Introduction:

With a view to source funds for Swachh Bharat initiative, Section 119 of Finance Act, 2015 is introduced which provides for levy of Swachh Bharat Cess (SBC) on value of all taxable services at a rate of two percent. Though it was told initially that levy is going to be only on specified luxury services,but eventually it is notified with effect from 15.11.2015 on value of all taxable services at the rate of half percent. The levy is introduced at the unexpected timeand in a haste manner giving not more than one week time for the trade to adapt it.Many issues popped up and CBEC has released FAQs to clarify some of them. Let us have a look at various aspects of this levy.

Levy and Collection of SBC:

SBC is leviable on value of all taxable services at the rate of 0.5%. Unlike EC and SHEC, though it is named as ‘Cess’, it is not a cess on service tax amount. It is an additional tax on value of all taxable services. It is not applicable to services which are not taxable under Finance Act, 1994 and those which are exempted by notifications issued there under.

Invoicing& Tax Payment:

SBC needs to be shown separately in the invoice after service tax amount. Further, whatever the SBC amount charged during the month or quarter shall be paid by 5th/6th of the immediately following monthin cash without adjusting against CENVAT Credit. The accounting codes notified are as under;

Cum-Tax Calculations:

In certain agreements, the services provider agrees for provision of services for a consideration which is inclusive of all taxes. In such a case, the service provider discharges service tax in the method as specified in Section 67(2) of Finance Act, 1994 that is popularly known as cum-tax method. That is to say, if the contract value is Rs 10 Crore, then service tax shall be calculated as 10 Crore * 14/114.

Sub-section (5) of Section 119 of Finance Act, 2015 which provides for levy of SBC, expressly provides that the provisions of Finance Act, 1994 and rules made thereunder are applicable to levy and collection of SBC. Accordingly Section 67(2) is equally applicable to SBC also. Therefore even after the introduction of SBC, such service tax payable of 14% has to betaken as 14.5% and accordingly the obligation of SBC has to be met.

Reverse charge/Joint Charge:

It has been clarifiedthat reverse charge and joint charge mechanism is applicable even for collection and payment of SBC also in the same manner as applicable to service tax.

For example, in case of legal services, it is service receiver liability to pay entire service tax amount to Government. In case of such services, service receiver himself is responsible to pay entire SBC amount (0.5%) to Government.

In case of works contract services, the responsibility to pay service tax is equally divided between service provider and service receiver. In such cases, 0.25% out of 0.5% of SBC will be collected and paid by service provider and it is the responsibility of service receiver to pay the balance 0.25% directly to Government.

Abatements:

It has been clarified that in case of services for which abatements are applicable, similar to service tax, SBC shall be computed on net taxable value after deducting the abatement portion.

For example, in case of renting of hotel rooms, service tax is applicable only on 60% of the gross amount charged towards the accommodation. Balance 40% is the abated amount which is not subject to service tax. Suppose if the amount charged towards such accommodation is Rs. 10,000/- then in such cases, similar to service tax, SBC shall be calculated on 60% of the gross amount charged i.e. Rs. 6000/-(10,000x60%).

It has also been clarifiedthat SBC is calculated in similar manner in case of valuation of works contract and Restaurant services as provided respectively under Rule 2A and Rule 2C of the ServiceTax(Determination of Value)Rules, 2006.

Applicability of SBC to services taxable at Special rates:

Certain services as given under sub-rules to Rule 6 of the Service Tax Rules, 1994 are taxable at special rates at the option of service provider. It has been clarified that special rate of SBC for these services shall be calculated using the following formula. The applicable rates after applying the formula are given as annexure to this paper.

SBCSplrate = ST Spl rate×(0.5%) (14%)

Point of Taxation:

As stated above, SBC is a new levy of tax effective from 15.11.2015 onwards. It has been clarified in the FAQs issued by CBEC that Rule 5 of Point of Taxation Rules, 2011 is applicable to determine the taxability. Accordingly, no SBC is applicable when amount is received before 15.11.2015 and invoice for the same is raised either before 15.11.2015 or within 14 days after levy i.e. 29.11.2015. It is not relevant when the service is provided.

In all cases where payments are received after 15.11.2015, even if invoices are issued before 15.11.2015, SBC is applicable in terms of this rule. The impact of this rule is that SBC is applicable to all cases where services are provided and invoices issued but amounts are outstanding as on 15.11.2015.In view of this, SBC becomes applicable even to cases where services are provided much before SBC is notified but amount towards taxable service is outstanding as on 15.11.2015.

