The prolific growth of information and communication related technology has spawned myriad social media networking sites. However, the use of these technologies also presents new dangers for the privacy of individuals. Information is at the risk of being gathered without an individual’s knowledge. It may be reused for unauthorized purposes, retained for months and years, passed on to third parties, and published or circulated without permission. Increasingly, data available on social media sites is being used by several entities to track individuals’ preferences, interests, movements, networks and activities. The information that is gathered is widely used, among other things, to customize an individual’s email access as well as webpage that the individual may visit. This raises questions of privacy and data protection.

The Information Technology Act, 2000 (“IT Act”) was focused on the recognition of electronic records and facilitation of e-commerce. The emphasis of the Information Technology (Amendments) Act, 2008 was on Cyber Terrorism and to a significant extent, Cyber Crime. However, it also contains provisions that apply to data protection and privacy. The two statutes are collectively referred to as the IT Act.

The scope of this article is to highlight some of the important provisions of the IT Act relating to data protection and privacy vis-à-vis social media.

Data Protection

The IT Act (section 43) imposes civil penalties in the event of the commission of certain acts without the permission of the owner or person in charge of the computer or computer systems such as: (i) securing access (without permission); (ii) downloading or copying of data stored in a computer or computer system; (iii) introducing computer viruses; (iv) damaging computers and or data stored therein; (v) disrupting computers; (vi) denial of access; (vii) abetting such acts; or (viii) illegal charging for services on another’s account. The IT Act has included two additional violations (i) destruction, deletion and alteration of information residing on a computer and (ii) theft, concealment, destruction, alteration, (or to abet in the theft, concealment, destruction, or alteration), of any computer source code used for a computer resource with an intention to cause damage.

Further, the IT Act holds any “Body Corporate” possessing, dealing with or handling any “sensitive personal data or information” in a computer resource it owns, controls or operates, liable for negligence, if it fails to maintain “reasonable security practices and procedures[i]” and thereby causes wrongful loss or wrongful gain to any person. “Body Corporate” is defined in the IT Act as any company and includes a firm, sole proprietorship (sic) or other association of individuals engaged in commercial or professional activities

Apart from the Civil Penalties contained in the IT Act there also are criminal provisions, a few of which relate to data protection.

The IT Act provides that any act set out under section 43, if committed “dishonestly or fraudulently,” would amount to a criminal offence, punishable with imprisonment of up to three years or fine of a maximum of Rupees Five Lakh (approximately US$ 10,000) or both. The IT Act also makes the receipt or retention of a stolen computer resource or communication device punishable with imprisonment up to three years or with fine up to Rupees One Lakh or both. The term “computer resource” is defined under the IT Act as a “computer, computer system, computer network, data, computer database or software.” This provision applicable to the receiver of stolen computer resources, such as data and software, could prove to be substantially useful when faced with issues of data misuse or theft from a social networking site.

Under the IT Act the onus of implementing “Reasonable Security Practices” is on the business entity. “Reasonable security practices and procedures” are defined as “security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem it.” Therefore, social media sites would be required to show that they have adopted such practices in case there is a violation on their site to help mitigate their liability.

Confidentiality and Privacy

The IT Act provides for the protection of physical or personal privacy of an individual. Also, the IT Act contains provisions against the dissemination of personal information obtained without the individual’s consent through an intermediary or under a services contract, with the intent to cause wrongful loss or wrongful gain. The maximum punishment prescribed for this offence is three years imprisonment, or fine up to Rupees Five Lakhs or both. These provisions protect privacy and personal information to a certain extent. In particular, service providers on the Internet, social networking sites, companies, firms, individuals and other intermediaries need to exercise caution in the collection, retention and dissemination of personal data.

The IT Act makes the dishonest or fraudulent use of a person’s electronic signature or identity, password or any other unique identification feature punishable as theft with imprisonment of up to three years and fine up to Rupees One Lakh.

The statute further makes cheating by impersonation through a computer resource punishable with imprisonment of up to three years and fine up to One Lakh Rupees.

The liability of an intermediary under this section is limited in specific instances, i.e., if he provides access to communication systems for transmission or temporary storage of third party information, data or communication links made available or hosted by him. The intermediary should however observe due diligence and comply with the prescribed guidelines, while discharging his duties.

The IT Act imputes vicarious liability in case of offences by companies and provides substantial and relevant rights allowing victims to seek redress in cases of violations. As most of the offences under the IT Act are cognizable, this provision is a cause for concern for social media entities and their management.

In comparison to the laws of developed nations, India requires laws that define data based on utility and importance. Rules related to data extraction and data destruction needs to be improvised. Stringent and comprehensive laws for the protection of data are the need of the hour. In 2011, the Government of India proposed the “Right to Privacy Bill”. However, we still await the final and conclusive draft of the Bill. Until then, businesses must implement appropriate safeguard policies and maintain an awareness of compliance obligations

Vidhi Agarwal is a partner at LawQuest International, a general practice law firm in Mumbai, India. She with a Masters Degree in Law as well as Commerce is admitted as an advocate to the Bar Council of Maharashtra and Goa. Vidhi may be reached at vidhi@lawquestinternational.com.

Annu Sharma is an Associate at LawQuest. She has completed her LL.B from K.C. LawCollege, Mumbai. She holds a B.Sc Degree from K.C. College of Arts, Commerce and Science. She can be reached at annu@lawquestinternational.com

By Vidhi Agarwal and Annu Sharma

The authors and music composers who are left in the cold in the penumbral area of policy should be given justice by recognizing their rights when their works are used commercially separately from cinematograph film and the legislature should do something to help them.

In keeping with the spirit of the above view of Justice Krishna Iyer, both Houses of the Indian Parliament unanimously passed the Copyright Amendment Bill, 2012, bringing about considerable changes to the Copyright Act, 1957 (“Copyright Act”) in relation to, inter-alia, the rights of artists. The Bill received Presidential assent on June 07, 2012 and the Copyright (Amendment) Act, 2012 came into force on June 21, 2012 (“Amendment Act”).

