Reading time : 12 minutes
Enterprises worldwide are becoming more aware and vigilant of privacy, data protection, and data breaches, and Indian corporations are gradually becoming more aware of these global trends. This insight was showcased by a recent Deloitte-Blanco survey of 60 Indian enterprises, in which 43% of respondents stated that they were completely aware of current and upcoming data privacy laws and regulations, while 57% of organisations were either slightly aware or completely unaware of current and upcoming privacy laws and regulations.
In recent years, there has been an increase in the number of cybercrimes all over the world. The theft and sale of stolen data are occurring across continents where physical borders have no restraint or appear to be non-existent in this technological era. It is worth noting that India, as the largest source of outsourced data, may become a hotbed of cybercrime due to the lack of express data protection legislation in the country.
In this era of global technological ecosystem growth, the result has been a two-edged sword with a signiﬁcant positive and a genuine negative side. One unintended consequence of rapid development and digitization is the birth of cyberspace.
Data protection is the process of preventing sensitive information from falling into the hands of the wrong people to prevent corruption and nepotism. Sensitive information protection is based on three key functions:
- Controlling physical and logical access to sensitive information,
- Individual accountability for that sensitive information and identiﬁcation of those who have access to it, and
- Audit trails, both physical and logical, of who accessed the sensitive information.
Simply put, the Indian IT Act is not a cybersecurity law and therefore does not deal with the nuances of cybersecurity, explains Dr Pavan Duggal, Advocate, Supreme Court of India and founder of Pavan Duggal Associates. “The IT Act also doesn’t address privacy issues-privacy is now a fundamental right and the law needs to speciﬁcally address privacy concerns, but that’s not the case”.
The Supreme Court of India, in the case of K.S. Puttaswamy v. Union of India, in which the ‘Aadhar Card Scheme’ was challenged on the grounds that collecting and compiling demographic and biometric data of the country’s residents to be used for various purposes violates the fundamental right to privacy enshrined in Article 21 of the Indian Constitution. The Hon’ble Supreme Court by its decision pronounced on August 24, 2017, unanimously held as under:-
- The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.
- Privacy is a constitutionally protected right that emerges primarily from the guarantee of life and personal liberty in Article 21 of the Constitution. Elements of privacy also arise in varying contexts from the other facets of freedom and dignity recognised and guaranteed by the fundamental rights contained in Part III.
Information and Technology Act, 2000:-
Section 43A of the IT Act states that a body corporate that possesses, deals with, or handles any sensitive personal data or information on a computer resource that it owns, controls, or operates is liable to pay if such body corporate is negligent in implementing and maintaining reasonable security practices and procedures, resulting in wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, which shall not exceed a sum of Rupees Five Crore.
Section 66C deals with identity theft and states that anyone who fraudulently or dishonestly uses another person’s electronic signature, password, or any other
unique identiﬁcation feature shall be punished with imprisonment for a term of up to three years and a ﬁne up to Rupees One Lakh.
Section 72A requires any person, including an intermediary, who has secured access to any material containing personal information while performing services under the terms of a lawful contract.
- The IT Act does not contain a deﬁnition of a data breach.
- The provisions of the IT Act only deal with the collection and distribution of information by a ‘body corporate’.
- IT Act does not include the overarching stipulation that interception can only transpire in the case of a public emergency or in cases involving public safety. Additionally, section 69 of the IT Act mandates that any person or intermediary who fails to assist the speciﬁed agency with the interception, monitoring, decryption or provision of information stored in a computer resource shall be punished with imprisonment for a term which may extend to seven years, and shall be liable for a ﬁne.
- The term “consent” has not been deﬁned under the IT Act.
The IT Act’s rules and provisions aimed primarily to protect ‘personal information and sensitive personal data or information,’ i.e. information relating to:-
- ﬁnancial information such as bank account or credit card or debit card or other payment instrument details;
- physical, physiological, and mental health condition;
- sexual orientation; and
- medical records.
However, information that is freely available in the public domain is not considered to be ‘sensitive personal data or information.’
