Harmonization of e-commerce laws and regulatory systems in South Asia
II. HARMONIZATION OF E-COMMERCE LAWS AND REGULATORY SYSTEMS IN SOUTH ASIA By Pavan Duggal 21 Introduction Many believe the Internet to be full of natural anarchy, so that a system of law and regulation for the Internet seems contradictory. However, cyberspace is, in fact, governed by a system of law and regulation called cyberlaw. There is no single exhaustive definition of the term cyberlaw. One broadly accepted definition of cyberlaw is a generic term that refers to all the legal and regulatory aspects of Internet and the World Wide Web. Anything concerned with or related to or emanating from any legal aspects or issues concerning any activity of people in cyberspace comes within the domain of cyberlaw. The first use of the term cyberspace was in 1984 by author William Gibson in his science fiction novel Neuromancer. It described the virtual world of computers. Today, cyberspace is how most people describe the world of the Internet. Though far from the immersive virtual reality of the fictional version, and often regarded as an overused buzzword, cyberspace has become synonymous with the Internet. However, cyberspace is not the World Wide Web alone. The growth of electronic commerce has created the need for vibrant and effective regulatory mechanisms, which would further strengthen the legal infrastructure that is crucial to the success of electronic commerce. All of these regulatory mechanisms and the legal infrastructure come within the domain of cyberlaw. Cyberlaw is important because it touches almost all aspects of transactions and activities concerning the Internet, the World Wide Web and cyberspace. Cyberlaw also concerns everyone. As the nature and scope of the Internet is changing, it is perceived as the ultimate medium ever evolved in human history. Every activity in cyberspace can and will have a cyber legal perspective. From the moment a person registers a domain name, sets up and promotes his or her web site, and then conducts electronic commerce and has transactions on the site, various cyberlaw issues are 21 Advocate, Supreme Court of India; President, Cyberlaws.net; Member, Nominating Committee, ICANN; and cyberlaw consultant. The opinions, figures, and estimates are the responsibility of the author. 24 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs involved. Some people may not feel concerned about these issues today because they may feel that such issues do not have an impact or relevance to their cyber activities. However, each person would eventually have to take note of cyberlaw for the sake of his or her own benefit. Awareness about cyberlaw has begun to grow. Previously, many technical experts felt that legal regulation of the Internet was not necessary. However, the rapid growth of technologies and the Internet made it clear that no activity on the Internet can remain free from the influence of Cyberlaw. Publishing a web page is an excellent way for any commercial business or entity to increase its exposure to millions of persons, organizations and governments worldwide. This feature of the Internet is causing much controversy in the legal fraternity. Cyberlaw is also a constantly evolving process. As newer opportunities and challenges are surfacing, cyberlaw is being modifying to fit the needs of the time. As the Internet grows, numerous legal issues arise relating to domain names, intellectual property rights, electronic commerce, privacy, encryption, electronic contracts, cybercrime, online banking, spamming and so on. The arrival of the Internet and related technologies has made irreversible changes to the world today. In a world, which is moving steadily towards the information society and knowledge economy, it is essential that law must contribute its inputs to promote e-commerce. In 1996, the United Nations came up with the UNCITRAL Model Law on E-commerce. This law encouraged member states to legislate various national laws and regulations in keeping with principles contained in the Model Law. In 2001, the United Nations drew up the UNCITRAL Model Law on Electronic Signatures. As cyberlaw develops around the world, there is a growing realization among different nation states that their laws must be harmonized and international best practices and principles must guide implementation. Many countries are trying to establish harmonized legal regimes in order to promote online commerce. However, in the subregion of South Asia, especially among members of the South Asian Association for Regional Cooperation (SAARC), India and Pakistan are the two predominant players who have enacted e-commerce laws. India enacted the Information Technology Act, 2000 while Pakistan promulgated the Electronic Transactions Ordinance, 2002. All of the countries in the SAARC region have not yet enacted e-commerce laws at the time of this paper, the other SAARC members had not yet enacted e-commerce laws. 25 Harmonization of e-commerce laws and regulatory systems in South Asia India is an excellent example of how legal systems mature with the passage of time in order to provide the required boost to e-commerce. This paper examines the example of India in slightly more