Rahul Matthan

A little while ago, a new website called Zookz, based in the tiny island nation of Antigua, was launched. It offered an unusual proposition – unlimited movie or music downloads for a monthly subscription of just $9.95. The website boasts a store of over 50,000 songs (including some that have never been authorised to be released through an online medium – such the Beatles) and over 1,500 movies. Yet it claims to be absolutely legal because of an unusual and almost completely unprecedented ruling of the WTO in an online gambling dispute.

More than a decade ago, an international trade dispute developed between Antigua and Barbados and their powerful neighbour – the United States of America. Antigua and Barbados were home to many online gambling sites that thrived on business from residents of the United States. The US government decided to block these sites – much to the chagrin of the many West Indian businessmen whose livelihoods depended on the dollars that flowed in from overseas. From an annual income of over a billion dollars, profits from online gambling in these island nations shrunk to less than $100 million. Antigua and Barbados took their dispute to the World Trade Organisation, claiming that this act of the US Government was a violation of the free trade agreement between the countries and, since several states in the US actually allowed gambling, the WTO agreed.

The US simply ignored the WTO decision.

Since then Antigua and Barbados have taken the US to the WTO courts three times, asking each time, why the US was ignoring the WTO trade ruling. On each occasion, the US simply refused to heed the directions of the international trade body. It was clear that even though the law was on their side, Antigua and Barbados had no teeth to enforce it and the US could continue to ignore, with impunity, the orders of the international trade arbiter. They needed leverage if they were to bring the US to the table.

So they dug into the statute books and invoked a powerful yet rarely used remedy – the remedy of cross-retaliation.

Since Antigua and Barbados had no effective trade sanctions in services, the lawyers for the island nations argued that they should be allowed to suspend their obligations to the United States on other elements of the free trade agreement. The WTO agreed and allowed Antigua and Barbados the right to impose sanctions on the US in respect of intellectual property equivalent to the annual level of trade loss due to the illegal actions of the US. The panel ruled that this was a sum of US$21 million (much less than the US$ 3.4 billion claimed by Antigua and Barbados but still more than the US$ 500,000 claimed by the US).

From a jurisprudential perspective, this decision has enforced the legal right of cross-retaliation – a powerful weapon in the hands of dimunitive nations trying to stand up to neighbourhood bullies. It has been invoked only once before by Ecuador, but has the game-changing potential to level the international playing field. And thanks to the antics of a little opportunistic company in St. Johns, its getting all the right sort of international media attention.

So is there any legal basis to the premise on which Zookz has been set up? Apparently not. The WTO decides disputes between nation states. By definition, WTO rulings do not give individuals or corporations any rights other than those which they derive from their country of residence. If Zookz is relying on the WTO ruling to infringe US copyrights, it needs to do so under the authority of the Government of Antigua. It appears that no such authority has been granted.

In fact, the government of Antigua released a press statement disclaiming any association with the website. It said “The Zookz.com web site is not operating under the authority or with the knowledge of the government of Antigua and Barbuda . More specifically, Zookz.com is not authorized by the government of Antigua and Barbuda , or by the World Trade Organization, to offer entertainment downloads in contravention of international law… Only the government of Antigua and Barbuda has the right to implement and oversee the intellectual property sanctions it was awarded by the WTO. As of this time, the government of Antigua and Barbuda has not authorized any person or entity to implement sanctions.”

Even if permission were to be granted, the Government would have to establish some mechanism for metered downloads to ensure that no more than the agreed value of suspension takes place. This is unlikely to find a place in the all-you-can-eat model that Zookz has dished out.

For all intents and purposes it appears that Zookz is going to be even more ephemeral than its Russian predecessor – AllofMP3 – the music website that offered downloads at incredibly cheap prices. But which was eventually squeezed out of business by thet economic pressure brought to bear on its payment gateways.

India has long been flagellated for its lack of data protection legislation. As one of the largest destinations for offshore outsourcing, the absence of a credible legislation was viewed as a significant weakness that would eventually stand in the way of serious outsourcing to the country. With each public incident of data theft, the clamour for a specific law dealing with data protection grew. Yet the government was reluctant to enact a detailed statute to deal with the issue.

