Cyber Law And Data Protection In India: Laws Related To Cybercrimes, Data Privacy, And It Act Compliance

KEY TAKEAWAYS

• Cyber law is any branch of law dealing with Information systems, Computers, electronics, software & hardware, legal informatics, etc. It currently offers a legal perspective to deal with cybercriminal activities, manage the use of the internet and also safeguard one’s privacy while interacting online.
• The offenders who commit computer-related crimes while physically located in foreign countries are also punishable under the Information Technology Act of India, thus, the law is not restricted to India alone, but is reciprocated in nature. This is evident looking at various countries across the globe that have set policies to protect the personal data of their citizens through enacting laws such as the General Data Protection Regulation (GDPR) in the European Union (EU) and the Personal Information Protection and Electronic Documents Act in Canada (PIPEDA).
• To regulate the use of information technology and communication and to secure the rights of individuals, the Indian Parliament passed the Information Technology Act in 2000 which also has been amended subsequently. For instance, Section 43A makes it unlawful for corporations to underprotect data in their possession through negligence, while Section 72A punishes anyone who divulges information that is protected legally, both of which help to keep data protection and privacy in check.

INTRODUCTION

The term ‘Cyber Law’ is formed by coming together the two words, ‘cyber’ and ‘law’ ‘Cyber Law’ deals with the Internet laws and regulations linked with modem technology. The term ‘Cyber’ is associated with information technology and computing or internet usage however ‘law’ is procedures, laws, rules or some sort of regulation formulated by society to contain any kind of unrest or disharmony. Laws and regulations have been instituted in various fields of life and among them cyberlaw is the systematic legal consideration of the internet, information in digital form, software and computer security. A fitting introduction to cyber law is: It means it symbolizes situations where there are mere laws in the era when everything is increasingly going paperless. Cyber laws refer to laws governing the use of the internet and laws that shield individuals’ identity when they are using the internet. Learning about the computer and its peripheries can be a very general subject and it covers subjects like legal informatics and electronic elements like information systems, computers, software, and hardware. Cyber law is lucrative in that it offers legal mechanisms that could be used to address cyber crimes. According to the data obtained in January 2021, the total number of victims was 4%. Today the internet user is estimated at 66 billion and this number is expected to rise by 7% every year which equates to approximately 875000 new users every single day. Thus, it is imperative to regulate the use of cyberspace through cyber laws due to the increased uptake of cyberspace. In this era, as technology advances, the virtual, once a mere tool for accessing information, becomes a platform for interacting and transacting. This singular technological advancement has become an indispensable tool in our everyday activities thus resulting in increased and frequent occurrences of cybercrimes. Cyber law is a general term and it covers other general laws and some specific laws as well as laws for specific purposes. Cybercrimes include those that are committed against one person or organization, another organization or a government. Some of the cybercrimes that may be committed by individuals and involve violation of cyber law and internet laws include Cyberstalking, Cyberbullying, cyber pornography and child pornography, cyber threatening, cyber defamation, and identity theft.

Some of the cybercrimes involving government agencies and organizations include Terrorist activities, misuse of power and authority, hacking into national security systems, leaking of classified information, and sabotaging aimed at some businesses. It encompasses areas such as privacy and governance of rights including freedom of speech and right to information, protection against cyber-crimes, management of fraudsters, and spams, and e-commerce regulation. The Information Technology Act provides the following definition of data: data means information, knowledge, facts, concepts, instructions, being prepared in, processed or processed by the computer system or network in any form consisting of computer printouts or in magnetic or optical storage media or punched cards or nearly computer internal memory and for the other, data definition is a fact that it is a number, measurement, observation, password, etc. It also includes ‘any other electronic information that is available with public or private service providers’, which also includes both static contents and transactional contents as per the electronic consent model prescribed by the Digital Locker Authority. Personal data concerns a particular person’s identity factors, such as name, residential address, e-mail address, telephone number, Aadhaar number, Internet Protocol Address, or any health record. The need to protect data comes with the worries of data leakage, whereby information is extracted by unauthorized people, which has bad impacts on individuals and businesses. Effective ways to combat theft of data are as follows: How to safeguard yourself against data theft: coupled with the help of passwords, such as WPA or WPA2, for secured wireless networks, using encryption to safeguard stored data on laptops, and maintaining the laptops fully updated with the latest necessary software. It refers to the aluminium measures and processes adopted to ensure that data is secure from loss or theft and is not corrupted in the process, and in the worst-case scenario, the extent of damage is limited. It also ensures that there is privacy and protection by dictating how personal and important data should be gathered and managed depending on the degree of data risk and value. As already stated, data protection is a global issue that applies to every person, business, and government depending on the relevant context. This is evident since data protection focuses on the need to protect significant data and ensure people do not gain access to it. For instance, when joining a company one fills in the personnel details in the Human resource section; such details are kept secret; this builds confidence. It also protects against hackers and fraudulent transactions which helps in cost savings and ensures that there is better management and ethical business practices which could lead to business success. 

