DATA THEFT: A LEGAL PERSPECTIVE

About the Author

This article is written by Pranav C Satheesh. He is a final year BBA LLB (Hons.) student at Government Law College, Kozhikode. He is also an editor trainee at ljrfvoice.com.

Introduction

The Digital Personal Data Protection Act, 2023[1] defines “data” as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means[2].

Data has become one of the most valuable resources in today’s digital age, comparable to oil in the industrial era. The ease of collecting, storing, and transferring data has provided immense opportunities but has also given rise to a critical problem: data theft. India, with its rapidly growing digital economy, has become a hotspot for cybercrimes, including data theft. Since personal information or data is a manifestation of an individual’s personality, the Indian courts, including the Supreme Court of India, have recognised the right to privacy as an integral part of the right to life and personal liberty[3].

According to the Internet Freedom Foundation (IFF), India has seen an alarming number of data breaches over the past few years. IFF reported that between 2018 and 2021, over 500 million records containing personal data of Indian citizens were exposed in various breaches. This number continues to rise, underscoring the urgency of implementing stringent data protection mechanisms in India. IFF also noted that specific sectors, such as healthcare, financial services, and e-commerce, are frequent targets for breaches. Just last year, the Indian Council of Medical Research (ICMR) suffered a massive leak that compromised the personal data of 81.5 crore individuals, potentially making it one of the largest breaches in India’s history. The compromised medical records caused serious privacy violations, with personal health data being exposed. High-profile incidents, such as the alleged data breach of Aadhaar, India’s biometric-based identity system, and unauthorized access to banking data, highlight the vulnerability of individuals and organizations to such crimes[4]. Addressing this issue requires an understanding of India’s existing legal framework, judicial precedents, and the gaps that necessitate reform.

What is a Data Breach?

As per the Digital Personal Data Protection (DPDP) Act of 2023[5], a data breach occurs when personal data that should have remained secure and confidential gets exposed, whether through hacking, accidental release, or careless handling. The definition is fairly broad – any unauthorized or accidental disclosure, alteration, loss, or access that compromises the confidentiality, integrity, or availability of personal data.

Data breaches can lead to direct financial losses through fraud or the necessity of remedial actions, such as legal fees and compensation. They can also cause infringements of fundamental rights by violating the right to privacy.

Legal Framework Governing Data Theft in India

India’s response to data theft is primarily governed by the following legislative and regulatory frameworks:

1. Information Technology Act, 2000 (IT Act): The IT Act is India’s principal law governing cybercrimes, including data theft:

Section 43 of the IT Act encompasses a range of activities falling under data theft. For instance, it specifies that individuals who, without proper authorization, download, copy, or extract data, computer databases, or information from a computer system or network, including data stored in removable storage media, are liable to compensate the affected party for damages.

Section 43(a): Penalizes individuals who access a computer system without authorization and extract, download, or copy data. Penalties include monetary compensation of up to ₹1 crore[6].

Section 66: Criminalizes hacking, defined as unauthorized access with intent to destroy or alter data, prescribing imprisonment of up to three years or a fine of ₹5 lakh.

2. The Digital Personal Data Protection Act, 2023 (DPDP)

The Digital Personal Data Protection Act lays down a detailed framework aimed at preventing and responding to personal data breaches. This framework emphasizes proactive measures and timely responses, placing significant responsibilities on Data Fiduciaries (businesses deciding the how and why of using personal data) to ensure data security and compliance. The fiduciaries are also responsible for preventing and responding to personal data breaches through data processors (third parties or vendors employed by the fiduciary) who process data on behalf of the fiduciary.

Data Fiduciaries are required to adopt robust security measures to prevent breaches, following standards like IS/ISO/IEC 27001 or government-approved alternatives. They must also conduct regular risk assessments to address vulnerabilities. Failure to implement these safeguards can result in penalties of up to ₹250 crores per breach under the DPDP Act. In case of a breach, Fiduciaries must notify the Data Protection Board (DPB) and affected users promptly, providing clear and actionable details. Notifications to the DPB must include the breach’s nature, timing, impact, and mitigation steps, submitted within 72 hours. Users must also be informed about the breach’s cause, consequences, and measures they can take to protect themselves. Non-compliance with notification obligations can result in fines of ₹200 crores per instance.

3. Bharatiya Nyaya Sanhita, 2023[7]

Section 303 of BNS[8]: This section specifically addresses theft related to mobile phones, data, or computer hardware/software. It offers a legal framework to prosecute individuals engaged in cyber theft activities.

Section 317 of BNS[9]: Section 317 is pertinent when an individual receives stolen mobile phones, computers, or data. It does not only target the thief but also extends its scope to anyone in possession of such stolen property, even if held by third parties.

Section 318 of BNS[10]: Addresses frauds, including password theft, creation of bogus websites, and cyber frauds. It imposes varying terms of imprisonment and fines based on the gravity of the offence.