detail. E-commerce law in India is the Indian Information Technology Act, 2000 and it demonstrates the need for other countries to harmonize their legal systems to stay in tune with the rapidly growing requirements of e-commerce. The next sections provide an overview of the e-commerce laws and regulatory systems in SAARC-member countries. A. India The Parliament of India passed its cyberlaw in the form of the Information Technology Act, 2000, which provides the legal infrastructure for e-commerce. The Act received the assent of the President of India and became the law of the land on 17 October 2000. The objective of the Information Technology Act, 2000 would be to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic methods of communication and storage of information. The act would also facilitate electronic filing of documents with various government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934 for related matters. The Act thereafter stipulates numerous provisions in order to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act further states that unless otherwise agreed to, the acceptance of a contract expressed by electronic means of communication shall have legal validity and enforceability. The Act would facilitate electronic intercourse in trade and commerce, eliminate barriers and obstacles to electronic commerce that result from the celebrated uncertainties relating to writing and signature requirements over the Internet. The objectives of the Act also aim to promote and develop the legal and business infrastructure necessary for implementing electronic commerce. Chapter II of the Act stipulates that any subscriber may authenticate an electronic record by affixing his digital signature. It further states that any person can verify the electronic record by the use of a public key of the subscriber. 26 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs Chapter III contains details about e-governance and provides, among other things, that where any law provides that information or other matters shall be in writing, typewritten or printed form, then, notwithstanding anything contained in such a law, that requirement should be satisfied if the information or matter is: (a) Rendered or made available in an electronic form; (b) Accessible to make it usable for subsequent reference. That chapter also provides details about the legal recognition of digital signatures. The various provisions give further elaboration about the use of electronic records and digital signatures in government agencies. The Act also refers to publication of rules and regulations in an Electronic Gazette. Chapter IV gives a scheme for the regulation of certifying authorities. The Act provides for a controller of certifying authorities who shall perform the function of supervising the activities of certifying authorities as well as setting standards and conditions governing the certifying authorities. The controller also specifies the various forms and the content of digital signature certificates. The Act acknowledges the need to recognize foreign certifying authorities and it further details the various provisions for granting the license to issue digital signature certificates. The duties of subscribers are also covered. The Act also covers penalties and adjudication for various types of offences and mentions the power and qualifications for the adjudicating officer. A provision in Chapter X foresees a Cyber-Regulations Appellate Tribunal where appeals against the orders passed by Adjudicating Officers could be referred. The tribunal would not be bound by the principles of the Code of Civil Procedure, but would follow the principles of natural justice and have the same powers as a civil court. Any appeal against an order or decision of the Cyber-Regulations Appellate Tribunal would be made to the High Court. Chapter XI covers various offences and stipulates that the investigation must be by a police officer only, and that officer should have the rank of deputy superintendent of police or higher. These offences include tampering with computer source documents, publishing obscene information in electronic form, breach of confidentiality and privacy, misrepresentation, publishing a digital signature certificate that is false in certain particulars and publication for fraudulent purposes. 27 Harmonization of e-commerce laws and regulatory systems in South Asia Hacking and penalties if found guilty have been defined in Section 66. For the first time, punishment for hacking has been designated as a cyber crime. The Act also provides for constituting the Cyber-Regulations Advisory Committee, which would advise the government about any rules or other matter connected with the Act. The Act also has four schedules which amend the Indian Penal Code, 1860, the Indian Evidence Act, 1872, The Bankers Books Evidence Act, 1891, The Reserve Bank of India Act, 1934 to make them conform with provisions of the IT Act. Overall, the Information Technology Act, 2000 is considered to be a commendable effort by the government to create the necessary legal infrastructure to promote and encourage the growth of electronic commerce. B. Pakistan Pakistan promulgated the Electronic