harmonization of e-commerce laws and regulatory systems in south asia

23

Harmonization of e-commerce laws and regulatory systems in South Asia

II. HARMONIZATION OF E-COMMERCE LAWS ANDREGULATORY SYSTEMS IN SOUTH ASIA

By Pavan Duggal21

Introduction

Many believe the Internet to be full of natural anarchy, so that a system oflaw and regulation for the Internet seems contradictory. However, cyberspace is, infact, governed by a system of law and regulation called cyberlaw. There is no singleexhaustive definition of the term cyberlaw. One broadly accepted definition ofcyberlaw is a generic term that refers to all the legal and regulatory aspects ofInternet and the World Wide Web. Anything concerned with or related to or emanatingfrom any legal aspects or issues concerning any activity of people in cyberspacecomes within the domain of cyberlaw.

The first use of the term cyberspace was in 1984 by author William Gibson inhis science fiction novel Neuromancer. It described the virtual world of computers.Today, cyberspace is how most people describe the world of the Internet. Thoughfar from the immersive virtual reality of the fictional version, and often regarded asan overused buzzword, cyberspace has become synonymous with the Internet. However,cyberspace is not the World Wide Web alone.

The growth of electronic commerce has created the need for vibrant andeffective regulatory mechanisms, which would further strengthen the legal infrastructurethat is crucial to the success of electronic commerce. All of these regulatory mechanismsand the legal infrastructure come within the domain of cyberlaw.

Cyberlaw is important because it touches almost all aspects of transactionsand activities concerning the Internet, the World Wide Web and cyberspace. Cyberlawalso concerns everyone. As the nature and scope of the Internet is changing, it isperceived as the ultimate medium ever evolved in human history. Every activity incyberspace can and will have a cyber legal perspective. From the moment a personregisters a domain name, sets up and promotes his or her web site, and then conductselectronic commerce and has transactions on the site, various cyberlaw issues are

21 Advocate, Supreme Court of India; President, Cyberlaws.net; Member, Nominating Committee,ICANN; and cyberlaw consultant. The opinions, figures, and estimates are the responsibility of theauthor.

24

Harmonized development of legal and regulatory systems for e-commerce in Asia and the Pacific:current challenges and capacity-building needs

involved. Some people may not feel concerned about these issues today becausethey may feel that such issues do not have an impact or relevance to their cyberactivities. However, each person would eventually have to take note of cyberlaw forthe sake of his or her own benefit.

Awareness about cyberlaw has begun to grow. Previously, many technicalexperts felt that legal regulation of the Internet was not necessary. However, therapid growth of technologies and the Internet made it clear that no activity on theInternet can remain free from the influence of Cyberlaw. Publishing a web page isan excellent way for any commercial business or entity to increase its exposure tomillions of persons, organizations and governments worldwide. This feature of theInternet is causing much controversy in the legal fraternity.

Cyberlaw is also a constantly evolving process. As newer opportunities andchallenges are surfacing, cyberlaw is being modifying to fit the needs of the time.As the Internet grows, numerous legal issues arise relating to domain names, intellectualproperty rights, electronic commerce, privacy, encryption, electronic contracts,cybercrime, online banking, spamming and so on.

The arrival of the Internet and related technologies has made irreversiblechanges to the world today. In a world, which is moving steadily towards theinformation society and knowledge economy, it is essential that law must contributeits inputs to promote e-commerce. In 1996, the United Nations came up with theUNCITRAL Model Law on E-commerce. This law encouraged member states tolegislate various national laws and regulations in keeping with principles containedin the Model Law. In 2001, the United Nations drew up the UNCITRAL Model Lawon Electronic Signatures.

As cyberlaw develops around the world, there is a growing realization amongdifferent nation states that their laws must be harmonized and international bestpractices and principles must guide implementation. Many countries are trying toestablish harmonized legal regimes in order to promote online commerce.

However, in the subregion of South Asia, especially among members of theSouth Asian Association for Regional Cooperation (SAARC), India and Pakistan arethe two predominant players who have enacted e-commerce laws. India enacted theInformation Technology Act, 2000 while Pakistan promulgated the ElectronicTransactions Ordinance, 2002. All of the countries in the SAARC region have notyet enacted e-commerce laws at the time of this paper, the other SAARC membershad not yet enacted e-commerce laws.