Personal Data Protection Bill, 2018:-
It is important to note that there is no speciﬁc data protection legislation in India. The Personal Data Protection Bill, 2006, was introduced in the Rajya Sabha in 2006 with the goal of protecting an individual’s personal data and information collected for a speciﬁc purpose by an organisation and preventing its use by other organisations for commercial or other purposes.
Following the Supreme Court’s decision in Justice K.S. Puttaswamy v. Union of India (Right to Privacy Matter), which declared the right to privacy to be a fundamental right, it was felt that it was critical to protect personal data as a facet of informational privacy. As a result, the Personal Data Protection Bill, 2018, was introduced in Parliament, with provisions covering various aspects of data protection.
- According to the Justice Srikrishna Committee’s recommendations, courts of law and regulatory authorities should be allowed to develop principles of fair and reasonable data processing. The Bill requires data ﬁduciaries to collect data in a fair and reasonable manner that respects individuals’ privacy, but it does not explicitly specify a fair and reasonable manner of personal data processing, which could result in fairness and reasonability principles varying across ﬁduciaries processing similar types of data and ﬁduciaries in the same business evolving an approach.
- Data localization may have a negative impact on smaller data ﬁduciaries who resort to alternative cheaper storage mechanisms with increased compliance burdens and costs, and some of them may be discouraged from investing in India as a market due to extra costs incurred from putting up duplicate servers, as a result of which consumers may not have the option of availing services from all data ﬁduciaries. In some cases,
where the data ﬁduciary is registered as a foreign entity, law enforcement may not be accelerated. Furthermore, before mandating data localization, India must invest in and improve data centre infrastructure and grid capacity.
- Personal data may be processed if it is required for the performance of any function of Parliament or any State Legislature. The Bill allows for the processing of an individual’s personal data without their consent if it is required for any function of the Parliament or state legislature that is irrational and it is diﬃcult to predict the possibility of the Parliament or State Legislature accessing any personal data without the individual’s consent.
- The State has the authority to process data for the following purposes:-
- national security,
- the prevention, investigation, and prosecution of law violations,
- legal proceedings,
- personal or domestic purposes, and
- research and journalistic purposes.
A critical question is whether all of Bill’s exceptions are justiﬁed. In Puttaswamy v. Union of India, the Supreme Court allowed exceptions to an individual’s right to privacy only when a larger public purpose backed by law is satisﬁed by the infringement of an individual’s privacy, emphasising that the exemption must be necessary for and proportionate to achieving the purpose.
As a result, it is clear that a legal exception for national security may be justiﬁed. However, it is unclear whether exceptions for legal proceedings, research, and journalism purposes meet the requirements of necessity and proportionality.
- According to the Bill, the ﬁduciary must notify the DPA only if a data breach (i.e., accidental or unauthorised use or disclosure of data) is likely to cause harm to any data principal. The unanswered question is whether the ﬁduciary should have the authority to decide whether a data breach must be reported to the DPA. From a simple reading, we can deduce that the ﬁduciary has the authority to determine whether the data breach caused any harm to the data principal.
Also read: HUMAN RIGHTS IN INDIA: A BRIEF STUDY
This could lead to selective data breach reporting, preventing the DPA from being overburdened with low-impact data breach reports while also failing to meet the ﬁduciary responsibilities of duty reporting. In contrast, there may be a conﬂict of interest when deciding whether to report a breach, because the ﬁduciary is regulated by the DPA, and cases of breaches and promptness of notiﬁcation are evaluated in independent data audits ordered by the DPA, the results of which are summarised into a score, made public, and inﬂuence the insight of a ﬁduciary’s trustworthiness.
- When it comes to data breach notiﬁcations, the bill states that they must be made by the data ﬁduciary to the Data Protection Authority of India (DPAI) “as soon as possible” if they pose potential “harm” to data principals. However, there is ambiguity in this provision because it does not specify how soon and within what time frame the breach must be reported.
- It is unclear what a “serving copy” of data entails. It could be alive, real-time replication of data on a server in India, or a backup at a speciﬁc frequency. The exclusive deﬁnition is required because the expenses, implications, and execution timelines for ﬁduciaries would diﬀer signiﬁcantly depending on the exact nature of a serving copy. Furthermore, what constitutes “critical personal data” must be explicitly stated, as this is a necessary pre-requisite for ﬁduciaries to prepare for storing this data solely in India.
