Recently WhatsApp updated its privacy policy in India which will allow it to share the business data on WhatsApp with Facebook. After the announcement there has been a situation of panic among the people as fear of data leak has arisen in the minds of people. Although, WhatsApp claims that there won’t be such a situation as only business data and no personal data will be shared with Facebook but WhatsApp’s credibility is doubtful as it has a different privacy policy for European countries.

The announcement also comes in the backdrop of news of sensitive data leaks from companies like Domino’s[1] and Air India[2]. Although, for quite some time news of data leaks from different companies has been coming but the issue is really serious now[3]. To put this into context India saw a 37% increase in data leak in 2020[4] and this year already cases of various data breaches have come out[5]. Hence, the question arises what framework does our government have for such data breaches.

Although India does not have any data protection law as vast as that of other countries especially European countries but Information Technology Act which was passed in 2000 “provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies.”[6]

The Act also defines cyber crimes and prescribes penalties for them.

The original act provided for the following offences:
Section 65. Tampering with computer source documents.[7]
Section 66. Hacking with a computer system.[8]
Section 67. Publishing of information which is obscene in electronic form.[9]
Section 68. Power of Controller to give directions.[10]
Section 69. Directions of Controller to a subscriber to extend facilities to decrypt Information.[11]
Section 70. Protected system.[12]
Section 71. Penalty for misrepresentation.[13]

The act was amended in 2008 which introduced the following offences:
Section 66B. Receiving stolen computer or communication device[14]
Section 66C. Using the password of another person[15]
Section 66D. Cheating using computer resource[16]
Section 66E. Publishing Private images of others[17]
Section 66F. Acts of cyberterrorism[18]
Section 67A. Publishing Images containing sexual acts[19]
Section 67B. Publishing child porn or predating children online[20]
Section 67C. Failure to maintain records[21]
Section 72A. Disclosure of information in breach of lawful contract[22]
Section 73. Publishing electronic signature certificate false in certain particulars[23]
Section 74. Publication for fraudulent purpose[24]

The punishments for the above-mentioned offences can extend to imprisonment for life and/or an indefinite amount of fine.

The act has faced a great amount of scrutiny and has been constantly criticized for its narrow scope and applicability as it seems ineffective concerning recent data leaks. The critics have also argued that the act does not deal sufficiently with the offence of data breach. Section 72A of the Act which specifically deals with the offence of data breach states that,

Section 72A. Punishment for disclosure of information in breach of lawful contract.[25]
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

Therefore, in reaction to the rising cases of data breaches and the act’s low applicability in dealing with such breaches a committee was constituted in 2017 headed by Retd. Justice BN Srikrishna to propose a statute on data protection. The committee tabled its opinion and Personal Data Protection Bill was introduced by the Ministry of Electronics and Information Technology in 2018. The bill was not passed by the parliament and also received heavy criticism. The bill received heavy criticism because it was deemed to be giving excessive power to the state. Retd. Justice BN Srikrishnan himself termed the bill as having the ability to turn India into an Orwellian state.[26] Hence, a revised bill was introduced in the parliament in 2019.

The Amended Bill aims to:
“to provide for protection of the privacy of individuals relating to their data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.”[27]

The bill was sent for further expert analysis to a Joint Parliamentary Committee headed by Member of Parliament, Meenakshi Lekhi. As of May 2021, it is still with the Committee and awaits introduction in the parliament.

Conclusion
It is to be noted that with digitalization various aspects of an individual’s life are changing which include parameters of security of an individual. Now protecting a person does not mean the protection of his body and property only, a new aspect, data has been introduced to such list.

Today we are surrounded by the digital world, our every information, personal details, financial details, travel details are there in the digital world and if not protected effectively can fall into the wrong hands. Thus, it is of utmost importance that an effective data protection law is passed and put to force in India.

End-Notes:

1. https://indianexpress.com/article/technology/tech-news-technology/dominos-data-breach-name-address-other-details-of-over-18-crore-orders-leaked-7328416/
2. https://indianexpress.com/article/explained/air-india-sita-data-breach-explained-7325501/
3. https://analyticsindiamag.com/10-biggest-data-breaches-that-made-headlines-in-2020/
4. https://www.theweek.in/news/biz-tech/2020/11/17/india-sees-37-increase-in-data-breaches-cyber-attacks-this-year.html
5. https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html
6. Information Technology Act, 2000
7. Ibid
8. Ibid
9. Ibid
10. Ibid
11. Ibid
12. Ibid
13. Ibid
14. Ibid
15. Ibid
16. Ibid
17. Ibid
18. Ibid
19. Ibid
20. Ibid
21. Ibid
22. Ibid
23. Ibid
24. Ibid
25. Section 72A, IT Act, 2000
26. https://economictimes.indiatimes.com/news/economy/policy/personal-data-protection-bill-can-turn-india-into-orwellian-state-justice-bn-srikrishna/articleshow/72483355.cms
27. The Personal Data Protection Bill, 2019

Written By: Raghav Agarwal, 2nd Year BBA LLB, USLLS, GGSIPU