POSITION BEFORE THE AMENDMENT ACT

The most significant and much debated provision in the Amendment Act is the right granted to authors and music composers in the works they create. Before the Amendment Act came into force, ownership of the copyright in underlying works in a cinematograph film was deemed to belong to the producer of the film, who is considered the owner of the copyright in a cinematograph film, unless there is a contract to the contrary between the authors / composers and the producer. Producers usually entered into contracts with the authors of the underlying works, getting such authors to assign the entire bundle of rights in such underlying works to the producer. As a result, many felt that such authors and composers were left in the lurch as the producers reaped all the benefits of such underlying works while authors and composers did not get what was rightfully due to them. The cases of shehnahi maestro Bismillah Khan and music composer Ravi have been quoted in the media as examples of how talented artists are deprived of their dues due to lack of legislative protection available to such artists, and therefore do not have the means to even pay for housing and medical care.

RIGHTS OF AUTHORS OF UNDERLYING WORKS

The Amendment Act seeks to protect the interest of such artists by including provisions granting certain rights to the authors and music composers of underlying works in a cinematograph film. The authors of underlying works incorporated in a cinematograph film may retain all the rights in their work except to the extent assigned for use in the cinematograph film. The assignment too has been subject to certain safeguards.

The authors of literary and musical works incorporated in cinematograph films, or sound recordings not forming part of the cinematograph film, have the right to receive royalties equal to the royalties received by the assignee of such rights, for utilization of such work in all forms other than communication of the cinematograph film to the public in cinema halls. The author can also assign the right to receive royalties to legal heirs or to a copyright society for collection and distribution. Any agreement that seeks to assign or waive the above right granted to authors of literary and musical works will be considered void.

Further, an assignment is not to be applicable to any medium or mode of exploitation of the work that did not exist or was not in commercial use at the time the assignment is made, unless the assignment specifically refers to such medium or mode of exploitation.

Moreover, an assignment of copyright in any work to make a cinematograph film or sound recording is not to affect the right of the author to claim royalties and consideration in case of utilization of the work in any form other than as part of the cinematograph film in a cinema hall.

RIGHTS OF PERFORMERS

The Amendment Act also grants certain rights to performers. Prior to the Amendment Act coming into force, although performers were granted certain rights, once a performer consented to the incorporation of his performance in a cinematograph film, the rights of the performance were deemed to have been waived.

As an initial matter, the Amendment Act has modified the definition of a performer. Earlier, a “performer” included “an actor, singer, musician, dancer, acrobat, juggler, conjurer, snake charmer, a person delivering a lecture or any other person who makes a performance.” The Amendment Act has added a proviso to state that, in a cinematograph film, a person whose performance is casual or incidental in nature and, in the normal course of the practice of the industry, is not acknowledged anywhere including in the credits of the film shall not be treated as a performer except for the purpose of attributing moral rights. Moral rights have been given the nomenclature of ‘Author’s Special Rights’ under the Copyright Act. They include the right to paternity which is the right to claim authorship of the work; and the right to integrity which is the right to restrain or claim damages in respect of any distortion, mutilation, modification or other act in relation to the said work if such distortion, mutilation, modification or other act would be prejudicial to the honour or reputation of the author.

The Amendment Act provides that the performer would have the right to make a sound recording or a visual recording of the performance and the right to broadcast or communicate the performance to the public except where the performance is already broadcast. Once a performer has, by written agreement, consented to the incorporation of his performance in a cinematograph film, he shall not object to the enjoyment by the film producer of the performer’s right therein unless there is a contract to the contrary. However, the performer is entitled to royalties where his performance is put to commercial use.

MORAL RIGHTS

The Copyright Act recognized certain special rights of the authors of a work. The moral rights of an author include the right to claim authorship of the work and the right to restrain or claim damages in respect of any distortion, mutilation, modification or other act in relation to the work if such distortion, mutilation, modification or other act would be prejudicial to his honour or reputation. The Copyright Act stated that the right to restrain or claim damages as above could also be exercised by the legal representatives of the author (but not the right to claim authorship).

The Amendment Act now permits the legal representatives of the author to also exercise the right to claim authorship of the work.

The Amendment Act also grants performers certain moral rights that were not granted to them under the Copyright Act. For example, the performer has the right to claim to be identified as the performer of his performance, except where omission is dictated by the manner of the use of the performance. The performer also has the right to restrain or claim damages in respect of any distortion, mutilation or other modification of his performance that would be prejudicial to his reputation.

COVER VERSIONS

Earlier, the Copyright Act provided that cover versions, if made following the conditions prescribed, were an exception to infringement. The Amendment Act has made it a separate right instead, by granting statutory licenses for such recording. Any person desirous of making a cover version, being a sound recording in respect of any literary, dramatic or musical work, where sound recordings of that work have been made by, or with the license or consent of, the owner of the right in the work, may do so subject to the conditions provided in the Amendment Act. No cover versions can be made until the expiration of five calendar years after the end of the year in which the first sound recording of the work was made. Royalty shall be paid for a minimum of fifty thousand copies of each work during each calendar year in which copies are made.

A BOON OR BANE?

There are various aspects with respect to the implementation of the above-mentioned rights of artists that remain unclear. The Amendment Act states that the authors of the underlying works will be entitled to receive royalties equal to the royalties received by the assignee of such rights, for utilization of such work in all forms other than communication of the cinematograph film to the public in cinema halls. However, the Amendment Act does not explicitly state who will be liable to pay the royalty to the authors of the underlying works. There is also lack of clarity on who would be liable to pay performers their royalties. Since the authors of the underlying works will be entitled to receive royalties equal to the royalties received by the assignee of such rights, one may assume that the assignee will be responsible for payment of royalties to the authors of underlying works. The assignee could be the producer of the cinematograph film. Or it can be argued that a broadcaster that is exploiting the cinematograph film is responsible for payment of royalties to the authors of underlying works. Still another option could be that it is the responsibility of copyright societies to collect royalties from the assignee and pay the same to the authors of underlying works. However, due to the lack of an express provision in relation to responsibility for payment of royalty, there is considerable confusion on this aspect of the Amendment Act. Therefore, contracts need to be structured and drafted in a manner that addresses these issues of payment of royalties and the rights and obligations of various parties involved.

