The Information Technology Act has served to be an important piece of
legislation. An overview of its salient features would enable us to understand
the significant contribution it has made in terms of helping our nation keep
pace with the changing needs of the times. However, the Act cannot be stretched
beyond its objectives. Surveillance is age old concept but the methods to
achieve the same are evolving every day.
In contemporary times, it cannot be
feasible to totally negate the fundamental exigencies of national security.
There must be a fine balance between the needs of our security apparatus and the
dignified existence of our citizenry. Policing cannot become a scourge for the
people. Therefore, a separate data protection law detailing out the nuances of
balancing security needs with citizens' rights is a must in present times.
The rising volume of internet –based transactions in the last decade of the
twentieth century necessitated states to arrive at a broad concensus and some
semblance of uniformity across jurisdictions. In keeping with the spirit of the
UNCITRAL, the Indian Parliament enacted the Information Technology Act,2000 to
accord legal sanctity to the then emerging alternatives to paper- based methods
of communication and storage of information.
The impetus to the process of
having in place a legal regime on this score came from the voluminous increase
in e-commerce or electronic trade. The ascertainment and enforcement of
obligations and rights of the various stakeholders involved in such
transactions i.e., the sellers, the buyers and the Internet Service Providers
had to be clear and certain, and so were the transactions carried out in the
electronic form require certainty of legal effect and validity. On the other hand
it also seeks to facilitate the storage and use of electronic records by the
Governmental agencies vis a vis filing, storage, maintaining and use of records.
The trajectory followed by the said act was of expanding the definition and
meanings attributed to terms under the traditional law to things done in the
virtual space. By this attribution, the functional equivalence between the
traditional and the emerging ways of conducting trade and other activities
could be achieved. The functional equivalence principle lays out criteria under
which electronic communications may be considered equivalent to paper-based
communications. Hence, documents in the electronic form, could be legible by
all, unaltered overtime, reproducible and authentic. All this would ensure
acceptability of the document before public authorities and the courts.
Besides, It enacts a cyber law regime to regulate electronic communications,
trade and commerce and prevent computer related crimes. An elaborate framework
has been set up under the act for the purpose. Various certification authorities
have been set up in order to oversee licensing, certification and monitoring, A
regulator has been appointed to oversee these certification authorities.
controller has been appointed to enable the Government to monitor and regulate
activities like creating web pages, advertisements, bulletin board and most
importantly, e-commerce originating from the country. to dispose off the appeals
from the decisions of the Controller and adjudicating authorities,a Cyber
Appellate Tribunal has been set up.
The Act provides for liability to pay compensation for unauthorized access to
computer, its network and database. It seeks to punish a person who makes
misrepresentation or suppresses any material fact to the Controller, of the IT
activities or indulges in illegally accessing data, hacking,etc.
Data Protection Under IT Act, 2000
The relevant Indian laws governing online data protection are the Information
Technology Act, 2000 (IT Act) and Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011. In 2009, S.43A was inserted by way of an amendment as a result of
pressure from domestic and international IT industry
and to keep up with
stringent data protection laws prevailing in Europe as:
This was adversely
affecting outsourcing. The 2009 amendment brought body corporates within
the compensation mechanism for failing to protect sensitive personal data or
information owned, controlled or operated by it.
However, the provisions under the IT Act were found to be inadequate especially
in comparison to the international standards in contemporary phase of the
evolving jurisprudence in this respect. With the pervasion of digital element
into our lives, the debate on data security has been reignited. It is a clichéd
phrase that data is the new oil in present times.
In comparison to the much
glorified GDPR of the European Union, certain deficiencies in the Indian
law have been briefly, though not exhaustively, summed up in the next
The GDPR specifically confers protection to natural persons and their rights and
freedom upon data processing.
This is not expressed in the IT Act. Also, The GDPR expressly extends application of certain principles such as data
integrity, protection from unlawful processing, accountability, fairness and
transparency to data processing. The It Act, on the other hand,merely talks
about the collection of information and use. Principles listed in the GDPR but
not mentioned in IT Act are Unlike the GDPR, the IT Act does not have a
provision that specifically deals with lawfulness of processing.
