File Copyright Online - File mutual Divorce in Delhi - Online Legal Advice - Lawyers in India

Analysis Of Cyber Law With Focus On Data Protection

The internet has now embellished as an integral part of everyone's daily routine. It has taken over the world, from basic communications to online shopping. Companies have also chosen to carry on their operations via the internet. As a result, e-commerce has grown in popularity. Many government procedures are now conducted online, and e-finance has exploded in popularity in the last year. The popularity of internet has been growing on and on thus increasing the perils in association to it.

In the twenty-first century, when information reigns supreme, data is a valuable asset. Data is the driving force behind the world's growth in the modern era. This is where the Data Protection Laws come into play. Many countries have passed laws based on these principles.

This paper examines the current state of data protection laws in India and around the world, as well as the Indian legal aspects of the Data protection and the Privacy.

What is cyber law?

Cyber law comprises of two words cyber and law. Cyber is used as a prefix in this, a term in connection with information technology as to compute in the internet. It is a relationship between modern computing and technology. Law is a a set of procedural rules and regulations which has entrenched in the society to follow to ensure peace and harmony. There are various subjects for which laws are made, one of them is cyber law. Cyber law is the law which governs the legal prospects of the Internet and also administers the digital information, software or the security.

The suitable introduction to Cyber Law is: It is 'paper laws' in the 'paperless world'[1]. It comprises of laws on how to retrieve and utilize the internet and even provides with rules in order to protect the online privacy as well. The term cyber law is a wide terms which includes various subjects like legal informatics and electronic elements, including information systems, computers, software, and hardware. It's the legal structure to tackle with the Cybercrimes.

Importance of cyber laws

As of early 2021, the number of people that use the internet is over 4.66 Billion. With that number increasing by 7% annually. This also means every day can account for almost 8,75,000 new users[2] This instantaneous increase of usage of cyberspace has made it necessary to have cyber laws.

As with time technology is a growing on and on cyberspace which had initially started as an information tool, today has now become form for communication and commerce as well. The Technology is developing every single day it has become a core part of our lives, for every small thing we require cyberspace which in turn has led to the inevitable increase in the cyber crimes.

We have seen in this time of COVID-19 all the things going online, businesses going online, the studies going online and what not, this time also saw an increase in the usage of e-commerce which in turn has made necessary that there are proper regulatory practises set up to ensure that no malpractices take place in the cyberspace. The cyber laws restrict the people from the cyber criminal activities or it least tries to reduce the pace of the cyber crimes. Cyber law provides with a security for all data and properties of individuals, organisations and the government. It also helps to restrain the illegal activities while assessing it. It governs the actions and reactions on the cyberspace.

Advantages Of Cyber law

The cyber law ensures that all the online transactions are safe and protected it keeps a track of all the electronic records. It has also aided in establishing the electronic governance over the cyberspace as call recognition is granted to the old transactions taking place through electronic media which also in turn made the digital signature is legal which has turned to view a turning point in the legislation of India.

Has also helped the various government departments by facilitating the e-filing of the documents and also authorising the and also giving the bankers the authorisation for in order to keep records in the configuration of electronic and granting the allowance of electronic fund transfers between various institutions. The cyber laws led to the birth of new security agencies like cyber cell which in turn monitors the cyber traffic and provide software as well hardware security and blocking the unwanted content from the internet.

Difference between cyber and the conventional crime

The basic different betwixt the two terms is obviously the use of technology, which is the main under he cyber crime however it can only act as a small aid in the crimes which are conventional.

For conducting a cybercrime one is usually highly educated professionals, hackers, organised ideological people where as the conventional crimes are conducted by the petty unorganised gang, usually the poor and illiterate strata of the society.

In a conventional crime the criminals tend to leave an evidence behind which reaches to them whereas cybercrime has a less chance as hackers leave behind any traces which could lead back to them.

The scale of attacking in the cybercrime is very higher as the compare to a conventional one, like the robber will be able to rob one or two banks in a Week or so whereas the cybercriminal would be able to rob the 100s of bank with just a click.

The Cybercrime allows to be conducted by sitting anywhere from world, it isn't essential to be there at the crime place necessarily. The cybercriminal could be anywhere even at a place where there are no law regulations the actions.

The cybercrime is conducted at a machine speed, in minutes multiple sites can be targeted and the data could be hacked from their profiles.

Reasons for cyber crime

'human beings are vulnerable so rule of law is required to protect them'[3]. This saying can be applied to the cyberspace as well. The Cyberspace is a vulnerable space where the computers are there, therefore Cyber Law is a requirement that serves as a deterrent to cybercrime. There are a number of grounds that the cyberspace is a space which is suspectible where the computers could lead to the cybercrimes.

One of the logics is that a computer is the tool which has a distinct quality to huge amount of data during a very compact space which enables the extraction of an information or any data by the hackers smartly in flash and use that data for their own use. Another reason is that the hackers have a very easy access to the system. The skilled hackers have the capability to get an unauthorised access to the system by infringing the access codes, retina images, voice recognitions and many more which could incite to fooling the biometric system thus allowing the hackers to access the system.

The computers are able to work through an operating system, which in turn is made up of millions and millions of code which are difficult to break by a human mind, thus it is thought that there is no loophole in it and thus nothing wrong would happen in that stage which is being misused through the hackers. Even a single small loophole in the operating system is detected by the hackers which in turn they exploit, thus this complexity becomes a reason for cybercrimes. Cybercrimes could also be a result of negligence act.