Some of the difficulties that are associated with the protection of information include the following; There are no standard policies across the globe, the implementation of protection measures costs a lot of money, a lot of time is spent on protecting information and lastly, there is a need for professionals in protection of information. Continuous technological development is hard to embrace and to incorporate new changes in the technological sector into consideration. The Constitution of India does not contain a specific provision for the protection of the right to privacy; however, various decisions stated that this right is inherent in the Constitution above all, in Article 21 of the Constitution which guarantees the right to life and personal liberty. The then historic judgement of the SC in the landmark case – “K. S. Puttaswamy (Retd. ) v Union of India” settled this debate and established that privacy is a constitutionally protected right recognised under Article 21 of the Indian Constitution. This particular case was filed against the Indian government and its scheme known as Aadhaar pointing out that it infringed upon the right to privacy. The Supreme Court’s ruling holds a special place for the protection of the Right to Privacy as a fundamental right and thus against data theft and for protecting the personal data of individuals. This judgment has given rise to a rethinking of the Aadhaar Card and privacy and thereby the six fundamental rights that are under threat by the implementation of the Aadhaar Card. It also led to recent changes that can be seen as the government’s positive response, including the reform of surveillance to make it more transparent and better regulated by the judiciary. One must acknowledge that the recognition of the right to privacy as a fundamental right marks a step forward in matters regarding the protection of personal data and the recognition of individual privacy in India.

EVOLUTION OF DATA PROTECTION LAWS

Data privacy has not always been a burning issue, however, data as private property was recognized in 1604 in Semayne’s case, where it was said that every man’s house is his castle and fortress. The concept of privacy changed its meaning over time, and many discussions started with an article in the Harvard Law Review by Attorney Samuel Warren and Justice Louis Brandeis, aptly named “The Right to Privacy,” where the protection of privacy was identified as one of the significant forms of freedom in the post-industrial society. The modern notion of privacy first originated in the year 1948, when the concept of privacy entered the human legal framework via the Universal Declaration of Human Rights (UDHR) under Article 12(4). 

More development on privacy protection was done by the Organisation for Financial Cooperation and Development (OECD) when it issued its guidelines on the protection of privacy and the trans-border flow of personal data in 1980.  This led to the beginning of the formulation and adoption of the nation’s data privacy laws with the first one being that of Germany in 1970. 

The historical background of data protection bills can assist us in comprehending why it is crucial amidst historical events. The Data Protection Bill, 2019, has been subject to intense discussions because of the problems concerning state data access, the perspectives of technological development and economic growth, and the reinforcement of data localization demands. The Joint Parliamentary Committee (JPC) has scrutinized this bill thoroughly, and after going through its analysis in the year, 2021, it removed many of the problems highlighted initially for formulating the revised bill known as the Digital Personal Data Protection Bill 2022. The foundations for this were laid by the B. N. Srikrishna Committee, which in 2018 prepared a draft report titled "A Free and Fair Digital Economy: While this proposed bill was similar to the GDPR, specifically focusing on controlling data through individual consent and placing certain responsibilities on data fiduciaries. Each of the above drafts contributes to the DPDP Act, 2023 in some ways: While giving individuals considerable autonomy to decisions over the handling of their data, the legislation enshrines the rights to access, rectify, erase, and restrict processing. It also places absolute requirements on the data fiduciaries for honourable and legal processing of the data. 

