The Information Technology Act has served to be an important piece of legislation. An overview of its salient features would enable us to understand the significant contribution it has made in terms of helping our nation keep pace with the changing needs of the times. However, the Act cannot be stretched beyond its objectives. Surveillance is age old concept but the methods to achieve the same are evolving every day.

In contemporary times, it cannot be feasible to totally negate the fundamental exigencies of national security. There must be a fine balance between the needs of our security apparatus and the dignified existence of our citizenry. Policing cannot become a scourge for the people. Therefore, a separate data protection law detailing out the nuances of balancing security needs with citizens' rights is a must in present times.

Introduction
The rising volume of internet –based transactions in the last decade of the twentieth century necessitated states to arrive at a broad concensus and some semblance of uniformity across jurisdictions. In keeping with the spirit of the UNCITRAL, the Indian Parliament enacted the Information Technology Act,2000 to accord legal sanctity to the then emerging alternatives to paper- based methods of communication and storage of information.

The impetus to the process of having in place a legal regime on this score came from the voluminous increase in e-commerce or electronic trade. The ascertainment and enforcement of obligations and rights of the various stakeholders involved in such transactions i.e., the sellers, the buyers and the Internet Service Providers had to be clear and certain, and so were the transactions carried out in the electronic form require certainty of legal effect and validity. On the other hand it also seeks to facilitate the storage and use of electronic records by the Governmental agencies vis a vis filing, storage, maintaining and use of records.

The trajectory followed by the said act was of expanding the definition and meanings attributed to terms under the traditional law to things done in the virtual space. By this attribution, the functional equivalence between the traditional and the emerging ways of conducting trade and other activities could be achieved. The functional equivalence principle lays out criteria under which electronic communications may be considered equivalent to paper-based communications.[2] Hence, documents in the electronic form, could be legible by all, unaltered overtime, reproducible and authentic. All this would ensure acceptability of the document before public authorities and the courts.

Besides, It enacts a cyber law regime to regulate electronic communications, trade and commerce and prevent computer related crimes. An elaborate framework has been set up under the act for the purpose. Various certification authorities have been set up in order to oversee licensing, certification and monitoring, A regulator has been appointed to oversee these certification authorities.

A controller has been appointed to enable the Government to monitor and regulate activities like creating web pages, advertisements, bulletin board and most importantly, e-commerce originating from the country. to dispose off the appeals from the decisions of the Controller and adjudicating authorities,a Cyber Appellate Tribunal has been set up.

The Act provides for liability to pay compensation for unauthorized access to computer, its network and database. It seeks to punish a person who makes misrepresentation or suppresses any material fact to the Controller, of the IT activities or indulges in illegally accessing data,[3] hacking[4],etc.

Data Protection Under IT Act, 2000

The relevant Indian laws governing online data protection are the Information Technology Act, 2000 (IT Act) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. In 2009, S.43A was inserted by way of an amendment as a result of pressure from domestic and international IT industry and to keep up with stringent data protection laws prevailing in Europe as:
This was adversely affecting outsourcing.[5] The 2009 amendment brought body corporates within the compensation mechanism for failing to protect sensitive personal data or information owned, controlled or operated by it.

However, the provisions under the IT Act were found to be inadequate especially in comparison to the international standards in contemporary phase of the evolving jurisprudence in this respect. With the pervasion of digital element into our lives, the debate on data security has been reignited. It is a clichéd phrase that data is the new oil in present times.

In comparison to the much glorified GDPR[6] of the European Union, certain deficiencies in the Indian law have been briefly, though not exhaustively, summed up in the next paragraph. The GDPR specifically confers protection to natural persons and their rights and freedom upon data processing.

This is not expressed in the IT Act. Also, The GDPR expressly extends application of certain principles such as data integrity, protection from unlawful processing, accountability, fairness and transparency to data processing. The It Act, on the other hand,merely talks about the collection of information and use. Principles listed in the GDPR but not mentioned in IT Act are Unlike the GDPR[7], the IT Act does not have a provision that specifically deals with lawfulness of processing.

Also, the IT Act does not define consent or list the conditions for child's consent which are mandated under the GDPR. Both laws include biometric data, health records and sexual orientation in the list of sensitive data. GDPR and IT Act lay down additional categories of sensitive personal data that are not common to the two laws.