A negligent act can turn into a profound concern as it implies a direct welcome to hack the operation for the hackers. It is necessary to be a little bit of vigilant and avoiding any negligence as it would be a cause to cyber crimes. A reason for cybercrimes can also be that the evidence can be lost. The hackers can remove the traces of their breaching which in turn makes it difficult to reach to the hackers, which in turn makes the system a little bit more prone to the cyber attacks.

The evolution of the technology is one of the biggest reasons of cyber crime, invoking people to try new things and learn them thus leading to cybercriminal activities. Some cybercriminal activities arise out of revenge. A person would be hurt by the other person because of any reason which would entice him to take a step against the person and he would take help of the cyberspace to do so.

Scope of cyber law

The cyber laws is a subject of wide range. There are different cyber laws which serve different types of purposes. The cyber crimes can happen with individuals or as an organisation or against the government. As an individual one can get involved in online harassment or stalking, child pornography whereas cyber terrorism, threats, misuse of power against national security could be cyber crimes involving the government.

It deals with various aspects like protecting the privacy and the various rights like the freedom of speech And right to information, preventing any kinds of frauds dealing with a lot of spammers and a jurisdiction over the e-commerce.

The cyber laws can be divided into various broad categories:

  • Fraud
    A fraud can be committed online like identity theft, credit card theft and other financial Crimes, the Cyberlaws that have been made which in turn protecting the victim from the fraud committed, the person who commits the fraud can face criminal charges and the victim can also initiate the civil action in opposition to the person committing fraud. People fall for various scams through which the criminals are able to get the money from their accounts, this is generally termed as phishing
  • Copyrighting Issues
    The internet comprises of an enormous amount of data which is available to anyone anywhere and anytime as per the convenience. But if someone tries to copy the any type of information which is accesible on the internet and claims it has its own then cyber laws have a provision for protecting the hardwork of an individual or an organisation who has put the data or information on the internet.
  • Online Harassment and Stalking
    Many people especially the girls are the victims of online harassment and stalking, this has been becoming a very huge issue, almost everyday we see in news that someone was caught for the same, various cyber laws have been enacted for the same.
  • Trade Secrets
    Cyber law also helps in protecting the trade secrets of the businesses which are doing the work online as it provides various provisions for it. It helps the e-commerce to initiate a legal action in case the trade secrets are in jeopardy.
  • Data Protection
    People who are being dependent on the cyber law to ensure the protection of the information that is personal. Even the organisations as well as the companies also depend on it to preserve its data confidentiality.

Impact of Cyber Crimes

The cyber crimes can have huge impact on the individual, business, economy and the country's security as well. Nowadays everyone is extremely reliable on cyberspace to do all the work be it transferring money or shopping thus making them subjected to a higher risk of getting into some kind of fraud. A survey conducted in 2011by Norton CyberCrime[4] revealed that over 74 million people of The United States were victims of cybercrime in 2010, which caused financial losses of almost $32 billion.

In India also the citizens are being persuaded to be cashless, using various apps to make payments via apps like Paytm, Bhim and many more. But with the emergence of all the trends of being cashless and using the Internet for the purpose of money has increased the chances of a person falling prey to an online scam or fraud if he full knowledge is not with him and smart ample to utlize them carefully. The companies face the risk which is similar of suffering from the financial losses as a result of the various cybercrimes its exposed to.

The risk doesn't confine to financial losses even to leakage of personal information of a human being too. The social networking sites act as an open platform to take a peak at anyone's life which can be dangerous in one way or other. The hackers have the capability to hack in anyone's account and take any information and use it in any manner which puts a huge strain on the people on how to freely use the networking sites. The people start losing trust in the sites and various platforms as the people hear or see the experience about the scams or frauds or phishing. This puts a risk on all the e business as no one would be ready to make transactions with them because of the fear.

Cyber crimes also affect the national security as nowadays all the work of the country is done using the advanced technologies and network which in turn can help the terrorists to intrude into any other country's security networks and obtain the necessary information to cause harm to that specific country. They could even breach the country's data and destroy it or add any kind of misinformation to the records of the country, these things could jeopardise the nation's security, integrity and peace.

What is data?

Data has been defined as "a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer" as per the Information Technology Act[5].

In simple words data can be explained as a accumulation of the facts; the facts can be numbers, measurements, observations or passwords to anything. It has also been defined as "any electronic information that is held by a public or private service provider (like a government service department, a bank, a document repository, etc. This includes the static documents as well as the transactional document"[6] under the electronic consent structure which is provided by the Digital Locker Authority.

Data can be a Personal Data, it is the information which is associated with a person who is precised. This in turn helps make a person identified through the data. It appends the attributes of a specific person, like Your Name, Address, Email Address, Phone number, Aadhar card number, your IP Address or can be anything like the health record held by a doctor or by the hospital.

The data is very important therefore many people try to extort the the data. Data Theft is when data is extorted through illegal means from one system to other which in turn provide benefits to the person who extorted the info. It's breach of privacy of one person which can lead to harsh repercussions for individuals and businesses. The data theft can be performed by means of USB Drive, Email, Remote sharing & Malware Attacks. The data theft can be prevented through various methods like using strong passwords to protect the data, installing firewall systems, wireless networks should be secured,the data should be kept encrypted, one could be assuring that the system is updated and one properly can handle and dispose the sensitive data.

