Attracting Legislative Retribution by Deliberate Neglect and Apathy

Naavi has been trying to promote “Voluntary Compliance of Cyber Laws” since 2000 when ITA 2000 was notified. The slogan for “Cyber Law Compliance is the Corporate Mantra for Digital Era” was first stated by me in a CII seminar in Chennai in December 2000. Ever since, through various measures such as “Cyber Law Awareness Movements”, “ITA 2008 Compliance Drive” etc, the undersigned has tried to impress upon the Companies the importance of voluntary Cyber Law Compliance.

It is however sad to admit that the success of this campaign has not been anything to write about. Some companies started the compliance activity but could not sustain it since the conventional information security professionals have always considered that “Legal Compliance” is secondary to “Compliance to Technical standards” such as PCI DSS or ISO 27001 and after exhausting their efforts in technical security, they neither have energy nor money left apply legal compliance patch.

What companies and these professionals forget is that “Technical Compliance” is for the sake of pursuing a “Best Industry Practice” while “Legal Compliance” is for avoiding legal penalties. Technical Compliance is fashionable but legal compliance is life sustaining.

The object to pursue is therefore “Techno Legal Compliance” which is technically sound and also compliant with the legal provisions. Where the legal provisions are vague or inadequate, the better technical standards should prevail and vice versa.  Business prudence should therefore be to pick the best of the suggestions from the technical standards and legal prescriptions so that the security is defensible when charged with “Lack of Due Diligence” or “Negligence” when an incident results in a legal claim on the company.

Unfortunately, Indian Businessmen are by nature complacent and think that any legal problem can be tackled after the problem reaches a Court and there is no need for any pro-active measure to prevent and pre-empt a legal problem.

Some are so obsessed with the “All Is Well” syndrome that they think problems arise only for others and not for themselves. Some think that our Police are corrupt, Judiciary is ignorant and Lawyers are brilliant so that any problem can be tackled before it gets out of hand.

But this attitude was perhaps workable as long as the political system was also deeply corrupt so that things could be managed at the highest level. But after the demise of the UPA rule in the country and emergence of Mr Modi as the head of state, the freedom with which corrupt politicians worked around is slowly getting curbed. This has and will even more in the future percolate to the administrative layer where bureaucrats will also have to be less and less corrupt and start enforcing the law of the land.

It therefore does not pay to avoid   “Voluntary Compliance” of law as a deliberate business strategy. The strategy that “We will provide as much information security as is commercially feasible” which some institutions declare in their terms is a clear admission that they are deliberately under-securing their business for commercial considerations and such approach to security needs to be reviewed in the current “Less Corrupt” law enforcement context.

It is therefore necessary for all right thinking businessmen in different domains of activity such as Banking, NBFC, E Commerce, Health Care or any other sector to come together and formulate a “Legal Compliance Network” for their specific domain and guide the business managers. While they often come together for lobbying on commercial benefits, they fail to foresee the legal non compliance problem.

I have highlighted in the past that such lack of self regulation forced unwarranted legislation on UBER, OLA and other taxi aggregators. It also brought unwarranted attention on the E Commerce players such as Flipkart and Amazon. Now even the Health Care mobile app developers are facing the heat of such attention. If left unattended, the problems will not melt away. They tend to coagulate and cause an artery block sooner than later. Then there will be a need for a “By-pass” surgery to survive which could be crippling (Taxi Aggregators are already in this state) or worse result in some companies folding up.

In January 2016, India’s drug regulator namely the Drug Controller General of India has issued an order banning the online sale of medicines. (Refer article here)  Many online mobile app companies involved in such sales had and are still raising venture capital funding for such activities unmindful of the fact that there would be stiff resistance to their business even in the coming days.  Chemists have gone on strike and approached Courts to fight the online pharmacy activity as “Illegal”. (Refer here)

In view of these developments, the Union Minister of Commerce, Nirmala Sitharaman has already announced (Refer here) that the Government is working on regulating web pharmacies.