In the very last session of Parliament in the end of 2008, the government of India finally approved a swathe of amendments to the Information Technology Act, 2000 including some very significant insertions to give effect to the concept of data protection in India. These amendments currently form the basis of the data protection law in the country today.

The only provision under the old IT Act 2000 which dealt with unauthorized access and damage to data was Section 43. Under that section, penalties were prescribed in respect of any person who downloads copies or extracts data from a computer system, introduces computer contaminants or computer viruses into a computer system or damages any data residing in a computer system.

Under the new amendments, a new section – Sections 43-A – has been inserted specifically for this purpose. While at first this provision appears to address several of the long standing concerns relating to data protection in India, there are several insidious flaws that could affect the development of a data protection jurisprudence in the country.

In the first instance, these provisions do not deal with non-electronic data. While it could, and probably is, being argued that, given the legislative focus of this statute it would be inappropriate to include protection for forms of data, to many who look to the new provisions introduced in the IT Act 2008 as the answer to the data protection concerns that the country has been facing all these years, their enthusiasm must be tempered as these new provisions provide only half a solution.

Most international data protection statutes distinguish between levels of personal data – specifying different forms of protection for personal information and sensitive personal information. The new provisions of the IT Act make no such distinction. Section 43-A applies to all “sensitive personal data or information” but does not specify how personal data which is not deemed to be sensitive, is to be treated.

Under most interntational data protection statutes, the person in “control” of the data is liable for the consequences of disclosure, loss or unauthorized access to such information. This ensures that liability is restricted to ony those who actually have the ability to control the manner in which the data is used. Under the new provisions of the IT Act, mere possession of information and its subsequent misuse would render any person who possesses this data liable to damages.

Section 43-A specifically places liability on a body corporate only if such body corporate has been negligent in implementing its security practices and procedures in relation to the data possessed, controlled or handled by it. The choice of language here is significant. The statute specifically refers to the term “negligence” in relation to the security practices and procedures as opposed to stipulating a clear, pass-fail type obligation to conform. There is a significant legal difference between “negligence to implement” and “failure to implement”. While the former can only result in a breach if the body corporate that was required to follow reasonable security practices with regard to the data in its possession or control does not perform the required action and it can be proved that a reasonable man in the same circumstances would have performed the required action. If a body corporate is to be made liable under the provisions of this Section, it is not enough to demonstrate that security procedures were not followed – but in addition it has to be proved that the body corporate was negligent.

The provisions of Section 43 originally capped the total liability for a breach at Rs. 5,00,00,000. The original text of Section 43-A had the same limitation of liability in respect of its data protection provisions. Before the bill was passed into law, this limitation was removed and now a breach of Section 43-A is not subject to any limitation of liablities.

Section 43-A makes a reference to “reasonable security practices and procedures” and stipulates that a breach has been caused only if such practices and procedures have not been followed. There are three methods by which reasonable security practices and procedures can be established:

• By agreement;
• By law; and
• By prescription by the Central Government.

As there is no law in India which sets out an appropriate definition for the term and since it will be some time before which the Central Government comes out with necessary regulations it would appear that the only option available is for the parties to arrive at an agreement as to how the sensitive personal data and information exchanged under their contract is to be handled.

As a corollary, till such time as the government establishes the necessary rules in relation to these security practices and procedures, if a body corporate does not enter into an agreement with the person providing the information as to the reasonable security practises and procedures that would apply, the body corporate cannot be brought within the purview of this section for any loss or damage to data.

In order to be a truly effective data protection statute, the IT Act 2008 must include provisions relating to the collection, circumstances of collection, control, utilization and proper disposal of data. At present the statute is silent about these aspects. In many ways the statute addresses the particular concerns of companies or corporate entities looking for protection in relation to data outsourced to any other corporate entity for processing. Within these specific parameters the statute works well. However it does little to protect the average citizen of the country from the theft of personal data. Until we have statutory recognition of these issues, we will not be able to say that we have an effective data protection law in India.

Sometime in the course of this year, the Indian government has promised to conduct auctions for 3G spectrum. If they make good on their promise, they will finally have completed a process that has started and stopped far more times than was required.

