Cyber Laws

Introduction and rights over our data

The Internet has become the lifeline of today’s world. It has now become a common place for everything including work, entertainment, education, business, monetary transactions, and connecting to people. We spend most of our time on the internet than in the real world so it is only fair we are all known as ‘netizens’ (citizens of the internet) and with more than 56% of the entire world population using the internet, there has even been growth in online crimes such as cyberbullying, data harvesting, cyber fraud. Etc. The most important issue while accessing the internet is threat to privacy. Therefore, it is very essential to have proper legislation to govern the activities on the internet and make it a secure place for netizens. These legislations governing the activities over the internet are collectively known as cyber laws. There are many types of cyber law, such as laws regarding online content streaming, net banking norms, crypto currency norms, but this article shall mainly focus on the Privacy and rights over our personal data.

When a user goes into a website, or runs an application, the amount of personal information the companies behind them can gather is shocking. From mere accessing a website, they can learn about your browser history, location, and various other details. These details after being harvested over the years become very accurate and have huge potential to be used against you. So, in order to protect us from such misuses of our data, Cyber Laws have been implemented.

The biggest concern to an average user is the corporates behind any website or applications harvesting their “sensitive personal data”. In the Information Technology Act, 200 the phrase sensitive personal data has been defined as:

“such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit”

The definition in the act is vague and ambiguous, and gives the Central Government the power to determine which data falls within the category. However, the General Data Protection Rules has defined sensitive personal data as data relating to:

  • The racial or ethnic origin of a person
  • Their political opinions
  • Their religious beliefs or other beliefs of a similar nature
  • Whether they are a member of a trade union
  • Their physical or mental health or condition
  • Their sexual life
  • The commission or alleged commission by them of any offence or
  • Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Apart from this information, companies can also gather your Aadhar number, bank account information and many more. This article shall try to shed some light on legislations formulated protect our data and our rights over our data, and talk about remedies in case of data law violation.

Rights over our data

The European Union (EU) was the first in the world to formulate a proper comprehensive rule to regulate companies on how our data is to be used and for what purposes our data can be collected, while providing netizens with absolute control over their data. The General Data Protection Rules (GDPR) was brought into force in 2018 and subsequently laid down some key principles regarding collection and processing of user data, which are as follows:

  • Fairness and Transparency: The users must be aware of what information are being collected, and must be able to choose and disable the information they do not wish to share. The companies collecting such data must be transparent and should inform the user about the purpose of gathering their information and usage of such data.
  • Limitation of Purpose: The Limitation of Purpose refers to the purpose of data usage. In other words, GDPR has limited the scope of what corporations can do with our data. As per the rules, our data must be used for legitimate and lawful purposes. The purpose of the collection must be clearly established and informed to the user. This ensures user’s security and prevents from data falling in the hands of a third party without their knowledge.
  • Data Minimization and accuracy: GDPR mandates that corporations should collect only such data which are absolutely necessary for serving the purpose of the application or website we are on. For example, when you install a game in your smart phone, it might require access to internet connection, social media – for sharing your in-game statistics with friends, and access to microphone for communicating, but it will not require access to your contacts, camera, calendar, or personal files. The application is allowed to access only those features necessary for it to function properly and even such access must be expressly accepted by users, furthermore, users can choose and restrict any access that seems unnecessary.  Some information collected from our social media may be stored by the application, but we can exercise our right to erasure and have the corporations permanently delete our data.
  • Time limitation: Companies can store our personal information in their massive servers for as long as they want. Hence, GDPR has placed limitations on the time of storing data, now companies are not allowed to store our data for longer than required.
  • Confidentiality: The most important concern while sharing our data is privacy, companies might share them with third party and we might receive targeted advertisements at best, and be subjected to online fraud and identity theft at worst. Therefore, it is essential that our data remains only with the ones who we choose to give, and GDPR has placed a strict rule of confidentiality on corporations collecting our data. No data can be shared with any third party without our express consent.
  • Accountability: GDPR places strict penalties on corporations that breach any rule regarding personal data and can impose fines that can go to the tune of millions for any such breach.

GDPR being the pioneer in data protection laws has created a great example of netizens’ data security and soon other countries followed suit. India came up with its own data protection rules viz.(PDPB) which was introduced in 2019, but has not become a law yet. PDPB has been formulated on the similar lines of GDPR to make Indian netizens more secure while accessing the internet.

Some key features of PDPB are as follows:

  • Accountability: Similar to the GDPR the PDPB also holds corporations accountable for any breach in user data. Furthermore, the users are to be informed of what data is being shared with a third party, and the data must never be sent outside the territory of India without express consent by the user.
  • Fiduciary Obligations: Fiduciary obligations regarding the collection and processing of data limits the scope of purposes of data collection. The collected information must be used for a legitimate and lawful purpose. Also, express consent is required for the collection and processing of data. The corporations must be transparent to the users about their personal data and must inform the authorities in case of any breach.
  • Data Protection Authority: PDPB seeks to establish a Data Protection Authority to protect netizens’ rights and prevent from any misuse or breach of their personal information.
  • Right to erasure: Similar to the GDPR, PDPB also introduces the right to erasure that vests users with absolute control over their data. We can ask corporations to delete every data of ours by simply writing an email.
  • Penalties: Strict penalties shall be imposed on failure to comply with the provisions of the PDPB. On failure to comply with data fiduciary, the corporations shall be liable to pay a fine which may extend up to Rs. 5 Crores or 2% of their overall worldwide turnover of the preceding financial year, whichever is greater. For violation of data processing rules the corporations shall be liable to pay a fine of Rs. 15 crores of 4% of their annual turnover, whichever is higher.