In the opinion of paper writer, applicability of this Rule 5 to cases of new levy is doubtful as the same appears to be in conflict with Section 67A which provides that the rate, value and exchange as prevailing at the time when service is provided or agreed to be provided but the rule completely ignores the time when service is provided but considers only the payment towards taxable services.

It is doubtful whether charging section 66B is applicable in cases where are provided before the levy is introduced. On a similar issue under law prevailing prior to 01.07.2012, in the case of Reliance Industries Ltd vs. CCE,2008(10)STR243(Tri-Ahmd) wherein it was held that services rendered prior to introduction of levy on a particular activity is not liable to service tax. Thus ambiguity is prevailing on applicability of SBC for services provided before 15.11.2015 but payments are received afterwards.

SBC whether eligible as CENVAT Credit:

No specific amendments are made in CENVAT Credit Rules, 2004 to expressly facilitate service receiver to take CENVAT Credit of SBC. Further it has been clarified in the FAQs that service receiver cannot avail CENVAT Credit of SBC as the said tax is not integrated in the CENVAT chain.

However sub-section (5) of Section 119 of Finance Act, 2015 which provides for levy of SBC, expressly provides that the provisions of Finance Act, 1994 and rules made thereunder are applicable to levy and collection of SBC. CENVAT Credit is an aspect related to collection of SBC and on this count, CENVAT Credit Rules, 2004 may even be applicable to SBC.

In the case of CCE vs. Shree Renuka Sugars Ltd,2015-TIOL-1478-HC-KAR-CX wherein it was considered whether sugar cess levied on imported sugar under Sugar Cess Act, 1982 is eligible for CENVAT Credit. Under Sugar Cess Act, 1982 also, provisions of Central Excise Act, 1944 and rules made thereunder are made applicable for levy and collection of sugar cess. In such scenario, the Karnataka High Court held that even in the absence of specific provisions in CENVAT Credit Rules, 2005 about sugar cess, it is nothing but excise duty under Rule 3 of the CENVAT Credit Rules, 2004 and accordingly eligible for CENVAT Credit.

Applying the same analogy to SBC, it appears that a service receiver is eligible for CENVAT Credit of SBC even in the absence of specific provisions in CENVAT Credit Rules, 2004 in this regard.

However, those assessees adopting conservative approachhave to be very cautious in availing the credit post implementation of SBC as it may be possiblethat some of the vendors do not disclose service tax and SBC component separately in their invoices which might lead to availment of SBC. Hence, the assessee has to be very cautious and avail only such component pertaining to service tax as credit and not the SBC.

SBC discriminates SEZs and EOUs/other exporters:

Exemption of services procured by SEZs towards exports are guided by Notification No 12/2013-ST dated 01.07.2013. SEZs are entitled to either ab-intio exemption or exemption by refund of service tax paid on services used for export upon satisfaction of certain conditions as laid down in the said notification. This exemption notification is given to SEZs under Section 93(1) of Finance Act, 1994.

It has been clarified that all the exemptions provided under Section 93(1) of Finance Act, 1994 are equally applicable to SBC also. On this count SEZs technically becomes eligible to procure domestic services without paying any SBC or eligible for refund if it is paid.

On the other hand EOUs and other major exporters are entitled to get refund of service tax paid on domestic services used for export under Rule 5 of CENVAT Credit Rules, 2004. As discussed above, it has been clarified that CENVAT Credit of SBC is not available. In such scenario, refund of SBC under this Rule 5 is not available. Thus this would lead to a scenario where SEZs are entitled to claim exemption of SBC on their input services used on export but on the other hand EOUs and other major exporters are not entitled to similar exemption benefit and their exports has to bear the burden of SBC.

In the opinion of the paper writers, it may not be the legislative intent to relieve SEZs from SBC especially in the circumstances where CBEC has expressly clarified that SBC is not eligible for CENVAT Credit and what is not allowed under CENVAT Credit route is generally not allowed under refund or exemption route. Therefore Government is required to clarify this issue at the earliest to avoid litigation.

Conclusion:

Introduction of SBC is one more example of how tax laws are enforced in our country without giving any importance for deliberation with trade and tax experts to understand and address the potential issues that may arise. Levy is enforced in less than one week time after its notification without even seeking views of trade bodies or making proper study on various aspects. Much ambiguity is built up in form of CBEC clarifications on eligibility of CENVAT Credit and applicability to services provided before levy but payments are received after the levy become effective. Before parting, recalling this quote- “Death, taxes and childbirth! There’s never any convenient time for any of them”. We have no option but to simply accept them.

