
This Article is written by Arijit Kundu of 5th Semester of Heritage Law College, Kolkata, West Bengal, an intern under Legal Vidhiya

Abstract:

The Information Technology Act, 2000 was India's first information technology law. Its preamble lists three goals: to give legal recognition to transactions carried out by electronic means, to facilitate the electronic filing of documents with government agencies, and to amend certain existing statutes accordingly. The Act gave legal validity to electronic records, recognised digital signatures, made electronic agreements and contracts legally binding and enforceable, created a regulatory framework for Certifying Authorities that issue digital signature certificates, and prescribed penalties and offences for contraventions. As new kinds of cyber wrongdoing emerged, the Act was amended by the Information Technology (Amendment) Act, 2008, which came into force on October 27, 2009. The amendment inserted Section 43A, which makes a body corporate that possesses, deals with or handles sensitive personal data or information liable to pay compensation if its negligence in maintaining reasonable security practices and procedures causes wrongful loss or wrongful gain, and Section 72A, which criminalises the disclosure of personal information in breach of a lawful contract with intent to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain. Section 43A leaves "sensitive personal data or information" and "reasonable security practices and procedures" to be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. The Central Government exercised that power through the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, notified on April 11, 2011, which gave India its first legal framework for data privacy.

Keywords: online intermediaries, sensitive personal data, reasonable security practices, cybercrime.
Introduction:   

The internet reached India in the 1980s; in 1995 internet services were launched for the education and research community; in the late 1990s internet-based services were extended to the railways; and in the 2000s cable internet was introduced. The Information Technology Act, 2000 was passed during this period. In 1996 the United Nations Commission on International Trade Law (UNCITRAL) adopted its Model Law on Electronic Commerce, and India enacted the IT Act, 2000 on that model, partly to protect its citizens from cybercrime committed in India and abroad. The IT Act, 2000 focused on electronic transactions, digital signatures and computer-related offences; apart from a bare exemption from liability for network service providers (Section 79), it contained nothing specific on intermediaries and nothing on the protection of sensitive personal data. The European Union had adopted its Data Protection Directive in 1995, but the IT Act, 2000 had no comparable provisions. The Information Technology (Amendment) Bill, 2006 was introduced to fill these gaps and became the Information Technology (Amendment) Act, 2008, whose provisions took effect on October 27, 2009. The amendment inserted Section 43A into the IT Act, and the Central Government then notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 in exercise of the power conferred by clause (ob) of sub-section (2) of Section 87 read with Section 43A of the IT Act, 2000.

General Overview of the IT Act, 2000:

The UNCITRAL Model Law on Electronic Commerce of 1996 was intended as a template for cyber legislation worldwide. When India enacted the Information Technology Act in 2000, it became the twelfth country to adopt such a law. The Act gives legal recognition to transactions carried out by electronic data interchange and other means of electronic communication, commonly called "electronic commerce", as alternatives to paper-based methods of communication and storage of information, and it prescribes penalties and offences for the misuse of computers and data in e-commerce, social media and cyberspace generally.

Structure of the Act:

The IT Act, as amended in 2008, has 90 sections, 13 chapters and 2 schedules (as originally enacted it had 94 sections and 4 schedules). The chapters are:

Chapter 1 covers the extent and application of the Act and defines the terms used in it.

Chapter 2 deals with digital and electronic signatures.

Chapter 3 deals with electronic governance, and Chapter 4 with the attribution, acknowledgement and despatch of electronic records.

Chapter 5 covers secure electronic records and secure electronic signatures, and Chapter 6 the regulation of Certifying Authorities.

Chapter 7 deals with electronic signature certificates.

Chapter 8 sets out the duties of subscribers, and Chapter 9 deals with penalties, compensation and adjudication.

Chapter 10 establishes the Appellate Tribunal.

Chapter 11 lists the offences and their punishments.

Chapter 12 specifies the circumstances in which intermediaries are not liable for third-party information, data or communication links hosted by them.

Chapter 13 contains miscellaneous provisions.

