With the advancement of technology, cases related to cybercrime and data privacy are at their peak. In India, the ‘Right to Privacy’ was held to be a fundamental right guaranteed by Part III of the Constitution of India by the Supreme Court of India on August 24, 2017.
The only significant laws on data privacy and protection are the Information Technology Act, 2000 (“ITA”) and the “Reasonable practices and procedures and sensitive personal data or information Rules, 2011”.
Information Technology Act, 2000
The Act defines “data” as a representation of information, knowledge, facts, concepts, or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed, or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Section 43 of the Act deals with penalty and compensation for damage to the computer, computer system, etc. The amendment to the Act added Section 43-A, which deals with compensation for failure to protect data:
“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”
Offenses And Penalty
The prominent cyber and data privacy crimes are:
- Damaging, stealing, concealing, or altering data on a computer or system
- Data breach, and copying or extracting data from a personal drive, location, or device
- Sending offensive messages, obscene pictures, identity theft
- Violation of privacy
- Cyber terrorism
The offenses of data privacy and cyber crimes are mentioned under Chapter XI of the Act as:
- Section 65 (Tampering with computer source documents): If any person knowingly or intentionally conceals, destroys or alters, or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
- Section 66 (Computer-related offenses): If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment extending to three years or with a fine extending to five lakh rupees or with both.
- Section 66-A talks about Punishment for sending offensive messages through communication services, etc. Any person who sends, by means of a computer resource or a communication device, any information that is grossly offensive or has menacing character; or which he knows to be false; or for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment extending to three years and with fine.
- Section 66-B deals with Punishment for dishonestly receiving stolen computer resources or communication devices. Anyone who dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device shall be punished with imprisonment extending to three years or with fine extending to rupees one lakh or with both.
- Section 66-C talks about Punishment for identity theft. Any person who fraudulently or dishonestly makes use of the electronic signature, password, or any other unique identification feature of any other person, shall be punished with imprisonment extending to three years and shall also be liable to a fine which may extend to rupees one lakh.
- Section 66-D deals with Punishment for cheating by personation by using computer resources. Anyone who by means of any communication device or computer resource cheats by personation shall be punished with imprisonment extending to three years and shall also be liable to a fine which may extend to one lakh rupees.
- Section 66-E is about Punishment for violation of privacy. Whoever intentionally or knowingly captures, publishes, or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punishable with imprisonment extending to three years or with a fine not exceeding two lakh rupees, or with both.
- Section 66-F deals with Cyber terrorism. Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
- Section 67 deals with the Punishment for publishing or transmitting obscene material in electronic form. A person shall be punished on first conviction with imprisonment extending to three years and with a fine extending to five lakh rupees and in the event of second or subsequent conviction with imprisonment extending to five years and also with a fine which may extend to ten lakh rupees.
- Section 72 (Penalty for breach of confidentiality and privacy): Any person who has secured access to any electronic record, book, register, correspondence, information, document, or other material and, without the consent of the person concerned, discloses such electronic record, book, register, correspondence, information, document, or other material to any other person shall be punished with imprisonment extending to two years, or with fine extending to one lakh rupees, or with both.
- An amendment to the Act inserted Section 72-A, which deals with Punishment for disclosure of information in breach of lawful contract. Anyone who has secured access to any material containing personal information about another person and who, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person, without the consent of the person concerned or in breach of a lawful contract, shall be punished with imprisonment extending to three years, or with fine extending to five lakh rupees, or with both.
Information Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011
The 2011 Rules have been framed under Section 43A of the Information Technology Act, 2000 (“IT Act”).
The main highlights of the rules are:
- The rules only apply to bodies corporate and persons located in India.
- Rule 3 defines sensitive personal data or information of a person as information relating to: password; financial information; physical, physiological, and mental health conditions; sexual orientation; medical records and history; biometric information; and so on. However, any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.
- Rule 4 asks a body corporate to provide a policy for privacy and disclosure of information, including sensitive personal data or information, and to ensure that the policy is available for view by the providers of information who have provided such information under a lawful contract.
- Rule 5 imposes duties and guidelines on the body corporate while collecting information.
- Rule 6 says that any disclosure of sensitive personal data or information to a third party shall have the prior permission of the provider.
- Rule 8 defines reasonable security practices and procedures implemented by bodies corporate. The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).
Data Protection Bill, 2019
A Committee chaired by Judge B. N. Srikrishna was established to examine various issues related to data protection in India. The Committee submitted its report, together with the Proposed Personal Data Protection Bill, 2018, to the Department of Information Technology and Technology in July 2018. The Protection of Personal Information Bill, 2019 states that the Bill is based on the recommendations of the Expert Committee report and recommendations received from various stakeholders.
The Bill regulates personal information relating to the public, as well as the processing, collection, and storage of such data. Under the Bill, the data principal is a person whose personal data is used. A business or individual that determines the methods and objectives of data processing is known as a data fiduciary. The Bill regulates the processing of personal data by the government and companies incorporated in India. It also controls foreign companies when they deal with the personal details of Indian people.