Data protection law in India
Recently whatsapp updated its privacy policy in India which will allow it to share the business data on whatsapp with facebook. After the announcement there has been a situation of panic among the people af fear of data leak has arisen in the minds of people. Although whatsapp claims that there won’t be such a situation as only business data and no personal data will be shared with facebook but whatsapp’s credibility is doubtful as it has a different privacy policy for European countries. The announcement also comes in the backdrop of news of sensitive data leaks from companies like dominos and AirIndia although for quite some time news of data leaks from different companies has been coming but the issue is really serious now. To put this into context India saw a 37% increase in data leaks in 2020 and this year already cases of various data breaches have come out hence the question arises what framework does our government have for such data breaches.
Although India does not have any data protection law as vast as that of other countries especially European countries but information technology Act which was passed in 2000 provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication commonly referred to as electronic commerece which involve the use of alternative to paper based methods of communication and storage of information to facilitate electronic filing of documents with the government agencies.
The Act also defines cyber crimes and prescribes penalties for them.
Section 65- tampering with computer source document
Section 66- hacking wit a computer system
Section 67- publishing of information which is obscene in electronic form
Section 68- the power of controller to give direction
Section 69- directions of the controller to a subscriber to extend facilities to decrypt information
Section 70- protected system
Section 71- penalty for misrepresentation
The Act was amended in 2008amended in 2008 which introduced the following offences:
Section 66B- receiving stolen computer or communication device
Section 66C- using the password of another person
Section 66D- cheating using computer resource
Section 66E- publishing private images of others
Section66F- Acts of cyberterrorism
Section67A- publishing images containing sexual acts
Section67B- publishing child porn or predating children online
Section67C- failure to maintain records
Section 72A- disclosure of information in breach of lawful contract
Section73- publishing electronic signature certificate false in certain particulars
Section74- publishing for the fraudulent purpose
The punishment for the above-mentioned offence can extend to imprisonment for life and or an indefinite amount of fine.
The act has faced a great amount of scrutiny and has been constantly criticized for its narrow scope and applicability as it seems ineffective concerning recent data leaks. The critics have also argued that the act does not deal sufficiently with the offence of data breach section-72A of the act which specifically deals with the offence of data breach states that section 72A- punishment for disclosure of information in breach of lawful contract. Saves as otherwise provided in this act or any other law for the time being in force any person including an intermediary who, while providing services under the terms of the lawful contract has secured access to any material containing personal information about another person with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses without the consent of the person concerned or in breach of a lawful contract such material to any other person shall be punished with imprisonment for a term which may extend to three years or with fine which may extend to five lakhs or with both.
Therefore in reaction to the rising cases of data breaches and the act’s low applicability in dealing with such breaches a committee was constructed in 2017 headed by Retd. Justice BN Srikrishna propose a statute on data protection committee tabled its opinion and the personal data Data Protection Bill was introduced by the Ministry of Electronics and Information Technology in 2018. The bill was not passed by the parliament and also received heavy criticism. The bill received heavy criticism because it was deemed to be giving excessive power to the state. Retd. Justice BN Srikrishnan himself termed the bill as having the ability to turn India into an Orwellian state hence a revised bill was introduced in the parliament in 2019.
The amended bill aims to provide for the protection of the privacy of individual relating to their data specify the flow and usage of personal data create a relationship of trust between persons and entities processing the personal data protect the fundamental rights of individuals whose personal data are processed to create a framework for organizational and technical measures in the processing of data laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data remedies for unauthorized and harmful processing and to establish a data protection authority of India for the said purposes for matters connected therewith or incidental thereto. The bill was sent for further analysis expert analysis to a Joint Parliamentary Committee headed by a member of Parliament Meenakshi Lekhi As of 2021 it is still with the committee and awaits introduction in the parliament.