It comprehensively defines personal data, with certain data categorized as sensitive personal data where special protection is warranted; personal data principle rights that allow the data subjects to control the processing of their information; data fiduciary requirements to get prior consent and apply proper safeguards; limitations on the transfers of data across borders; and enforcement agencies such as the Data Protection Board of India and the Appellate Tribunal in India. While the DPDP Act brings a significant change in individual privacy protection provisions in the country, this is highly dependent on its implementation and encouragement of legal actions for the enforcement of its provisions. Some of the main issues are: Developing the capacity of the Data Protection Board of India; Achieving an adequate level of protection of the individual’s privacy rights while promoting values such as innovation, and economic growth; International standardisation and recognition of the adequate level of data protection to support the free movement of data across national borders and international trade.

Recapitulating, as early as 2017, B. N. Srikrishna Committee was set up with the mandate of putting in place the regulation structure for the protection of personal data in India. In the same year, “in KS Puttaswamy v Union of India, the Supreme Court of India” established the right to privacy as a fundamental right under the Constitution. relative to 2018, the committee drew up another draft report highlighting the principles of data processing: individual consent and documented liabilities regarding data fiduciaries. Some of the key provisions of the GDPR were the right to be forgotten which enables individuals to place limitations on how their data will be used, and or erased; and the creation of a Data protection authority (DPA). The government proposed a new law to regulate the collection and processing of personal data of its citizens by all forms of organizations that work inside India, with severe punishment rates for violators. Some of the key implementation requirements for data fiduciaries were that data should be used for reasonable and specified purposes, while user protection was based on principles of data transparency and security. Other areas that were under the law included Data processors outside India but operating or profiling that may infringe on the privacy rights of data principals within India. The committee also emphasised that it would not have any backdate effect, but would have implications for other legislation – the Aadhar Act and the RTI Act – on data protection that needed enhancements.

Some of the schedular requirements found under the Act for passing include; Public interest, law and order, emergency, employment, reasonable purpose or need, state security, legal process, and research or journalistic purpose. It permitted data transfers across borders but on certain prescribed safeguards and norms; also prescribes that sensitive human data should be processed only in India. Child safeguarding was possible by putting special measures such as restricted use of features such as tracking and advertising.

However, the issues have been raised against the backdrop of the draft bill where criticisms were made arguing that the bill allowed the performance of governmental functions to process personal data in defiance of the “Puttaswamy ruling”, and a lack of regulation for surveillance. These considerations contributed to the changes and adoption of the Personal Data Protection Bill in 2019 which was transformed into the DPDP Act, 2023, showing that there is a middle ground to be attained between personal privacy and data protection on the one side and technological advancement, digital business, and economic development on the other.

LAWS RELATED TO CYBER CRIMES, DATA PRIVACY, AND IT ACT COMPLIANCE

Cybercrime is defined as actions that involve the use of computers or related equipment or are connected to a computer network. Computer crimes are executed for a specific purpose; sometimes, as a way of achieving personal gains by the perpetrator, while in other cases; the intention is to harm or destroy the computer that is being targeted. Moreover, the use of computers or networks leads to the dissemination of malware, unlawful information or pictures, and other defiant contents or data. Various criminal activities can be committed through cybercrimes for monetary benefits such as ransom or cyber terrorism, cyber frauds such as phishing, 419 and identity theft, frauds of accounts and payment cards etc. Cybercriminals might also seek to gradually obtain, purchase and sell personal and corporate information.

Cyber crimes are covered by the Information Technology Act in India of the year 2000 along with the Indian Penal Code of the year 1860. The Information Technology Act, of 2000 also covers issues concerning computer crime and electronic transactions. But, in 2008 several changes were incorporated concerning the Act which deals with the definition and punishment of cybercrime. Therefore, provisions under the Indian Penal Code of 1860 and the Reserve Bank of India Act were modified to strengthen legal actions against cyber crimes.