An nexu re:

Table showing the SBC rates for services taxable at Special Rates:

This article is contributed by Partners of SBS and Company LLP – Chartered Accountant Company You can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it.

Amendment to Indian TP Rules allowing use of Multiple Year data and Range Rules: (Vide Notification no: 83/2015 dated 19 October 2015 w.e.f 01.04.2014):

The amended rules allow the use of “multiple year data” and “range concept” for determination of ALP for undertaking a transfer pricing comparability analysis.

1. Multiple Year Data

As a general principle the amended rules require use of current year data while undertaking transfer pricing analysis. Data relating to the current year which may be available subsequently at the time of a transfer pricing audit can be used in the audit proceedings. Use of a multiple year data is permitted in certain Circumstances.

• Earlier provision:

Rule 10B (4) of the Rules provides that the data to be used in analysing the comparability of an uncontrolled transaction with an International Transaction shall be the data relating to the financial year in which the International Transaction has been entered into. However, data relating to a period not being more than two years prior to such financial year may also be considered if such data reveals facts which could have an influence on the determination of transfer prices in relation to the transactions being compared.

• Amendment:

As per amended Rule 10B(4) the earlier provision shall not apply while analysing the comparability of an uncontrolled transaction with an international transaction or a specified domestic transaction, entered into on or after the 1st day of April, 2014 (“Current Year” being replaced by Financial year in the above said provision).

Rule 10B (5) provides that, where the RPM, CPM and TNMM has been used for determination of the arm's length price of an international transaction/ SDT, entered into on or after the 1st day of April, 2014, then, notwithstanding anything contained in sub-rule (4), the data to be used for analysing the comparability of an uncontrolled transaction with an international transaction or a specified domestic transaction shall be:

• The data relating to the current year; or
• The data relating to the financial year immediately preceding the current, if the data relating to the current year is not available at the time of furnishing the return of income by the assessee, for the assessment year relevant to the current year.

Further, if current year data is available at the time of transfer pricing assessment, then such data must be used.

2. Range Concept: Ø Earlier provision:

Section 92C(2) provides that in a case where more than one price is determined by the most appropriate method, the ALP shall be taken to be the arithmetical mean of such prices.

Further, if the variation between the ALP and the price at which International Transaction/SDT is undertaken, does not exceed such percentage as notified by the Central Government (not exceeding 3%), of the price of International Transaction/SDT, then the transfer price shall be deemed to be the ALP. The

1

Central Government has notified one percent for wholesale traders and three percent in all other cases as the tolerable range.

Ø Amendment:

Rule 10 CA - Computation of ALP in certain cases:

• Where in respect of an international transaction or a specified domestic transaction, the application of the most appropriate method referred to in Sec 92C(1) results in determination of more than one price, then the arm's length price in respect of such international transaction or specified domestic transaction shall be computed in accordance with the provisions of this rule.
• A dataset shall be constructed by placing the prices as mentioned above in an ascending order and the arm's length price shall be determined on the basis of the dataset so constructed:

Provided further, if the data for current year is available at the time of transfer pricing assessment proceedings and fails qualitative or quantitative filters, then such comparable cannot used for benchmarking purpose irrespective of the fact that data of previous year remains to be comparable.

(3) Where an enterprise has undertaken comparable uncontrolled transactions in more than one financial year, then for the purposes of sub-rule (2) the weighted average of the prices of such transactions shall be computed in the following manner, namely:—

3. Range:

• Rule 10CA(4) provides that in a case where more than one price is determined by the most appropriate method and where the ALP has been determined as per TNMM, RPM, TNMM and CUP method and has minimum of 6 comparables, the arm’s length range will start from 35th percentile and end at 65th percentile of the weighted average margins of comparables.
• Rule 10CA(5) provides that If the transfer price is within the arm’s length range, then the Transfer shall be deemed to be the arm's length price.
• Rule 10CA(6) provides that if the transfer price is outside the arm's length range referred, the arm's length price shall be taken to be the median of the dataset.
• Rule 10CA(7) provides that If the method used for determining the ALP is other than the methods specified above or the number of comparable companies is less than 6, the arm's length price shall be the arithmetical mean of all the values included in the dataset.