There is also lack of clarity in the Amendment Act on how the royalty payable to the authors of underlying works is to be calculated. If there are multiple authors of an underlying work, will the royalty be equally divided between each of the authors and the assignee? Or will the assignee be entitled to 50% of the royalties and all the underlying authors share the remaining 50% of the royalties? Also, when there are music and lyric rights in a song, will the music and lyric rights be treated as separate underlying works, and therefore the music composer separately shares the royalty with the assignee for the music right and the lyricist separately shares the royalty with the assignee for the lyrics? None of these questions have been adequately addressed in the Amendment Act. The calculation of payment of royalty to performers too has not been expressly addressed in the Amendment Act.

Also, the Amendment Act has granted moral rights to performers. However, while the Amendment Act states that the legal representatives of authors of a work can exercise the moral rights, there is no mention in the Amendment Act of the legal representatives of performers being entitled to exercise such moral rights.

The Amendment Act will definitely have an impact on the entertainment industry. Producers may have to share their profits with underlying authors or they will need to pass on the responsibility of payment of royalties to the broadcasters. The agreements between broadcasters and producers and the underlying authors will have to be carefully drafted to address the issues of sharing of royalties between various artists and the assignee.    

The Amendment Act has been a step in the right direction to address the issues faced by the authors of the underlying works and to implement the observation made by Justice Krishna Iyer. However, the Indian legislature will need to frame rules to plug the deficiencies in the Amendment Act regarding the implementation of its various provisions.

Seema Sukumar is a Senior Associate

With J. Sagar Associates, based out of Bangalore. She can be contacted at seema@jsalaw.com.

By Seema Sukumar

By Dipankar Vig

In its genuine effort to restore the pro-arbitration regime in India, the Constitutional Bench of the Hon’ble Supreme Court of India has delivered a conclusive judgement on the role of Indian courts in international commercial arbitrations rendered in a foreign seat. (“Bharat Aluminum”).

The Arbitration & Conciliation Act 1996 (‘the Act’), an enactment based on the UNCITRAL model has always provided for two regimes of dispute resolution depending on the seat of arbitration. Part-I provides for the domestic as well as international arbitrations where the seat of arbitration is in India and Part-II contains provisions for recognition and enforcement of awards rendered in a foreign jurisdiction.

The Bharat Aluminum case has overruled the apex Court’s earlier interpretation laid down in the case of Bhatia International, which was subsequently upheld in the case of Venture Global Engineering and Indtel Technical Services.

1. Decision in Bhatia International, Venture Global and Indtel Technical Services

The Bhatia International ruling gave the Indian Courts a right to set aside an award made in a foreign seat. In Venture Global, applying the same principle, the Court set aside a London Court of International Arbitration (‘LCIA’) award rendered in London.

Therafter, in Indtel Technical Services, the Court held that it could appoint arbitrators in the case of a deadlock, even though the arbitration was to be conducted in a foreign seat.

1. Highlights of the Bharat Aluminum Case

1. Applicability of Part- I of the Act

The Hon’ble Supreme Court has categoricallly laid down that Part-I of the Act is applicable only to the arbitrations which take place within the territory of India and it would have no application to international commercial arbitrations rendered in a foreign seat. In other words, the Indian Courts will not be allowed to exercise their powers under Part-I of the Act in respect of arbitrations having a foreign seat.

2. Interim Reliefs by Courts

The Hon’ble Court further held that in a foreign seated international commercial arbitration, no application for interim relief would be maintainable under Section 9 or any other provision, as the applicability of Part-I of the Act is limited to all arbitrations which take place in Similarly, no suit for interim injunction would be maintainable in India, on the basis of an international commercial arbitration with a seat outside India.

3. No Annulment of Foreign Awards

The Hon’ble Court has clarified that the regulation of conduct of arbitration and challenge to an award would have to be done by the courts of the country in which the arbitration is being conducted. Such a court is then the regulatory court possessed of the power to annul the award.

Previously, a foreign award could be set aside on the ground that its enforcement would be opposed to “public policy”, in the context of Section 34 of the Act. However, subsequent to this judgement, a foreign award cannot be set aside in India under Section 34 of the Act.

4. Prospective Application
   

The Hon’ble Court also held that the amended position shall apply prospectively from the date of judgement i.e it shall apply only to arbitration agreements made after September 06, 2012.

By this landmark judgement, the Hon’ble Supreme Court has put an end to the unwelcome judicial interference in foreign seated arbitrations and has put to rest the host of inconsistent judicial decisions on arbitration.

Introduction

Companies today increasingly employ workers across multiple jurisdictions. For the sake of equality and efficiency a multinational prefers to apply a single uniform set of human resource (“HR”) standards to its entire global employee base. However, HR uniformity becomes difficult when different countries impose different HR laws. These dilemmas are especially troubling in the realm of employee privacy.

This article outlines the approaches to employee privacy pursued in the United States and European Union. Following that is a snapshot of employee privacy in India, which has not yet committed to the U.S. or EU approach. The discussion will examine which policy direction would be most beneficial for India. It will be shown that on balance, India’s best interests will be served by following the U.S. model, which fully protects employee privacy while preserving the regulatory flexibility India needs to attract and retain foreign direct investment.

Divergent Approaches to Privacy: European Union and United States

The European Union’s policy stance is clear: privacy is a human right and government involvement is a must. The European Privacy Directive of 1995 is a guidance document for the 26 EU nations, which all now have their own laws and enforcement arms—Data Protection Authorities. This heavily regulated approach, which requires companies that process data to register their activities with the government, creates serious concerns for multinational companies from the U.S. that operate under a much different, and perhaps more practical, approach.

Nuances between EU countries exist, but generally speaking in Europe employers cannot read workers’ private e-mails, and personal information cannot be shared by companies or across borders without express permission from the data subject. These types of regulations hamstring companies doing business in Europe with unending red tape that may or may not have any actual impact on the given individual, known in E.U. privacy parlance as the “data subject.” In fact, a study from the Ponemon Institute showed that despite the absence of stringent privacy laws in the United States, “U.S.-based multinational firms scored higher than their European counterparts on five of eight common privacy practices, including having a dedicated privacy officer and better data security.”