Transactions Ordinance (ETO) in 2002 with the purpose to recognize and facilitate documents, records, information, communications and transactions in electronic form and to provide for the accreditation of certification service providers. The ETO grants legal recognition to electronic forms and gives legal recognition to electronic signatures. The ETO establishes the attributions regarding electronic documents and makes provisions regarding acknowledgement, receipt and so forth. There are provisions concerning certification service providers and the establishment of the Certification Council. The ETO defines certain offences such as violations of privacy of information and damage to the information system. It also limits the liability of network service providers in the absence of facilitation, aid and abetting. The ETO also amends certain existing laws in order to make national laws more amenable to e-commerce. The Qanun-E-Shahadat Order, 1984 was thus amended to allow electronic documents as evidence. C. E-commerce legislation in other South Asian countries Bangladesh has prepared a Draft Information Technology (Electronic Transaction) Act that incorporates provisions from the UNCITRAL Model Law on 28 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs E-commerce, the Singapore Electronic Transactions Act and the Indian Information Technology Act, 2000. At the time of writing, Bhutan and Maldives had yet to develop legislative provisions relating to e-commerce. However, new regulations were being drafted in Maldives under the responsibility of the Ministry of Communication Science and Technology (MSCT) and the National Centre for Information Technology (NCIT) in cooperation with the business community. Nepal had proposed legislation concerning e-commerce pending before the Government. The Parliament in Sri Lanka passed the Information and Communications Technology Act, Number 27 of 2003. The ICT Act provides for the establishment of the national committee on ICT of Sri Lanka in order to set out of a national policy on ICT and prepare an action plan. The Act also calls for the appointment of a task force for ICT. There are also provisions for the establishment of the ICT agency of Sri Lanka to be charged with implementation of national policy related to both the public and private sectors and related matters. D. Analysis of other ICT and e-commerce elements Analysis of other elements related to ICT and e-commerce shows the diversity of approaches and a wide range in the scope and breadth of policy, laws and regulations. Much of the work concerning the legal and regulatory frameworks for e-commerce in South Asia has been done in India and Pakistan. Both countries have sought to legalize the electronic format and granted legality to electronic commerce transactions. India and Pakistan have provided for authentication of the electronic documents and records. However, the approaches have differed. India has enacted a technology specific law by stating that the authentication of electronic information can only be done by use of an asymmetric crypto-system and hash function or public key cryptography. Pakistan has taken the more pragmatic approach by not committing the mistake of making a technology specific electronic law. Instead, the law is technologically neutral and talks about the authentication of electronic records by electronic signatures as compared to digital signatures. Both India and Pakistan have relevant provisions relating to establishing the digital signature regime. India established the Office of Controller of Certifying Authority to head the digital signature regime. Pakistan entrusted this responsibility to the Certification Council. India has already granted licenses to five entities to act as certifying authorities to issue digital signature certificates. 29 Harmonization of e-commerce laws and regulatory systems in South Asia India has incorporated some aspects relating to cybercrime into its cyberlaw. Certain acts have been stipulated as cybercrimes with punishment in the form of imprisonment and fines. While India and Pakistan have covered some aspects in their e-commerce laws, there are still large areas that require appropriate attention. Additional objective examination of cyberlaws and e-commerce laws around the world shows that some extremely important issues need to be fully addressed by any nation. Related areas that concern ICT either directly or indirectly have been addressed by the other South Asian countries. 1. Telecommunication regulation policy In terms of a general overall framework or guideline in the form of a Telecommunication Regulation Policy, the countries of South Asia have a variety of situations. Bangladesh has a policy, but it does not include complete privatization. Public and private sector entities are supposed to work together. A licensing scheme remains. Bhutan has the Telecommunications Act, 2000 and it stipulates that the sole provider of telecommunications is state owned. In India, there are private and public holdings for the ICT industry. The four remaining South Asian countries have policies, but these would include more elements than just regulation. Maldives has the Telecommunications Policy covering 2001-2005. Nepal has had a Telecommunications Policy since 1996. Changes and reform concerning ICT in Pakistan began with the Pakistan Telecommunication (Re-Organization) Act 1996. As of 2004, Sri Lanka has had a National Telecommunications Policy. 