The government issued four sets of rules related to the Information Technology Act in April. These rules were tabled in Parliament a few days ago — and will be placed on the table for 30 days.
Rules, in general, form part of a legislation and usually deal with details that may need quick changes in response to changing circumstances. Parliament retains oversight over rules and can modify them.
Three sets of the IT rules that have been tabled have important implications related to freedom of expression and privacy.
The Information Technology Act has a provision for safeguarding “sensitive personal data or information” (SPDI) maintained by companies. These companies are required to adhere to “reasonable security practices and procedures” (RSPP), and are liable to compensate for any loss due to negligence in maintaining such procedures. The act further states that RSPP will be determined by an agreement between the individual whose data is being maintained and the company holding the data. In the absence of such an agreement, the company will comply with such RSPP as notified in rules. The act also authorises the Central government to define what SPDI is.