
Dispute Resolution under IT Act

Tribunals and quasi-judicial bodies are a regular feature of the Indian judicial system, as they provide for
easier and less onerous methods for dispute resolution, especially disputes which relate to technical areas
and often require technical knowledge and familiarity with specialised factual scenarios.

Further, quasi-judicial bodies do not have the same procedural restrictions as proper courts, which makes
the adjudication of disputes easier.

The Information Technology Act of India, which regulates several important aspects of electronic
information, including the regulation of private electronic transactions as well as detailing civil and
criminal offences relating to computers and electronic information, contemplates a specialised
dispute resolution mechanism for disputes relating to the offences detailed under the Act.

The Act provides for the establishment of quasi-judicial bodies, namely adjudicating officers under
S.46, to hear disputes arising out of Chapter IX of the Act, namely, offences of a civil nature under S.43,
43A, 44 and 45 of the Act, as well as criminal offences described under Chapter XI of the Act. The
adjudicating officer has the power to both award compensation as damages in a civil remedy, as
well as impose penalties for the contravention of the Act and therefore has powers of both civil and
criminal courts. The first appellate body provided in the Act, i.e. the authority that any party not satisfied
by the decision of the adjudicating officer can appeal to, is the Cyber Appellate Tribunal, consisting of a
Chairperson and any other members so prescribed by the Central Government. The second appeal, if a
party is aggrieved by the decision of the Cyber Appellate Tribunal, may be filed before the High Court
having jurisdiction, within 60 days from the date of communication of the order.

Functioning of the Offices of the State Adjudicating Officers and the Cyber Appellate Tribunal

The office of the adjudicating officer is established under S.46 of the IT Act, which provides that the
person appointed to such a post must be a government officer of a rank not below that of a Director or an
equivalent rank, and must have experience both in the field of Information Technology as well as legal or
judicial experience. In most cases, the appointed adjudicating officer is the Principal Secretary to the
Department of Information Technology in the state. The decisions of these adjudicating officers
determine the scope and meaning of several provisions of the IT Act, and are instrumental in the
development of the law in this field and filling a lacuna regarding the interpretation of these important
provisions, particularly in areas such as data protection and privacy. However, despite the large number of
cyber-crime cases being registered across the country, there is a lack of available judgements on the
adjudication of disputes under Sections 43, 43A, 44 and 45 of the Act. Of all the states, only the websites
of the Departments of Information Technology in Maharashtra, Tamil Nadu, New Delhi, and Haryana
have reported judgements or orders of the Adjudicating Officers. The adjudicating officer in
Maharashtra, Rajesh Aggarwal, has done a particularly commendable job, having disposed of 51 cases
under the IT Act, with 20 cases still pending.

The first Cyber Appellate Tribunal set up by the Central Government is located at New Delhi. Although a
second branch of the Tribunal was to be set up in Bangalore, no efforts seem to have been made in this
regard.

The proper functioning of adjudicating officers and the Cyber Appellate Tribunal is particularly necessary
for the functioning of a just judicial system in light of the provisions of the Act (namely, Section 61)
which bar the jurisdiction of ordinary civil courts in claims below the amount of Rs. 5 Crores, where the
adjudicating officer or the CAT is empowered.

Analysis of Cases Filed under Section 43A

Section 43A of the Information Technology Act was inserted by the 2008 Amendment, and is the
principal provision governing protection of information held by intermediaries under the Act. Section
43A provides that “body corporates” handling “sensitive personal data” must implement reasonable
security practices for the protection of this information. If it is negligent in providing or maintaining such
reasonable security practices, the body corporate is to be held liable and must pay compensation for the
loss occurred. Rule 3 of the Draft Reasonable Security Practices Rules defines sensitive personal data as
including – passwords, user details as provided at the time of registration or thereafter, information
related to financial information such as Bank account/ credit card /debit card /other payment instrument
details of the users, physiological and mental health conditions, medical records and history, biometric
information, information received by body corporate for processing, stored or processed under lawful
contract or otherwise and call data records.