Further, if the variation between the ALP and the Transfer price, does not exceed such percentage as notified by the Central Government (not exceeding 3%), of the price of International Transaction/SDT, then the transfer price shall be deemed to be the ALP.

• In a case where the provisions of sub-rule (4) are not applicable,

Further, if the variation between the ALP and the Transfer Price does not exceed such percentage as notified by the Central Government (not exceeding 3%), of the Transfer Price, then the transfer price shall be deemed to be the ALP.

¹CBDT Notification No. 45/2014 dated 23 September 2014 on the applicable range for AY 2014-15 28 | P a g e

For the purpose of this rule, computation of range Rule 10CA (8), shall be as under:

Ø Thirty-fifth percentile and Sixty-fifth percentile of a dataset is defined as having values arranged in an ascending order, shall be the lowest value in the dataset such that at least thirty five percent and sixth-fifth percent of the values included in the dataset are equal to or less than such value respectively.

Ø Median of the dataset is defined as having values arranged in an ascending order, shall be the lowest value in the dataset such that at least fifty percent. of the values included in the dataset are equal to or less than such value.

Illustration 1 Provided in Rule 10CA(4)—The data for the current year of the comparable uncontrolled transactions or the entities undertaking such transactions is available at the time of furnishing return of income by the assessee and based on the same, seven enterprises have been identified to have undertaken the comparable uncontrolled transaction in the current year. All the identified comparable enterprises have also undertaken comparable uncontrolled transactions in a period of two years preceding the current year. The Profit level Indicator (PLI) used in applying the most appropriate method is operating profit as compared to operating cost (OP/OC). The weighted average shall be based upon the weight of OC as computed below :

From the above, the dataset will be constructed as follows :

For construction of the arm's length range the data place of thirty-fifth and sixty-fifth percentile shall be computed in the following manner, namely:

Total no. of data points in dataset *(35/100) Total no. of data points in dataset *(65/100)

Thus, the data place of the thirty-fifth percentile = 7*0.35=2.45.

Since this is not a whole number, the next higher data place, i.e. the value at the third place would have at least thirty five per cent of the values below it. The thirty-fifth percentile is therefore value at the third place, i.e. 8.2%.

The data place of the sixty-fifth percentile is = 7*0.65=4.55.

Since this is not a whole number, the next higher data place, i.e. the value at the fifth place would have at least sixty five per cent of the values below it. The sixty-fifth percentile is therefore value at fifth place, i.e. 10.57%.

The arm's length range will be beginning at 8.2% and ending at 10.57%.

Therefore, if the transaction price of the international transaction or the specified domestic transaction has OP/OC percentage which is equal to or more than 8.2% and less than or equal to 10.57%, it is within the range. The transaction price in such cases will be deemed to be the arm's length price and no adjustment shall be required. However, if the transaction price is outside the arm's length range, say 6.2%, then for the purpose of determining the arm's length price the median of the dataset shall be first determined in the following manner:

The data place of median is calculated by first computing the total number of data point in the dataset * (50/100). In this case it is 7*0.5=3.5.

Since this is not a whole number, the next higher data place, i.e. the value at the fourth place would have at least fifty per cent of the values below it (median).

The median is the value at fourth place, i.e., 9%. Therefore, the arm's length price shall be considered as 9% and adjustment shall accordingly be made.

This article is contributed by Partners of SBS and Company LLP – Chartered Accountant Company You can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it.

Significance of Maintenance of Cost Accounting Records:

Most of the companies in present day business scenario may be maintaining the cost records only for internal purpose or to comply with the statutory requirements. But maintaining the cost records in formal and systemic manner helps the companies to cater various other needs.

These cost records help operations management team, promoters, government in making very important decision relating business. Many times, management need cost data to make decisions such as CAPEX, pricing, inventory valuation, cost control etc. Government need costing data to decide on product pricing for critical and important products in the economy, levy anti dumping duties, provide assistance in the form of subsidy etc. Cost data apart from financial data assists regulatory and tax authorities in their departmental audits.

Read more: Significance Of Maintenance Of Cost Accounting Records And Cost Audit

Note is divided into two chapter’s i.e. Chapter I covering Law and Chapter II covering the deduction based on the law.

Chapter I

The following are some of the important definitions as per the Information Technology Act 2000.

Section 2 (i) "computer" means any electronic magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

Section 2(j) "computer network" means the interconnection of one or more computers through— (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;

Section 2(k) "computer resource" means computer, computer system, computer network, data, computer data base or software;

Section 2(l) "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

Section 2(n) "cyber security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.