Data is defined as a formalised portrayal of information, knowledge, facts, concepts, or instructions that's intention is to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the computer's memory under the Informatization Act. In simple terms, data can be defined as a collection of facts.

What is data protection?

A synchronisation of strategies and procedures which is applied to safeguard the privacy, accessibility and the righteousness of the data is termed as data protection. This synchronisation staves off any kind of possibility of data loss, theft, or corruption and in occurrence of a breach it can help in lessening the damage caused.

This also gives a capability of restoring the data to the exact functional state before the corruption or breach had taken place. It is a correlation of technology and data, how data is collected and it's circulation. It coves the subjects of immutability, preservation and deletion of the data and not only it's availability. It's tries to put a balance between providing privacy and protection.
The term data protection and term data privacy are two terms which are interconnected to each other.

The term data privacy is more like prescribing how data should be collected and handled depends upon the sensitiveness and significance of data being provided. Data privacy is administered through the regulations of data protection. Data privacy provides with who gets the access to the data however the data protection is protecting the the datas from the people who don't gain access to the data.

The data protection is done on all levels be it personal or corporate or government, the technique and scale of doing this on the different levels can be different according to the situation needs whom to give access and from whom to protect. A few perceptions are needed to be observed in process of data protection. In the process at whatever level being conducted, it needs to be within a precise limit, excess of everything is detrimental and the data has to be unerring and relevant in nature.

There must a specific rationale behind the data protection and it should be done through proper security and appropriate rights have to be provided with to the authorised. The data being protected must be done with the assent of whosoever concerned. A proper endurance is required to be given by the data protectors about the accountability of the data.

Importance of Data protection

The paramount reason for the data protection is which acts as an asset by safeguarding all types of valuable data and avoiding any unwanted access to it by anyone. It also helps in maintaining a line of privacy for example in a company an employee provides personal details to the HR department who keeps the data to itself and doesn't allow any unauthorised access or when a client shares the details, which when protected increases the trust and confidence of clients in organisation that in turn helps the organisation to sustain in the society.

It directs as a safety shield in opposition to the hackers and thus not falling to any types of fraudulent activities like scams, phishing, theft and many more. It helps in order to prevent any financial loss on personal level of on business level. It's a crucial component of a business especially the ones whose most work is done online, they are at a greater risk that their website or the platform gets hack and all the data is accessed by the unauthorised like the competitors companies.

It also encourages better management of work as the data protection requires good management of work and also encourage to have moral ethics. This also in turn leads to increase in business profits and reduces the risks in a lot of ways, thus making the business more successful and increasing their customer base. This also encourages people to take initiatives and start their own businesses.

To a large extent, there have been challenges. which also attaches with data protection process like at the present moment there doesn't exist a global agreement on data protection so it's sone as per the needs of oneself which sometimes may lead to be not in other people favour. Its costly as well as time consuming process and to ensure the protection process is correct and there is no downside to it a professional is required to do the same. The technology is changing everyday new new things are coming up which makes it difficult to adapt and implement the new changes on a daily basis.

Data protection laws in India

Its an arrangement of privacy policies, laws and the procedures that focus on reducing any kind of interfering into anyone's personal data. In India there are no specific laws for data protection and privacy.

The Privacy's Right of an individual is not as such a provision of the constitution of India, but the courts have an observation that the privacy is a right with in relation to other fundamental rights that is right of freedom of speech and expression[7] and right to life and personal liberty[8]. But these both rights are condemned to some restrictions which may be laid by the country.

"No person shall be deprived of his life or personal liberty except according to the `procedure established by law" [9]is given under the Article 21. This doesn't not precisely certifies the right to privacy as one of the fundamental rights. The Right To Privacy as a part of fundamental right has come a very long way. The issue of right to privacy as a part of the fundamental rights under the Indian Constitution which has been tabled through various cases and every court has provided with its own different opinions in the different cases.

This issued was presented for the very first time under the case of M. P. Sharma and Ors. V Satish Chandra, District Magistrate, Delhi and Ors[10]. The India's Supreme Court refrained from giving the status of the fundamental rights of right of privacy. It had said that in the case of R. Rajagopal and Anr. V State of Tamil Nadu[11] that "The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a "right to be let alone". A citizen has the right to privacy protection.

The question Is right to privacy a Fundamental Right under Article 21 of Indian Constitution, was first of all answered in the famous case of Kharak Singh v State of U.P. and others[12] in which a stern elucidation of the word "life And personal Liberty " was created and it was ruled that Right to privacy, wasn't a part of the fundamental rights guaranteed by the Indian Constitution. But, this question took a different turn with the landmark judgment of Maneka Gandhi v Union of India[13]. This case gave the term "personal liberty" widest possible elucidation. Thus creating right to privacy as a vital component of right to life under the Indian Constitution's Article 21.

Eventually also in the case of People's Union for Civil Liberties (PUCL) v Union of India[14] the Supreme Court had observed that the "We have, therefore, no hesitation in holding that right to privacy is a part of Rights to "life" and "personal liberty" enshrined under Article 21 of the Constitution." Once the facts in a given case constitute a right to privacy, Article 21 is attracted. The said right cannot be curtailed except according to procedure established by law.