Data privacy in the United States is regulated in a sector-specific manner. The Federal Trade Commission (FTC) is the lead regulatory agency tasked with protecting consumer privacy rights through its authority to prohibit unfair or deceptive acts or practices. Laws are on the books that do require prior consent for certain personal information. For example, a U.S. employer must obtain the prior written consent of a job applicant to access the applicant’s credit report for purposes of completing the background investigation stage of the hiring process.

The current legal framework surrounding employment privacy law, including the National Labor Relations Act (“NLRA”), helps to refine HR privacy policies and provides ample safeguards against corporate abuse of private, or personal, information. And without a broad-based policy directive from the government, U.S. companies can do a more efficient and effective job of moderating how, when, why and what sensitive personal information is used.

For example, the National Labor Relations Board (“NLRB”) recently released its second report to help guide HR departments when crafting their social media/privacy policies. One point emphasized that such policies must be “narrowly tailored” so as not to prohibit union organizing activity protected under the NLRA. This means that even though the employee may surrender his or her privacy rights to certain information, the way in which the company can use such information is limited.

In the U.S. employee privacy is protected not only by the U.S. Constitution and federal statutes but state constitutions and state statutes. For example, states grapple with the subtleties of when and how an employer may interview job applicants and monitor employee email, Internet use, and physical space.

In the U.S. more than in the E.U., employers have legal obligations that compel them to engage in employee monitoring. For example, a U.S. employer may need to investigate the transmission of an item of sexually-oriented Internet humor among its employees to defend against claims of a “hostile work environment.” Alternatively, an employer may need to install a surveillance camera at a worksite parking lot to guard against potential liability from “security negligence” (the failure to ensure security for employees and others in the workplace).

Even when employer monitoring is not legally required it can be a necessary business practice. Banks commonly use surveillance cameras to guard against robberies. Companies in the business of transporting goods may need to track their vehicles with GPS location monitoring systems.

The U.S. government takes privacy seriously, but its approach differs from the European approach in large part because it relies more on self-regulating corporate codes of conduct. Only when a company deviates from an applicable code will a U.S. government agency intervene with an enforcement action. That way companies have the flexibility they need to adopt privacy policies appropriate for their particular situations.

India’s broader privacy framework

India’s labor laws do not at present address rights surrounding employee privacy, let alone follow the employee privacy policies of the E.U. or U.S. However, general privacy laws were set forth in the Information Technology Act of 2000 (“IT Act”), which provided legal recognition for e-commerce and sanctions for computer misuse. Subsequently, India has passed legislation in 2008 and then again in 2011 to further develop its broader privacy policy objectives.

In an attempt to broaden the enforcement scope of the law, India passed the IT (Amendment) Act of 2008, which incorporates two new sections of the IT Act: most notably, Section 43A to provide a remedy for persons whose personal data is compromised by a security breach.

Under section 43A, “bodies corporate,” which includes a corporation[s], firm[s], association[s], sole proprietorship[s], and any other associations or individuals engaged in “commercial or professional activities,” can be liable for failing to maintain “reasonable security practices and procedures” to protect “sensitive personal data and information.” “Sensitive personal data” was not defined in this Amendment. Furthermore, absent a contract, reasonable security practices and procedures were also not specifically defined and were left for the central government to prescribe. Following these Amendments, Section 43A fell under criticism for its broad definition of “body corporates” and absence of clarity on several other fronts, such as whether an Indian call center was required to obtain a foreign customer’s consent before collecting the individual’s personal data (the answer turned out to be no).

The latest announcement attempted to address some of this criticism, when in August 2011 the Government of India issued the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Data Privacy Rules”).

First, in order for a body corporate to comply with India’s privacy regime, it must implement security practices and procedures which include a “comprehensive documented information security programme and information security policies.” Such policies must contain managerial, technical, operational, and physical security control measures commensurate with the information assets being protected.

Second, the Data Privacy Rules define “sensitive personal data and information” to include:

• passwords;
• financial information such as bank accounts, credit and debit card details;
• physiological and mental health condition, medical records;
• biometric information;
• information received by body corporate under lawful contract or otherwise;
• user details as provided at the time of registration or thereafter; and
• call data records.

And lastly, India’s Data Privacy Rules also clarify that a body corporate must get the consent from the provider of information and identify the purpose for collecting such data.

Although India has made strides in clarifying its data protection and privacy policies, these efforts are far from complete and comprehensive given the challenges jurisdictions must face with international information exchange through social media and cloud computing.   First and foremost, the Data Privacy Rules are to include Indian companies only. Furthermore, an exemption was added for Indian outsourcing entities under contract with a legal entity outside of India.

Additionally, India’s definition of “sensitive personal data and information” is defined narrowly, and does not include information in the public domain or information accessible under the Right of Information Act. The Data Privacy Rules’ consent requirement is also less stringent than it appears at first glance. Under the rules, a body corporate must only receive consent from the person or entity that provided the information, not from the individual to whom the information relates.

The result is an Indo-centric policy that does not quite yet affect cross-border communication of multinationals. The Data Privacy Rules could be read as the Government of India’s attempt to demur on the issue of privacy protection in the global context. It is no surprise to see India take this stance given the impact such policies have on business, especially multinational companies that exchange information and data on a daily basis from one country to another. If a multinational with operations in a dozen countries were required to comply with a dozen different sets of privacy laws the potential liability and administrative burden would be potentially enormous. The risks may well discourage the company from investing in a certain nation.

India requires a high level of foreign investment to maintain adequate GDP growth. Any new layer of regulation that discourages such investment could be damaging to its overall economy. Therefore it would be strategically wise for the Indian government to keep regulatory burdens such as privacy laws as flexible and streamlined as possible.

Cultural Underpinnings of Privacy Policy

A nation’s culture forms the tenets of its privacy policy. In European nations individuals tend to be more skeptical of corporations than governments. For example, European employees have high expectations of privacy in the workplace, and personal information is preferably kept personal. The European emphasis on worker privacy may be a natural result of its traditionally left-leaning political orientation, which has long supported workers’ rights.