Salient Features of the Information Technology Act, 2000

The Information Technology Act, 2000 came into force on October 17, 2000. Its salient features are:

1. The Act recognises e-commerce as lawful, which puts electronic transactions for profit on a legal footing.

2. It recognises electronic records in the same way as any other documentary record, placing electronic and paper-based transactions on an equal footing.

3. The Act grants legal recognition to digital signatures, which are verified by means of digital signature certificates issued by Certifying Authorities licensed under the Act.

4. The Cyber Appellate Tribunal was established to hear appeals against the orders of adjudicating officers.

5. Negotiable instruments (other than cheques), powers of attorney, trusts, wills and any contract for the sale or conveyance of immovable property are excluded from the Act's application.

6. Under Section 75, the Act applies to any offence or contravention committed outside India by any person, irrespective of nationality, if the act involves a computer, computer system or computer network located in India.

7. Under Section 90, the State Government may make rules to carry out the provisions of the Act by notification in the Official Gazette.

8. Before this Act there was no provision for the preservation of secrecy in online trading in India, although SEBI had indicated that trading of securities over the internet would be permitted.

9. The Indian Penal Code, 1860 was found insufficient to deal with the new offences arising from the advent of the internet, and even some familiar offences, such as solicitation, fraud and conspiracy, took new forms online. India therefore passed the Information Technology Act, 2000 as a preventive measure against cybercrime.

General Overview of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules):

The Central Government notified the SPDI Rules on April 11, 2011.

Rules:

Rule 3 defines sensitive personal data or information as personal information consisting of:

• passwords
• financial information such as bank account, credit card, debit card or other payment instrument details
• physical, physiological and mental health condition
• sexual orientation
• medical records and history
• biometric information
• any detail relating to the above clauses provided to the body corporate for providing a service; and
• any information relating to the above clauses received by the body corporate for processing, stored or processed under a lawful contract or otherwise.

Rule 4 requires every body corporate, or any person who on its behalf collects, receives, possesses, stores, deals or handles information of a provider of information, to provide a privacy policy. The policy must be made available to anyone who has provided information under a lawful contract, and it must be published on the body corporate's website. It must set out clear and easily accessible statements of the body corporate's practices and policies, the type of personal or sensitive personal data or information collected, the purpose of collection and usage, the disclosure of information (including sensitive personal data or information) as provided in Rule 6, and the reasonable security practices and procedures as provided in Rule 8.

Rule 6 says that a body corporate may not disclose sensitive personal data or information to any third party without the prior permission of the provider of the information, unless such disclosure has been agreed to in the contract between the body corporate and the provider, or unless the disclosure is necessary for compliance with a legal obligation.

The second situation is that of government agencies mandated under law to obtain such information for the purpose of verification of identity, or for the prevention, detection and investigation (including of cyber incidents), prosecution and punishment of offences. In that case the provider's prior consent is not required. The government agency must send a written request to the body corporate possessing the sensitive personal data or information, stating clearly the purpose for which it is sought, and must undertake that the information so obtained will not be published or shared with any other person.

Legal Guidelines:
1. The disclosure of information shall take place only in compliance with the law for the time being in force.

2. The body corporate or any person receiving the information on its behalf shall not publish it elsewhere.

3. The third party receiving the information shall not disclose it any further.

Rule 8:

1. A body corporate that possesses, deals with or handles any sensitive personal data or information must, under Section 43A, maintain reasonable security practices and procedures. Under Rule 8(1) of the 2011 Rules, a body corporate or a person acting on its behalf is deemed to have complied if it has implemented such security practices and standards and has a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of its business.

2. Under Rule 8(2), the international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one such standard. Under Rule 8(3), an industry association or body corporate may instead follow codes of best practices for data protection other than IS/ISO/IEC 27001, provided those codes are (i) duly approved and notified by the Central Government and (ii) certified or audited on a regular basis by an independent auditor duly approved by the Central Government. Under Rule 8(4), the audit must be carried out at least once a year, or whenever the body corporate undertakes a significant upgrade of its processes and computer resources.