All the decisions of appointed adjudicators available for an analysis of Section 43A are from the
adjudicating officer in Maharashtra, Mr. Rajesh Tandon, who, despite having no judicial experience, shows
very cogent analysis and knowledge of the legal issues involved in the cases, which is commendable for a
quasi-judicial officer.

One class of cases, constituting a major chunk of the claims, is where the complainant is claiming against
a bank for the fraudulent transfer of funds from the claimant's account to another account. In most of these
cases, the adjudicating officer examined the compliance of the bank with “Know Your Customer” norms
and guidelines framed by the Reserve Bank of India for prevention of banking fraud and, where such
compliance was found to be lacking and information which allowed access to the bank accounts of the
complainant was allowed to be accessed by fraudsters, the presumption is that the bank was negligent in the
handling of “sensitive personal information”, by failing to provide for reasonable security practices and
consequently was liable for compensation under S.43A, notwithstanding that the complainant also
contributed to compromising certain personal information by responding to phishing mails or divulging
information to other third parties. These instances clearly fall within the scope of Section 43A, which
protects “information related to financial information such as Bank account/ credit card /debit card /other
payment instrument details of the users” as sensitive personal data from negligent handling by body
corporates. The decisions of the adjudicating officer must be applauded for placing a higher duty of care
on banks to protect the informational privacy of their customers, given that they are in a position where
they ought to be well equipped to deal with intimate financial information, and for holding them
accountable for the lack of proper mechanisms to counter bank fraud using stolen information. This is
reflected in the compensation which the banks have been liable to pay, not only as indemnification for
losses, but also as punitive damages.

In Nirmalkumar Bhagerwal v IDBI Bank and Meenal Bhagerwal, the sensitive financial information of
the complainant, namely, the bank statement, had been accessed by the complainant's wife. In holding the
bank to be liable for divulging the same, and that access to personal information by a spouse is also
covered under S.43A, the officer seems to have imputed the loss of privacy on account of such negligence
as ‘wrongful loss’ which deserves compensation. One anomalous decision of the officer was where the
operator of an ATM was held liable for fraudulent credit card transactions at that machine, due to the
lack of “reasonable security practices” such as security personnel or CCTV footage, thereby causing the
loss of “sensitive personal data”. However, it is difficult to see how ATM operators can be held liable for
failing to protect sensitive information from being divulged, when the case is simply of a person
fraudulently using a credit card.

Another class of cases, generally linked with the above cases, is complaints against cell phone providers
for divulging information through falsely procured SIM cards. In such instances, the officer has held that
by negligently allowing the issuance of duplicate SIM cards, the phone company has led to the access of
sensitive personal data and thus caused wrongful loss to the complainant. This interpretation of Section
43A is somewhat confusing. The officer seems to have interpreted the provisions of Section 43A to
include carriers of the information which was originally sent through the computer resource of the
banking companies. In this way, they are imputed the status of “handlers” of sensitive personal
information, and their communications infrastructure through which the information is sent is the
“computer resource” which it operates for the purpose of the Act. Therefore, through their negligence,
they are abetting the offence under 43A.

For example, in the case of Sanjay Govind Dhandhe v ICICI and Vodafone, the officer remarked that – “A
SIM card is a veritable key to person’s sensitive financial and personal information. Realizing this, there
are clear guidelines issued by the DOT regarding the issuance of SIM cards. The IT Act also intends to
ensure that electronic personal and sensitive data is kept secured and reasonable measures are used to
maintain its confidentiality and integrity. It is extremely crucial that Telecom companies actively follow
strict security procedures while issuing SIM cards, especially in wake of the fact that mobiles are being
increasingly used to undertake financial transactions. In many a case brought before me, financial frauds
have been committed by fraudsters using the registered mobile numbers of the banks’ account holders.”
Therefore, intermediaries such as telecom companies, which peripherally handle the data, are also liable
under the same standards for ensuring its privacy. The adjudicating officer has also held telephone
companies liable for itemized phone bills as Call Data Records negligently divulged by them, which again
clearly falls under the scope of the Reasonable Security Practices Rules.