Since PDPB has still not been made a law, Indian netizens are dependent on Information Technology Act, 2000 (ITA) for the protection of our rights and multiple amendments have been made in it for protection of our rights.

Protection of Data under IT Act, 2000

The IT Act mandates the corporations to protect the data of netizens and imposes strict penalties in failure to do so.

Section 43A of the IT Act reads imposes compensation on failure to protect data, and the Section reads as follows:

“43A. Compensation for failure to protect data: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. –For the purposes of this section:

  • body corporate‖ means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
  • reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
  • sensitive personal data or information‖ means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The IT Act through this section mandates corporations collecting our data to keep them safe and out any third party’s hand. Companies must be careful while storing our data and any breach due whether intentional or due to negligence shall be penalised, making our data safer, similar to the GDPR in some ways.

Further, in Section 72 the act imposes strict penalties for breach of confidentiality and privacy. The section reads as follows:

“72. Penalty for Breach of confidentiality and privacy.– Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”

Therefore, as per the statute, any person or corporation collecting our data has strict liability to maintain confidentiality and should not share our data to anyone else without our express consent. Severe penalties can be imposed on failure to do so.

Other than companies, people close to us can also gain access to our personal information and data, and the same can be accessed by hackers. Therefore, it is pertinent to protect netizens from violation of privacy by persons as well. This has been taken care by the IT Act in Section 66E. The section reads as follows:

“66E. Punishment for violation of privacy – Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

Explanation – For the purposes of this section

  • transmit‖ means to electronically send a visual image with the intent that it be viewed by a person or persons;
  • capture‖, with respect to an image, means to videotape, photograph, film or record by any means;
  • private area‖ means the naked or undergarment clad genitals, public area, buttocks or female breast:
  • publishes‖ means reproduction in the printed or electronic form and making it available for public;
  • under circumstances violating privacy‖ means circumstances in which a person can have a reasonable expectation that
  • he or she could disrobe in privacy, without being concerned that an image of his private area was being captured;
  •  any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.”

It is very common for people to share personal pictures and information about other people for various reasons such as revenge, access to private bank accounts, and even at times just for fun. These bizarre acts have been criminalised and strict penalties have been imposed under this section.

Remedies and Adjudicating Authority

The Adjudicating Authority in cases of Cyber Law has been prescribed in Section 46 of the ITA. Any aggrieved party who becomes a victim of cybercrimes shall approach the Adjudicating Authority for speedy redressal. It lays down how an adjudicating officer shall be appointed and who can be an adjudicating officer, it reads as follows:

“46. Power to adjudicate-

  • For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, 1 [direction or order made thereunder which renders him liable to pay penalty or compensation,] the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.
  • The adjudicating officer appointed under sub-section (1) shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crore:
  • Provided that the jurisdiction in respect of the claim for injury or damage exceeding rupees five crores shall vest with the competent court.
  • The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty or award such compensation as he thinks fit in accordance with the provisions of that section.
  • No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.
  • Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.
  • Every adjudicating officer shall have the powers of a civil court which are conferred on the ―Appellate Tribunal under sub-section (2) of section 58, and
  • all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code (45 of 1860)
  • shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973 (2 of 1974)
  • shall be deemed to be a civil court for purposes of Order XXI of the Civil Procedure Code, 1908 (5 of 1908)

A victim of any crime of Cyber Law under the purview of the IT Act, 200 must first approach the Adjudicating Officer for dispute redressal, and if not satisfied with the relief granted by such officer, can prefer appeal before the Cyber Appellate Tribunal as per Section 57 of the act.

The Jurisdiction of Civil Courts have been barred in cases arising under the purview of IT Act under Section 61, and the Cyber Appellate Tribunals have been vested with similar powers to that of a Civil Court, and is deemed to be a civil court as per Section 46(2)(b) of the act.

If the aggrieved persons are further not satisfied with the relief granted by the Tribunal, they must approach the High Court having competent territorial jurisdiction to scrutinize the order of the Tribunal.

As apparent from this section, Cyber Appellate Tribunal has bee

The statute states that an adjudicating officer shall be appointed for proper remedy in Cyber Law cases and shall be a person who is not below the rank of a Director to the Government of India or an officer of a State Government.

Conclusion

Indian netizens have been made safer by various amendments in existing legislations, rights over our data have been more comprehensively defined and more and more control has been given to the users. However, when looking at the global scenario, Indian statutes are lagging far behind.

PDPB if implemented might give us similar rights and control over our data as that of European Union citizens. But even with lack of proper legislation we have enough rights to feel safe over regarding our data and have proper adjudicating authorities for speedy remedy.

The legislations are changing fast with time and PDPB is to be implemented in a phased manner and substitute provisions of the IT Act with regard to data protection. If implemented properly, the Cyber Laws in India can be at par with the GDPR and Indian netizens can be as secure as the citizens of developed countries.

Lets Connect

Disclaimer

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking the “Agree” button and accessing this website (www.daslegal.co.in) the user fully accepts that you are seeking information of your own accord and volition and that no form of solicitation has taken place by the Firm or its members.

The information provided under this website is solely available at your request for information purposes only. It should not be interpreted as soliciting or advertisement. The firm is not liable for any consequence of any action taken by the user relying on material / information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.