25


India is an excellent example of how legal systems mature with the passage oftime in order to provide the required boost to e-commerce. This paper examines theexample of India in slightly more detail. E-commerce law in India is the IndianInformation Technology Act, 2000 and it demonstrates the need for other countriesto harmonize their legal systems to stay in tune with the rapidly growing requirementsof e-commerce.

The next sections provide an overview of the e-commerce laws and regulatorysystems in SAARC-member countries.

A. India

The Parliament of India passed its cyberlaw in the form of the InformationTechnology Act, 2000, which provides the legal infrastructure for e-commerce. TheAct received the assent of the President of India and became the law of the land on17 October 2000.

The objective of the Information Technology Act, 2000 would be to providelegal recognition for transactions carried out by means of electronic data interchangeand other means of electronic communication, commonly referred to as electronicmethods of communication and storage of information. The act would also facilitateelectronic filing of documents with various government agencies and further toamend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers BookEvidence Act, 1891 and the Reserve Bank of India Act, 1934 for related matters.

The Act thereafter stipulates numerous provisions in order to provide for thelegal framework so that legal sanctity is accorded to all electronic records and otheractivities carried out by electronic means. The Act further states that unless otherwiseagreed to, the acceptance of a contract expressed by electronic means of communicationshall have legal validity and enforceability. The Act would facilitate electronicintercourse in trade and commerce, eliminate barriers and obstacles to electroniccommerce that result from the celebrated uncertainties relating to writing and signaturerequirements over the Internet. The objectives of the Act also aim to promote anddevelop the legal and business infrastructure necessary for implementing electroniccommerce.

Chapter II of the Act stipulates that any subscriber may authenticate an electronicrecord by affixing his digital signature. It further states that any person can verifythe electronic record by the use of a public key of the subscriber.

26


Chapter III contains details about e-governance and provides, among otherthings, that where any law provides that information or other matters shall be inwriting, typewritten or printed form, then, notwithstanding anything contained insuch a law, that requirement should be satisfied if the information or matter is:

(a) Rendered or made available in an electronic form;

(b) Accessible to make it usable for subsequent reference.

That chapter also provides details about the legal recognition of digital signatures.The various provisions give further elaboration about the use of electronic recordsand digital signatures in government agencies. The Act also refers to publication ofrules and regulations in an Electronic Gazette.

Chapter IV gives a scheme for the regulation of certifying authorities. TheAct provides for a controller of certifying authorities who shall perform the functionof supervising the activities of certifying authorities as well as setting standards andconditions governing the certifying authorities. The controller also specifies thevarious forms and the content of digital signature certificates. The Act acknowledgesthe need to recognize foreign certifying authorities and it further details the variousprovisions for granting the license to issue digital signature certificates. The dutiesof subscribers are also covered. The Act also covers penalties and adjudication forvarious types of offences and mentions the power and qualifications for the adjudicatingofficer.

A provision in Chapter X foresees a Cyber-Regulations Appellate Tribunalwhere appeals against the orders passed by Adjudicating Officers could be referred.The tribunal would not be bound by the principles of the Code of Civil Procedure,but would follow the principles of natural justice and have the same powers asa civil court. Any appeal against an order or decision of the Cyber-RegulationsAppellate Tribunal would be made to the High Court.

Chapter XI covers various offences and stipulates that the investigation mustbe by a police officer only, and that officer should have the rank of deputy superintendentof police or higher. These offences include tampering with computer source documents,publishing obscene information in electronic form, breach of confidentiality andprivacy, misrepresentation, publishing a digital signature certificate that is false incertain particulars and publication for fraudulent purposes.

27


Hacking and penalties if found guilty have been defined in Section 66. Forthe first time, punishment for hacking has been designated as a cyber crime.

The Act also provides for constituting the Cyber-Regulations AdvisoryCommittee, which would advise the government about any rules or other matterconnected with the Act. The Act also has four schedules which amend the IndianPenal Code, 1860, the Indian Evidence Act, 1872, The Bankers Books EvidenceAct, 1891, The Reserve Bank of India Act, 1934 to make them conform with provisionsof the IT Act.