3. The practical value of Rule 8 is that, in the event of an information security breach, a body corporate that can demonstrate, when called upon by the agency mandated under the law, that it implemented security control measures as per its documented information security programme and policies is treated as having complied with reasonable security practices and procedures, which shields it from compensation liability under Section 43A.

Salient Features of the SPDI Rules, 2011:

1. "Body corporate" is defined in the explanation to Section 43A as any company, and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. The definition is understood to exclude bodies such as NGOs and think tanks that do not carry on commercial or professional activities.

2. The SPDI Rules protect natural persons. Information relating to a company, firm, partnership, trust, LLP or other juristic entity is not "personal information", and its collection does not trigger the Rules' data protection obligations.

3. The IT Act and the SPDI Rules govern information in electronic form; information and data gathered offline, in physical form, are not covered.

4. The Rules define the term "sensitive personal data or information".

5. Rule 5(7) gives the provider of information the option, at any time, not to provide the data sought or to withdraw consent previously given.

6. The Rules require a Grievance Officer to be designated to address complaints. Under Rule 5(9), the Grievance Officer must redress the grievances of providers of information expeditiously and within one month of receiving the grievance.

7. Under Rule 7, a body corporate may transfer sensitive personal data or information to another body corporate or person, in India or abroad, only if the recipient ensures the same level of data protection that the Rules require, and only if the transfer is necessary for the performance of a lawful contract or the provider has consented to it.

8. Rule 8 requires reasonable security practices and procedures in the handling of sensitive personal data or information.

Changes brought about in 2011:

Online Intermediaries:

The Information Technology Act, 2000 focused on electronic transactions, digital signatures and computer-related offences. Two sets of rules notified in April 2011 extended its reach: the SPDI Rules on data protection and privacy, and the Information Technology (Intermediaries Guidelines) Rules, 2011 on intermediary due diligence.

A) Online Intermediaries: The Intermediaries Guidelines Rules, 2011 introduced due diligence obligations for intermediaries such as social media platforms, search engines, e-commerce platforms and websites. Under Section 79 of the IT Act (as amended in 2008), an intermediary is exempt from liability for third-party content it hosts or transmits only if it observes these due diligence requirements, including acting on notice of unlawful content; an intermediary that fails to do so loses that protection.

B) Reasonable Security Practices: The IT Act, 2000 as enacted had no mechanism for reasonable security practices and procedures. Rule 8 of the SPDI Rules supplies one. First, a body corporate, or a person acting on its behalf, is deemed compliant if it has implemented such security practices and standards and has a comprehensive documented information security programme and policies containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of its business; in the event of an information security breach it must, when called upon by the agency mandated under the law, demonstrate that those controls were implemented as per its documented programme and policies. Second, the international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is one recognised standard. Third, any industry association, or entity formed by such an association, whose members self-regulate under codes of best practices for data protection other than IS/ISO/IEC 27001 must have those codes approved and notified by the Central Government.

Lastly, a body corporate or a person acting on its behalf that has implemented IS/ISO/IEC 27001 or an approved code of best practices is deemed to have complied with reasonable security practices and procedures, provided the standard or code has been certified or audited on a regular basis by an independent auditor duly approved by the Central Government. The audit must be carried out at least once a year, or whenever the body corporate significantly upgrades its processes and computer resources.

Data Protection and Privacy:

Personal information, according to the SPDI Rules, is “any information relating to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

A. Privacy Policy: The SPDI Rules define sensitive personal data or information exclusively in Rule 3, and Rule 4 requires every body corporate (or person acting on its behalf) that collects, receives, possesses, stores, deals or handles information of a provider of information to publish a privacy policy on its website and make it available to those who have provided information under a lawful contract. The policy must clearly state the body corporate's practices and policies, the types of personal or sensitive personal data or information collected, the purpose of collection and use, the disclosure of such information under Rule 6, and the reasonable security practices and procedures under Rule 8.