Now yet another front on which such new regulation is expected is in the area of E Commerce.  Today’s Times of India reports  that the Consumer Affairs Ministry has shared with the Commerce Ministry that 46 e-commerce comnirmala_sitharamanpanies  did not respond to e-mails sent to them for redressal of Consumer Grievances. In the same breath the Ministry has come out with a statement that they would come out with “Rules and Regulations” to regulate the E Commerce industry. (Refer here)

Let’s admit the fact. Our bureaucrats would be too happy to formulate new rules and regulations so that the “License Raj” in e-commerce prevails and booms even of E-Commerce withers.

The responsibility for leading the Government to such a situation lies with the industry which does not consider voluntary self regulation that can make the Government regulation redundant.

There is also a Consumer Protection Bill (A more detailed analysis of the same would be presented separately) that is being introduced in the Parliament to replace the Consumer Protection Act which will also make some significant changes to the lives of the E Commerce players.

I squarely blame the industry for its non-compliance of existing laws,and providing an excuse to the Government for introducing multitude of regulations.

For example, the current Consumer Protection Act automatically applies to E Consumers since “Business done with electronic documents” is nothing different from “Business done with paper documents” and hence all laws applicable for paper based business is also applicable to E-Commerce. Further under Section 79 of ITA 2000/8, E Commerce companies need to ensure that no offences are committed with the use of any message that passes through/processed by them unless they can prove that they have exercised “Due Diligence”.

One of the aspects of “Due Diligence” is providing a “Grievance Redressal mechanism” on the website. If the Government now finds that some E Commerce companies donot have a working Grievance Redressal sysem, it si only the tip of the ice berg. There are many more non compliance issues which if identified, will make these businesses uncomfortable.

And, it will not be just 46 E Commerce companies which are non compliant with laws. Almost all of them are non compliant with the basic aspects of Section 79 of ITA 2000/8 and common consumer law.

Most of these web based businesses donot provide their identity in the form of physical office address to which legal notices can be sent. They donot declare who are their promoters nor their grievance redressal officer. They provide a TOS in electronic form which is not a full fledged disclosure. Many donot provide proper Privacy Policies. Topping it all is the lack of or inadequacy of grievance redressal systems.

Some of these deficiencies can be attributed to the fact that the business managers are ignorant of the laws and are preoccupied with other business priorities. Some are however not because of ignorance but solely because they donot care.

Naavi attributes this to “Technology Intoxication” that makes them blind to the regulatory requirements.

Unfortunately, it is this callous attitude that irks the regulators and makes them wield the stick in the form of new regulations. Once the regulations are out and they start pinching, the businessmen will start complaining that  Government is curbing business through bad laws and cry infringement of their rights.

Now all Taxi aggregators have become “Taxi Operators” and consumers have also lost out in the process because competition is being stiffed out. The “Kala-Peela Taxi Driver’s syndrome” will soon come to the OLA and UBER companies also since they feel empowered that they have been “Licensed to Exploit” and any new entrant will find the barrier to entry too stiff to break. This is the re-entry of license raj in E Business.

Once E Commerce was the entry point for low resource wielding entrepreneurs who could just start any business by just opening a web site. Soon, there will be a plethora of regulations that makes it difficult for small and micro businesses to enter business dominated by the license wielding giants.

We can expect such  license raj in all E Business activities starting with the E Pharmacies and E Commerce.

I however believe that Mr Modi is conscious of the “Ease of Doing Business” concept and If the E-Business industry wakes up from their slumber, they may still be able to work with the Government to avoid setting in of a new license raj in E Commerce which will be detrimental to growth in competition and end up more anti consumer than what it tries out to be.

Will they?…. Oh ..are they listening? or happy counting their Venture fund contributions?

Naavi

Related Article:

Online Pharmacies form an association

Office of Online Pharmacy raided

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.