Overall, the Information Technology Act, 2000 is considered to bea commendable effort by the government to create the necessary legal infrastructureto promote and encourage the growth of electronic commerce.

B. Pakistan

Pakistan promulgated the Electronic Transactions Ordinance (ETO) in 2002with the purpose to recognize and facilitate documents, records, information,communications and transactions in electronic form and to provide for the accreditationof certification service providers.

The ETO grants legal recognition to electronic forms and gives legal recognitionto electronic signatures. The ETO establishes the attributions regarding electronicdocuments and makes provisions regarding acknowledgement, receipt and so forth.There are provisions concerning certification service providers and the establishmentof the Certification Council.

The ETO defines certain offences such as violations of privacy of informationand damage to the information system. It also limits the liability of network serviceproviders in the absence of facilitation, aid and abetting.

The ETO also amends certain existing laws in order to make national lawsmore amenable to e-commerce. The Qanun-E-Shahadat Order, 1984 was thus amendedto allow electronic documents as evidence.

C. E-commerce legislation in other South Asian countries

Bangladesh has prepared a Draft Information Technology (ElectronicTransaction) Act that incorporates provisions from the UNCITRAL Model Law on

28


E-commerce, the Singapore Electronic Transactions Act and the Indian InformationTechnology Act, 2000.

At the time of writing, Bhutan and Maldives had yet to develop legislativeprovisions relating to e-commerce. However, new regulations were being drafted inMaldives under the responsibility of the Ministry of Communication Science andTechnology (MSCT) and the National Centre for Information Technology (NCIT) incooperation with the business community. Nepal had proposed legislation concerninge-commerce pending before the Government.

The Parliament in Sri Lanka passed the Information and CommunicationsTechnology Act, Number 27 of 2003. The ICT Act provides for the establishment ofthe national committee on ICT of Sri Lanka in order to set out of a national policy onICT and prepare an action plan. The Act also calls for the appointment of a taskforce for ICT. There are also provisions for the establishment of the ICT agency ofSri Lanka to be charged with implementation of national policy related to both thepublic and private sectors and related matters.

D. Analysis of other ICT and e-commerce elements

Analysis of other elements related to ICT and e-commerce shows the diversityof approaches and a wide range in the scope and breadth of policy, laws and regulations.Much of the work concerning the legal and regulatory frameworks for e-commercein South Asia has been done in India and Pakistan. Both countries have sought tolegalize the electronic format and granted legality to electronic commerce transactions.

India and Pakistan have provided for authentication of the electronic documentsand records. However, the approaches have differed. India has enacted a technologyspecific law by stating that the authentication of electronic information can only bedone by use of an asymmetric crypto-system and hash function or public keycryptography. Pakistan has taken the more pragmatic approach by not committingthe mistake of making a technology specific electronic law. Instead, the law istechnologically neutral and talks about the authentication of electronic records byelectronic signatures as compared to digital signatures.

Both India and Pakistan have relevant provisions relating to establishing thedigital signature regime. India established the Office of Controller of CertifyingAuthority to head the digital signature regime. Pakistan entrusted this responsibilityto the Certification Council. India has already granted licenses to five entities to actas certifying authorities to issue digital signature certificates.

29


India has incorporated some aspects relating to cybercrime into its cyberlaw.Certain acts have been stipulated as cybercrimes with punishment in the form ofimprisonment and fines.

While India and Pakistan have covered some aspects in their e-commercelaws, there are still large areas that require appropriate attention. Additional objectiveexamination of cyberlaws and e-commerce laws around the world shows that someextremely important issues need to be fully addressed by any nation. Related areasthat concern ICT either directly or indirectly have been addressed by the other SouthAsian countries.

1. Telecommunication regulation policy

In terms of a general overall framework or guideline in the form ofa Telecommunication Regulation Policy, the countries of South Asia have a varietyof situations. Bangladesh has a policy, but it does not include complete privatization.Public and private sector entities are supposed to work together. A licensing schemeremains. Bhutan has the Telecommunications Act, 2000 and it stipulates that thesole provider of telecommunications is state owned. In India, there are private andpublic holdings for the ICT industry.