B. Sensitive Personal Data or Information: Sensitive personal data or information of a person means such personal information which consists of:

(i) password;

(ii) financial information such as bank account, credit card, debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) biometric information;

(vii) any detail relating to the above clauses provided to the body corporate for providing a service; and

(viii) any information relating to the above clauses received by the body corporate for processing, stored or processed under a lawful contract or otherwise.

Note: Any information provided under the Right to Information Act of 2005 or any other law currently in effect or that is readily accessible in the public domain shall not be considered sensitive personal data or information for the purposes of these laws.

C. Obligations of the Body Corporate: There are several sub-rules pertaining to the gathering of personal data in Rule 5 of the 2011 Rules. Only sub-rules 1, 2, and 4 of these apply to sensitive personal data, whereas the others cover all forms of “information” (as that term is defined in the IT Act and previously described).

When gathering sensitive personal information, the data collector is required to get the provider’s permission in advance. Furthermore, only a legitimate and essential reason may be used to gather sensitive personal data. Sensitive personal data or information that a body corporate (or any person acting on the body corporate’s behalf) holds shall not be retained for longer than necessary for authorised purposes.

Under Rule 5(7), the provider of information may withdraw consent previously given to the body corporate; the withdrawal must be sent in writing to the body corporate.

Comparative Analysis of Punishment under the IT Act, 2000 and the SPDI Rules, 2011

Offences under the Information Technology Act, 2000

Section 65: Tampering with computer source documents is punishable with imprisonment up to 3 years, or a fine up to ₹2 lakh, or both.

Section 66: Computer-related offences, that is, dishonestly or fraudulently doing any act referred to in Section 43, are punishable with imprisonment up to 3 years, or a fine up to ₹5 lakh, or both.

Section 66B: Dishonestly receiving a stolen computer resource or communication device is punishable with imprisonment up to 3 years, or a fine up to ₹1 lakh, or both.

Section 66C: Identity theft (fraudulent or dishonest use of another person's electronic signature, password or other unique identification feature) is punishable with imprisonment up to 3 years and a fine up to ₹1 lakh.

Section 66D: Cheating by personation using a computer resource is punishable with imprisonment up to 3 years and a fine up to ₹1 lakh.

Section 66E: Violation of privacy (capturing, publishing or transmitting images of a person's private area without consent) is punishable with imprisonment up to 3 years, or a fine up to ₹2 lakh, or both.

Section 66F: Cyber terrorism is punishable with imprisonment which may extend to imprisonment for life.

Section 67: Publishing or transmitting obscene material in electronic form is punishable on first conviction with imprisonment up to 3 years and a fine up to ₹5 lakh, and on a second or subsequent conviction with imprisonment up to 5 years and a fine up to ₹10 lakh.

Section 67B: Publishing or transmitting material depicting children in sexually explicit acts in electronic form is punishable on first conviction with imprisonment up to 5 years and a fine up to ₹10 lakh, and on a second or subsequent conviction with imprisonment up to 7 years and a fine up to ₹10 lakh.

Section 67C: An intermediary that intentionally or knowingly fails to preserve and retain information as prescribed is punishable with imprisonment up to 3 years and a fine.

Punishment under the SPDI Rules, 2011:

The 2011 Rules don’t specify any penalties for breaking them.

Section 72A of the IT Act punishes any person, including an intermediary, who, while providing services under the terms of a lawful contract, has secured access to personal information about another person and discloses it without that person's consent, or in breach of the contract, with intent to cause or knowing that it is likely to cause wrongful loss or wrongful gain, with imprisonment up to three years, or a fine up to five lakh rupees, or both.

The elements of an offence under Section 72A are therefore: (i) securing access to personal information while providing services under a lawful contract; (ii) disclosing that information with intent to cause, or knowing that it is likely to cause, wrongful loss or wrongful gain; and (iii) doing so either without the consent of the person concerned or in breach of the contract under which the information was obtained. Whether the disclosure actually caused loss or harm to the person concerned is irrelevant for Section 72A; liability attaches on the intention, or knowledge of the likelihood, of harm.

