Cyber Law


This Essay is submitted by – Ragha Sudha R, B.Com., LL.B., (Hons.), School of Law, SASTRA Deemed to be University.

Introduction to Cyber Law

The technological advancement over the past era has increased the usage of computers and mobile phones. People are now dependent upon internet facilities (the World Wide Web) for everything. The internet has become popular for providing a platform for communication between people and for supplying information.

This concept of the internet does not exist in reality but only in the virtual world. Cyberspace is an extension of this idea of virtual reality. It is a notional environment in which communication over the internet takes place and an area where the information made available on the internet is stored. The information stored in cyberspace includes sensitive information and personal data, which can be misused. Hence there arises a necessity to safeguard this data and regulate the use of the internet through a legal infrastructure.

India has possessed an extremely detailed legal system with respect to various fields since independence. Yet, it was impossible to imagine the necessity for laws governing technology and cyberspace at that time. When this necessity came, the Information Technology Act, 2000 (also known as the cyber security law) was passed.

The scope of the IT Act, 2000 is quite wide. It aims at providing legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information and aims at facilitating electronic filing of documents with the Government agencies.[1] This Act was amended in 2008 owing to other developments in the field of Information Technology. Various pre-existing laws like the Indian Penal Code, 1860, the Indian Evidence Act, 1872, the Banker’s Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 have also been amended to incorporate the changes brought in by the advancement of technology as well as by the Information Technology Act.

Data Protection and Privacy:

An area that requires immediate attention now is the protection and privacy of personal data. Though the terms data protection and privacy are used synonymously, there is a fundamental difference between the two that can be explained through an example. When a consumer provides his bank details to a service provider, he does so in the belief that his details will be protected from cyber criminals and will not be misused by the service provider himself. The former, known as data protection, aims at protecting the data from third parties, and the latter, termed data privacy, prevents misuse of the data by the receiver of the data.

Personal data means any information relating to an identified or identifiable natural person[2]. Such sensitive data when made publicly available poses a greater risk because of the problems it creates due to its abuse. Security of personal data is a never-ending battle. Not even giants like Facebook and Twitter are able to provide complete privacy to the personal data of the users.

Absence of laws to protect personal data leads to an increase in various cybercrimes like cyberstalking, cyberbullying, cybertheft, harassment, dissemination of obscene material, defamation, hacking, assault by threat, cyber trespass, cheating and fraud. Apart from the crimes, misuse of personal data also violates the right guaranteed under the Constitution. Privacy as a right has developed and evolved over the years. It was first recognized in Kharak Singh vs. The State of U.P. and Ors.[3] and subsequently given the status of a fundamental right in Justice K.S. Puttaswamy and Ors. vs. Union of India and Ors.[4] where the apex court held that the right to privacy is an intrinsic part of the right to life guaranteed under Article 21. This puts pressure on the government to make laws to protect personal data available online.

Analysis of IT Act:

There are certain provisions in the IT Act, 2000 that provide for payment of compensation (Civil) and punishment (Criminal) in case of misuse or wrongful disclosure of personal data.

  • Section 43A imposes liability upon a body corporate by the way of compensation to the person so affected where the body corporate handling any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to that person.
  • Section 72 prescribes punishment for a person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses such material to any other person.
  • Section 72A prescribes punishment for a person including an intermediary who has secured access to any material containing personal information about another person under the terms of lawful contract and has intentionally and knowingly disclosed the same in breach of lawful contract without the consent of the person concerned.

The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which deal with protection of “Sensitive personal data or information of a person”. These rules prescribe reasonable procedures and practices which are required to be followed by a body corporate handling personal information to ensure security of such data. The rules state that the personal information consists of information relating to:

  • Passwords;
  • Financial information;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information.

Section 69 of the IT Act is an exception to the general rule of privacy since it prescribes the grounds on which any information including personal information in any computer resource can be intercepted, monitored or decrypted by the Government. It also empowers the Government to disclose such information in public interest.

Another exception where personal information of a person can be shared is by the order of the court or the consent of the person providing such information. In this case, the body corporate asking for such information should also disclose its privacy policy. However, owing to the huge percentage of the illiterate population in the nation, people are not aware that they have to give their ‘consent’ for the corporates to use personal information and therefore, it has been reduced to a mere formality. Moreover, not much importance is attached to the privacy policies, which are put up on the websites of the body corporates without following any guidelines.

In order to rectify this situation, Rule 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 was made which requires that the consent of the person providing information should be obtained in writing through letter, fax or e-mail and an option should be given to the discloser of the information to withdraw his consent later.

Despite the existence of laws, rules and regulations dealing with data protection and privacy, there are many instances of data breach. A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.[5] It is also called data spill, data leak or data theft. This might be caused due to physical breach, external hacking, insider threats or social engineering. An incident of data breach is a major concern since it breaks the element of trust that the provider of information has placed upon the body corporate.

In order to prevent such cybercrimes, certain basic principles for data protection and privacy should be adopted. One amongst them, the Data Minimization Principle, entails that personal data collected should be limited to what is necessary for the purposes and should not exceed what is adequate. Data Quality means rating data according to its relative importance and giving more protection to data that is more important. According to the principle of integrity and confidentiality, personal data should not be disclosed or used for purposes other than those specified except (a) with the consent of the person providing such information or (b) by the authority of law. As per the Security Safeguards Principle, protection against risks, loss, theft or unauthorized access should be given to personal information.

Conclusion:

As the nation is progressing towards a digitalized world, the privacy of people has become more and more important. At present, India’s data protection regime is governed primarily by the Information Technology Act and Rules. However, the need of the hour is to have a comprehensive law for data protection and privacy. India is moving in this direction and the Personal Data Protection Bill, 2018 has been drafted, which is on the lines of the EU GDPR regulations. This will be laid before the Parliament soon. Passing of this law will create a huge impact and make our nation legally safe in the field of data protection and privacy.

Edited by – Pragash Boopal

[1] Preamble to the IT Act, 2000.

[2] Regulation (EU) 2016/679 of The European Parliament and of the Council.

[3] A.I.R. 1963 S.C. 1295.

[4] A.I.R. 2017 S.C. 4161.

[5] United States Department of Health and Human Services, Administration for Children and Families.