CYBER CRIME AGAINST WOMEN: LOOPHOLES IN OUR JUDICIARY
Since the virtual world is more fascinating, individuals are more attracted to it which leads to cyber-crime. Women, particularly young girls who are inexperienced in the cyber world and do not understand the vices of the internet, are the most vulnerable to falling prey to cybercriminals and bullies. There are still many sections of society that believe women are inferior to men and as a result, are not allowed to attend school and, as a result, are easily indoctrinated in cyberbullying. The increasing prevalence of cybercrime against women has resulted in a sense of insecurity among women.
The Parliament then recognised the need to protect citizens and enacted its ﬁrst cyberlaw, the Information Technology Act of 2000. It establishes the legal framework for e-commerce in India, and the Act has been signed by the President of India and is now the law of the land in India. The act’s goal is to create a legal framework that ensures the legal sanctity of all electronic records and other electronic-based activities. Although India was one of the countries to implement this act, it was still primarily focused on protecting e-commerce and communications under the IT Act, and cyberbullying on women was not covered under this act, leaving this pressing risk unaddressed.
This act contains numerous loopholes because it is not a cybersecurity law and thus does not address cybersecurity. The right to privacy is guaranteed by the Indian Constitution to all citizens. Cybercrime violates an individual’s right to privacy and the IT Act of 2000 makes no provisions for privacy. When the act was amended in 2008, it reduced the punishment and increased the penalties, assuming it would be beneﬁcial, but it is now proving to be a “toothless tiger.” The lack of strict data protection and privacy laws, combined with insipid, insigniﬁcant penalties, has resulted in India becoming a data-rich demographic for global heavyweights.
The nationwide lockdown imposed on March 25th to prevent the spread of the coronavirus was unable to halt the rise in the number of cybercrime cases
against women. Particularly during the lockdown, there was an increase in sextortion cases, which were targeted by “caged criminals.” According to National Commission for Women data, 54 cybercrime complaints were received online in April, compared to 37 complaints received online and by mail in March and 21 complaints received in February. Because of the lockdown, frustration among cybercriminals is on the rise as they are conﬁned. As a result, criminals blackmail women into morphing their images in exchange for sexual favours.
Soon after the lockdown was announced, there was unexpected reporting of cases related to misinformation, fake news, and many cases reported that there were malware links and that after clicking on the same links, all the information on the phone was transferred to the criminals, and it also automatically turned on the microphone and camera, which also captured their personal juncture. There were many cases where victims did not report them because they were afraid it would tarnish their reputation in society or because they were concerned about the “social stigma” associated with cybercrime. Numerous studies have found that women are far more likely than men to be victims of cybercrime. As a result, the crime has an indeﬁnite impact on the victim’s life, making it far more miseable than they could have imagined. The majority of victims suﬀered ﬁnancial losses as a result of the networked scam, and the criminals extorted their money by blackmailing them. Furthermore, many of them were unable to report the same to the crime branch because they lacked courage and feared that reporting such fraud would cause them to be shunned from society. They were psychologically aﬀected by the burden and loss. Taking a more concise look at the impact that cybercrime has had on people’s minds, it is clear that women have been the most aﬀected by the crime and have had to bear the torments in order to maintain their social standing.
Considering all of the crimes and the eﬀects they have on people’s lives, it is clear that the government has a critical obligation to create and implement cyber security laws. Because we lack cyber security laws, one in every three women in our country has been subjected to cyber stalking or cybercrime. It is necessary
for judicial authorities to keep up with technological advancements and ensure that no individual suﬀers as a result of evolving technologies. From abusive online comments and cyber-harassment to the perpetuation of harmful stereotypes via social media and online imagery, these new forms of violence are spreading into the real world and have a signiﬁcant impact on women’s physical safety and psychological well-being.
Though India’s existing laws do not provide the necessary data protection, the country is in the process of drafting a data protection legislative enactment. A thorough examination of the aforementioned loopholes, as well as additional debates and discussions in Parliament to provide necessary recommendations to close them, would pave the way for the creation of a strong data protection law in India.
Author: Pratik Nayak
Editor: Kanishka Vaish, Senior Editor, LexLife India.