In the United States, by contrast, the culture is relatively more supportive of free enterprise and distrustful of government. Efforts to restrain government power can be traced as far back as the Federalist Papers.  Consequently, expectations of workplace privacy are viewed in a different light in America. For example, an American employer can be found liable for not investigating a claim of sexual harassment by one employee against another. In the context of an employee’s Internet privacy, the expectation is that emails, Facebook posts and Tweets from company computers are not private, and that work computers and mobile devices are monitored. On the other hand, American employers are legally required to maintain strict confidentiality for employee data such as credit reports and health care information, which could be damaging to workers if inappropriately accessed or misused.

So far India’s treatment of privacy protection has not followed the rigid, pervasive, pro-employee regulatory approach of the E.U. This may reflect a cultural preference for the more flexible, contextual, balanced approach of the U.S. If so, India’s instincts are good. As explained above, a fast-growing emerging economy is better positioned to attract foreign investment if it adopts legal standards that investors can readily meet. One way a nation can maintain such reasonable standards is to preserve flexibility in its privacy laws.

Conclusion

Technologies such as mobile telephones, cloud computing, and social networking have blurred the line between workplace and personal activity. As a result, it is now more difficult to safeguard employee privacy while protecting business interests.

One way to resolve this policy challenge is to adopt laws that definitively favor one side or the other. The EU approach does this by favoring employee rights through a strict and highly regulated privacy regime. However, this approach could rapidly multiply a company’s liability without necessarily producing any practical benefits for employees. At the same time, such an approach could discourage companies from investing in the employee-biased countries.

Given the fluid nature of the above technologies and the novel nature of the related issues of workplace privacy, it will take time and thoughtful discussion to strike the right balance between the privacy interests of labor and the business interests of management. In this complex and subtle legal environment a flexible approach would be more accommodating. Self-regulatory corporate codes of conduct, backed by the threat of government enforcement, have worked well to protect privacy so far. As long as these codes are permitted to evolve with changing business needs and privacy expectations they will likely continue to serve us well in the future.

For this reason the U.S. approach seems preferable for a country such as India. By relying on self-regulation implemented through HR policies, India may find that its employees enjoy just as much privacy protection as their counterparts in the EU. At the same time, India would not need to risk alienating foreign investors. Indeed, American and European companies alike could continue to invest in India without fear of increasing their India-based liability or triggering conflicts with their home country laws.

Michael Green is a Manager at the U.S.-India Business Council (USIBC) responsible for the Life Sciences and Legal Services portfolios. Michael can be contacted at mgreen@uschamber.com.  

Michael Green

The February 2011 decision of the Federal Court of Australia in Roadshow Films Pty Ltd v iiNet Ltd [2011] FCAFC 23–exonerated Australia’s second-largest internet service provider (“ISP”) from claims that it authorized primary copyright infringement of the works of a 34-member rightsholder conglomerate called the Australian Federation Against Copyright Theft. The decision represents a significant breakthrough in the field of liability for an internet-based intermediary (essentially any entity that receives, transmits and/or provides other services with regard to an electronic message over the internet) since-the lead opinion by Judge Emmett puts forward an innovative set of criteria for evaluating intermediary liability of ISPs. Paragraph 257 of Judge Emmett’s opinion captures these criteria in the following words:

“[W]hile the evidence supports a conclusion that iiNet demonstrated a dismissive and, indeed, contumelious, attitude to the complaints of infringement by the use of its services, its conduct did not amount to authorisation of the primary acts of infringement on the part of iiNet users. Before the failure … to suspend or terminate its customers’ accounts would constitute authorisation of future acts of infringement, the Copyright Owners would be required to show that at least the following circumstances exist:

(a) iiNet has been provided with unequivocal and cogent evidence of the alleged primary acts of infringement …

(b) The Copyright Owners have undertaken:

(i) to reimburse iiNet for the reasonable cost of verifying the …infringement alleged and of establishing and maintaining a regime to monitor the use of the iiNet service … and

(ii) to indemnify iiNet in respect of any liability reasonably incurred by iiNet as a consequence of mistakenly suspending or terminating a service on the basis of allegations made by the Copyright Owner.”

These criteria form a good point of departure for Indian copyright law, which is still struggling to answer some basic questions on how liability for copyright infringement should apply to ISPs.

In India, intermediary liability is addressed by the Information Technology (IT) Act, 2000, Section 2(1)(w), whichincludes ISPs in its definition of -‘intermediaries’. Section 79(3)(b) of the IT Act holds ISPs liable only if they have actual knowledge of infringing content or have received a notification to that effect by a government agency and the threshold of due diligence in acting expeditiously to remove content or disable access to it. This permits ISPs to be painted with the same brush as other online intermediaries such as websites, social networking portals and the like, which perhaps answer more faithfully to the definition of intermediaries in this context. This is particularly damaging since it leaves the door open for generalizations and characterizations to be made of ISPs when, certainly in terms of business models and incentive structures, ISPs bear little resemblance to online intermediaries that better fit the definition.- Separating ISPs from other online intermediaries has been fairly successful under 17 U.S.C. § 512(k)(1)(A) in the United States, which segregates ISPs from other types of intermediaries within a broad framework which sets out the conditions in which content posted by intermediaries online will not be considered infringing.

Even allowing for the deliberate vagueness necessary to bring all of Section 2(w) within its sweep, Section 79(3)(b) of the IT Act remains rudimentary at best from a substantive perspective, primarily because it does not recognize the significant compliance costs incurred by ISPs and the genuine dilemma for such service providers of being caught between intellectual property enforcement efforts and potentially losing a large proportion of their customer.

Charting a balanced way forward for the Indian law on intermediary liability is vital in light of Super Cassettes Industries Ltd v. MySpace Inc. 2011 (47) PTC 49 (Del), India’s first substantive decision on intermediary liability, which found the social networking website MySpace liable for authorizing copyright infringement of works by its users on an interpretation of Section 51(a)(ii) of the Copyright Act, 1957. Section 51(a)(ii) saves from infringement an intermediary who is not aware and has no reasonable ground for believing that the communication of the work would be infringing. This “knowledge and reasonable belief” standard (paragraph 47) applied in MySpace highlighted the acute need for a robust substantive standard on intermediary liability.