2. Consumer protection 22 India has the Consumer Protection Act 1986, however, nothing in the Act refers explicitly to e-commerce consumers. It provides for the regulation of trade practices, the creation of national and state level Consumer Protection Councils, consumer disputes redress forums at the National, State and District level to redress disputes, class actions and for recognized consumer associations to act on behalf of consumers. The Act provides a detailed list of unfair trade practices, but it is not exhaustive. 22 Consumers International Asia Pacific Office, Asia Pacific Consumer Law, www.ciroap.org/apcl 30 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs Similarly, Maldives has had a consumer protection act since 1996 23 and Nepal has a consumer protection act, but there is no provision for e-commerce consumers. The Consumer Protection Act, 1998 of Nepal came into force on 13 April 1999 and establishes the Consumer Protection Council. Pakistan has consumer protection acts in some provinces, but with no provision for e-commerce consumers. Sri Lanka has a Consumer Protection Act 1979, which is not yet applicable to e-commerce, but policy to do so exists. The Act provides for consumer protection, regulation of internal trade and the establishment of fair trade practices. The Act creates the Office of Commissioner of Internal Trade with wide powers to permit creative, effective and expeditious intervention in the market place to ensure protection of consumers and fair trading. The Act was amended in 1980, 1992 and 1995. The 1980 amendment introduced a new feature, the Consumer Protection Fund. 3. Protection of intellectual property Five countries in South Asia are party to the World Intellectual Property Organization (WIPO) Convention: Bangladesh acceded in 1985; Bhutan acceded in 1994; Maldives joined in 2004; Nepal joined in 1997; and Sri Lanka joined in 1978. Bhutan and Nepal are also members of the Paris Union. Bangladesh, and Sri Lanka are members of both the Paris Union and the Berne Union. As of this writing, Sri Lanka was the only country in South Asia to become party to the Trademark Law Treaty in 1996. 24 Bangladesh Copyright Law, 2000 does provide for IT protection. The Copyright Act of India provides protection to computer programs, but specifically excludes computer software from the ambit of its protection. The Copyright (Amendment) Act, 1992 of Pakistan provides protection to computer programs. Sri Lanka provides protection under Code of Intellectual Property Act Number 52 of 1979 as amended by (Amendment) Act 13 of 1997. Computer software is protected by copyright law as described in the Code of Intellectual Property Act 23 Refer to www.maldiveisle.com/consumerprotectionactofmaldives.htm 24 World Intellectual Property Organization, Treaties and Contracting Parties, www.wipo.int/treaties/en/ 31 Harmonization of e-commerce laws and regulatory systems in South Asia and Act Number 14 of 2000. 25 However, it appears that the protection does not extend to computer programs/databases. 4. Cybercrimes and cyber-evidence Cybercrime and the acceptance of cyber-evidence have become major concerns for all countries as part of globalization and the spread of e-commerce. However, there are some basic issues yet to be resolved, such as types of computer crime, set of procedural powers, specific definitions and scope of cybercrime, lack of a common understanding about the problem and how to respond, issues of sovereignty, problems of dual criminality and the limits of treaties that may not include necessary investigative powers. The draft IT Act of Bangladesh appears to contain provisions that are similar to the India IT Act. There are sections of the India IT Act that make punishable such actions as hacking, tampering with computer source codes and publishing or transmitting obscene information. It had been reported in 2002 that a Computer Crimes Act has been drafted in Sri Lanka. 26 E. Recommendations There are several issues that need to be addressed in order to have harmonization of legal and regulatory systems for e-commerce that could be acceptable to all countries in South Asia: 1. Telecommunication liberalization 2. Recognition of electronic documents 3. Consumer protection for e-commerce consumers 4. Electronic funds transfer 5. Dispute resolution 6. Liability of Internet service providers (ISP) 25 University of Colombo Computer Science Society, CompSoc Today, vol. 1, Issue 2 (June 2002). www.cmb.ac.lk/stud-acti/Clubs/compsoc 26 Ibid. 32 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs 7. Domain names 8. Intellectual property protection 9. Privacy 10. Cybercrime Addressing these issues by creating e-commerce laws in each South Asian country would help promote the growth of an e-commerce regime in South Asia. However, clearly having such laws in place, which stipulate for the various issues as listed above, does not provide the only way to success in terms of achieving