Section 2 (o) "data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

Section 2 (t) "electronic record" means data, record or data generated, image or sound stored, receivedor sent in an electronic form or micro film or computer generated micro fiche;

Section           2          (v) "information" includes data, text, images, sound, voice, codes, computer programmes,software and databases or micro film or computer generated micro fiche:

Section 2 (w) intermediary", with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web- hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes;'.

Section 2 (za) "originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;

Section 2 (ze) "secure system" means computer hardware, software, and procedure that—

(a) are reasonably secure from unauthorised access and misuse;

(b) provide a reasonable level of reliability and correct operation;

(c) are reasonably suited to performing the intended functions; and

(d) adhere to generally accepted security procedures;

The following are some of the important sectionsof the Information Technology Act 2000. Section 43 - Penalty and compensation for damage to computer, computer system, etc

If any person without permission of the owner or any other person who is in charge, of a computer, computer system or computer network,—

(a) accesses or secures access to such computer, computer system or computer network; or computer resource

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means,

(j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage".

"he shall be liable to pay damages by way of compensation to the person so affected"]

Explanation.—For the purposes of this section,—

(i) "computer contaminant" means any set of computer instructions that are designed—

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

"computer database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

"computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

(v) "computer source code" means the listing of programme, computer commands, design and layout and programme analysis of computer resource in any form."

Section 43A - Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. -- For the purposes of this section,-‑

(i) "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Section 44 - Penalty for failure to furnish information, return, etc

If any person who is required under this Act or any rules or regulations made thereunder to—

(a) furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure;

(b) file any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues;

(c) maintain books of account or records fails to maintain the same, he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues.

Section 45 - Residuary penalty

Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay a compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

Section 65 - Tampering with computer source documents

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Explanation.—For the purposes of this section, "computer source code" means the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form.

Section 66 - Computer related offences

If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Explanation.-- For the purposes of this section,-‑

(a) the word "dishonestly" shall have the meaning assigned to it in section 24 of the Indian Penal Code; (45 of 1860).

(b) the word "fraudulently" shall have the meaning assigned to it in section 25 of the Indian Penal Code(45 of 1860).]

Section 67C - Preservation and retention of information by intermediaries

• Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
• any intermediary who intentionally or knowingly contravenes the provisions of sub-section (1) shall be punished with an imprisonment for a term which may extend to three years and also be liable to]

Section 72 - Penalty for Breach of confidentiality and privacy

Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 72A - Punishment for disclosure of information in breach of lawful contract

Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.’]

Section 79 - Exemption from liability of intermediary in certain cases

(3) The provisions of sub-section (1) shall not apply if‑

(a) the intermediary has conspired or abetted or aided or induced, whether by threats or promise or otherwise in the commission of the unlawful act;

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner.

Explanation.-For the purposes of this section, the expression "third party information" means any information dealt with by an intermediary in his capacity as an intermediary.

The following are some of the important Rules of Information Technology (Intermediaries guidelines) Rules, 2011

2. Definitions.-‑

(d) "Cyber security incident" means any real or suspected adverse event in relation to cyber security

that violates an explicitly or implicitly applicable security policy resulting in unauthorised access,

denial of service or disruption, unauthorised use of a computer resource for processing or storage of

information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(h) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(i) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(j) "User" means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

3. Due diligence to be observed by intermediary.-‑

The intermediary shall observe following due diligence while discharging his duties, namely : -‑

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary's computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that -‑

(a) belongs to another person and to which the user does not have any right to;

(b) is grossly harmful, harassing, blasphemous; defamatory, obscene, pornographic, paedophilic,

libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

harm minors in any way;

infringes any patent, trademark, copyright or other proprietary rights;

violates any law for the time being in force;

deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

impersonate another person;

contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

• The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):

Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2) -‑

• temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
• removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;
• The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.
• The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

• The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

   

   

The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and

information contained therein following the reasonable security practices and procedures as

prescribed in the Information Technology (Reasonable security practices and procedures and

sensitive personal information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

The following are some of the important Rules of Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

2. Definitions.-‑

(b) 'Biometrics" means the technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA' for authentication purposes;

(c) "Body corporate" means the body corporate as defined in clause (i) of explanation to section 43A of the Act;

(d) "Cyber incidents" means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) "Information" means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(g) "Intermediary" means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(h) "Password" means a secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information;

(i) "Personal information" means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

3. Sensitive personal data or information.-‑

Sensitive personal data or information of a person means such personal information which consists of information relating to;-‑

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

provided that any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

4. Body corporate to provide policy for privacy and disclosure of information.-‑

The body corporate or any person who on behalf of body corporate collects, receives, posses, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for‑

(I)        clear and easily accessible statements of its practices and policies;

• type of personal or sensitive personal data or information collected under rule 3;
• purpose of collection and usage of such information;
• disclosure of information including sensitive personal data or information as provided in rule 6;
• reasonable security practices and procedures as provided under rule 8.