The four remaining South Asian countries have policies, but these wouldinclude more elements than just regulation. Maldives has the TelecommunicationsPolicy covering 2001-2005. Nepal has had a Telecommunications Policy since1996. Changes and reform concerning ICT in Pakistan began with the PakistanTelecommunication (Re-Organization) Act 1996. As of 2004, Sri Lanka has hada National Telecommunications Policy.

2. Consumer protection22

India has the Consumer Protection Act 1986, however, nothing in the Actrefers explicitly to e-commerce consumers. It provides for the regulation of tradepractices, the creation of national and state level Consumer Protection Councils,consumer disputes redress forums at the National, State and District level to redressdisputes, class actions and for recognized consumer associations to act on behalf ofconsumers. The Act provides a detailed list of unfair trade practices, but it is notexhaustive.

22 Consumers International Asia Pacific Office, Asia Pacific Consumer Law, www.ciroap.org/apcl

30


Similarly, Maldives has had a consumer protection act since 199623 and Nepalhas a consumer protection act, but there is no provision for e-commerce consumers.The Consumer Protection Act, 1998 of Nepal came into force on 13 April 1999 andestablishes the Consumer Protection Council.

Pakistan has consumer protection acts in some provinces, but with no provisionfor e-commerce consumers.

Sri Lanka has a Consumer Protection Act 1979, which is not yet applicable toe-commerce, but policy to do so exists. The Act provides for consumer protection,regulation of internal trade and the establishment of fair trade practices. The Actcreates the Office of Commissioner of Internal Trade with wide powers to permitcreative, effective and expeditious intervention in the market place to ensure protectionof consumers and fair trading. The Act was amended in 1980, 1992 and 1995. The1980 amendment introduced a new feature, the Consumer Protection Fund.

3. Protection of intellectual property

Five countries in South Asia are party to the World Intellectual PropertyOrganization (WIPO) Convention: Bangladesh acceded in 1985; Bhutan acceded in1994; Maldives joined in 2004; Nepal joined in 1997; and Sri Lanka joined in 1978.Bhutan and Nepal are also members of the Paris Union. Bangladesh, and Sri Lankaare members of both the Paris Union and the Berne Union. As of this writing,Sri Lanka was the only country in South Asia to become party to the Trademark LawTreaty in 1996.24

Bangladesh Copyright Law, 2000 does provide for IT protection. The CopyrightAct of India provides protection to computer programs, but specifically excludescomputer software from the ambit of its protection. The Copyright (Amendment)Act, 1992 of Pakistan provides protection to computer programs.

Sri Lanka provides protection under Code of Intellectual Property ActNumber 52 of 1979 as amended by (Amendment) Act 13 of 1997. Computer softwareis protected by copyright law as described in the Code of Intellectual Property Act

23 Refer to www.maldiveisle.com/consumerprotectionactofmaldives.htm24 World Intellectual Property Organization, Treaties and Contracting Parties, www.wipo.int/treaties/en/

31


and Act Number 14 of 2000.25 However, it appears that the protection does notextend to computer programs/databases.

4. Cybercrimes and cyber-evidence

Cybercrime and the acceptance of cyber-evidence have become major concernsfor all countries as part of globalization and the spread of e-commerce. However,there are some basic issues yet to be resolved, such as types of computer crime, setof procedural powers, specific definitions and scope of cybercrime, lack of a commonunderstanding about the problem and how to respond, issues of sovereignty, problemsof dual criminality and the limits of treaties that may not include necessary investigativepowers.

The draft IT Act of Bangladesh appears to contain provisions that are similarto the India IT Act. There are sections of the India IT Act that make punishable suchactions as hacking, tampering with computer source codes and publishing or transmittingobscene information.

It had been reported in 2002 that a Computer Crimes Act has been drafted inSri Lanka.26

E. Recommendations

There are several issues that need to be addressed in order to have harmonizationof legal and regulatory systems for e-commerce that could be acceptable to allcountries in South Asia:

1. Telecommunication liberalization

2. Recognition of electronic documents

3. Consumer protection for e-commerce consumers

4. Electronic funds transfer

5. Dispute resolution

6. Liability of Internet service providers (ISP)

25 University of Colombo Computer Science Society, CompSoc Today, vol. 1, Issue 2 (June 2002).www.cmb.ac.lk/stud-acti/Clubs/compsoc26 Ibid.