ISPs need to be more proactive than reactive in confronting copyright infringement and – owe a general duty to assist in copyright enforcement. However, guided by iiNet, this general duty should only extend to cases where other stakeholders such as internet users and the State regulatory agencies are not unreasonably prejudiced, whether on legal, economic or moral grounds. The iiNet guidelines show ISPs a feasible way out of the enforcement problem, especially since the fallout of the decision appears to have enabled ISPs to protect their business interests while complying with the law but making few, if any, changes to their -copyright enforcement commitments.

1. The iiNet decision

The seemingly onerous demands required by Judge Emmett to be met by copyright holders in order to get ISPs to aid in copyright enforcement indicates that the threshold of ‘authorisation’ – which is understood to be the grant or purported grant of the right to do the act complained of – is being met increasingly easily by ISPs. Indeed, the ingredients of authorisation identified by Judge Emmett in the excerpt from his opinion provided above – (i) the power to-control the means of infringement, (ii) making that means available to others and (iii) failure to take reasonable steps to limit infringement — are more in line with those recently outlined in Twentieth Century Fox v. Newzbin Ltd. [2010] EWHC 608 (Ch) (involving a website service that made copyrighted content available to its users) than those provided over two decades ago in CBS Songs v. Amstrad [1988] 1 AC 1013 (involving tape recording facilities that allowed buyers to create copies of copyrighted musical works), where, arguably, elements of these ingredients were present and yet not held to constitute authorisation.

In place of authorisation, Judge Emmett- correctly recognizes that in order to expect ISPs to side with enforcement rather than infringement, two main concerns need to be addressed. First, the holders’ claims must be based on strong, cogent evidence and not infringement notices, which are assertive and speculative. To this end, they must provide indemnity to ensure that when the ISP pulls the plug on infringing users, it is not held liable for doing the holders’ bidding. This addresses the fact that infringement surveillance mechanisms remain unreliable and terminating internet connections on the basis of mere allegations would violate procedural fairness (P. Yu, ‘The Graduated Response’ (2010) 62 Florida Law Review 1373). Second, ISPs must be compensated for the considerable costs likely to be incurred in surveillance, policing and data retention for the purpose of enforcement. This responds to the concern that enforcing holders’ copyrights would unfavourably skew ISPs’ profit structure, making it difficult to offer low-cost and quality service to users (Yu).

Judge Emmett – also wisely leaves these requirements open-ended by using the words ‘at least the following circumstances’, allowing for flexibility to be built into these requirements over time. The overall standard required to be met by copyright holders is a justifiably high one, indicating judicial cognizance of the extreme (and often disproportionate) nature of the measure of disconnection as an enforcement action (Yu) and a more balanced approach to enforcement by requiring from full confirmation of an infringement before taking enforcement action (see H. Travis, ‘Opting Out of the Internet in the United States and theEuropean Union: Copyright, Safe Harbors, and International Law’ (2008)

84 Notre Dame Law Review 331 -).

2. Passive-reactive to active-preventive ISPs

The articulation of pre-enforcement requisites to be fulfilled by copyright holders in iiNet could also be seen as going some way towards stabilising the position of ISPs vis-à-vis enforcement obligations. It assumes greater significance in the context of the recent shift from clearly defined ISP safe harbours to a co-operative model of graduated sanctions, which responds to the evolution of ISPs from being passive carriers of information to active managers of content, possessing direct enforcement means (Annemarie Bridy, ‘Graduated Response and the Turn to Private Ordering in

Online Copyright Enforcement’ (2010) 89 Oregon Law Review 81; -; Jeremy de Beer and Christopher Clemmer, ‘Global Trends in Online

Copyright Enforcement: A Non-Neutral Role for Network Intermediaries?’

(2009) 49 Journal of Jurimetrics 375). Indeed, in the present scenario in the U.S. for instance, while there is no affirmative requirement for ISPs to implement technological/monitoring measures to claim safe harbour protection (Yu), it would be difficult to do so without implementing some policy against repeat infringers (Bridy).

Interestingly, this trend has not been instigated purely by pressure from copyright holders. ISPs’ self-interest has also played an important role in the voluntary assumption of these responsibilities in at least two ways—first, the burden imposed by infringers’ file-sharing on ISPs’ network resources and second, the scope for synergy between holders (content suppliers) and ISPs (distribution networks) in offering an integrated product (Yu; de Beer/Clemmer).

3. When should ISPs owe a duty to prevent infringement?

If indeed ISPs’ self-interest suggests that complying with enforcement demands of copyright holders may not be onerous under some circumstances, the next question is of what these circumstances are. Given that the law protects copyright per se (rather than making protection contingent on a feasibility-of-enforcement analysis), ISPs should owe a general duty of co-operation to assist in copyright enforcement. However, this duty should only extend in circumstances where enforcement does not unreasonably prejudice other parties on legal, moral or economic grounds.

Legal grounds

One set of situations where unreasonable prejudice may be caused to users is where their individual liberties are violated without any procedural safeguards in place (Yu). This would cover cases where a user is disconnected from the internet on the basis of merely alleged infringement, where such a measure is not preceded by a formal notice of infringement, where disconnection is not an ‘appropriate, proportionate and necessary measure’ (Yu) and where the individual does not have an opportunity for judicial redress.

These concerns are addressed by the Digital Economy Act, 2010 (“DEA”) in the UK, which incorporates two important procedural guarantees as part of a graduated response—inserting a three-stage notification process to subscribers under Section 124A of the UK’s Communications Act, 2003 (which, ideally, should coalesce multiple infringements over the relevant period into a single notice rather than direct separate notices for every individual infringement; Bridy) and measures for an independent system for appeals by users (which would ensure fairness by adjudicating each case on its merits; Bridy), including a right to anonymity (Ofcom, Online Infringement of Copyright and the Digital Economy Act 2010:

Draft Initial Obligations Code (28 May 2010) -).

