
Title Of Research Paper - INFORMATION TECHNOLOGY ACT

INTRODUCTION
In August 2017, the Supreme Court of India’s landmark judgment in Puttaswamy v. Union
of India¹ affirmed that the right to privacy is a fundamental right under the Indian
Constitution². In Puttaswamy v. Union of India³, the various opinions have observed that
informational privacy is an important aspect of such privacy in this day and age.

As arguments were made in this case, the Ministry of Electronics and Information
Technology (MEITY), Government of India also set up a Committee of Experts to identify key
data protection issues in India and recommend methods of addressing them⁴. MEITY and
the Committee of Experts have now issued a white paper which recognises the need for
comprehensive data protection regulations that incorporate established data protection
principles⁵. Public comments and consultations have been called for on the basis of this
paper, as we gear up to build on the fundamental right to privacy and put in place strong
data protection laws to protect personal data.

In this paper we analyse the only existing ‘comprehensive’ data protection rules in India, i.e.
the Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011 (“Rules”), issued under the Information
Technology Act, 2000 (“IT Act”). The paper examines the provisions of the IT Act and the
Rules that provide for the protection of personal data, the kind of personal data that they
apply to, as well as some of the criticisms of these provisions and their enforcement.

THE IT ACT AND THE RULES

The IT Act was enacted to promote and provide a legal framework for electronic
communications and electronic commerce⁶. The IT Act, as enacted in 2000, defines and
regulates the use of electronic records and digital signatures. It also identifies and provides
punishments for various computer crimes, such as hacking, electronic forgery, unauthorised
access to computer systems, breach of confidentiality and privacy etc. The IT Act puts in
place various administrative and adjudication mechanisms to deal with electronic commerce
and communication related issues. It also touches upon issues such as intermediary liability.

Over the years, a need was expressed to update the IT Act, to make the law more
technology neutral to keep up with constant developments in technology. After significant
deliberation, the IT Act was amended in 2008, for the purpose of protecting personal data,
and implementing data security practices and procedures, among other things⁷.

The amendment brought in Section 43A, which deals with protection of personal data that
companies possess, handle or deal with. It also empowered the government to enact rules
for this purpose. In 2011, the government issued the Rules, i.e. the Information Technology
(Reasonable security practices and procedures and sensitive personal data or information)
Rules, 2011.

SECTION 43A OF THE IT ACT

Section 43A of the IT Act does not specifically provide for a right to privacy; however, it does
provide for protection of certain categories of personal data / information. It seeks to provide
compensation to individuals who are affected due to negligence by a body corporate in
dealing with an individual’s personal information.

This section provides the following:


(i) A body corporate may be liable to compensate an individual for lack of protection
of their personal data if:
a. The body corporate possesses, handles, or deals with ‘sensitive personal data or
information’, in a computer resource that it owns, operates or controls;
b. It is negligent in implementing reasonable security practices and procedures; and
c. Wrongful loss or wrongful gain is caused because of such negligence.

(ii) The term ‘sensitive personal data or information’ has been defined to mean such
personal information as may be prescribed by the Central Government⁸.

(iii) The term ‘body corporate’ has been defined to mean a company and to include firms,
sole proprietorships or other associations of individuals engaged in commercial or
professional activities.

(iv) ‘Reasonable security practices and procedures’ have been described as security
practices and procedures designed to protect information from unauthorised access,
damage, use, modification, disclosure or impairment. These practices may be
specified in an agreement between the parties, or law, or prescribed by the Central
Government.

Some of the relevant definitions under the IT Act in this context are:

(i) “Data”, defined as follows: “data means a representation of information, knowledge, facts,
concepts or instructions which are being prepared or have been prepared in a formalised
manner, and is intended to be processed, is being processed or has been processed in a
computer system or computer network, and may be in any form (including computer printouts
magnetic or optical storage media, punched cards, punched tapes) or stored internally in the
memory of the computer”; and

(ii) “Information”, defined as follows: “information includes data, message, text,
images, sound, voice, codes, computer programmes, software and databases or
microfilm or computer generated microfiche”⁹.