The issue was also pondered upon by the SC in one of the landmark case of K. S. Puttaswamy (Retd.) v Union of India[15]. In the case the court has held that " Privacy is a constitutionally protected right that stems primarily from Article 21 of the Constitution's assurance of life and personal liberty. Privacy issues arise in a variety of contexts from the other aspects of freedom and dignity recognised and guaranteed by Part III's fundamental rights."

This case had put up a challenge against to government's Aadhaar scheme which is a kind of a uniform based on biometrics identity card, which the government had proposed to make necessity in order to grant an access to all the services and benefits provided by the government. The Supreme Court faced the challenges on the base that the scheme was in violation of the right to privacy.

It is one of the latest judgement of the SC that ruled that the Right to privacy is a fundamental right granted to the citizens of India through Indian Constitution. The acknowledgment of right to privacy as a fundamental right is a proof that as a nation we are moving in a right direction in order of setting up a designated system which would provides techniques for protecting personal data and avoiding data theft in any manner.

The judgement resulted in making the Aadhar Card being appraised and safeguarding the personal data of people which is precious in any form is kept safe from any breaches or is in privacy reaching no ones hand. This had also directed a remarkable step that the data which is stored with many other government agencies should also be evaluated and keeping it safe.

This had radically changed the way of the government to view its citizens' privacy in practice and as well as the prescription. It necessitated the governments to initiate various structural reforms and try to bring in transparency and openness in the procedures to commission and execute the surveillance projects, and thus building a mechanism of judicial oversight over surveillance requests.

Indian Contract Act

The common law principles are the basis of the Indian Contract Act. It gives provision where the participants of the contract can add relevant clauses in the accord for data protection like a confidentiality clause. This is provided under the Section 27. clause provides with that a person would be compensated in case of data leakage The clause provides with that a person would be compensated in case of data leakage of any manner and also lays down what mechanism is to be imposed with the person who is behind the data leakage depending upon to what extent it is leaked. The companies enter into several agreements on a regular basis which help them in a smooth running of the business thus they relay on this proviso to protect their confidential information of their clients.

Indian Penal Code 1860

An amendment was made to this act which made the term data as a segment of the definition of movable property thus making data theft or its misappropriation as a crime as per the act. The computer data or databases are movable in nature thus getting protection under the act. It has been proved really effective in prevention of data theft. It could cover a few topics in the connection of the data protection , but being a very old statue it doesn't able to cover a lot of subjects like breaches of data privacy. The data has been incorporated in the term moveable property but is data is to be in consideration it's part in all the sections or not is still a question to ponder upon by the courts.

Copyright Act 1957

This act provides protection to the Intellectual Property Rights of all kinds of works including the literary, dramatical, artistic work. With an amendment to the act the database of the computer has been included in the term literary work. The amendment is a benefit to the customers as no other institution other than the service providing company can legally make use of the information provided by them in any manner.

So if a a particular data base is being copied and shared among others or is being used for one owns need then it leads to a copyright infringement which would thus lead to civil or criminal remedies. Under this act it is difficult to differentiate between the data protection and data base protection as data protection is mainly for protecting of the personal data however the database protection is protection of ones work performed or art being created. This act provides punishment under section 63B for the piracy of copyright data. The punishment can be a term in jail or fines of varying amounts.

Information technology Act 2000

This act was introduced as a legal framework to administer the virtual ecosystem which comprises of e-commerce, electronic contracts, e-mails and so on and on. The act had been passed on long back the virtual ecosystem has grown to large extents since then thus making this act more and more relevant in nature. It gives a legal status to all the transactions helped out through the method of electronic manner, usually called e commerce.

It is an alternative to a paper based way of communicating and storing of data with various government institutions. This act cover the subject of data protection to some extent, providing with laws to prevent misappropriation of Data and imposing various fines. It also provides with payment to compensate both civil and criminal in the event of misusing the data which is personal or it's disclosure in wrongful means or violating any terms of agreement in relation to personal data protection. The act had undergone a major amendment in 2008.

The sections in relation to data protection are:
The act has a provisio under the section 43 that grants protection in case there is any kind of unauthorised access of a system by levying a heavy penalty up to One Crore. It also covers any kind of download or extraction or copy of the unauthorised data.

A punishment fee of up to 5 crore fine can be imposed under section 43 A if there is any kind of negligence in the implementation and maintenance of proper security practices by a corporate body who is in possession or deals or handles with data which is of sensitive nature and the negligence in turn leads to any loss or gain which is wrongful in any manner. The corporate body would be liable to pay the compensation in the form of penalty.

Anyone who knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system, or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, faces a sentence of up to three years in prison, a fine of up to Rs 2,00,000, or both, according to Section 65 of the IT Act. As a result, computer source documents have been protected from any kind of tampering.

Section 66 provides with that anyone who has committed any conduct as to referred to in section 43 dishonestly or fraudulently shall be punished. It has been designed to protect against hacking. According to this section, hacking is defined as any kind of act committed with intention to cause wrongful loss or damage to another person, or with knowledge that wrongful loss or any damage could be caused to another person, and information stored in a computer resource must be destroyed, deleted, altered, or its value and utility diminished. The hacker can face a three-year prison sentence or a fine of two lakh rupees lower limit, or both, under this clause.