Also, the IT
Act does not define consent or list the conditions for child's consent which
are mandated under the GDPR. Both laws include biometric data, health records
and sexual orientation in the list of sensitive data. GDPR and IT Act lay down
additional categories of sensitive personal data that are not common to the two
The GDPR commendably explicitly underscores various rights such as the
Right of access, Right to restrict processing, Right to data portability, Right
to object, Right to erasure, Right in relation to automated decision making and
Such a rights-oriented approach is missing in our Information
technology regime, barring a vague reference in places. GDPR consists of
additional and elaborate measures for security of data processing. These include
appointing a data security officer, conducting privacy impact assessment,
maintenance of records of processing which are missing in the Indian law.
right to Compensation and the right to redress is a right under the GDPR but
not under the IT Act. However, the comparison hitherto undertaken is flawed at
the outset because of the very fact that the Indian Information Technology Act
is not primarily a data security law which leads us to the pressing need that
Indian must have a separate data security law.
The question of data privacy in India became mired in intense debates especially
in the wake of the Supreme Court of India recognizing the right to privacy as a
fundamental right in the case of Justice K.S.Puttaswamy v. Union of
Declaring right to privacy a fundamental right under part III of the
Constitution, J. Kaul
Let the right of privacy, an inherent right, be unequivocally a fundamental
right embedded in part-III of the Constitution of India, but subject to the
restrictions specified, relatable to that part. This is the call of today. The
old order changeth yielding place to new.
However, the same is not absolute. Section 6(2) of the Information Technology
Act empowers the Central or State Government or any other competent authority
to direct any agency of the appropriate government to monitor, intercept or
decrypt any information transmitted, generated, received or stored in any
computer resource on various grounds such as Security of the State, in the
interest of sovereignty and integrity of India, friendly relations with foreign
states, to maintain public order, to prevent incitement to the commission of an
offence and investigation of crime.
This is not the only reason why this Section
is considered a far greater violation of the citizens' right to privacy than any
other piece of legislation concerning the monitoring and interception of data.
This Section also enables the agencies to reach directly to subscribers besides
through intermediaries. In case of Indian Telegraph Act, the network of Telecom
Service Providers is envisaged as the location of interception but Section 69
covers intermediaries as well as the subscribers which renders it as a highly
intrusive kind of surveillance.
The Information Technology Act has served to be an important piece of
legislation especially in the area of cyber crimes. Around 44, 546 cases were
registered under the Cyber Crime head in 2019 as compared to 27, 248 cases in
2018. Therefore, a spike of 63.5% was observed in Cyber Crimes. However,
the Information technology Act, cannot be stretched beyond its objectives.
separate data privacy law is a a must. Surveillance is age old concept but the
methods to achieve the same are evolving every day. It is necessary to have
certain guidelines on its regulation so that both the national security and the
fundamental right are equally maintained. citizen. When a monitoring system
undertakes surveillance without any specific purpose and intends to collect data
in the pretext of national security it turns the democratic State into a
Steps such as appointment of judicial members in the
committee which is responsible for deciding the initiation of surveillance order
and also in the review committee which is responsible for reviewing such orders
can add checks and balances. Recourse to interception should be the exception
rather than the rule.
- Rameen Khan, LL.M Scholar, SLS, Department of Law, Central University
- United Nations Commission On International Trade Law, UNCITRAL Model
Law on Electronic Commerce (1996), available at https://uncitral.un.org/en/texts/ecommerce/modellaw/electronic_commerce
seen 4.08 pm I.S.T
- s. 43, Information Technology Act, 2000
- s.66, Information Technology Act, 2000
- Aparna Viswanathan, Indian & International Perspectives on key topics
including data Security, E-commerce, Cloud Computing and Cyber Crimes'189 (
- General Data Protection Regulation
- Justice K S Puttaswamy (Retd.) and anr v. Union of India and Ors. Writ
petition (Civil) no. 494 of 2012 available at https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
- Ananya Garg, Surveillance and privacy vis-à-vis Section 69 of the
Information Technology Act' available at https://blog.ipleaders.in/surveillance-and-privacy-vis-a-vis-section-69-of-the-information-technology-act/
- NCRB, Crime in India, vii(2019) snapshots
- Sagnik Sarkar, Panoptical Surveillance of the State in a Dystopian
Future-A threat to Privacy vol 7(1)Indian Insitute of Legal Studies Law