INTRODUCTION
In 2016, debit cards of multiple Indian banks including SBI, HDFC, ICICI etc. were compromised which resulted in gargantuan drive to replace the cards in India. The State Bank of India alone reportedly replaced around 6 lakh cards. In March 2018, millions of Facebook accounts including that of multiple Indians were breached by a political marketing firm, Cambridge Analytica. A few days ago, websites of Ministry of Defence, and Home had allegedly come under cyber-attack. All of these incidents point towards the need to overhaul under-developed cyber security and data protection laws in India.
No Specific Legislation on Privacy and Data Protection
In 2018, the Supreme Court of India in Retd. Justice Puttaswamy & Ors. v UOI held privacy to be a fundamental right subject to reasonable restrictions under Article 21 of the Constitution. However, unlike the USA or the Canada, India does not have a specific legislation on privacy and data protection. The Information Technology Act, 2000 enumerates certain provisions to protect data. It bestows legal recognition to electronic documents, digital signatures, and incorporates penal provisions for cyber crimes. The Act has an extra-territorial applicability i.e. it is applicable to offenses committed outside the territory of India. The USA has enacted Federal Trade Commission Act to protect data and privacy of consumers. Canada has Personal Information and Protection and Electronic Documents Act (PIPEDA) which has elaborately formulated rules to collect, use and disclose personal data..
Sensitive Personal Data or Information
Section 43A of the Act provides that whenever a body corporate in negligent in possessing, dealing or handling any sensitive personal data or information in a computer resource it owns, controls or operates, it shall be liable to pay damages. Section 43A is applicable only when the body corporate uses sensitive personal data or information (SPDI). By virtue of powers conferred by Section 87(2) read with Section 43A of the Act, the Central Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules are applicable only on bodies corporate or persons located in India. They do not have extra-territorial applicability.
What exactly is regulated by the SPDI Rules
Rule 3 enumerates an exhaustive list of what constitutes “sensitive personal data or information”. It includes passwords, financial information, sexual orientation, medical records and history, biometrics etc. However, if any of these information is present in public domain, or has been furnished under the Right to Information Act, 2005, then it shall not be regarded as SPDI.
When the Government can intercept, monitor and decrypt data
Under the provisions of Section 69 of the Act, the Government has the “power to issue directions for interception or monitoring or decryption of any information through any computer resource”. Section 69 marks departure from the general rule of safeguarding privacy and information. It lays down conditions including public order, investigation of any offence, security of the State, sovereignty or integrity of India etc., in which the Government might intercept or monitor or decrypt such information. This provision incorporates both interception and monitoring of data along with decryption to investigate cyber crimes. By virtue of Section 69 of the Act, the Government has notified the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 along with Information Technology(Procedures and Safeguards for Blocking for Access of Information) Rules, 2009.
Tampering with Computer Source Documents, and Hacking with Computer System
Section 65 of the Act penalises intentional acts of concealing, destroying or altering or causing anyone else to conceal, destroy or alter any computer source code, computer programmer, computer system or computer network, with imprisonment up to three years, or fine up to two lakh rupees, or both.
Penalty for Breach of Confidentiality and Privacy
Section 72 of the Act imposes criminal liability on any person who in pursuance of powers granted under the Act secures access to “any electronic record, book, register, correspondence, information, document or other material” without seeking consent of such person. Section 72 imposes penalty of up to two years of imprisonment, or fine up to one lakh rupees, or both. Section 72 is applicable only when such breach takes place in the course of exercising powers conferred by the Act. Section 72A, on the other hand, is applicable on unauthorised disclosure of information by “any person”. The phrase “any person” also includes an intermediary. Section 72A provides that information disclosed should be obtained due to services provided under a lawful contract without the consent of such person in order to cause, or knowing that it shall cause wrongful gain or wrongful loss.
Adjudicatory Mechanism and Remedies Provided Under the IT Act
The Act lays down both civil as well criminal remedies in chapter IX and XI respectively. Usually, there is no bar to pursue both the remedies simultaneously. Chapter X of the Act stipulates for the constitution of the Cyber Appellate Tribunal which shall have powers of a civil court (Section 58) for the purposes of Section 195 and Chapter XXVI of the Code of the Criminal Procedure, 1973. This however, is specific to contraventions of the Act under Chapter IX i.e. to civil remedies.
Cognizance of Offences Under Chapter XI of the Act
Section 78 of the Act provides that a police officer of the rank of Deputy Superintendent of Police or above shall investigate offences committed under this Act. States like Uttar Pradesh, Karnataka and Delhi have cyber crime cells to investigate offences committed under this Act. There is no formulated procedure for prosecuting cyber offenders. Therefore, the Code of Criminal Procedure, 1973 is applicable on the offences committed under this Act.
Conclusion
The Act was substantially amended in 2008. The Amendment aimed to bridge the lacunas and loopholes in the original Act. The Amendment Act was criticized for reducing the quantum of penalties and lacking safeguards to shield the civil rights of individuals. Despite the criticisms, the amendment actually broadened the scope of the original Act. However, one of the major concerns in this age of big data is the insufficiency of Act to protect the privacy and sensitive personal information of individuals. To address these concerns, the Act requires thorough overhauling to make it competent to deal with cyber wars, data breaches, spamming, privacy protection and phishing.