As the DEA implementation strategy correctly acknowledges, the educative and rehabilitative functions of these procedures must also be taken seriously and preliminary infringement notices in particular must outline, in simple language, the nature of the alleged infringement, possible corrective measures and legal options in terms of challenging the alleged infringement (Ofcom Draft Code; Yu).

Further, in line with the iiNet conditions, the DEA recognises that procedural fairness also requires that allegations of infringement should be based on credible evidence and not mere allegations. This is this important from a procedural perspective and anchoring infringement allegations to credible evidence also increases the likelihood that the eventual enforcement measure will be proportional to the infringement (Yu).

To this end, a ‘quality assurance report’ for infringement reports has been proposed, which would require holders to reveal measures taken to assure the integrity, accuracy and legality of evidence of infringement (Ofcom Draft Code). This system would impart sufficient flexibility to allow copyright holders to develop the necessary technical measures while preserving scope for intervention vis-à-vis the substance of the reports, either by Ofcom or by the appellate body (Ofcom Draft Code).

Another legal safeguard that may need to be contemplated relates to the appellate body. Even where infringement notices are based on credible evidence, since the case against the user is of infringement, the adjudicating authority must be willing to consider defences to copyright infringement (Yu). Additionally, given the criticality of internet access to many ISP users, the adjudicating authority should give due weight to the absolute nature of internet disconnection and the possibility for alternative arrangements for internet access (Yu).

These provisions should go a long way towards placating concerns of procedural fairness in the enforcement process, especially if further reforms such as mandatory requirements for ISPs to disclose their copyright enforcement practices (including any invasive technological monitoring measures used) to their users (Bridy). ISPs could then be justifiably required to use the means at their disposal to assist in enforcement.

Economic and moral grounds

There is a further reason for requiring ISPs to assist in copyright enforcement—since ISPs benefit indirectly from infringement (through more users and greater usage) and exercise greater control than in the past over user content, they should also bear fair share of responsibility for assisting with enforcement (Yu; Bridy).

However, this responsibility depends on the ISP’s scale because as unreasonable as it is to allow large ISPs with several thousands of users to be unaccountable for infringement by those users, it is equally unreasonable to require, say, a small ISP to incur significant costs to comply with legislation designed to address infringement which it does not notably contribute to (Ofcom Draft Code).

A balance between these extremes could be attempted along the lines of Section 124C(5) of the UK’s Communications Act under which a moving target threshold can be set to identify ‘qualifying’ ISPs. The flexibility in this measure would ideally allow a regular review of the threshold to ensure that infringing users are not out of the reach of enforcement by migrating to smaller ISPs that perpetually remain below the threshold (Ofcom Draft Code). This is supplemented by Section 124M(3)(a) which allows scope for ISPs to claim costs of enforcement from copyright holders, reflecting another of the iiNet conditions.

While this threshold establishes a workable basis for determining which ISPs should owe a duty to assist in copyright enforcement, there remains the possibility that, in practice, enforcement actions by ISPs will disproportionately target small users. This is because the economic loss to ISPs resulting from these users being bumped off the network for infringement is likely to be far lesser than if large users with deep pockets are disconnected (Yu).

Even if such open discrimination is not practiced, there could be interference by ISPs with the principle of network neutrality (requiring no restrictions on internet content accessible to users) by using technological measures to restrict/prohibit certain types of bandwidth-intensive activities (de Beer/Clemmer). While such measures would broadly appear to be in aid of copyright enforcement, they would do so by unreasonably prejudicing that demographic of users.

To that end, there is a need to ensure that copyright enforcement by ISPs (though more an obligation than a duty in such cases) does not so discriminate between infringers, possibly by strengthening procedural safeguards for users and allowing a broad scope for the adjudicating authority to scrutinise ISPs’ enforcement policies.

Eashan Ghosh graduated with Distinction Honours on the Bachelor of Civil Law (B.C.L.) programme at the University of Oxford in 2011 and is a multiple gold medalist on the B.A. LL.B. (Hons.) programme at the National Law School of India University (NLSIU), Bangalore. He is currently an Associate with Fidus Law Chambers, a leading Indian intellectual property law firm, and practices intellectual property law at the Delhi High Court.

By Eashan Ghosh

FOREIGN TRADE POLICY

The Foreign Trade Policy of India, issued by the Ministry of Commerce and Industry, Government of India, contains provisions for the development and regulation of foreign trade by facilitating imports into, and exports from, India. In furtherance of this objective, the Foreign Trade Policy grants incentives in the form of special focus initiatives and sectoral initiatives. The Foreign Trade Policy also imposes restrictions on the import and export of certain categories of goods, services, and technologies. Export of dual use items is one such area where restrictions are imposed to protect India’s national security and foreign policy goals and objectives, objectives of global non-proliferation, and India’s obligations under treaties to which it is a State party.

In 2010, the Foreign Trade (Development & Regulation) Act, 1992 was amended to include a new chapter dealing with controls on export of specified goods and services. According to the new provisions, no goods, services or technology notified under the legislation shall be exported except in accordance with the Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005. The relevant section of this legislation states that no person shall export any material, equipment or technology knowing that such material, equipment or technology is intended to be used in the design or manufacture of a biological weapon, chemical weapon, nuclear weapon or other nuclear explosive device, or in their missile delivery systems.

SCOMET LIST

Pursuant to the above, under the Foreign Trade Policy of India, dual use items have been given the nomenclature of SCOMET i.e. Special Chemicals, Organisms, Materials, Equipment and Technologies. Appendix 3 of Schedule 2 of the Export Policy has put in place a regulatory framework embodying an exhaustive list of goods, services and technology, export of which is subject to fulfilment of conditions contained therein.

The SCOMET list in Appendix 3 has been divided into 8 categories of items. Category 0 in Appendix 3 deals with nuclear material, nuclear-related other materials, equipment and technology. Category 1 deals with toxic chemical agents and other chemicals. Category 2 deals with micro-organisms and toxins. Category 3 deals with material, materials processing equipment and related technologies. Category 4 deals with nuclear related other equipment, assemblies and components, test and production equipment and related technology, not controlled under Category 0. Category 5 deals with aerospace systems, equipment including production and test equipment, related technology and specially designed components and accessories thereof. Category 6 is currently reserved, and Category 7 deals with electronics, computers, and information technology including information security. Each of these categories is further broken down into various sub-categories.