Types of Cyber Crimes

• Child Pornography or Child Sexually Abusive Material

Child sexual abuse materials (CSAM) as any content that involves sexually abusing or exploiting children. The Indian law concerning child pornography is enshrined in a section of the IT Act passed by the Indian parliament and is named Section 67(B) which states that whoever publishes or transmits any obscene material, depicting children or any person in the sexually explicit act in any electronic form shall be presumed to have committed an offence.

• Cyber Bullying

Cyberbullying is a form of bullying that takes place through technology, such as through a computer, tablet, mobile phone, or laptop. This type of bullying is done through computers, mobile devices, the internet, and other technical devices like social networking sites and sites that provide games and messaging platforms. It often entails the use of gestures or therapies that are performed severally in an attempt to threaten, upset or embarrass the targeted individuals.

• Cyberstalking

Cyberstalking involves an act of perpetuating aggression and unwanted attention to another individual via communications technologies and the internet. This can be through texts, emails, social media updates and the likes which can at many times be ceaseless, systematic and meticulous.

• Cyber Grooming

Cyber grooming is a process where a person or a group of persons target a teenager to sexually exploit the teenager by coaxing or even lusting the teenager into making sexual advances

• Vishing

Vishing involves stealing a victim's confidential information through phone calls. Cybercriminals use sophisticated social engineering tactics to convince victims to divulge private information, gaining access to personal accounts. Like phishing and smishing, vishing deceives victims into believing they are being polite by responding to the call, with callers often pretending to be from the government, tax department, police, or the victim’s bank.

• Phishing

Phishing fraud involves sending emails that appear to be from legitimate sources but contain malicious attachments designed to steal personal information such as IDs, IPINs, Car numbers, expiration dates, CVVs, etc., which are then sold on the “Dark web”.

• Online Sextortion

Online sextortion occurs when a cybercriminal threatens to publish sensitive and private material unless the victim provides a sexual image, sexual favour or money. 

• Smishing

Smishing fraud uses text messages to trick victims into calling a fake phone number, visiting a fraudulent website, or downloading malicious software.

• Bank Fraud

This involves using another person’s electronic signature, password or any unique identifier without their consent with a criminal intention to defraud. Temperately, fraudulent use of another person’s credit card or debit card such as making unauthorized charges or withdrawals is referred to as card fraud. 

• Identity Theft and Impersonation

This becomes the case when either the debit/credit number or personal identification number (PIN) gets into the wrong hands of fraudsters be it employees of the establishment or hackers.

INFORMATION TECHNOLOGY ACT, OF 2000 (IT ACT)

The first law in India regulating the use of information technology in the country is the Information Technology Act, passed by the Indian Parliament in 2000. It also seeks to authorise electronic contracts including those conducted through electronic data interchange or other electronic mediums known as Electronic Communication and Information Storage. The Act enables the submission of documents to the offices of the government through electronic means, and it also customizes several laws such as the Indian Penal Code, the Indian Evidence Act, of 1872, the Banker’s Book Evidence Act, of 1891, the Reserve Bank of India Act, 1934, and the other associated laws. Since the damages caused by such cyber-attacks have escalated and technology is in most cases; inadequately interpreted, changes have been made to the legislation. These amendments reflect the serious measures and consequences brought into the Indian Parliament, but to safeguard the sectors, such as e-governance, e-banking, and e-commerce. The transfers of contemporary communication devices are the domain of the IT Act scope. It consecrates electronic ways of accepting contracts with legal tender thus making such contracts as legal and binding as any other standard contracts. It has established a framework to foster the development of electronic commerce thereby enhancing the idea advancement achieve its objective of creating an optimal environment for the advancement of electronic commerce. This Act is important in the Indian legal system as it provides a framework that directs the investigation for regulating cybercrimes. Other sections that deserve recognition are section 43, in which different forms of cybercriminal activities like intentionally harming any computer without the approval of the owner are considered a crime, with the owner having a right to receive back the amount spent on repair. For instance, in the case of “Poona Auto Ancillaries Pvt. Ltd. The Punjab National Bank” has a legal responsibility to compensate the head of the firm, Mr Santosh Patil, and rs. 45 lakh to the head of the firm as he became a victim of phishing attacks caused by the negligence of the concerned bank.

