STATUS QUO OF INDIAN CYBER LEGAL FRAMEWORK AND FUTURE CHALLENGES

This article is written by Sai Sriharsha Dimli of Andhra University, an intern under Legal Vidhiya

Abstract:

The rapid growth of cyberspace in India has brought numerous benefits and opportunities, but it has also given rise to various cyber threats and challenges. This research examines the status of the Indian cyber legal framework, highlighting its strengths and weaknesses in addressing cybercrime and related issues. The study explores vital legislation, policies, and initiatives designed to combat cyber threats and protect citizens’ digital rights. Additionally, the research discusses the emerging challenges faced by India’s cyber legal framework, considering technological advancements, and evolving cyber threats. This article concludes by offering insights into the potential measures and reforms required to bolster India’s cyber legal framework and ensure a secure and resilient digital environment for its citizens.

Keywords:

Indian Cyber Legal Framework, Cybercrime, Digital Rights, Legislation, Cyber Threats, Challenges

Introduction:

The digital revolution in India has led to significant advancements in technology adoption, digitization of services, and increased internet penetration. While these developments have brought numerous advantages, they have also exposed individuals, businesses, and the government to cyber threats and challenges. The effectiveness of a legal framework is critical in addressing cybercrime, safeguarding digital rights, and fostering trust in the digital ecosystem. This research aims to evaluate the existing Indian cyber legal framework, assess its strengths and weaknesses, and identify the future challenges it faces.

Research Methodology:

The research will employ a mixed-method approach, combining qualitative and quantitative data. A comprehensive literature review will be conducted to analyse existing laws, regulations, and policies related to the Indian cyber legal framework. Case studies of notable cybercrime incidents and their legal outcomes will be examined to understand the practical implications of the laws. Interviews and surveys will be conducted with legal experts, cybersecurity professionals, and government officials to gather qualitative insights on the strengths and weaknesses of the current framework.

Review Literature:

In the late 20th century, free international trade emerged as a significant turning point, giving birth to globalization. Information technology, supported by computers and seamless communication, became crucial, with the world wide web (www) bringing wonder and unforeseen potential risks. E-commerce also showed great promise, transforming trade transactions previously reliant on written communication and postal services.

The rise of email communication prompted the United Nations to act on data protection, leading to the adoption of a “Model Law” by the United Nations Commission on International Trade in 1996. These technological advancements turned the world into a global village, enhancing various sectors like the economy, commerce, society, and education.

At the turn of the millennium, India recognized the need for a strong framework to combat cyber-criminal activities. Strengthening encryption and privacy policies became crucial, especially after terrorist attacks like Mumbai’s 26/11 and Pathankot, which involved data breaches. India’s vulnerability to digital interventions raised concerns about its ability to address present-day legal issues related to cyberspace and the growing internet fraud.

In the early 21st century, the Information Technology (IT) Act, 2000 was passed which became the primary legislation governing cybercrime in India. This Act was aligned with the United Nations Model Law on Electronic Commerce 1996 (UNCITRAL Model) and received endorsement from the UN General Assembly on January 30, 1997. Its primary objective was to establish the legal validity of electronic communications, business transactions, trade, and commerce, specifically within computer systems and networks[1]. The Act emphasized the importance of unimpeded development while ensuring strict adherence to legal standards. It encompasses various aspects, including the recognition of electronic documents, digital signatures, cyber offences, contraventions, and the judicial processes for handling cybercrimes.

Objectives:

• To assess the effectiveness of the current Indian cyber legal framework in combating cyber threats.
• To analyze the existing laws and regulations for data protection and privacy in cyberspace.
• To identify potential challenges and vulnerabilities in the current legal framework.
• To propose recommendations and policy suggestions for strengthening the Indian cyber legal framework.

Status Quo of Indian Cyber Legal Framework:

The Indian cyber legal framework comprises a combination of acts, regulations, and policies designed to regulate cyberspace and combat cybercrime. Information Technology Act, 2000 (IT Act) is the primary legislation governing cyber activities in India. It provides legal recognition for electronic documents and digital signatures and outlines offences related to unauthorized access, data theft, cyberbullying, etc. In addition to the IT Act, India has enacted amendments to address emerging cyber threats. The introduction of the Information Technology (Amendment) Act, of 2008, expanded the scope of cyber offences and introduced provisions for the protection of sensitive personal data. India has established specialized Cybercrime Cells and Computer Emergency Response Team-India (CERT-In) to deal with cyber incidents and respond to cybersecurity threats[2]. The establishment of the CERT-In further strengthened the country’s cybersecurity preparedness. Strengths of the Indian cyber legal framework includes provisions for digital signatures, electronic records, and the appointment of a controller to oversee data protection.

