In the modern world, cyberspace is as relevant as the virtual space that an individual occupies. However, even as the average person lives and transacts online as easily as they do offline, they are not being regulated and held accountable in the same manner. As more and more of our daily lives migrate online, accelerated in a large amount by the recent COVID-19 pandemic and rapidly developing technology, we need to question what protections do we have at our disposal in cyberspace?
A case may be made that such protection is needed on two fronts. Firstly, there is a need for preventive protection. For instance, an enormous digital footprint is left in the wake of an individual’s activity on the Internet which has a large potential for misuse. There is a grave need to secure, anonymize and protect such data. At the same time, cyberspace and navigation of cybercrime continue to be uncharted territory in India, from a legal perspective. There is an absence of regulation and stringent cyber security laws in India, which in turn minimises the scope of penalization of online offences. Accordingly, there is an urgent need that the extant laws should identify, regulate, and enable swift prosecution of online offenders.
Overview of the Regulatory Landscape in India
In an interconnected world, each jurisdiction has developed its own security and data protection regime and procedures. India, however, despite its widely expanding online population, helped along by numerous players in the telecom industry, has not yet rolled out specific comprehensive legislation dealing with the subject matter. In the absence of the same, we must examine the collated framework of extant judicial pronouncements and data protection and cyber security laws in India.
Relevancy of the Information Technology Act, 2000 and Rules
In India, the primary act regulating activity over the internet is the Information Technology Act 2000 (“IT Act”) along with the rules framed thereunder.
The application of the IT Act is not confined to India. Per Section 1(2) read with Section 75 of the IT Act, it has extraterritorial application in respect of an online offence or contravention committed outside India by any person.
Cyber Offences
The IT Act prescribes penalties and civil compensation and criminal prosecution for various contraventions and offences under Chapter IX[2] and Chapter XI.[3] For instance, the act allows for civil compensation to be recovered for damage done to computer systems without permission from the owner.[4] However, where a person is found to dishonestly or fraudulently commit such damage, the same is punishable as a criminal offence with imprisonment and a fine.[5] Similarly, fraudulently receiving stolen communication computers and other devices[6]; identity thefts (by way of impersonation, tampering with digital signatures, hacking passwords among others)[7], particularly impersonation using the computer resource in any manner[8] is punishable as a criminal offence. The IT Act further provides for the formation of a Controller of Certifying Authorities to regulate the issuance of digital signatures. It has also established a Cyber Appellate Tribunal for the resolution of disputes. The Cyber Appellate Tribunal has, for the purposes of discharging its functions under the IT Act, the same powers as are vested in a civil court in India.
Enforcement Agency
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (“IT Rules, 2013”) establish the Indian Computer Emergency Response Team (“CERT-In”) as the nodal agency to handle various cyber incidents and take emergency measures for their containment. Individuals and organizations may voluntarily report cyber security incidents and concerns to CERT-In and seek technical and other assistance and support.
Data Security
The IT Act contained no explicit provisions regarding data protection at the time it was first implemented. Data security breaches, such as those committed by individuals hacking into computer systems could result in the prosecution of offenders under Sections 43 and 66 of the IT Act, however, the IT Act did not provide a remedy against the organization responsible for a breach of data. Section 43-A and Section 72-A were retrospectively added to the IT Act for this purpose by way of an amendment in 2008. The former provides that a body corporate shall be liable to pay damages by way of compensation to the person affected by a breach of data protection, owing to actions of such body corporate, while the latter provides for punishment for disclosure of information in breach of lawful contract.
Consequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules, 2011”) were notified by the Indian government under Section 43-A of the IT Act.
Under the provisions of the IT Rules, 2011, certain compliances are applicable in respect of a “body corporate”, defined as including “…company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities…” which dealt in the collection, disclosure and transfer of “personal information” and “sensitive personal data or information”.
The IT Rules, 2011 further defined “personal Information” (“PI”) as meaning “…any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person…”. [9] and “sensitive personal data or information” (“SPDI”) as including PI relating to “…passwords; financial information such as Bank Account or Credit Card or Debit Card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the aforementioned as may be provided to the body corporate for providing service; and any of the information received by the body corporate under the aforementioned for processing, stored or processed under lawful contract or otherwise.”. However, “… any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force…” is not considered SPDI. [10]
The level of compliances to be observed under IT Rules, 2011 differs depending on whether a body corporate deals only in PI or also SPDI. There is stricter regulation of the collection and processing of SPDI in India. Generally, these mandate that collection of PI be done subject to the consent of the provider of information, for a lawful purpose; require maintenance of a privacy policy by the organization; impose restrictions for data retention, data disclosure, data transfer and data security measures.
The latest compliances for data protection in India are imposed under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”) notified on February 25, 2021. The IT Rules, 2021 primarily prohibit and regulate digital media and content on the internet, and the role of intermediaries, including social media intermediaries, in keeping the personal data of their users safe online. In particular, these require all intermediaries, including social media intermediaries, to prominently publish on their websites and mobile applications all rules and regulations, privacy policy and user agreement for access or usage of their online resources by any user as well as available mechanisms for grievance redressal, including the name and details of a grievance officer. [11] Additional compliance is prescribed for significant social media intermediaries such as Twitter, Facebook etc.[12]
Sector-Specific Regulation
In India, certain industries are subject to sector-specific data privacy rules, regulations, standards and best practices. For instance, the Reserve Bank of India (“RBI”) has issued Guidelines on Regulation of Payment Aggregators and Payment Gateways in March 2020 which require payment aggregators to implement data security standards (prescribed thereunder, including the requirement of cyber security audit and reports and framing IT policy. Further, the Indian Insurance Regulatory and Development Authority (“IRDAI”) has put in place several guidelines including IRDAI Guidelines on Information and Cyber Security for Insurers, IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017, and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017 pertaining to data security and applicable on insurers. The Securities and Exchange Board of India (“SEBI”) maintains similar guidelines data and cyber security for stockbrokers, stock exchange and depositories.