32


7. Domain names

8. Intellectual property protection

9. Privacy

10. Cybercrime

Addressing these issues by creating e-commerce laws in each South Asiancountry would help promote the growth of an e-commerce regime in South Asia.

However, clearly having such laws in place, which stipulate for the variousissues as listed above, does not provide the only way to success in terms of achievinggrowth of e-commerce. Once a law is in place, an extremely important role isplayed by entities entrusted with implementation of existing laws enacted by theparliament. In this regard, the role of government as enforcer of laws must be keptin mind. In addition, countries such as Bangladesh, Bhutan, Maldives, Nepal andSri Lanka would need to prepare solid drafts of e-commerce law in their respectivecountries.

There might be opportunities for this group of countries to learn from theexperiences of India and Pakistan. However, the Indian experience has shown that itis easy to enact law on paper. However, it is extremely difficult to enforce laws inactual practice. There are numerous challenges that require appropriate awarenessamong citizens about e-commerce laws. This is so because at the end of the day, thee-commerce laws are basically targeted to protect and help those citizens.

It is also necessary for all nations in South Asia to ensure that there is adequatetraining of the relevant departments and government officials who would draft andimplement policies relating to e-commerce. There is an urgent need in countries ofSouth Asia to ensure that their lawmakers and policy makers are appropriately sensitizedabout the various nuances and legal issues that impact e-commerce. This is importantin order to prevent the passage of some policy which may have no relation to theexisting realities. The result might be implementation that is likely to create moreobstacles or harm than achieve any good.

There is an urgent need to sensitize and educate the judiciary in South Asiaabout the various nuances and peculiarities of e-commerce laws. This is so becausethe judiciary, composed of judges, tribunals, lawyers and the like, play an extremelyimportant role in the actual interpretation of the written provisions of the e-commercelaws. Due to historical reasons, the Internet has not fully penetrated into the heart

33


and rural areas of South Asian countries. As such, the proliferation of Internetgrowth is primarily limited to metropolitan areas, urban and semi-urban areas.

In a number of SAARC-member countries today, villages still do not haveInternet connectivity. There is an growing requirement to ensure adequate developmentof infrastructure in South Asia. That means there is a need to spend a lot of moneyon telecommunications and related infrastructure facilities. This would enable furthergrowth of e-commerce in South Asia.

F. Law enforcement and cyberlaw

Another issue that requires attention is the fact that law enforcement agenciesand the police need to be duly trained about the various issues relating to e-commercelaws. While some acts have been designated as cybercrimes in India, with punishmentby imprisonment and fine, a large number of cybercrimes that have already emergedstill have not been regulated by the e-commerce laws of South Asian countries.

Since the enactment of the Information Technology Act 2000 in India, there isthe start of some awareness about cyberlaw and cybercrime related issues. However,given the vast size of the country and the enormity of the task at hand, all existingactions have had virtually minimal impact. There is a need for the government tocome up with strong training and awareness programmes on all related issues pertainingto cyberlaw and cybercrime. The crucial sectors, that are to be targeted have to beidentified as a matter of policy and then appropriate programmes have to be targeted.

The Government needs to target all statutory authorities who have beenconstituted under the Information Technology Act for training and orientation. Thesestatutory authorities include the Adjudicating Officers as well as the various CertifyingAuthorities. Adjudicating Officers are the relevant statutory authorities who havebeen given the power to grant damages by way of compensation up to the amount ofRs. 10 million, if certain specified unauthorized acts take place pertaining to computers,computer systems or computer networks. At present the Adjudicating Officers inIndia are not aware about how to proceed in adjudicating claims for damages by wayof compensation.

This is due to the way in which the Central Government by means of notification,has only stipulated the Information Technology Secretaries of different states as theAdjudicating Officers. By designating technocrats to perform quasi-judicial functions,without giving them appropriate training or orientation, only leads to complications

34


of problems. This has resulted in a scenario where the adjudicating officers are notoriented to perform their quasi-judicial functions.