Anyone who uses a digital signature, password, or any other unique identification feature of another person unlawfully or dishonestly shall be punished with three years in prison and a fine of up to Rs.100,000.00 under Section 66A of the Act, which deals with identity theft. Identity theft is addressed in Section 66 C, which states that anyone who unlawfully or dishonestly uses another person's electronic signature, password, or any other unique identification feature is subject to imprisonment for up to three years and a fine of up to INR 1,00,000.

Shreya Singhal v. Union of India[16] is a 2015 Supreme Court of India decision on the issue of online speech and intermediary liability in India, handed down by a two-judge bench. Section 66A of the ITA2000, appertaining to restrictions on online speech, was declared unconstitutional by the Supreme Court on the grounds that it violated Article 19(1)(a) of the Indian Constitution. The Court added that the Section was not saved because it was a reasonable restriction on freedom of speech under Article 19 of the Constitution (2).

The SC struck down the Section 79 and the governing rules of it. It was decided that the intermediaries which are online can only be required to remove content as an when served with a government order or an order psssed by the court. In India, the case is regarded as a moment which is watershed for online free speech. Individuals (Shreya Singhal), NGOs, and businesses challenged the provisions in the Supreme Court through a series of writ petitions. The various petitions were grouped together and heard by Justices Chelameswar and Nariman in a two-judge bench.

Section 69 acts as an exception to the general rule of maintaining information privacy and secrecy provides that where the Government have a satisfaction which is a necessary in the interest of the integrity or sovereignty of India or defence or security of the State or in any case as the government deems fit to. This provides the authority to intercept, monitor, or decrypt any information in any computer resource, including personal information, the government may demand disclosure of information when it is in the public interest to do so by the government.

Section 69 of the Information Technology Act of 2000 covers both interception and monitoring, as well as decryption, for the purpose of investigating cybercrime in India. The Information Technology (Procedures and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, were also published under this section. The Information Technology (Procedures and Procedures) Act has been published by the government. It provides for the various grounds upon which the government can interfere with the data.
In the interest of India's sovereignty and integrity, defence, security, friendly relations with foreign states, or public order, or to prevent instigation to the commission of any cognisable offence relating, Section 69A allows the Centre to block public access to an intermediary.

This act sets out penalty in case the confidentiality and privacy of data of someone is breached under Section 72. Any person who, without the consent of the person concerned, secures access to any electronic record, book, register, correspondence, information, document, or any other material in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, discloses such material to any other person shall be punished with imprisonment for a term up to two years, or a fine up to Rs 1,000,000. Furthermore, section 72A states that disclosing information without the consent of the person concerned and in violation of a lawful contract is punishable by up to three years in prison and a fine of up to Rs 5,00,000.

The provisions of the IT Act will apply to an offence or contravention committed outside India by any person if the act or behaviour constituting such offence or contravention includes a computer, computer system, or computer network located in India under the Section 75 of the IT Act.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
These rules have been inflicted by the government with an objective of ensuring reasonable security practices and procedures these rules have to be complied by the companies and other a legal entity that deals with sensitive personal information in any manner.

The Rules exclusively cover the protection of sensitive data which is personal in nature or information of a person, which includes information about a person's personal data Passwords; Financial information, Physical, physiological, and mental health conditions; Sexual orientation; Medical records and history.

The regulations provide acceptable security standards and processes which any individual or any the body corporate collecting, receiving, possessing, storing, dealing, or information being handled on behalf of the body corporate must follow when dealing with "Personal sensitive data or information." In the circumstances of a contravention, the body corporate or any other person acting on its behalf may be held liable to pay damages to the person who has been harmed.

Rule 3 establishes a list of items that are considered sensitive personal data, including financial information, sexual orientation, and credit or debit card information. Companies and other body corporates are required to create a privacy policy for dealing with personal information and data which is sensitive under Rule 4, which must be accessible on the body corporate's website.

It also states that the Companies and other body corporates shall not acquire sensitive personal data without first receiving consent in writing, by fax or e-mail from the provider indicating the explanation for why data is being collected. Even the personal information or sensitive data shall not be collected unless and until it is for a lawful purpose and the collection is required to carry out that specific purpose. The information gathered will only be used for the purpose for which it was gathered and will not be kept for any longer than is necessary.

Rule 6 requires the Body Corporate to obtain the consent of the parties concerned provider before revealing sensitive data to a third party, unless the parties have agreed otherwise agreed to such disclosure through any other means. However it can be disclosed without prior consent to the government entities mandated by law or as an order under the law a third party, unless the parties have agreed otherwise, who will be bound not to reveal it. Rule 8 clarifies that if a firm or other corporate body has adopted and recorded the standards of these security measures, they are regarded to have conformed with reasonable security practises.

Under section 69A of the IT Act, the government has also notified the Information Technology (Procedures and Safeguards for Blocking for Access to Information) Rules, 2009, which deal with website blocking. Various websites have been blocked by the government.