Spectrum is a scarce commodity and the government (and more particularly the Finance Ministry) is interested in securing the highest possible price when it allows this precious commodity to be used by private parties. The Ministry of Telecom, on the other hand, is concerned with the growth of telecom (and particularly broadband) in the country. From the perspective of the DoT, a high reserve price will keep bidders away from the auction. Or at the very least, will result in only the largest telcos putting in bids for pan-India spectrum. The other telcos, including some of the newer entrants who have yet to roll out operations, will be forced to concentrate their energies on the few circles where they stand a greater chance of winning spectrum, rather than spreading their resources thin by trying to bid for all 22 circles. Or in the alternative, they will stay out of the auction completely and try and work out some arrangements with the winners of the 3G Auctions once the dust has settled.

But will it be possible for licensees entitled to 2G spectrum to provide 3G services even though they have not participated in the 3G auctions?

Earlier this year, two of the country’s CDMA operators, Reliance and Tata announced the launch of their wireless broadband offerings. They began to sell USB data cards that provided internet connectivity at broadband speeds. These devices operate on the existing cellular networks of these operators and use EVDO technology in the 800 MHz band. The CDMA operators are able to provide 3G services because the 800 MHz spectrum, has already been licensed to CDMA operators. For them, it was a simple question of upgrading the quality of their networks and providing customers with access to data services along the existing network. GSM operators are not as fortunate. 3G services over GSM networks use W-CDMA equipment which operates over the 900 MHz and the 1800 MHz bands, spectrum that has not yet been provided to the operators for their 2G networks. If they are to provide 3G services, the GSM operators will need to wait till the government releases this spectrum to them.

The obvious consequence of this is that the CDMA operators will steal the march over the GSM operators in the rollout of 3G services. What is more interesting, for the purposes of this discussion, is that this development establishes the principle, albeit implicitly, that 3G services can be rolled out under the existing UAS license. This implies that all the conditions of the existing license will apply to holders of 3G spectrum in the same way that it currently does for the 2G players.

So how does this help the existing 2G licensees. For one, existing 2G licensees will not be obliged to bid for 3G spectrum in order to provide 3G services. Under the UAS license there is no distinction between 2G and 3G data services. There is reference to data services but no reference to the speeds of throughput as a distinguishing characteristic between the different types of services. That being the case, 2G licensees should be able to provide 3G services under the existing UAS license, by entering into intra-circle roaming agreements with the successful bidders in the 3G auction. These agreements will be legal under the terms of the existing license (which was recently amended to allow intra-circle roaming) and will allow 2G providers to utilise the 3G spectrum of other operators for the benefit of their existing customers. The DoT is also likely to announce spectrum sharing regulations further to the report of the Spectrum Allocation Committee – portions of which have been leaked to the Press. Should these regulations come into existence, 2G licensees will have yet another opportunity to provide 3G services even though they have not obtained spectrum through the auction.

All this is good. There is a need for broader penetration of modern telecom services in this country. The only way this will be achieved is through a more intelligent utilisation of scarce resources. Strategies such as roaming and spectrum sharing will facilitate more optimal utilisation of spectrum. If the government will allow this to happen, there could be little to complain about.

What worries me is that this is unlikely to happen. The government has made it abundantly clear that its primary focus is the maximisation of revenues from the 3G auction. This is unlikely to be achieved if 2G licensees are able to offer 3G services without participating in the auction. Not only will most licensees opt out of the auction, they will likely enter into agreements with those that plan to participate to reflect their post auction spectrum sharing arrangements. It will be in the interests of the government to ensure that only those who have bid and won 3G spectrum will be allowed to deploy 3G services in order to ensure that as many operators as possible, participate in the auction.

The 3G auction information memorandum indicates that the UAS license is going to be amended as part of the 3G auction process. If the government is in revenue maximisation mode, these amendments are likely to be aimed at plugging these loopholes to ensure higher revenue from the auction. It is likely that the amendments will create a separate license regime for 3G spectrum. In which case the government would have delivered on its intention to keep alive the goose that lays the Golden Eggs – never mind that it sets the growth of broadband back a couple of year