As previously mentioned, Section 43A mandates the payment of compensation for any negligence on the part of a body corporate in maintaining reasonable security practices and procedures, if such negligence causes loss. However, Section 43A does not impose any criminal penalties, even if there is an intentional failure to maintain reasonable security practices and procedures.

The scope of punishment is far more extensive under the IT Act, 2000 than under the 2011 Rules, which themselves prescribe no penalties.

Comparative Analysis of the Shortcomings of the IT Act, 2000 and the 2011 Rules:

IT Act 2000:

• No provision for data breaches:

As originally enacted, the Act dealt only with unauthorised access to and acquisition of data; it placed no accountability on a company or government agency for a breach of the data it held.

• Privacy concerns not addressed:

The Act did not address individuals' privacy: an intermediary could hand a user's information over to the authorities, and the Act said nothing about the user's privacy interest.

• Weak penalties:

The punishments prescribed for these serious offences are not severe enough to deter them.

• No adequate regulation of cybercrime:

Cybercrime grows far faster than the Act's list of offences, and if it is not dealt with in time it may pose a serious threat.

Intermediaries Guidelines Rules, 2011:

• Infringement of the right to free speech and expression under Article 19(1)(a) of the Indian Constitution:

Intermediaries are not required to check the genuineness of a complaint made against content, so blocking within the prescribed time is arbitrary and does not follow the principles of natural justice. Social media platforms are run by entities with business interests, are prone to manipulation, and cannot be trusted as custodians of free and fair speech and expression.

• Due diligence:

Intermediaries must remove content that is against the rules. To avoid liability they would have to decide for themselves whether content breaches the many unclear rules, and they are likely to remove more content than necessary to reduce their exposure. This chills freedom of expression on the internet.

• Lack of consideration for intermediary differentiation:

Since no two intermediaries are alike and they operate differently, subjecting all of them to one set of functional requirements is a mistake. The fundamental tenet of the right to equality is that only equals should be treated equally. A small start-up with a modest budget cannot be expected to honour takedown requests as efficiently as a massive platform like YouTube.

• The 36-hour timeline is inadequate for all intermediaries:

The time the Rules allow an intermediary to act on a takedown notice and keep its immunity is too short, and this further restricts the Rules' workability. Even with the best intentions, it may sometimes be technically impossible for an intermediary to comply with a takedown order within the prescribed 36 hours. Every minute, 60 hours of video are uploaded to YouTube; that is a staggering amount of content and, consequently, a staggering number of takedown requests to handle every day. How much content should be removed deserves further discussion, and intermediaries should be categorised according to their capacity.

Conclusion : 

The Information Technology Act, 2000 focused on electronic transactions, digital signatures and computer-related offences; the 2011 Rules extended the framework to intermediaries, data protection and privacy, but they are not free from problems. Intermediaries should be classified according to their capacity, the 36-hour time frame should be extended, and the guidelines should be refined so that Article 19 of the Indian Constitution is not infringed and the principles of natural justice are ensured.

References:

1. https://www.mondaq.com/india/privacy-protection/904916/a-review-of-the-information-technology-rules-2011-
2. https://ssrana.in/articles/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information/
3. https://www.lexology.com/library/detail.aspx?g=35f56a2a-c77c-49e7-9b10-1ce085d981dd
4. The Information Technology (Intermediaries Guidelines) Rules, 2011: A Disaster on All Fronts
5. Ministry of Communications and Information Technology (Department of Information Technology), Notification, New Delhi, the 11th April, 2011
6. https://singhania.in/blog/spdi-rules-2011-taking-a-step-towards-securing-data
7. https://blog.ipleaders.in/relevance-of-sensitive-personal-data-information-rules-2011-in-2021/
8. https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/
9. http://www.mcrhrdi.gov.in/FC2020/week11/Intermediaries%20edited.pdf
10. The Information Technology Act, 2000
11. http://docs.manupatra.in/newsline/articles/upload/269ed933-8f47-4eb3-a6c3-da326c700948.pdf