Section 66 is defined as dishonest or fraudulent conduct as described in Section 43, with Equal punishment of three years of imprisonment or a fine towards the amount of rupees five lakhs. In the “Kumar v. Whiteley case”, the accused was found guilty of unauthorized access and modification to the database and this made them sentenced to one-year rigorous imprisonment as well as a fine of Rs 5000. Section 66B lays down provisions on the following, receiving any stolen communication apparatus or computer with fraudulent intention for which the offender may be put behind bars for a term which may extend to three years along with a fine which may extend to Rs 1 lakh. Another section that speaks of password hacking or identity theft is Section 66C, whereby the punishment can be up to 3 years of imprisonment along with a fine of Rs 1 lakh. Section 66D: Cheating by personation using computer resource: whoever cheats shall commit cheating by personation using computer resource shall be punished with imprisonment to 3 years along with a fine up to Rs 1 lakh. Section 66E relates to the use of computers to publish or transmit material depicting any person engaged in sexual activity or involved in a state of undress, with penalties of up to three years of imprisonment along with fines up to Rs 2 lakhs. Cyber terrorism is for which Section 66F has been enacted and the entrepreneurs that send threatening e-mails to the Bombay Stock Exchange and National Stock Exchange get life imprisonment. The last crucial Section 67 deals with the publication and transmission of obscene material through electronic media which is punishable with the holding of imprisonment up to five years with a fine which can extend up to Rs Ten Lakh.

INFORMATION TECHNOLOGY ACT COMPLIANCE

The IT Industry is today among the leading industries in India with its market value reaching USD 180 in 2021. As this sector continues to expand, compliance with the relevant regulations has become very essential. It also elaborates on the kind of regulatory bodies and compliances for data protection and cybersecurity, IPR, e-commerce, and Startups in the Information Technology industry in India. The Ministry of Electronics and Information Technology (MeitY) is the leading ministry that has the power to formulate policies regarding the Information Technology industry. MeitY continues to develop numerous laws and policies regarding compliance and cybersecurity with the backbone law of the country being the Information Technology (IT) Act of 2000. This legislation concerns sectors involving electronic commerce, digital signatures, protection against cybercrime and data protection. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are rules framed under the Act that outlines rules and regulations concerning the collection, having, and storing of sensitive personal data by corporations. The Payment and Settlement Systems Act, of 2007 is the Indian law handling payment systems and includes RTGS, NEFT and IMPS systems among others. Currently, the Reserve Bank of India (RBI) has provided guidelines for IT governance and security in banking and financial institutions to protect information security primarily focusing on the principles of confidentiality, integrity, and availability. The Personal Data Protection Bill 2019 outlines the data control and usage of personal information, in a legal, reasonable and transparent manner. Further, the EU General Data Protection Regulation concerns organizations that process personal data of EU subjects. In India, the Information Technology Act, 2000 and the rules under section 43A and regulation of Sensitive Personal Data or Information, 2011 regulate data protection fairly and transparently. Companies must meet numerous data protection laws such as the data protection principles, asking for permission to process data and data protection principles on data control. Hacking, phishing and the involvement of malware pose some of the major problems affecting the IT industry and can lead to various problems such as data leakage, embezzlement and a negative perception of the organization. To mitigate these threats, the government of India has put into practice compliances including the IT Act, 2000 & Cyber Security Policy, 2013 that emphasize organizations to ensure that they enact sufficient security measures. CERT-In is a central agency for responding to Computer Emergence Response Team-India or computer security incidents. It assists government organisations, vital establishments, and organisations, to develop capabilities for anti-cybersecurity threats measures and avoiding cyber shocks. It covers a wide range of services such as incident response, vulnerability management and assessment, and security audit, among others, and works with organizations from different countries to share information and experiences.

