.
Generally, complying with the data privacy laws is mandatory because sensitive data of clients remains at high risk of being leaked or even misused by the employees. A WFH policy must adhere to data privacy laws because a workspace at home may not have the necessary data security controls installed, as an enterprise does.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) are the most comprehensive data privacy law currently available in India, but they have serious inadequacies. India’s Personal Data Protection Bill (“PDP Bill”) 2020 has been adopted from the European Union’s electronic commerce directive.
It will supersede the existing laws on receiving the final assent and cover all the regulatory compliances for data privacy. Major companies are already subject to data privacy requirements set out by DSCI so they already maintain certain practices required under the bill. But for other companies, this bill will set new standards of data privacy.
How is the PDP Bill Different?
The definition of “Sensitive Information”17 in the SPDI Rules is limited. It excludes a lot of personal information of data subjects from the safeguards of the SPDI Rules, such as cell phone number, electronic communication address, residential address or any such information which can be used to identify the person.
By excluding such information, it leaves the data subject exposed to commercial exploitation and online perpetrators. This drawback may have a higher impact during the practice of work from home. But under the PDP Bill, data are classified and protected under three types: Personal Data, Sensitive Personal Data, and Critical Personal Data.
The PDP Bill also provides consumers or information providers with the right to access data or receive copies of data in a timelier manner. The Right to Deletion/Right to be Forgotten is a data subject’s right to remove and alter personal data, which is not explicitly mentioned in the SPDI Rules, while the PDP Bill will restrict the data fiduciary from disclosing personal data as soon as the purpose for collecting the data is over.
The Right to Complain is ambiguously provided under the SPDI Rules. The grievance officer designated under the rules deals with information providers’ grievances, while cyber-attack incidents are to be dealt with separately under the Computer Emergency Response Team.
At the current magnitude of work from home practice, certain complications may increase, making it inconvenient for the data subject under the SPDI Rules to seek remedy under two different authorities. The PDP Bill will establish a single data protection authority to handle all the grievances of the information providers. The data subject’s right to withdraw consent is provided in the SPDI Rules, but as soon as the consent is withdrawn, the data fiduciary has the option to take away the goods or services for which the information was sought. A similar right is present in the PDP Bill, but it is specified that the consent to processing the data must be capable of being withdrawn.18
The term “Information Provider” in rule 6 of the SPDI Rules is not defined anywhere in the Act, and can include the original data subject, the intermediary, or a third party who is selling the information. The SPDI Rules focus on the process of collecting the information and not the use of that information, thus introducing ambiguity in the law.19
The PDP Bill codifies and brings necessary changes to the data privacy laws, but there are a few flaws in the bill. This bill exempts the Government from data privacy restrictions. It imposes greater control of the Government over the Data Protection Authority and also imposes heavy regulatory compliance on the intermediary. Therefore, an amendment to the bill is necessary for successfully improving data privacy laws in India.
What are the Data Privacy Solutions Available for Work from Home?
Recently, the National Centre of Excellence for Cybersecurity Technology and Entrepreneurship (“National CoE”), a joint initiative by DSCI and the Ministry of Electronics & Information Technology of India, released a compilation of cybersecurity companies’ products and strategies to create awareness and understanding of the technology required for work from home.
Mobile Data Management (“MDM”) is application software that can identify and monitor the employee’s device and its web activities, secure the connection to the enterprise via any network, and even track the location of the device or wipe data remotely from the device. It mostly does not require any server installation and works on any ISP, reducing the cost of network setup.
Examples include 42Gears, Accops HySecure, etc. Apart from MDM, there are other recent technologies available in the market. Ashield provides authentication of the user and secures the network using quantum-resistant crypto or double-layered protection with artificial intelligence.
It can identify and mitigate data security threats on its own. The Unified Threat Management Solution developed by WiJungle can prevent data leakage, assess data vulnerability, manage bandwidth and protect the device from malware or any kind of intrusion in the network. FileSync is software that provides a digital file transfer solution for organizations to protect their sensitive files and achieve regulatory compliance.20
General awareness of such technologies is pertinent to work from home. But according to cybersecurity experts, ever since the first lockdown in March, cyber-attacks have drastically increased.21 Therefore, the legislature must act expeditiously to improve the data privacy laws and cater to the needs of the present situation in India.
A company acting as an intermediary in work from home must follow all the obligations under the Intermediary Guidelines of the Act. The consent of the clients must be taken before implementing the WFH policy. The safe harbour provision can exempt from liability those intermediaries that do not modify the information and only facilitate or host information temporarily.
Upgrading data security by using advanced technologies and creating awareness of cybersecurity risks are highly recommended. Work from home policies must be well-defined and included in the employment agreements of the companies. Companies with a work from home policy in their agreements need to have them vetted by legal experts to prevent liability. However, bringing a few changes to the Personal Data Protection Bill can lead to long-term success in ensuring data privacy in India.
- S. 2(1)(w), Information Technology Act, 2000.
- S. 2(1)(w), Information Technology Act, 2000.
- S. 43, Information Technology Act, 2000.
- Poona Auto Ancillaries Pvt. Ltd., Pune v. Punjab National Bank, HO New Delhi & Others, Complaint No. 4 of 2011 (Information Technology Secretary, 25/02/2013).
- See also Judgements, available at https://www.itlaw.in/judgements/, last seen on 18/07/2020.
- S. 72, Information Technology Act, 2000.
- S. 72A, Information Technology Act, 2000.
- Avnish Bajaj v. State of Delhi (NCT) (2005) 3 Comp LJ 364 Del, 116 (2005) DLT 427, 2005 (79) DRJ 576.
- S. 79, Information Technology Act, 2000.
- S. 79(2)(c), Information Technology Act, 2000.
- S. 79(3)(b), Information Technology Act, 2000.
- Myspace Inc. v. Super Cassettes Industries Ltd, FAO(OS) 540/2011, C.M. APPL.20174/2011, 13919 & 17996/2015.
- R. 3, Intermediary Guidelines, 2011.
- DSCI, NASSCOM, Data Protection Practices of Indian IT/ITES industry Survey of 2008, available at https://www.dsci.in/sites/default/files/documents/resource_centre/Data%20Protection%20Practices%20of%20Indian%20IT-ITES%20industry.pdf, last seen on 29/08/2020.
- Justice K S Puttaswamy (Retd.) & Anr. v. The Union of India, Writ Petition Civil 494/2012.
- S. 3, The Information Technology (Reasonable Security Practices and Procedures And Sensitive Personal Data or Information) Rules, 2011.
- H. Walia, S. Chakraborty, Indian Data Protection laws and Regulations 2020, Interpretation Comparative Legal Guide Blog, available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/india, last seen on 20/07/2020.
- B. Bindhari, R. Sane, “Analysing the Information Technology Act (2000) from the viewpoint of protection of privacy”, The Leap Blog, available at https://blog.theleapjournal.org/2016/03/analysing-information-technology-act.html, last seen on 23/08/2020.
- National Centre of Excellence for Cybersecurity Technology Development & Entrepreneurship, Security Use Cases & Solutions For Work From Home, available at https://www.dsci.in/sites/default/files/documents/resource_centre/Security%20use%20Cases%20%26%20Solutions%20for%20Work%20from%20Home.pdf, last seen on 29/08/2020.
- D. Sengupta, Cyber Attacks in India surge since Lockdown, The Economic Times (25/07/2020), available at https://economictimes.indiatimes.com/tech/internet/cyber-attacks-in-india-surge-since-lockdown/articleshow/76591994.cms?from=mdr, last seen on 19/07/2020.