5. Collection of information.-‑

• Body corporate or any person on its behalf shall obtain consent in writing through letter or fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.
• Body corporate or any person on its behalf shall not collect sensitive personal data or information unless -‑
• the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
• the collection of the sensitive personal data or information is considered necessary for that purpose.
• While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of -‑

• Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.
• The information collected shall be used for the purpose for which it has been collected.
• Body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible:

provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to such body corporate or any other person acting on behalf of such body corporate.

(7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information to not to provide the data or information sought to be collected. The provider of information shall, at any time while availing the services or otherwise; also have an option to withdraw its consent given earlier to the body corporate. Such withdrawal of the consent shall be sent in writing to the body corporate. In the case of provider of information not providing or later on withdrawing his consent, the body corporate shall have the option not to provide goods or services for which the said information was sought.

(8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8.

(9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance.

6. Disclosure of information.-‑

(1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation:

Provided that the information shall be shared, without obtaining prior consent from provider of information, with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. The Government agency shall send a request in writing to the body corporate possessing the sensitive personal data or information stating clearly the purpose of seeking such information. The Government agency shall also state that the information so obtained shall not be published or shared with any other person.

(2) Notwithstanding anything contained in sub-rule (1), any sensitive personal data or Information shall be disclosed to any third party by an order under the law for the time being in force.

(3) The body corporate or any person on its behalf shall not publish the sensitive personal data or information.

(4) The third party receiving the sensitive personal data or information from body corporate or any person on its behalf under sub-rule (1) shall not disclose it further.

7. Transfer of information.-‑

A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

8. Reasonable Security Practices and Procedures.-‑

(1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated/under the law, that they have implemented security control measures as per their documented information security programme and information security policies.

(2) The international Standard IS/ISO/IEC 27001 on "Information Technology -Security Techniques - Information Security Management System - Requirements" is one such standard referred to in sub-rule (1).

(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub­rule(1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule

(3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried cut by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

Chapter II

Deduction Based On Law

The information technology Act 2000, though Section 2 (w) outlines “intermediary", to include telecom service providers, network service providers, internet service providers, web- hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

Further section 43 (A) Explanation (i) enumerates that "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Thus as per the above the proposed entity is a body corporate and falls within the meaning of intermediary.

Section 43 (A) imposes penalty by way of damages on body corporate if it fails to protect confidential information / sensitive personal data by not adhering to instil reasonable security practices and procedures.

Section 72 A imposes punishment with imprisonment for a term which may extend to 3 years or with fine which may extend to 5 lakhs rupees or with both if any person including an intermediary discloses material containing personal information with an intent to cause or knowingly that he is likely to cause wrongful loss or wrongful gain to any third person in breach of a lawful contract entered between intermediary on the originator. In the present scenario, if the personal information of the user who has availed the services from the proposed entity under a contract, comes out in the public, then the proposed entity will be held liable for such breach of confidentiality.

However as a saving grace section 79 lays down certain exemptions which an intermediary and claim as immunity.

The Information Technology (Intermediaries guidelines) Rules, 2011 govern the operations of Intermediaries which is enumerated though rule 3 therein, which also provides the nature and scope of the privacy policy of the Intermediaries.

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are the key to the operations of the proposed entity ( considering the nature of services that it wants to offer).

Rule 3 outlays the Sensitive personal data or information of a person as following :

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:

Rule 4 provides for the mature and scope of the privacy policy and Rule 5 provides for the system through which the Sensitive personal data is obtained.

Rule 8 lays down the standards for reasonable security practices and procedures to be employed while obtaining the Sensitive personal data and more particularly states that the international Standard IS/ISO/IEC 27001 on "Information Technology -Security Techniques - Information Security Management System – Requirements should be in place.

This article is contributed by Partners of SBS and Company LLP - Chartered Accountant Company. You can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it.