Data theft laws in India and its implication
Introduction
In the contemporary era dominated by information, where data holds immense power and serves as a form of currency, the unauthorized acquisition and exploitation of this valuable resource have emerged as a widespread and intricate challenge. This issue carries significant consequences for individuals, organizations, and even entire nations. Recently, a case unfolded, described as potentially the most extensive data leak in the country, involving the exposure of personal details from over 81.5 crore Indians, purportedly sourced from the Indian Council of Medical Research (ICMR). This incident is just one among numerous instances of data breaches, highlighting the urgent necessity for a robust and comprehensive data protection framework.
Data theft, encompassing unauthorized access, acquisition, or retrieval of confidential information, has become a pervasive concern for individuals and enterprises alike. In India, the legal landscape governing data theft has primarily been shaped by the Information Technology Act, 2000, and subsequent amendments. This legislation, coupled with provisions from the Indian Penal Code, has been instrumental in addressing offenses related to unauthorized access and data breaches.
Data theft laws in India
Data theft, also referred to as data breach or intrusion, entails the unauthorized acquisition, replication, or retrieval of confidential or sensitive information from individuals or enterprises without their knowledge or consent. This may involve the illicit acquisition or hacking of passwords, banking details, personal information, client particulars, or corporate data like trade secrets, software, source codes, and proprietary information. In the Indian context, the regulation of data theft primarily falls under the purview of the Information Technology Act, 2000.
Provisions within the IT Act extend penalties to actions related to the disclosure of information in violation of lawful contracts (Section 72A) and breaches of confidentiality and privacy (Section 72). Section 43 addresses unauthorized access to computer systems, networks, or electronic devices, imposing penalties for unauthorized copying, extraction, or downloading of data. Section 66 of the IT Act specifically targets computer-related offenses, including data theft, punishing unauthorized access to computer systems with the intent to commit or facilitate data theft.
While the introduction of the Personal Data Protection Bill in 2019 aimed to bolster data protection and privacy in India, its status as law was pending as of the last update. The bill outlined regulations for the collection, storage, processing, and transfer of personal data.
In instances of data breaches, certain sections of the Indian Penal Code (IPC) can also come into play. For example, Section 403 deals with the criminal penalty for dishonest misappropriation or conversion of movable property for personal use. Section 378, originally addressing theft of immovable property, could be invoked if data stored in hardware devices like floppy disks or pen drives is stolen.
Moreover, Section 63B of the Indian Copyright Act stipulates punishment for individuals knowingly using a computer or infringing copy of a computer program.
A notable legal precedent was established by the Supreme Court in the case of Jagjeet Singh v. State of Punjab & Anr. (Special Leave Petition (Criminal) No. 3583 of 2021). The judgment emphasized that instances of hacking and data theft could be considered offenses under the IPC, highlighting that the IT Act does not exclude the applicability of the IPC in matters related to hacking and data theft.
Digital Personal Data Protection Act, 2023:
The newly passed DPDP Act extensively tackles the concern of data theft and imposes substantial responsibilities on data fiduciaries. These fiduciaries, acting as guardians of personal data, hold the principal duty to protect this information from theft, breaches, and unauthorized access. The legislation mandates the implementation of rigorous protocols, encryption methods, and access controls by data fiduciaries to secure the data they gather and handle.
In contrast to the 2019 version of the bill, the 2023 DPDP Act is more restrained, featuring diminished obligations for businesses and fewer protections for consumers. On the one hand, the regulatory structure is simpler, but on the other, it vests the central government with unguided discretionary powers in some cases. The DPDP Act is applicable to both Indian residents and businesses that collect the data of Indian residents. Notably, it extends its reach to non-citizens residing in India, whose data processing is linked to activities related to the offering of goods or services outside India.
Introducing a pioneering data privacy law in 2023, the act mandates obtaining consent before processing personal data and outlines specific exceptions clearly defined in the legislation. This marks the establishment of India’s first statutory framework for data protection, fostering the gradual development of minimal standards of behavior and compliance for businesses engaged in data collection.
The act excludes non-automated personal data, offline personal data, and personal data in existence for at least 100 years. Notably, the maximum penalty limit of INR 500 crore has been eliminated. As of now, the act does not incorporate provisions for grievance redressal review. The timeline of 72 hours within which a data breach is to be reported to authorities is excluded.
Apart from the uncertainties surrounding the implementation, there are reservations about certain aspects of the law and how they might compromise the protections seemingly provided by it.
Conclusion
The rapid evolution of information technology presents new legal challenges that transcend traditional categories such as Criminal Law, Intellectual Property Law, Contract, and Tort. One such formidable challenge is the escalating threat of Data Theft, where information in the form of data is illicitly copied or taken from a business or individual without their knowledge or consent.
Recognizing data as a valuable asset, it becomes evident that despite being one of the largest countries globally in terms of internet users, India lacks a robust legal framework to safeguard its citizens’ data. The existing IT laws in India are a decade old and prove insufficient in addressing the contemporary challenges faced by the current generation. Moreover, these laws suffer from inadequate implementation by both the executive and legislative branches. The appointment of adjudicating officers, intended to resolve conflicts, remains unfulfilled in many states. Additionally, there is a lack of standardized guidelines or penalty formats mandated by the legislature for adjudicating officers to follow. This lack of uniformity creates chaos, with different officers employing disparate procedures and judgments based on their individual discretion.
The urgent need is apparent for a robust technical law that can establish a formidable data protection mechanism for the citizens of the country. Laws should not only address present challenges but also anticipate and mitigate potential future issues, providing a comprehensive and adaptive legal framework.
“PRIME LEGAL is a full-service law firm that has won a National Award and has more than 20 years of experience in an array of sectors and practice areas. Prime legal fall into a category of best law firm, best lawyer, best family lawyer, best divorce lawyer, best divorce law firm, best criminal lawyer, best criminal law firm, best consumer lawyer, best civil lawyer.”
Written by- Amrita Rout