The Government of India also needs to plan and implement special awarenessand orientation programmes for police officers. The Information Technology Act2000 stipulates that cybercrime in India shall only be investigated by a police officernot below the rank of Deputy Superintendent of Police (DSP). Given the practicalreality where a DSP in India, as a high ranking police officer, is already burdenedwith other critical issues and pressing problems and responsibilities, cybercrimeinvestigation and prosecution becomes an extremely low priority for them. There isno orientation given to the police officers in an organized, systematic basis. Specialtraining programmes are needed for those police officers who are designated to dealwith cybercrime.

For the legal profession, there are various areas, which require maximumcapacity-building. Lawyers in India are not very aware of information technologylegal provisions and there is a compelling need to educate them. Lawyers need to betrained appropriately about various relevant issues relating to e-commerce law andthe technical nuances of the law.

Judges also need to be duly trained about the various legal issues pertainingto the Information Technology Act, 2000. People in the lower and middle leveljudiciary are almost completely unaware of the various nuances and other technicaldetails concerning such e-commerce laws. This area needs to be seriously andurgently addressed.

Cyberlaw training also needs to be given to the government departments andthe relevant officers engaged in e-commerce and e-governance activities. This isessential, as the preamble of the Information Technology Act specifically states thatthe objective of this law is to promote e-commerce and electronic filing of documentswith government agencies.

Nothing much has been done to facilitate access by consumers to the tribunalcourt alternatives for e-commerce disputes. The Indian e-commerce law has onlyprovided that one statutory authority be established, namely adjudicating officers.At the time of writing, only one case has been filed in India before the adjudicatingofficer for grant of damages by way of compensation under the Indian Cyberlaw.

This industry and the public at large have been generally unaware of theprovisions and remedies stipulated under the law. Until such time as the government

35


starts massive capacity-building programmes and initiatives, the situation is likely tocontinue to remain the same.

Various institutes in India conduct courses on cyberlaw for lawyers, studentsand other professionals. However, most of these courses are pure commercial venturesand the quality of knowledge and awareness imparted is not up to the standard andoften leaves much to be desired. With the media reporting cyberlaw related issues,as well as various cases conducted under the law, awareness about crimes conductedover the Internet has been slowly increasing.

As time flies fast, e-commerce continues to grow with each passing day.However, a look at the existing laws shows that it will take a large amount of timeand effort for South Asian countries to effectively put their legal regimes in agreementwith the existing international best practices and procedures.

G. Concluding observations

This study has suggested that there is a need to improve Internet density, andthis could be achieved through the entry of private parties into the field oftelecommunications. This should be encouraged as a matter of policy. Greatercooperation among SAARC-member countries could enable exchange of informationand experiences related to the establishment and successful implementation ofe-commerce legal and regulatory systems.

Increased regional cooperation and negotiation of treaties between SAARC-member countries would ensure protection of legitimate e-commerce interests. Alongthese lines, there is a need to establish a regional mechanism on jurisdiction. Thiswould ensure that in the event any e-commerce contracts would be violated, thejurisdiction of the victim/consumers country would prevail. The countries of SouthAsia could also benefit by coming to a joint agreement on the issue of ISP liability.

Comprehensive dissemination of information should be made to the publicabout existing e-commerce laws. Education and training for officials in enforcementagencies, the judiciary, the police force, and so forth is needed with a top prioritygiven to the various legal issues relating to e-commerce.

There is an urgent and compelling need to set up an intergovernmentalrecommendatory body to help South Asian countries without laws to make e-commercelaws as soon as possible. Some existing laws in South Asian countries might needmodification to meet international standards. One way to help would be through

36


propagation of existing model laws, such as UNCITRAL Model Laws on E-Commerceand Electronic Signatures.

The urgent requirement at this time is to ensure that countries in South Asiathat have not yet enacted e-commerce laws consider how to learn from and takeadvantage of the good work already done in other countries of the region. There areno benefits from duplication of effort, but governments need to take into accountinternational principles and best practices so that they can be incorporated in theire-commerce legal regimes. As a result, their e-commerce laws and regulatoryframeworks would be in agreement with international best practice and evolvinglegal trends and developments around the world.

harmonization of e-commerce laws and regulatory systems in south asia

Documents