The role of IPR in the IT industry is highly significant, mainly in those areas where data protection is required such as in software and databases. The Indian authorities of patents, copyrights, and trademarks are the Patents Act of 1970, the Copyright Act of 1958 and the Trade Mark Act of 1999 respectively. Organizations must ensure that it protect their intellectual property through trademarks, patents, and copyright registration as well as ensure that they respect the price control acts and licensing policies to avoid violating them. It became significant in the IT sector that business processes like an e-commerce transaction need to be governed by laws such as the Indian Contract Act of 1872 the Consumer Protection Act of 2019 and the Information Technology Act of 2000. To regulate specific aspects of contracting in e-commerce, the laws of the Indian Contract Act play a central role while consumers’ rights are protected under the Consumer Protection Act against unfair trade practices. The IT Information Technology Act was enacted to provide the legal framework for the conduct of e-commerce and other electronic transactions. Some of the e-commerce laws and rules in India are the FDI Rules for E-commerce Business and Marketplaces and E-commerce Companies FDI policies which include the Foreign Direct Investment (FDI) Policy of E-commerce Business 2018 that outlines the requirements and procedure for foreigners to invest in E-commerce ventures in the country.

CONCLUSION

New generation advancement in information and technology has been the cause of the need for appropriately structured cyber law and data protection laws in India. Cyber law is a comprehensive field of law that covers every issue about information technology networks, computers, as well as electronic transactions to design a legal approach to curb cybercriminal activities and protect users’ information. The National legislation that underlies the cyber law of India is the Information Technology Act of 2000 which has been reviewed through an amendment due to the rise of new threats in computerized crimes and protection of personal data. Several sections of this Act, namely sections 43A, 66, 66C and 67 contain provisions that reflect provisions of cybercrime and its nature that incorporate different forms of cybercrimes such as unauthorized access, cyber terrorism and transmission of obscene materials and contents.

With the cases from other jurisdictions, data protection laws have evolved in India with the help of the occurring global phenomena, including GDPR and the OECD guidelines. The newly passed DPDP Act of 2023 brings in a revolution because it ensures individuals’ privacy rights in modern society. This Act also formulates from the prior outlines and proposals that B. N. Srikrishna Committee for separate consent for collection and processing of data, data fiduciary, as well as strict control over personal data of the individuals who have sensitive profiles. This act also creates authorities such as the Data Protection Board of India to monitor compliance and ensure the enforcement of the act.

FREQUENTLY ASKED QUESTIONS

1.    Do Defamation laws fall under IT laws?

It is important to note that defamation laws may be related to IT laws when used in situations where one is committing online defamation. In India, general defamation laws have been couched under sections 499 and 500 of the Indian Penal Code (IPC) that envisage outlawing an act that tends to bring any person or group or entity into ridicule, contempt or shame. Cyberbullying can also be a form of defamation law, even though defamation has not been limited to traditional newspapers and magazines these recent years. Section 66A of the Information Technology Act, 2000 (Though pronounced unconstitutional in 2015) dealt with sending of, any information through a communication system viz. , an electronic mail or exchanging messages which are provocative or indecent or contain gruesome visuals. The recent repeal of the Section 66A has raised certain controversies but other sections of the IT Act like Section 67, concerned with the sending of obscene material through electronic platforms and Section 79 concerned with the liabilities of intermediaries or networking sites responsible for the management of contents inciting defamation are significant

2.    Can cyber crime cells freeze an individual’s bank account?

Police cyber crime cells have the power to freeze an account if it is considered compromised in any kind of fraud or cybercrime. This action is usually done when the investigations are still ongoing to save more money and also to preserve some vital pieces of evidence. In cases of freezing of accounts, precautions are observed in consultation with the banks and applicable laws as well as judicial procedures are followed to maintain legal procedures.

3.    What are the limitations of Cyberlaw?

Technology advances rapidly, and this results in a faster rate of changes in the social fabric as laws are put in place or proposed. This lag can keep existing regulations stale and rather less efficient than would otherwise be the case. Cyber criminals’ activities tend to have global jurisdiction issues since many cyber criminals act across different jurisdictions. Currently, there are separate laws in each country and flags in terms of enforcement, which makes it challenging to collaborate and apprehend culprits. This remains the case particularly because many people, companies, and even police departments can be ignorant or have minimal knowledge of cyber laws, therefore providing insufficient security and enforcement.