However the IT act and the rules prescribed is not adequate for the data protection as they have a very limited scope and it has various loopholes attached to it. There is no definition of a data breach of consent in the act. Only a 'body corporate' can collect and distribute information under the provisions of the IT Act. It doesn't have an overarching provision stating that interception can only take place in circumstances of public emergency or public safety. Furthermore, Any person may be prosecuted under section 69 of the IT Act or intermediary who fails to assist the specified agency with the interception, monitoring, decryption, or provision of information retained on a computer's hard drive is subject to a fine and a sentence of imprisonment of up to seven years.

The IT Act's rules and provisions aimed to protect sensitive personal data or information like information about passwords final in financial information et cetera whereas the information that is readily available in the public domain is not considered personal data and information that is highly sensitive. The vast majority of the provisions only apply to "sensitive personal data and information" gathered by "computer resource." Consumers can only initiate enforcement action in relation to a specific section of the regulations, which are limited to corporate entities that engage in automated data processing.

There is no mechanism for data localization, which was a major source of concern and the cause for the Chinese applications' ban in India. Although the preceding rules was a step toward creating a specialised data protection law but they are insufficient. Only protected data as described in the Rules is dealt with under these Rules. There is no comprehensive legislation that governs and regulates all data-related activities and has severe data-protection rules. India requires a robust data privacy law to meet these restrictions.

The Personal Data Protection Bill, 2006

The decision in K. S. Puttaswamy (Retd.) v Union of India[17] prompted the creation of the Personal Data Protection Bill, which is currently a proposed Legislation on data protection in India. It has yet to be passed by Parliament, but it gives us a good idea of how India's data protection laws have progressed. A committee was established to explore data privacy problems in July 2017 by The Ministry of Electronics and Information Technology which was presided by Justice B. N. Srikrishna, a retired Supreme Court judge.

In July 2018, the committee submitted the draft PDP Bill, 2018 which was approved by the Indian cabinet ministry on 4 December 2019 as the PDP Bill 2019 thus tabled in the Lok Sabha on December 11th , 2019. The Bill is being examined by a Joint Parliamentary Committee (JPC) with the help of professionals and stakeholders as of March 2020 who is in charge by Meenakshi Lekhi.

The Bill aims to protect individuals' privacy in relation to their personal data, specify the flow Establishing a trust relationship between persons and entities processing personal data, as well as protecting personal data the fundamental rights of individuals whose personal data is processed. It also creates a framework for organisational and technical measures in data processing, establish norms for social media intermediaries thus facilitating cross-border data transfer.

Its purpose is To keep personal information safe and secure information collected for a specific purpose by one organisation and to prevent its use for commercial or other purposes by any other organisations. It also allow individuals to seek compensation or damages for disclosure of personal data or information without their consent.

The proposed legislation divides data into three categories:

  1. critical for defence and intelligence services, as well as payments data from foreign banking services like Visa and Mastercard
  2. sensitive for health, religion, political orientation, biometrics, genetics, sexual orientation, and financial data of individuals and
  3. personal for health, religion, political orientation, biometrics, genetics, sexual orientation, and financial data of individuals.

While the regulation prevents the sharing and processing of essential data outside of India, it establishes restrictions on sensitive data processing and requires the user's agreement.
In addition, the bill proposes to establishes a national Data Protection Authority (DPA) to govern and regulate data fiduciaries under section 41 of the Act.

It is an ultimate regulatory authority to be chosen by the government as well as being in charge of ensuring data fiduciaries to follow the law. The body would also push for "Data Localization," which requires that Indians' personal information be stored in India.

The DPA is proposed as the regulatory and enforcement agency in the Bill. The Authority will comprises of a chairperson and six other members with at least ten years of experience in data protection, information security, data privacy, data science, and related topics. The bill provides with the Data Protection Authority's authority, operations, and administration.

The DPA can impose fines on data fiduciaries if they fail to comply with data processing responsibilities under this bill or DPA directives; or requirements for cross-border data storage and movement.

A penalty of more than 5 crore rupees can be imposed if DPA is not notified quickly. Furthermore, anyone who discloses, gets, transfers, sells, or proposes to sell personal sensitive data faces a five-year prison sentence or a charge or fine of up to three lakh rupees.

The individuals who are harmed as a result of data breaches are compensated. If the data breach was caused by the data fiduciary's carelessness or breach, the compensation is decided by a DPA adjudicating officer. The adjudicating officer's decision might be challenged in the Appellate Tribunal.

This bill attempts to regulate how government bodies and business entities established in India and abroad process personal data of persons. Only the processing of data is permitted with consent of the individual, in the event of an emergency medical situation, or when the state is delivering advantages to its residents.

Individuals have many rights in relation to personal data, including the ability to request Corrections or gaining access to private companies' data. The certain types of data processing, such as processing in the interest of national security, processing for legal processes, and so on, are exempted under the bill. It also makes it essential to keep a copy of data within India's borders. Certain sensitive personal information must be kept entirely in India.

The bill specifies three exceptions in which data can be accessed without restriction:
  1. to provide individuals with the benefit of state services,
  2. to take legal action against individuals, and
  3. in the event of a medical emergency.
The requirements will also not apply to state-run investigation agency and investigative journalists who have the required protections in place. For the public order and security of nations, as well as to improve its services, the government can request Non-Personal data from data fiduciaries at any moment according to the bill as stated section 35.

The bill also tries to include the concept of "Data Sovereignty," which allows the government to have access to crucial data if it believes it is necessary to protect India's sovereignty and integrity or to prevent any cognizable offence under section 2 of the Indian Penal Code. The bill aims to harmonise India's data protection laws with European standards.

