The cyber and data security laws in India

Cyber space is where an average human spends a considerable amount of his time today. It certainly is our right and duty to know and be aware of the rules and regulations i.e. laws governing the cyber space in our country. Here are some of the integral legislations pertinent to cyber security and data privacy:

A. The Information Technology Act, 2000 (IT Act) and the Information Technology (Amendment) Act, 2008:

The IT Act contains provisions for the protection of electronic data. The IT Act penalises ‘cyber contraventions’ (Section 43(a)–(h)), which attract civil prosecution, and ‘cyber offences’ (Sections 63–74), which attract criminal action.

The IT Act was originally passed to provide legal recognition for e-commerce and sanctions for computer misuse. Breaches of data security could result in the prosecution of individuals who hacked into the system, under Sections 43 and 66 of the IT Act. the IT (Amendment) Act 2008 was passed, which, inter alia, incorporated two new sections into the IT Act, Section 43A and Section 72A, to provide a remedy to persons who have suffered or are likely to suffer a loss on account of their personal data not having been adequately protected.

B. A Data (Privacy and Protection) Bill 2017 (the Data Privacy Bill 2017) :

It was introduced in Parliament in July 2017. Apart from intending to make the right to privacy a statutory right and streamlining the data protection regime in India, it seeks the establishment of a Data Privacy and Protection Authority for the regulation and adjudication of privacy-related disputes. It is yet to be enacted into law.

C. Credit Information Companies Regulation Act, 2005(“CICRA”):

As per the CICRA, the credit information pertaining to individuals in India have to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have been made liable for any possible leak or alteration of this data.
The CICRA has created a strict framework for information pertaining to credit and finances of the individuals and companies in India. The Regulations under CICRA which provide for strict data privacy principles have recently been notified by the Reserve Bank of India.

What authorities are responsible for data protection?

No state or central authorities have yet been designated purely for the enforcement and regulation of data protection laws although any plaintiffs have the right to bring a matter of concern to a Court with suitable jurisdiction.

The Personal Data Protection Bill, 2018(“the PDPB”) contemplates the establishment and incorporation of a Data Protection Authority by the Central Government. It will consist of eminent former members of the judiciary. It will deal exclusively with data protection breach and cyber-crimes.

Types of cyber-criminal activities:

i. Hacking i.e. unauthorized access: Section 43A and Section 66A of the Information Technology Ac, 2000.

ii. Denial-of-service attacks: Causing disruption or denial of access to any person authorized to access any computer by any means- Section 43(e) and (f) of the Information Technology Act, 2000.

iii. Phishing:
a) Identity Theft: fraudulent or dishonest use of the electronic signature, password or other unique identification feature of any other person- Section 66C of ITA.
b) Cheating by personation: Using a computer/ communication device to cheat by pretending/representing to be another person or knowingly substituting one person for another- Section 66D, ITA

iv. Infection of IT systems with malware such as ransomware, spyware, worms, Trojans, and viruses is also a punishable offence.

Thus, identification of various types of cyber-crimes and the laws governing them is highly essential to prevent cyber-criminal activities in the first place, and to make the cyber space safer.
Article by Shrawani
Editing by Mahima Gupta