The Personal Data Protection Bill was under consideration since 2021 to regulate the collection, storage, and use of personal data and protect individuals’ privacy. The Digital Personal Data Protection Bill was passed in 2023[3]which applies to digital personal data processing within India, both online and offline, and outside India for offering goods or services in India. Personal data can only be processed lawfully with individual consent, except for specified legitimate uses. Data fiduciaries must maintain accuracy, security and delete data after its purpose is fulfilled. The Bill grants rights to individuals, establishes a Data Protection Board, and allows exemptions for government agencies on specified grounds. However, it lacks regulation for data processing risks, does not grant data portability or the right to be forgotten, and may not adequately evaluate data protection standards for international transfers. The short-term appointments of the Data Protection Board members may impact its independent functioning.

Digital Payments and Financial Security[4] are on the rise with the increasing adoption of digital payment platforms, the Reserve Bank of India (RBI) and other financial authorities were working to ensure secure transactions and safeguard against fraud.

Concerning Social Media Guidelines, in 2021, the Indian government issued guidelines for social media intermediaries to address misinformation and online abuse[5].

Case Studies:

1. Shreya Singhal v. Union of India: This case is instrumental in safeguarding freedom of speech and expression on the internet. The Supreme Court of India declared Section 66A of the Information Technology Act, 2000, unconstitutional as it was found to be vague and violated the fundamental right to free speech[6].
2. CBI v. Arif Azim (Sony Sambandh case): The website www.sony-sambandh.com enabled NRIs to send Sony products to their Indian friends by paying online. A person used a name to order a Sony TV for Arif Azim in Noida. The payment was made using a credit card, but it was later discovered to be unauthorized. A complaint was lodged, leading to a CBI investigation under IPC Sections 419, 418, and 420, as the IT Act was not comprehensive enough. The investigation revealed that Arif Azim while working at a Noida Call Centre, had accessed that person’s credit card details and misused them. Arif Azim was found guilty, but due to his young age and first-time offence, he received a one-year probationary period as a lenient punishment. The court found the Indian Penal Code, 1860, to be an effective legal basis when the IT Act fell short[7].
3. Justice K.S. Puttaswamy (Retd.) v. Union of India and Ors: Though not solely focused on cyber law, this case was pivotal in establishing the right to privacy as a fundamental right under Article 21 of the Indian Constitution. The judgment played a significant role in shaping data protection and privacy laws in the country[8].
4. Umashankar Sivasubramanian v. ICICI Bank: The petitioner was sent an email by ICICI Bank requesting his Internet Banking credentials. And he provided the same. Unfortunately, the petitioner later discovered that he had fallen victim to fraud, resulting in a loss of Rs. 6.46 Lakhs. Consequently, he complained to the Bank, seeking compensation. After investigation, the Adjudicating Authority determined the Bank guilty of offences under Section 85 in conjunction with Section 43 of the IT Act, 2000 and ordered the Bank to pay Rs. 12.85 lakh to the petitioner as restitution[9].
5. A. Shankar v. State Rep: The petitioner applied Section 482 of the CrPC to have the charge sheet against them dismissed. The charge sheet was filed under Sections 66, 70, and 72 of the IT Act for unauthorized access to the protected system of the Legal Advisor of the Directorate of Vigilance and Anti-Corruption. The Court noted that the charge sheet cannot be explicitly quashed concerning the non-granting of prosecution sanction under Section 72 of the IT Act[10].
6. Aveek Sarkar v. State of West Bengal: This case dealt with the issue of intermediary liability under Section 79 of the IT Act. The court clarified that intermediaries like internet service providers and social media platforms could be held liable for content posted by users only if they fail to comply with the prescribed due diligence requirements[11].
7. Shamsher Singh Verma v. State of Haryana: The accused appealed to the Supreme Court after the High Court rejected his application to exhibit the Compact Disc for defence and forensic proof. The Supreme Court ruled that a Compact Disc is considered a document and is admissible under Section 294(1) of the CrPC without requiring personal admission or denial from the accused, complainant, or witness[12].
8. Avnish Bajaj v. State (NCT) of Delhi: Avnish Bajaj, the CEO of Bazee.com India Pvt Ltd, was arrested under Section 67 of the IT Act for allegedly hosting cyber pornography. However, the court found that he was not directly involved in the dissemination of pornographic content on the website. The evidence indicated that the cyber pornographic offence was committed by a third party, not Bazee.com itself. Mr Bajaj was granted bail and provided two sureties of Rs1 lakh each. However, he must prove that he was only a service provider and not responsible for creating the content[13].
9. Google India Pvt. Ltd. v. Visakha Industries: The Supreme Court of India upheld defamation proceedings against Google for not promptly removing a defamatory article from its Google Group service. The ruling establishes that intermediaries can be held liable as ‘publishers’ in defamation cases under Section 499 of the Indian Penal Code, 1860, for cases before December 2008. The case involved defamatory statements against M/s Visakha Industries posted on a Google Group in 2008[14].