Any person in India desirous of exporting any item mentioned under the SCOMET list has to obtain the requisite license for export from the Director General of Foreign Trade (“DGFT”) unless export is prohibited or is permitted without licence subject to fulfilment of conditions, if any, as indicated for any specific category or item. The licensing authority for items in Category 0 under the SCOMET list is the Department of Atomic Energy and the applicable guidelines are notified by the Department under the Atomic Energy Act, 1962.

Apart from the license required for export of specified goods, services and technology, the SCOMET guidelines also make it mandatory for all companies and their subsidiaries registered in India, and all other business entities operating in India and involved in the manufacture, processing and use of SCOMET items, to obtain permission of the Central Government before entering into any arrangement or understanding that involves an obligation to facilitate or undertake site visits, on-site verification or access to records or documentation, by foreign governments or foreign third parties, either acting directly or through an Indian party.

LICENSE AND OTHER FACTORS

Application for licence to export items covered under the SCOMET guidelines are considered on a case-to-case basis. Some of the factors considered by the DGFT before granting an export license are the end use of the SCOMET items being exported, credentials of the end user, credibility of the declarations of end use and integrity of chain of transmission of the items from supplier to end user. Further, the DGFT also assesses the export control measures instituted by the recipient state, the capabilities and objectives of programmes of the recipient state relating to weapons and their delivery, applicability to an export licence application of relevant bilateral or multilateral agreements to which India is a party and assessed risk that the exported items will fall into hands of terrorists, terrorist groups, and non-State actors.

There are some exceptions to the requirement of end use certifications. Licences for export of items under the SCOMET guidelines, other than those under Category 0, 1 and 2, solely for purpose of display or exhibition does not require any end use or end user certifications. The guidelines also state that export licence shall not be granted for display or exhibition of technology for items under Categories 0, 1 and 2. Licences for export of items under the guidelines for display or exhibition abroad are subject to a condition of re-import within a period not exceeding 6 months. Exporters can apply for an export licence for such items exhibited abroad, if the exhibitor intends to offer that item for sale during the exhibition abroad, as such sale is not permitted without a valid licence.

The DGFT also has the power to impose additional end-use conditions as may be stipulated in licences for export of items that bear possibility of diversion to, or use in development or manufacture of, or use as, systems capable of delivery of weapons of mass destruction.

TECHNOLOGY UNDER SCOMET

One of the items under the SCOMET list on which there has been a lot of debate and discussion is Technology. Appendix 3 defines “Technology” as, follows:

Except as otherwise provided for against any item in the SCOMET List, information (including information embodied in “software”) other than information in the ‘public domain’, that is capable of being used in:

1. the development, production or use of any goods or software;
2. the development of, or the carrying out of, an industrial or commercial activity or the provision of a service of any kind.

Explanation: When technology is described wholly or partly by reference to the uses to which it (or the goods to which it relates) may be put, it shall include services which are provided or used, or which are capable of being used, in the development, production or use of such technology or goods.”

Technology under the SCOMET guidelines is not covered in a stand-alone category. While Category 7 does deal with information technology including information security, a review of the sub-categories of Category 7 cover only items like data processing security equipment, authentication and key loader equipment etc. There are references to technology under the other categories of the SCOMET guidelines. For example, under Category 0, technology refers to technology and software for the development, production or use of prescribed substances or prescribed equipment specified in sub-category OA and OB. Under Category 3 dealing with material, materials processing equipment, and related technologies, technology refers to technology for the development, production or use of items in 3A (dealing with stealth materials) and 3B (dealing with materials processing and production equipment, related technology and specially designed components and accessories therefor). Category 5 dealing with aerospace systems, equipment including production and test equipment, related technology and specially designed components and accessories thereof refers to technology related to the development, production, testing and use of items listed in some of the other sub-categories of Category 5.

From a perusal of the above provisions, it can be seen that the SCOMET provisions contain reference to technology is always in relation to development, production or use of a product listed therein. Thus, as mentioned, technology per se is not covered under a separate category but has to be read with a specified product category listed under SCOMET. Therefore, on a plain reading of the SCOMET provisions, it seems that if a product does not fall within the ambit of the SCOMET provisions, technology for the development, production or use of such product is not likely to fall within the purview of the SCOMET provisions.

However, any technology can have many uses. It is possible that an exporter, if a layman, is not likely to forsee all possible uses of the technology. In such a case, if the exporter does not obtain an export license for a certain technology that he is exporting, and one of the uses of that technology is for development of an item falling under the scope of the SCOMET guidelines, the DGFT has the power to impose strict penalties for export of items in contravention of the provisions of the Foreign Trade Policy, which may include confiscation of the items by the adjudicating authority and fines upto five times the value of the items.

The lack of clarity in the SCOMET guidelines on whether technology per se is covered, and how export of technology is to be dealt with, has lead to a lot of confusion amongst exporters. Although the Foreign Trade Policy provides a mechanism for making clarification applications for obtaining clarity on the provisions of SCOMET, clarification applications to the DGFT inevitably get held up for months without any progress or response. While the DGFT has stipulated a time line of 2 months for processing of export license applications, they have not prescribed any timeline for clarification applications. The lack of any obligation on the DGFT to revert within a stipulated time frame provides no relief to an exporter suffering due to the ambiguous nature of the provisions.

Considering the SCOMET guidelines have been included in the Foreign Trade Policy with the intention of protecting India’s national security, we can only hope that all ambiguity on what is included in the SCOMET list is cleared at the earliest.

Seema Sukumar is a Senior Associate, and Garima Jhunjhunwala is an Associate

With J. Sagar Associates, based out of Bangalore. Seema can be contacted at seema@jsalaw.com and Garima can be contacted at garima.jhunjhunwala@jsalaw.com.

By Seema Sukumar and Garima Jhunjhunwala