growth of e-commerce. Once a law is in place, an extremely important role is played by entities entrusted with implementation of existing laws enacted by the parliament. In this regard, the role of government as enforcer of laws must be kept in mind. In addition, countries such as Bangladesh, Bhutan, Maldives, Nepal and Sri Lanka would need to prepare solid drafts of e-commerce law in their respective countries. There might be opportunities for this group of countries to learn from the experiences of India and Pakistan. However, the Indian experience has shown that it is easy to enact law on paper. However, it is extremely difficult to enforce laws in actual practice. There are numerous challenges that require appropriate awareness among citizens about e-commerce laws. This is so because at the end of the day, the e-commerce laws are basically targeted to protect and help those citizens. It is also necessary for all nations in South Asia to ensure that there is adequate training of the relevant departments and government officials who would draft and implement policies relating to e-commerce. There is an urgent need in countries of South Asia to ensure that their lawmakers and policy makers are appropriately sensitized about the various nuances and legal issues that impact e-commerce. This is important in order to prevent the passage of some policy which may have no relation to the existing realities. The result might be implementation that is likely to create more obstacles or harm than achieve any good. There is an urgent need to sensitize and educate the judiciary in South Asia about the various nuances and peculiarities of e-commerce laws. This is so because the judiciary, composed of judges, tribunals, lawyers and the like, play an extremely important role in the actual interpretation of the written provisions of the e-commerce laws. Due to historical reasons, the Internet has not fully penetrated into the heart 33 Harmonization of e-commerce laws and regulatory systems in South Asia and rural areas of South Asian countries. As such, the proliferation of Internet growth is primarily limited to metropolitan areas, urban and semi-urban areas. In a number of SAARC-member countries today, villages still do not have Internet connectivity. There is an growing requirement to ensure adequate development of infrastructure in South Asia. That means there is a need to spend a lot of money on telecommunications and related infrastructure facilities. This would enable further growth of e-commerce in South Asia. F. Law enforcement and cyberlaw Another issue that requires attention is the fact that law enforcement agencies and the police need to be duly trained about the various issues relating to e-commerce laws. While some acts have been designated as cybercrimes in India, with punishment by imprisonment and fine, a large number of cybercrimes that have already emerged still have not been regulated by the e-commerce laws of South Asian countries. Since the enactment of the Information Technology Act 2000 in India, there is the start of some awareness about cyberlaw and cybercrime related issues. However, given the vast size of the country and the enormity of the task at hand, all existing actions have had virtually minimal impact. There is a need for the government to come up with strong training and awareness programmes on all related issues pertaining to cyberlaw and cybercrime. The crucial sectors, that are to be targeted have to be identified as a matter of policy and then appropriate programmes have to be targeted. The Government needs to target all statutory authorities who have been constituted under the Information Technology Act for training and orientation. These statutory authorities include the Adjudicating Officers as well as the various Certifying Authorities. Adjudicating Officers are the relevant statutory authorities who have been given the power to grant damages by way of compensation up to the amount of Rs. 10 million, if certain specified unauthorized acts take place pertaining to computers, computer systems or computer networks. At present the Adjudicating Officers in India are not aware about how to proceed in adjudicating claims for damages by way of compensation. This is due to the way in which the Central Government by means of notification, has only stipulated the Information Technology Secretaries of different states as the Adjudicating Officers. By designating technocrats to perform quasi-judicial functions, without giving them appropriate training or orientation, only leads to complications 34 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs of problems. This has resulted in a scenario where the adjudicating officers are not oriented to perform their quasi-judicial functions. The Government of India also needs to plan and implement special awareness and orientation programmes for police officers. The Information Technology Act 2000 stipulates that cybercrime in India shall only be investigated by a police officer not below the rank of Deputy Superintendent of Police (DSP). Given the practical reality where a DSP in India, as a high ranking police officer, is already burdened with other critical issues and pressing problems