It has, however, drawn various criticisms of its operation as well as the function of the government in it. Like as quoted by Justice B.N. Srikrishna:
The Data Protection bill stands with much more stringency than EU laid GDPR norms, provides the Centre with wide powers with regards to the DPA and appointment of Adjudicating officers. It also has many grey areas and undefined words like 'interest of sovereignty and integrity of India', 'public order' that can potentially be exploited to create an Orwellian State.

The Data Principal must first notify the Data Fiduciary, who must then notify the DPA if the Data Fiduciary is satisfied that the breach is likely to cause harm to the DP. As a result, the Officers of Data Fiduciaries and the Adjudicating officer will have a lot Authority in the face of this bill. Section 20 as per the bill provides the Data Principal the "Right to be Forgotten." However, he must demonstrate that his right or interest in blocking or restricting continuous exposure of his personal data outweighs any other citizen's right to freedom of speech and expression or right to information.

The bill contains a number of exceptions.. If it is required to prevent a cognizable offence relating to the state's security, sovereignty and integrity, friendly relations among states, or public order, the Central Government can exclude any agency of the federal government Bill's provisions in writing. Certain types of personal information, as an example that used for research, statistics, and journalism, are also exempt. It also does not apply to personal data processed by a natural person for personal or domestic purposes. However, such information should not be used for commercial purposes.

Eventhough the bill provides a skeletal structure for data protection and seeks to protect data, it contains some flaws. It requires data fiduciaries to collect data in a fair and reasonable manner that respects the privacy of individuals but it does not specify what constitutes a fair and relational conduct of personal data processing, which could lead to fairness and reasonability principles. This could result in fairness and reasonability principles varying across data fiduciaries and processing similar types of data in the same business.

Data protection under foreign law

Other than India, many countries treat data protection as a distinct discipline. They have well-crafted and well-established data protection legislation such as:
  • According to UNCTAD (United Nations Conference on Trade and Development), 107 countries (66 of which are developing economies) have enacted data and privacy legislation. Data protection laws are becoming more common around the world, and many of these laws have comprehensive guidelines-based frameworks.
  • PIPEDA was enacted in Canada (The Personal Information Protection and Electronic Documents Act). This entails that businesses that collect data during the course of their business activities disclose the purpose of the data collection to the data owners and obtain their consent before proceeding.
  • CalOPPA (California Online Privacy Protection Act), enacted in 2004, set a precedent in the United States by requiring websites to post privacy policies that detail data collection and use. From the year 2020, a new law known as the CCPA (California Consumer Privacy Act) will be enacted. It requires businesses to notify users of data processing and to take extra precautions to protect user information.
  • GDPR is one of the most popular stringent data protection laws in the world (General Data Protection Regulation) in European Union. It is founded on the principles of consent, transparency, protection, and user control, and it could result in a fine of up to 4% of the company's annual revenue.
  • Another piece of European Union legislation is the ePrivacy Directive and Regulation, which requires websites to obtain user consent before launching non-essential cookies.
  • In 2014, South Africa passed the POPI (Protection of Personal Information Act), which establishes requirements for customer consent to direct marketing outreach and sets standards for responsible data processing.
  • In 2017, China passed a Cyber Security Law. It harmonises data protection in China and aids in the protection of sensitive data held by Chinese citizens.
  • Despite the fact that Australia's Privacy Act was enacted in 1988, it has undergone significant revisions to make it better for citizens. It establishes Information Privacy Principles (IPPs) for Australian citizens and regulates government and private sector data collection.
  • The Data Privacy Act of 2012 established data protection laws in the Philippines. It applies to all businesses that handle personal information about Filipino citizens and residents. It is based on the principle that all data processing should be transparent, proportional, and for a legitimate purpose.
  • Germany has a strict BDSG regime (Bundesdatenschutzgesetz). It establishes strict guidelines that businesses must follow in order to adopt and maintain data security measures in IT system.
  • Argentine Republic completed the PDP (National Directorate of Personal Data Protection) and raised the stakes for data privacy significantly. It gives people the ability to request the deletion and transfer of their data for the first time.
  • As an outcome,, all of the world's major economies are enacting new data protection and privacy rules and legislation to safeguard their citizens' sensitive personal data. Which is how Intern is assisting in the creation of a better, data-protected world.

Analysis and Suggestions
Everyone feels the Data protection is required. laws all over the world. People are concerned about the security of their personal information. This is why data protection legislation is gaining graspness all over the globe. People are working to get the government to pass newer data protection laws that will give them more transparency and security over their personal sensitive data. The Indian system is attempting to enact data protection laws, and a draught bill has already been drafted; however, it is urgent that this bill be brought before parliament and codifing it as soon as possible.

While we may enact laws across the country, it's also critical that the citizens of the country are data aware citizens who understand how their data is used by many companies for monetary gain. With the advancement of technology, it will be necessary to amend these data protection laws on a regular basis while maintaining their rigidity. After reviewing laws from other countries, I believe the European GDPR establishes a gold standard for data protection legislation.

It also imposes stiff penalties on businesses that fail to take the necessary precautions to protect the personal data of its citizens. While a large number of countries have enacted data protection and privacy legislation, many countries around the world still lack legislation to protect their citizens' personal data. It is unquestionably the right time for these countries to draught and implement data protection legislation.

