share the business data on WhatsApp with Facebook. After the announcement there
has been a situation of panic among the people as fear of data leak has arisen
in the minds of people. Although, WhatsApp claims that there won’t be such a
situation as only business data and no personal data will be shared with
Facebook but WhatsApp’s credibility is doubtful as it has a different privacy
policy for European countries.
The announcement also comes in the backdrop of
news of sensitive data leaks from companies like Domino’s and Air India.
Although, for quite some time news of data leaks from different companies has
been coming but the issue is really serious now. To put this into context
India saw a 37% increase in data leak in 2020 and this year already cases of
various data breaches have come out. Hence, the question arises what
framework does our government have for such data breaches.
Although India does not have any data protection law as vast as that of other
countries especially European countries but Information Technology Act which was
passed in 2000 “provides legal recognition for transactions carried out by means
of electronic data interchange and other means of electronic communication,
commonly referred to as "electronic commerce", which involve the use of
alternatives to paper-based methods of communication and storage of information,
to facilitate electronic filing of documents with the Government agencies.”
The Act also defines cyber crimes and prescribes penalties for them.
original act provided for the following offences:
Section 65. Tampering with computer source documents.
Section 66. Hacking with a computer system.
Section 67. Publishing of information which is obscene in electronic form.
Section 68. Power of Controller to give directions.
Section 69. Directions of Controller to a subscriber to extend facilities to
Section 70. Protected system.
Section 71. Penalty for misrepresentation.
The act was amended in 2008 which introduced the following offences:
Section 66B. Receiving stolen computer or communication device
Section 66C. Using the password of another person
Section 66D. Cheating using computer resource
Section 66E. Publishing Private images of others
Section 66F. Acts of cyberterrorism
Section 67A. Publishing Images containing sexual acts
Section 67B. Publishing child porn or predating children online
Section 67C. Failure to maintain records
Section 72A. Disclosure of information in breach of lawful contract
Section 73. Publishing electronic signature certificate false in certain
Section 74. Publication for fraudulent purpose
The punishments for the above-mentioned offences can extend to imprisonment for
life and/or an indefinite amount of fine.
The act has faced a great amount of scrutiny and has been constantly criticized
for its narrow scope and applicability as it seems ineffective concerning recent
data leaks. The critics have also argued that the act does not deal sufficiently
with the offence of data breach. Section 72A of the Act which specifically deals
with the offence of data breach states that,
Section 72A. Punishment for disclosure of information in breach of lawful
Save as otherwise provided in this Act or any other law for the time being in
force, any person including an intermediary who, while providing services under
the terms of lawful contract, has secured access to any material containing
personal information about another person, with the intent to cause or knowing
that he is likely to cause wrongful loss or wrongful gain discloses, without the
consent of the person concerned, or in breach of a lawful contract, such
material to any other person, shall be punished with imprisonment for a term
which may extend to three years, or with fine which may extend to five lakh
rupees, or with both.
Therefore, in reaction to the rising cases of data breaches and the act’s low
applicability in dealing with such breaches a committee was constituted in 2017
headed by Retd. Justice BN Srikrishna to propose a statute on data protection.
The committee tabled its opinion and Personal Data Protection Bill was
introduced by the Ministry of Electronics and Information Technology in 2018.
The bill was not passed by the parliament and also received heavy criticism. The
bill received heavy criticism because it was deemed to be giving excessive power
to the state. Retd. Justice BN Srikrishnan himself termed the bill as having the
ability to turn India into an Orwellian state. Hence, a revised bill was
introduced in the parliament in 2019.
The Amended Bill aims to:
“to provide for protection of the privacy of individuals relating to their data,
specify the flow and usage of personal data, create a relationship of trust
between persons and entities processing the personal data, protect the
fundamental rights of individuals whose personal data are processed, to create a
framework for organizational and technical measures in processing of data,
laying down norms for social media intermediary, cross-border transfer,
accountability of entities processing personal data, remedies for unauthorized
and harmful processing, and to establish a Data Protection Authority of India
for the said purposes and for matters connected there with or incidental
The bill was sent for further expert analysis to a Joint Parliamentary Committee
headed by Member of Parliament, Meenakshi Lekhi. As of May 2021, it is still
with the Committee and awaits introduction in the parliament.
It is to be noted that with digitalization various aspects of an individual’s
life are changing which include parameters of security of an individual. Now
protecting a person does not mean the protection of his body and property only,
a new aspect, data has been introduced to such list.
Today we are surrounded by
the digital world, our every information, personal details, financial details,
travel details are there in the digital world and if not protected effectively
can fall into the wrong hands. Thus, it is of utmost importance that an
effective data protection law is passed and put to force in India.
Written By: Raghav Agarwal
- Information Technology Act, 2000
- Section 72A, IT Act, 2000
- The Personal Data Protection Bill, 2019
, 2nd Year BBA LLB, USLLS, GGSIPU