In the health sector, the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 regulate confidentiality of information of patients, and further, the proposed Digital Information Security in Healthcare Act (“DISHA“) is sought to be applied to the collection, storage, transmission and access of health data in the future. It also provides for the establishment of the National Digital Health Authority to enforce privacy and security measures for health data and to regulate the storage and exchange of health records.
Privacy Rights in India
The Constitution of India does not list the right to privacy as a fundamental right. However, this right is granted to the citizens of India basis the interpretation taken by the Indian Supreme Court in 2017 in the landmark judgment of Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India And Ors. Herein, the Hon’ble Supreme Court primarily interpreted Article 21 of the Constitution viz. the fundamental right to life of Indian citizens as being inclusive of the right to privacy and inter-alia, the right to protection of citizens data and informational privacy.[13]
Shortly following this pronouncement, the Srikrishna committee, under the chairmanship of the (former) Justice of the Supreme Court, B.N Srikrishna) was empanelled. The Srikrishna committee was the result of the realisation instilled for improvement in the legal framework of data privacy laws in India so as to give stimulus to the fundamental right to privacy owed to Indian citizens. The committee tabled its report on the need for new data protection law in India, accompanied by the draft Personal Data Protection Bill, 2018. The draft Bill sought to regulate the flow and usage of personal data, the various entities processing the personal data, protect the fundamental rights of individuals whose personal data was processed, create a framework for accountability, processing of data, cross-border transfer and provide remedies for contravention. Prominently, it sought to establish a Data Protection Authority of India for the said purposes. The draft Bill, 2018, was since revised and thereafter has been tabled and is currently pending approval before the Indian Parliament as the Personal Data Protection Bill, 2019 (“PDP Bill”).
New Proposed Data Protection Law in India
The PDP Bill was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology (“Ministry”) on December 11, 2019, and is largely modelled after the European Union’s GDPR. A joint parliamentary committee has recently finalised and adopted a revised version of the PDP Bill on November 22, 2021. This proposed statute shall govern the processing of personal data by the Indian government, Indian companies and foreign companies.
Section 3(28) of the PDP Bill defines “personal data” to mean “…data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling…”.
Some of the interesting developments proposed under the PDP Bill include the creation of a Data Protection Authority (“DPA”) similar to the European Union as well as the categorization of personal data to be protected. For instance, the PDP Bill provides for data localization through a three-tiered structure. Hereby, data transfer/localization restrictions do not apply to personal data, however, restrictions are imposed on “sensitive personal data” and “critical personal data” (subject to be defined by the Indian government).
Sensitive personal data is defined to include “special categories of personal data” including financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the Indian government, in consultation with the DPA and the concerned sector-specific regulator. While the same may be transferred outside of India but must continue to be stored in India. Further, “critical personal data” cannot even be transferred outside India. However, to a limited extent, data transfers to countries or organizations deemed to provide an adequate level of protection are permitted. Further, the PDP Bill prescribes various obligations for data fiduciaries (including social media intermediaries) on how they shall obtain, deal/process and retain personal data. It makes them accountable for the compliance of the obligations in respect of the processing of personal data undertaken by it or on its behalf. For instance, when processing sensitive personal data of children, data fiduciaries are accountable for putting in place mechanisms for age verification and parental consent.
Further, there are stringent penalties prescribed for processing or transferring data in violation of the PDP Bill. The maximum financial penalty for a violation under the PDP Bill has been capped at INR 15 crore. Also, processing of de-identified personal data/re-identification without consent is punishable with imprisonment of up to three (3) years, or fine or both by the DPA. The PDP Bill seeks to establish an appellate tribunal to adjudicate the first appeals against the DPA’s decision, and the second appeal can be filed before the Supreme Court of India.
Conclusion
The two fronted approaches discussed above is necessary for not just the common Indian citizen but the security of the Indian nation. In light of the above, it may be surmised that while the Indian IT Act and the supplementary legislation, rules and regulations have been developed and come a long way since their original inception, they are not enough to secure data protection and guard against cyber threats.
There are numerous difficulties and instances to consider in providing for data protection and privacy laws in India, such as the paradoxical issue of preserving the anonymity of personal data while striving to identify the true culprit of an online crime due to identity theft and spoofing, thereby allowing anyone sitting anywhere in the world to conduct crimes to the point where they endanger the nation’s security.
While there is a need for new data protection law in India and a strong argument to be made in the favor of the PDP Bill, at the same time, it may be said that over the years the Indian government has advanced from minimal policing of cyber and data security in India to over-policing. Many critics have vocalised their concerns over the over-reaching powers granted to the Indian government under the PDP Bill, for instance, to prescribe what constitutes critical personal data and many foreign entities consider the changes proposed thereunder to be too strict for compliance. Thus, while the Indian government may be likely to adopt the version of the PDP Bill recommended by the joint parliamentary committee, several major issues remain to be debated on the front of data protection in India.