4. Credit Information Companies Regulation Act, 2005[11] (CICRA)

As per the CICRA, credit information pertaining to individuals in India has to be collected in accordance with the privacy norms enunciated in the CICRA regulations. Entities collecting and maintaining this data have been made liable for any leak or alteration of it. Modelled on the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, the CICRA has created a strict framework for information pertaining to the credit and finances of individuals and companies in India. The Regulations under CICRA, which provide for strict data privacy principles, have recently been notified by the Reserve Bank of India.

Industry Initiatives

In India, efforts to comply with the demands of privacy laws have also originated from the private sector, apart from the Government. The Indian software and outsourcing industry has been taking initiatives of its own that would provide comfort to foreign clients and vendors. The National Association of Software and Service Companies (NASSCOM) is India’s national information technology trade group and has been the driving force behind many private sector efforts to improve data security. For example, NASSCOM has created a National Skills Registry, which is a centralized database of employees of IT services and BPO companies. This database is for verification (with independent background checks) of the human resources within the industry. Further, a self-regulatory organization has been launched which will establish, monitor and enforce privacy and data protection standards for India’s business process outsourcing (BPO) industry. Additionally, many BPO service providers in India have engaged in voluntary self-regulation and adopted stringent security measures to reduce the risks of misuse of non-public personal data.

Global Frameworks and Laws for Data Breach Prevention

Internationally, data breach prevention is governed by a combination of national laws, regional regulations, and global conventions aimed at ensuring data security and privacy. Prominent among these is the General Data Protection Regulation[12] (GDPR) of the European Union, which sets stringent standards for data protection and imposes significant penalties for non-compliance. The United States employs sector-specific laws like the Health Insurance Portability and Accountability Act[13] (HIPAA) for healthcare data and the California Consumer Privacy Act[14] (CCPA) for consumer data protection. Globally, the Convention 108+ of the Council of Europe is the first legally binding international treaty on data protection, promoting cooperation and harmonized approaches to data security among member countries[15]. Countries like Japan, South Korea, and Brazil have also enacted robust frameworks, such as Brazil’s Lei Geral de Proteção de Dados[16] (LGPD), influenced by GDPR principles. These laws collectively emphasize preventive measures like implementing advanced security protocols, conducting risk assessments, and mandating breach notifications to protect personal data and ensure accountability on a global scale.

Key Indian Cases on Data Theft

Courts in India have played a significant role in interpreting and enforcing laws related to data theft. Key cases include:

Justice K.S. Puttaswamy (Retd.) v. Union of India[17]

A nine-judge bench of the Supreme Court examined whether the right to privacy is a fundamental right under the Indian Constitution. Privacy was recognized as a fundamental right under Article 21 (Right to Life and Personal Liberty). The judgment laid the groundwork for India’s data protection legislation.

Syed Asifuddin v. State of Andhra Pradesh[18]

Employees of Tata Indicom were accused of unauthorized access to the systems of BSNL to extract confidential information. The Andhra Pradesh High Court upheld the charges under the IT Act, emphasizing that unauthorized access to proprietary information constitutes a punishable offence.

Sony Sambandh.com v. State of Andhra Pradesh[19]

This case involved a hacking incident targeting Sony’s e-commerce platform. The accused accessed customer databases without permission. The court convicted the accused under Sections 43 and 66 of the IT Act, demonstrating the law’s applicability to commercial data theft.

Vikas Gupta v. State of Punjab[20]

The accused was charged with illegally accessing a government database and sharing sensitive information with third parties. The Punjab and Haryana High Court imposed stringent penalties, reaffirming the significance of data protection.

Some landmark international cases include:

  • Google Inc. v. Oracle America, Inc.[21]

The United States Court of Appeals for the Federal Circuit dealt with Oracle’s claim against Google for using its Java code in Android without permission. While the case focused on intellectual property, it highlighted the significance of securing proprietary data in digital platforms, impacting how data security is perceived in software development.

  • Google Spain SL v. Agencia Española de Protección de Datos[22] (AEPD)

The Court of Justice of the European Union ruled that individuals have the “right to be forgotten” and can request the removal of outdated or irrelevant personal data from search engines. This case established a crucial principle in data privacy law, influencing how personal data should be handled and deleted, particularly in the context of data breaches.

  • Home Secretary v. Computer Associates[23]

The UK Court of Appeal addressed the unauthorized access to sensitive customer information stored by Computer Associates. The court reinforced the duty of organizations to safeguard sensitive data, establishing significant legal precedent for data security obligations and the consequences of failing to prevent breaches.