The GDPR commendably explicitly underscores various rights such as the Right of access, Right to restrict processing, Right to data portability, Right to object, Right to erasure, Right in relation to automated decision making and profiling.

Such a rights-oriented approach is missing in our Information technology regime, barring a vague reference in places. GDPR consists of additional and elaborate measures for security of data processing. These include appointing a data security officer, conducting privacy impact assessment, maintenance of records of processing which are missing in the Indian law.

The right to Compensation and the right to redress is a right under the GDPR but not under the IT Act. However, the comparison hitherto undertaken is flawed at the outset because of the very fact that the Indian Information Technology Act is not primarily a data security law which leads us to the pressing need that Indian must have a separate data security law.

The question of data privacy in India became mired in intense debates especially in the wake of the Supreme Court of India recognizing the right to privacy as a fundamental right in the case of Justice K.S.Puttaswamy v. Union of India.

Declaring right to privacy a fundamental right under part III of the Constitution, J. Kaul observed;
Let the right of privacy, an inherent right, be unequivocally a fundamental right embedded in part-III of the Constitution of India, but subject to the restrictions specified, relatable to that part. This is the call of today. The old order changeth yielding place to new.[8]

However, the same is not absolute. Section 6(2) of the Information Technology Act empowers the Central or State Government or any other competent authority to direct any agency of the appropriate government to monitor, intercept or decrypt any information transmitted, generated, received or stored in any computer resource on various grounds such as Security of the State, in the interest of sovereignty and integrity of India, friendly relations with foreign states, to maintain public order, to prevent incitement to the commission of an offence and investigation of crime.

This is not the only reason why this Section is considered a far greater violation of the citizens' right to privacy than any other piece of legislation concerning the monitoring and interception of data. This Section also enables the agencies to reach directly to subscribers besides through intermediaries. In case of Indian Telegraph Act, the network of Telecom Service Providers is envisaged as the location of interception but Section 69 covers intermediaries as well as the subscribers which renders it as a highly intrusive kind of surveillance.[9]

Conclusion
The Information Technology Act has served to be an important piece of legislation especially in the area of cyber crimes. Around 44, 546 cases were registered under the Cyber Crime head in 2019 as compared to 27, 248 cases in 2018. Therefore, a spike of 63.5% was observed in Cyber Crimes.[10] However, the Information technology Act, cannot be stretched beyond its objectives.

A separate data privacy law is a a must. Surveillance is age old concept but the methods to achieve the same are evolving every day. It is necessary to have certain guidelines on its regulation so that both the national security and the fundamental right are equally maintained. citizen. When a monitoring system undertakes surveillance without any specific purpose and intends to collect data in the pretext of national security it turns the democratic State into a Policing State.[11]

Steps such as appointment of judicial members in the committee which is responsible for deciding the initiation of surveillance order and also in the review committee which is responsible for reviewing such orders can add checks and balances. Recourse to interception should be the exception rather than the rule.

End-Notes:

1. Rameen Khan, LL.M Scholar, SLS, Department of Law, Central University of Kashmir
2. United Nations Commission On International Trade Law, UNCITRAL Model Law on Electronic Commerce (1996), available at https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_commerce seen 4.08 pm I.S.T
3. s. 43, Information Technology Act, 2000
4. s.66, Information Technology Act, 2000
5. Aparna Viswanathan, Indian & International Perspectives on key topics including data Security, E-commerce, Cloud Computing and Cyber Crimes'189 ( 2012)
6. General Data Protection Regulation
7. Justice K S Puttaswamy (Retd.) and anr v. Union of India and Ors. Writ petition (Civil) no. 494 of 2012 available at https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
8. Ananya Garg, Surveillance and privacy vis-à-vis Section 69 of the Information Technology Act' available at https://blog.ipleaders.in/surveillance-and-privacy-vis-a-vis-section-69-of-the-information-technology-act/
9. NCRB, Crime in India, vii(2019) snapshots
10. Sagnik Sarkar, Panoptical Surveillance of the State in a Dystopian Future-A threat to Privacy vol 7(1)Indian Insitute of Legal Studies Law Review p93(2021)