The current IT Act regulations are clearly insufficient for the people of India. With such a large population, it is difficult to regulate all of the data generated by citizens in India. In a world where data breaches occur on a daily basis, India must provide security for the protection of its citizens' personal sensitive data. It is critical that all stakeholders align their policies with data protection requirements, encourage the adoption of privacy, and ensuring that the protection of data authority is implemented effectively. Examine the possibility of obtaining consent at the time of data collection.

The proper requirement for Indian law can be analysed by comparing it to the law of developed countries. Data does not all have the same utility and importance; it differs from one another based on utility. As a result, we must frame separate categories of data with different utility values, as the United States has done. Furthermore, the provisions of the IT Act primarily deal with data extraction, destruction, and other related issues.

Companies were unable to obtain complete data protection through this method, forcing them to enter into separate private contracts to keep their data safe. These contracts are enforceable in the same way that a general contract is.

Despite the efforts of creating a law for the protection of Data as a separate discipline, our legislature has leaves some kind of gaps in the bill of 2006. The bill is based entirely on the framework of the UK Data Protection Act, as the current requirement is for a comprehensive Act. As a result, it's possible that a compiled drafting based on US data protection laws would be more favourable to today's requirement.

With exponential increase in the manner of people consuming and generate data around the world, data will become more valuable by the day. With data fueling growth, it will be critical to safeguard citizens' data. Governments all around the globe will have to adapt to rapidly changing technologies and amend or develop new laws to protect people's sensitive personal data.

A concerted effort by the government and its data-savvy citizens will improve the world's data security, making it more transparent and open to new policies and laws. Though the concept of data protection is not new, the increasing trend of technological dependence and use of personal data necessitates the creation of a new law to deal with tracking and controlling technologically savvy individuals and organisations by establishing guidelines to prevent misuse of personal data.

People who use the internet to share data or transfer information for e-commerce transactions or other forms of communication value their privacy and associate it with personal freedom, and thus have the right to control data about them. To meet the emerging challenges, every e-privacy organization's practises must be benchmarked against national and international standards for privacy and fair information practises.

Although customers readily share personal information when conducting online transactions or exchanging communications, it is the responsibility of the State of monitoring and protect its citizens' interests. Because there isn't any specific law in India dealing with protection of Data, the courts consistently fail to protect the information shared with companies by punishing them for breach of trust.

As a result, it is critical and urgent that the Protection of Personal Data Bill 2019, which is currently pending in parliament for approval and ascension by the president, be passed and approved as soon as possible in order to protect citizens' personal data from being misused.

References: End-Notes:
  2. Survey conducted by Global digital population as of January 2021
  3. Hart said
  5. Defined under 2(1)(o) of the IT act.
  6. As defined by the digital locker authority
  7. Article 19(1)(a) Of the Indian Constitution
  8. Article 21 Of the Indian Constitution
  9. Article 21 Of the Indian Constitution
  10. M. P. Sharma and Ors. V Satish Chandra, District Magistrate, Delhi and Ors. 1954 AIR 300, 1954 SCR 1077
  11. R. Rajagopal and Anr. V State of Tamil Nadu 1995 AIR 264, 1994 SCC (6) 632
  12. Kharak Singh v State of U.P. and others 1963 AIR 1295, 1964 SCR (1) 332
  13. Maneka Gandhi v Union of India 1978 AIR 597, 1978 SCR (2) 621
  14. People's Union for Civil Liberties (PUCL) v Union of India AIR 1997 SC 568, JT 1997 (1) SC 288, 1996 (9) SCALE 318, (1997) 1 SCC 301, 1996 Supp 10 SCR 321, 1997 (1) UJ 187 SC
  15. K. S. Puttaswamy (Retd.) v Union of India. (Civil) No 494 of 2012; (2017) 10 SCC 1; AIR 2017 SC 4161
  16. Shreya Singhal and Ors. v. Union of India AIR 2015 SC 1523
  17. K. S. Puttaswamy (Retd.) v Union of India. (Civil) No 494 of 2012; (2017) 10 SCC 1; AIR 2017 SC 416

Law Article in India

Ask A Lawyers

You May Like

Legal Question & Answers

Lawyers in India - Search By City

Copyright Filing
Online Copyright Registration


How To File For Mutual Divorce In Delhi


How To File For Mutual Divorce In Delhi Mutual Consent Divorce is the Simplest Way to Obtain a D...

Increased Age For Girls Marriage


It is hoped that the Prohibition of Child Marriage (Amendment) Bill, 2021, which intends to inc...

Facade of Social Media


One may very easily get absorbed in the lives of others as one scrolls through a Facebook news ...

Section 482 CrPc - Quashing Of FIR: Guid...


The Inherent power under Section 482 in The Code Of Criminal Procedure, 1973 (37th Chapter of t...

The Uniform Civil Code (UCC) in India: A...


The Uniform Civil Code (UCC) is a concept that proposes the unification of personal laws across...

Role Of Artificial Intelligence In Legal...


Artificial intelligence (AI) is revolutionizing various sectors of the economy, and the legal i...

Lawyers Registration
Lawyers Membership - Get Clients Online

File caveat In Supreme Court Instantly