Challenges in Addressing Data Theft in India

Despite existing laws, combating data theft in India presents several challenges, including:

  • Inadequacy of Existing Legislation: The IT Act and BNS provide a fragmented approach to data protection. The DPDP Act, though comprehensive, still has glaring limitations.
  • Enforcement Issues: Weak enforcement mechanisms and a lack of technical expertise within law enforcement agencies hinder effective action against perpetrators.
  • Cross-Border Jurisdiction: Cybercrimes often transcend national boundaries, creating jurisdictional challenges in investigation and prosecution.
  • Public Awareness Deficit: Many individuals and small businesses remain unaware of basic data security practices and their legal remedies in the event of data theft.

Recommendations

To mitigate the risks associated with data theft, India must prioritize the following steps:

  • Capacity Building: Law enforcement agencies should receive technical training to handle data theft investigations efficiently.
  • Public Awareness Campaigns: Promoting awareness about data security among individuals and organizations[24].
  • Enhanced International Collaboration: Strengthening cooperation with foreign governments and organizations to tackle jurisdictional challenges.

On an individual or organizational level, the following steps help prevent data breaches and limit their impact:

  • Data Minimization: Collect only the data necessary for specific purposes, reducing exposure in case of a breach.
  • Storage Limitation: Retain data only for a defined period and securely delete it afterward.
  • Encryption: Use strong encryption to protect data both at rest and in transit.
  • Security Protocols: Implement SSL, firewalls, and intrusion detection to prevent unauthorized access.
  • Data Governance Policies: Establish and regularly update policies outlining data handling, access, and storage procedures.
  • Risk Assessments and Audits: Conduct regular assessments and audits to identify vulnerabilities and ensure compliance.
  • Third-Party Oversight: Ensure third-party vendors follow the same security standards through contractual agreements and audits.
  • Awareness Campaigns: Continuously educate staff on security protocols and potential threats to foster a security-conscious culture.

Conclusion

Data theft is a pressing issue in India, threatening individual privacy, corporate confidentiality, and even national security. While existing measures, such as the IT Act and judicial interventions, offer some protection, they are increasingly inadequate in addressing the complexities of today’s fast-evolving digital landscape. The enactment of the Digital Personal Data Protection Act, 2023 marks a significant step toward establishing a robust framework for safeguarding data. However, this must be complemented by efforts to build institutional capacity and raise public awareness about data protection. By ensuring effective implementation and enforcement of these laws, India can not only enhance data security but also build trust among users and investors. This trust is crucial for fostering a resilient digital economy and achieving a sustainable and secure digital future.

[1] Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023.

[2] Digital Personal Data Protection Act, No. 22 of 2023, § 2(h), Acts of Parliament, 2023.

[3] Kharak Singh v. State of U.P. (AIR 1963 SC 1295); Gobind v. State of M.P. (AIR 1975 SC 1375); R. Rajagopal v. State of Tamil Nadu ([1994] 6 SCC 632); People’s Union for Civil Liberties (PUCL) v. Union of India (AIR 1997 SC 568); Distt. Registrar and Collector, Hyderabad v. Canara Bank (AIR 2005 SC 186).

[4] “Rs 500, 10 minutes, and you have access to billion Aadhaar details,” The Tribune (Jan. 4, 2018).

[5] Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament, 2023.

[6] Vakul Sharma, Information Technology: Law and Practice (4th ed. 2022).

[7] Bharatiya Nyaya Sanhita, No. 37 of 2023, Acts of Parliament, 2023.

[8] Bharatiya Nyaya Sanhita, No. 37 of 2023, § 303, Acts of Parliament, 2023.

[9] Bharatiya Nyaya Sanhita, No. 37 of 2023, § 317, Acts of Parliament, 2023.

[10] Bharatiya Nyaya Sanhita, No. 37 of 2023, § 318, Acts of Parliament, 2023.

[11] Credit Information Companies (Regulation) Act, No. 30 of 2005, Acts of Parliament, 2005.

[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, 2016 O.J. (L 119) 1 (EU).

[13] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).

[14] California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (West 2018).

[15] Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+), C.E.T.S. No. 223 (adopted May 17, 2018).

[16] Lei No. 13.709, de 14 de agosto de 2018, Lei Geral de Proteção de Dados Pessoais [General Data Protection Law], Diário Oficial da União [D.O.U.] de 15.08.2018 (Brazil).

[17] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

[18] Syed Asifuddin v. State of Andhra Pradesh, 2005 CriLJ 4314 (AP HC).

[19] Sony Sambandh.com v. State of Andhra Pradesh, (2005) 1 ALD (Crl.) 630.

[20] Vikas Gupta v. State of Punjab, 2013 SCC Online P&H 5126.

[21] Google Inc. v. Oracle Am., Inc., 750 F.3d 1332 (Fed. Cir. 2014).

[22] Google Spain SL v. Agencia Española de Protección de Datos (AEPD), Case C-131/12, [2014] ECLI:EU:C:2014:317.

[23] Home Sec’y v. Comput. Assocs., [2001] 3 All ER 928 (CA).

[24] Pavan Duggal, Cyberlaw: The Indian Perspective (LexisNexis, 3rd ed. 2021).