and responsibilities, cybercrime investigation and prosecution becomes an extremely low priority for them. There is no orientation given to the police officers in an organized, systematic basis. Special training programmes are needed for those police officers who are designated to deal with cybercrime. For the legal profession, there are various areas, which require maximum capacity-building. Lawyers in India are not very aware of information technology legal provisions and there is a compelling need to educate them. Lawyers need to be trained appropriately about various relevant issues relating to e-commerce law and the technical nuances of the law. Judges also need to be duly trained about the various legal issues pertaining to the Information Technology Act, 2000. People in the lower and middle level judiciary are almost completely unaware of the various nuances and other technical details concerning such e-commerce laws. This area needs to be seriously and urgently addressed. Cyberlaw training also needs to be given to the government departments and the relevant officers engaged in e-commerce and e-governance activities. This is essential, as the preamble of the Information Technology Act specifically states that the objective of this law is to promote e-commerce and electronic filing of documents with government agencies. Nothing much has been done to facilitate access by consumers to the tribunal court alternatives for e-commerce disputes. The Indian e-commerce law has only provided that one statutory authority be established, namely adjudicating officers. At the time of writing, only one case has been filed in India before the adjudicating officer for grant of damages by way of compensation under the Indian Cyberlaw. This industry and the public at large have been generally unaware of the provisions and remedies stipulated under the law. Until such time as the government 35 Harmonization of e-commerce laws and regulatory systems in South Asia starts massive capacity-building programmes and initiatives, the situation is likely to continue to remain the same. Various institutes in India conduct courses on cyberlaw for lawyers, students and other professionals. However, most of these courses are pure commercial ventures and the quality of knowledge and awareness imparted is not up to the standard and often leaves much to be desired. With the media reporting cyberlaw related issues, as well as various cases conducted under the law, awareness about crimes conducted over the Internet has been slowly increasing. As time flies fast, e-commerce continues to grow with each passing day. However, a look at the existing laws shows that it will take a large amount of time and effort for South Asian countries to effectively put their legal regimes in agreement with the existing international best practices and procedures. G. Concluding observations This study has suggested that there is a need to improve Internet density, and this could be achieved through the entry of private parties into the field of telecommunications. This should be encouraged as a matter of policy. Greater cooperation among SAARC-member countries could enable exchange of information and experiences related to the establishment and successful implementation of e-commerce legal and regulatory systems. Increased regional cooperation and negotiation of treaties between SAARC- member countries would ensure protection of legitimate e-commerce interests. Along these lines, there is a need to establish a regional mechanism on jurisdiction. This would ensure that in the event any e-commerce contracts would be violated, the jurisdiction of the victim/consumers country would prevail. The countries of South Asia could also benefit by coming to a joint agreement on the issue of ISP liability. Comprehensive dissemination of information should be made to the public about existing e-commerce laws. Education and training for officials in enforcement agencies, the judiciary, the police force, and so forth is needed with a top priority given to the various legal issues relating to e-commerce. There is an urgent and compelling need to set up an intergovernmental recommendatory body to help South Asian countries without laws to make e-commerce laws as soon as possible. Some existing laws in South Asian countries might need modification to meet international standards. One way to help would be through 36 Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific: current challenges and capacity-building needs propagation of existing model laws, such as UNCITRAL Model Laws on E-Commerce and Electronic Signatures. The urgent requirement at this time is to ensure that countries in South Asia that have not yet enacted e-commerce laws consider how to learn from and take advantage of the good work already done in other countries of the region. There are no benefits from duplication of effort, but governments need to take into account international principles and best practices so that they can be incorporated in their e-commerce legal regimes. As a result, their e-commerce laws and regulatory frameworks would be in agreement with international best practice and evolving legal trends and developments around the world.