Future Challenges:

With the evolving technology, there are some serious challenges to be taken care of. They are as follows[15]:

• Cybersecurity Threats: Rapid digitization and increased connectivity bring forth more sophisticated cyber threats, such as ransomware, data breaches, and state-sponsored attacks. Strengthening cybersecurity infrastructure and fostering public-private partnerships will be crucial.
• Data Privacy: The Personal Data Protection Bill (if passed) will play a significant role in safeguarding individuals’ data privacy. However, its implementation and enforcement will be challenging, especially for companies and organizations dealing with vast amounts of personal data.
• Online Misinformation and Fake News: Addressing the spread of false information and fake news on social media platforms without infringing upon freedom of expression remains a delicate balance for authorities.
• Surveillance and Privacy Concerns: Balancing the need for surveillance and law enforcement with citizens’ right to privacy will be an ongoing challenge.
• International Cooperation: As cybercrimes often transcend national boundaries, fostering international cooperation in investigating and prosecuting cybercriminals is crucial.
• Technological Advancements: Keeping pace with rapidly evolving technologies like artificial intelligence, blockchain, and quantum computing will require continuous updates to the legal framework.
• Capacity Building and Awareness: There is a need for continuous capacity building among law enforcement agencies, legal professionals, and the public to effectively combat cyber threats and stay informed about their rights and responsibilities in cyberspace.
• Ethical Use of Emerging Technologies: With the advancement of technologies like AI, IoT, and drones, ensuring ethical use and potential regulation will be essential to prevent misuse and abuse.

Conclusion:

The Indian cyber legal framework has made significant strides in addressing cybercrime and safeguarding digital rights. However, to meet the evolving challenges of the digital age, reforms are necessary. Strengthening the legal framework with timely updates, establishing specialized cybercrime units, and promoting cybersecurity awareness are crucial steps in ensuring a safer and more secure cyberspace for all stakeholders in India. By taking proactive measures and collaborating with international partners, India can position itself to face future cyber threats effectively.

---

[1] M. Dasgupta, “Cyber Crime in India” (2009)

[2] https://cybercert.in/indian-cyber-laws/ (last visited 4 Aug 2023)

[3] The Digital Personal Data Protection Bill, 2023, https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (last visited 4 Aug 2023)

[4] RBI Releases Draft on Cyber Resilience, Digital Payment Security Controls, https://www.business-standard.com/finance/news/rbi-releases-draft-rules-on-cyber-resilience-for-payment-system-operators-123060200780_1.html (last visited 5 Aug 2023)

[5] Information Technology Rules, 2021, https://pib.gov.in/PressReleseDetailm.aspx?PRID=1700749 (last visited 5 Aug 2023)

[6] Shreya Singhal v. UoI (2015), Writ Petition (Criminal) No 167 of 2012

[7] CBI v. Arif Azim, AIR 2003

[8] Justice K.S. Puttaswamy (Retd.) v. Union of India and Ors (2017), Writ Petition (Civil) No 494 of 2012

[9] Umashankar Sivasubramanian v. ICICI Bank, Petition No. 2462 of 2008

[10] A. Shankar v. State Rep, Crl. O.P. No. 6628 of 2010

[11] Aveek Sarkar & Anr v. State of West Bengal & Anr (2014), Criminal Appeal No. 902 of 2004

[12] Shamsher Singh Verma v. State of Haryana (2015), Criminal Appeal No. 1525 of 2015

[13] Avnish Bajaj v. State (NCT) of Delhi (2008), 150 DLT 769

[14] Google India Pvt. Ltd v. M/S. Visakha Industries (2019), Criminal Appeal No. 1987 of 2014

[15] Anita Singh, Ritu Gautam and Pradeep, “Cyber Crime, Regulations and Security – Contemporary Issues and Challenges” (2022)