Yahoo v. Controller of Certifying Authorities

The Controller of Certifying Authorities had sometime ago published an Order it passed against Yahoo India imposing 11 lakhs for not replying to multiple notices under Sec. 28 of the Information Technology Act, 2000 (link here). The notices were based on “requests/references from the intelligence bureau, Ministry of Home Affairs, Government of India on regular basis on sensitive issues relating to national security, integrity and defense.”

the 11 Lakh fine

[caption id=”attachment_2155" align=”alignleft” width=”300" caption=”A Nice Place to Stay on the Internet by Thomas Hawk licensed under CC BY-NC 2.0"]

[/caption]

Subsequently, the CCA recorded that Yahoo, “failed to respond to the above said notices from the Office of Controller of Certifying Authorities during the4 last six months which led to avoidable delays in sensitive investigations. That only on 19.07.2011 the company collectively replied to the notices submitting that the Controller is not the competent authority to seeks disclosure of user information.”

The CCA which also acts as a quasi-judicial authority to determine contraventions framed four issues whose findings are given below:

1. Whether the notices were simpliciter requests and not notices for the purposes of investigations under Sec. 28.

“The company’s contention that since the words “for the purpose of Investigation of certain contraventions committed under the Act”, have not been used in the notice, making it a request simpliciter, is untenable. It is significant to note that all the notices and show cause notice made reference to section 28 of the Act only. Once a notice is issued under section 28 of the Act, it is but obvious that the information is required “for the purpose of investigation of certain contraventions committed under the Act”. The notices issued to the company made it clear in no uncertain terms that under section 28 of the Act, the company is to provide certain details and it is always to the knowledge of the company that the said section gives CCA or any officer authorized by him the power to investigate any contravention of the provisions of this Act, rules or regulations made there under; and therefore also the authority and competence to seek information, which has been questioned by the company.”

2. Whether the Company’s contention that there was no investigation underway of any contravention of the provision of the Act, when the aforementioned notices were served upon the company is correct.

“14. It was clear that the information required was for investigation purpose only. The user details sought are neither figment of imagination of the Intelligence Bureau, nor of the Office of Controller. This information has been sought for protecting national security, integrity and defence. Hence, the Company’s plea that there was no investigation underway of any contravention of the provision of Act. When the aforementioned notices were served upon the company is untenable and incorrect. The company has failed to give any coherent reason why it came to a conclusion that there was no investigation underway of any contravention of the provision of Act. When the aforementioned notices were served upon the company.”

3. Whether the Company by disclosing user details as requested under various notices would be violating provisions of Section 72A and also make the office of the CCA liable under Section 72 of the Act ?

“16. Section 72 also provides the same saving clause, permitting disclosure of information as provided under the Act. The CCA cannot be made liable under section 72 for exercising the authority entrusted upon him under section 28 of the Act. Further, section 84 of the Act grants protection to the Controller or any person acting on behalf of him for anything which is in good faith done or intended to be done in pursuance of the Act or any rule, regulation or order made thereunder. All the notices as well as the show cause notice have been issued to the company without malafide intent and in good faith in the background of context and circumstances. The allegations of highhandedness and tendency to coerce are uncalled for.”

4. Whether the Company is liable under Section 44(a) of the Acft for its failure to furnish information and/or documents as directed by the CCA and also under the provisions of Secs. 174/175 of the Indian Penal Code, 1860 ?

“19. In my view, such a complete disregard of statutory authority by the company is reprehensible and condemnable. The company’s plea that the Controller is not a competent authority in its delayed response to the notices, is incorrect in the view of the stated position of law under the Act. Wherein section 28 empowers the Controller or any officer authorized by him the power to investigate any contravention of the provisions of this Act, rules or regulations made there under. There is an inherent contradiction in the company’s submission, on one hand it recognizes that the Office of CCA is competent under section 28 of the Act to investigate, and on other, it challenges the competency of the Controller or any officer authorized by him to issue notices under section 28 of the Act.”

Straight to the High Court

Under the IT Act, orders of the CCA are directly appealable to the Cyber Appellate Tribunal. However, the Cyber Appellate Tribunal seems to be more or less defunct since it does not have any members which have been appointed by the Central Government and even its last Presiding Office, Justice Mr. Rajesh Tandon retired on June 30, 2011. It seems that due to these peculiar circumstances, Yahoo filed a writ petition in the Delhi High Court (W.P. 6654/2011) challenging the Order of the CCA.

On the very first date of hearing (14.09.2011), the Hon’ble Court was pleased to stay the operation of CCA Order and the penalty imposed under it. This stay is a conditional stay, Yahoo! to enjoy the stay has to provide the information saught by the CCA within a week. The Order also records the lines of argument which may be developed by Yahoo in the future. The Order records that,

“2. The senior counsel for the petitioner has contended that the respondent №2 in pursuance to the notices issued under Section 28 of the Act was not empowered to seek the information sought and as such the petitioner cannot be said to be in violation thereof for not complying therewith. It is further contended that the respondent №2 is not even empowered to impose the penalty / fine as has been done. It is stated that the information if any required can be sought under Section 69 of the Act and which the petitioner is willing to furnish.

3. The matter requires consideration.”

In my view this litigation throws up several significant questions including,

a) which is the proper authority to issue such notices ? does the CCA have such a power even when there are detailed rules framed under Sec. 69 which provide for other authorities to issue notices to intermediaries to disclose data of their data ? If yes, then how do these authorities work together to share subscriber data ?

b) are other intermediaries also receiving notices from the CCA ? if yes, how are they responding to them ? how much subscriber data are they disclosing ?

c) how long will the position of the presiding member of the Cyber Appellate Tribunal lie vacant ? does this reflect lethargy on part of the government to fill the vacancy or it means that there is just not enough work to justify the appointment ?

_____

Disclosure : I am retained on the panel of the CCA and have refrained to express any opinion/comment on this litigation beyond the factual summary above.