ENFORCEMENT AND CONSEQUENCES OF NON-COMPLIANCE


As mentioned above, Section 43A of the IT Act only empowers the central government to
define ‘sensitive personal data or information’, and prescribe reasonable security practices
and procedures. The central government has, however, provided a full set of compliances to be
undertaken by body corporates / persons, in relation to information, PI and SPDI, under the
Rules.

Assuming that the Rules are considered valid and legally binding, the manner in which the
Rules have been drafted poses two problems.

The first issue is the practical implementation of compliance with the Rules. As seen above,
the Rules vary in their application. It can be difficult to identify which of the provisions of the
Rules need to be complied with in a given situation. While the Clarification does help in this
regard, it may not be considered legally binding. Further, the Clarification also limits the
protection granted to individual data providers.

The second issue is enforcement of the Rules. Section 43A, under which the Rules have been
issued, merely provides for a compensatory mechanism in very specific situations. A body
corporate which possesses, deals with or handles SPDI must be negligent in implementing
reasonable security practices and procedures.

In such a situation, if negligence leads to wrongful gain or wrongful loss¹⁰, the body corporate
may be liable to compensate the person affected. There is no specific consequence
provided for non-compliance with the provisions of the Rules.

Section 45 of the IT Act does, however, provide for a ‘residuary penalty’ where no penalty has
been separately provided for contravention of any rules or regulations under the IT Act. The
person contravening the rules or regulations will be liable to:
(i) pay a compensation not exceeding INR 25,000 to the person affected by such contravention; or
(ii) a penalty not exceeding INR 25,000.

This section is merely a residuary provision, and the amount of compensation / penalty
provided for is minimal.

CASE LAWS

1. ABC VS XYZ
In this case, the accused preferred an appeal before the Supreme Court after the High Court
rejected the application of the accused to exhibit the Compact Disc filed in defence and to
get it proved from the Forensic Science Laboratory.

The Supreme Court held that a Compact Disc is also a document. It further observed that it
is not necessary to obtain admission or denial concerning a document under Section 294 (1)
of CrPC personally from the accused, the complainant, or the witness.

2. A VS B
Facts: The petitioner approached the Court under Section 482, CrPC to quash the charge
sheet filed against him. The petitioner secured unauthorized access to the protected system
of the Legal Advisor of Directorate of Vigilance and Anti-Corruption (DVAC) and was charged
under Sections 66, 70, and 72 of the IT Act.

Decision: The Court observed that the charge sheet filed against the petitioner cannot be
quashed with respect to the law concerning non-granting of sanction of prosecution under
Section 72 of the IT Act.

FOOTNOTES

1. Puttaswamy v. Union of India.


2. Puttaswamy v. Union of India (2017) holds that “the right to privacy is protected
as an intrinsic part of the right to life and personal liberty under Article 21 and
as a part of the freedoms guaranteed by Part III of the Constitution”.
3. Opinions authored by J. Chandrachud, J. Chelameswar, J. Kaul and J.
Nariman, Puttaswamy v. Union of India.
4. Writ petition (civil) no 494 of 2012, (2017).
5. White Paper of the Committee of Experts on a Data Protection Framework for
India.
6. Preamble to the IT Act, and Fiftieth Report, Standing Committee on Information
Technology (2007-2008)
7. Statement of Objects and Reasons, Information Technology (Amendment) Bill
2006.
8. In this context, note that under the IT Act, the terms ‘data’ and ‘information’
are defined.
9. Section 2(1)(v) of the IT Act.
10. The terms wrongful loss and wrongful gain are not defined under the IT Act.
(i) "Wrongful gain" is gain by unlawful means of property to which the person
gaining is not legally entitled;
(ii) "Wrongful loss" is the loss by unlawful means of property to which the
person losing it is legally entitled; and (iii) Gaining wrongfully, losing
wrongfully. A person is said to gain wrongfully when such person retains
wrongfully, as well as when such person acquires wrongfully. A person is said
to lose wrongfully when such person is wrongfully kept out of any property, as
well as when such person is wrongfully deprived of property.
