Need for Strong Cyber Security Legislation in India
With an increase in the usage of the internet and other digital devices, data security and data privacy threats have become a major issue of concern across different countries. In order to tackle the issue of cyber security threats, different countries are adopting cyber security strategies. This paper is an attempt to shed light on the cyber laws in India and its loopholes. The paper will analyze the loopholes present in cyber laws in India. It will further analyze the cyber security and cybercrime legislations of few other countries to pick up the best practices which India can adopt in its cyber legislation. Based on the above analyses, the paper will provide suggestions which can be adopted in the Indian cyber legislation.
Loopholes present in the Indian Cyber Laws
The Information Technology Act was enacted in the year 2000 and later it was implemented with effect from 17 October, 2000. The main objective of this act is also enacted with a view to legalise the evidentiary value of electronic record and to tackle various cyber crimes. But the Indian Cyber Laws are one of the weakest cyber laws in the world. This is because there are no data privacy laws or laws of the protection of intellectual property rights.
The citizens do not have any rights over their private data in cyberspace which means they do not have the right to remove any data. The Information Technology Act does not include provisions for issues related to the protection of domain name. The growth of e-commerce has led to an increased value of domain name. The cybersquatting that takes place is addressed by the Trademark Act and the Information Technology Act does not include any provisions for the same. Thus, there is a need for laws on the protection of Intellectual property rights in cyberspace.
The Information Technology Act does not lay down rules and regulations for phishing and spamming and these cybercrimes are still unaddressed. Cyber stalking is another issue which does not come under the ambit of IT Act. Thus, there is a need to address these loopholes present in the Indian Cyber Laws for a strong and rigid cyber security.
Best Practices from Other Countries and Suggestions
In comparison between the Indian Cyber laws and Cyber laws from different parts across the world, Indian Cyber Laws are still weak. There is a need for stronger cyber security and cybercrime legislation. The Information Technology act 2000 provides for very light punishments for those who violate cyber laws. Most of the offences under the Information Technology Act, 2000provides an imprisonment of three years or less. Section 77B of IT Act 2000 states that offences with imprisonment of three years or below are bailable offences while those with imprisonment of more than three years are cognizable offences. In other words, cybercrimes are not considered the same as those provided under the Indian Penal Code, 1860. In the case, Gagan Harsh Sharma v State of Maharashtra 2018, the accused was charged under Section 408 and Section 420 of IPC, and Section 43, 65, 66 under the IT Act 2000. The Indian Penal Code provides for an imprisonment of seven years and a non- bailable offence while the IT Act 2000 under sections Section 43, 65, 66 provides for bailable offense. The court held that the accused are guilty under Section 43, 65, 66 of the IT Act 2000. In other words, the accused got less imprisonment under IT Act 2000 for a similar offence which is under IPC. Thus, there should be a parallel drawn between the similar offences under IPC and IT Act 2000.
India has very weak data privacy and data protection laws. India can adopt cloud computing methods for stronger protection of data with an Indian cloud server. Cloud computing means “the storing, processing and use of data on remotely located computers accessed over the internet” In 2012, the EU released the “Unleashing the Potential of Cloud Computing in Europe” strategy with the aim to contribute to ‘data strategy, digital and industrial strategy’ . The strategy ensured that a uniform set of rules will be applied across all the members of the union. It also ensured a high level of data privacy and data protection over the cloud. This strategy will also allow the free flow of data across the E.U. according to the Free-Flow of Non-Personal Data regulation. The European Union Agency for Cybersecurity (ENISA) has drafted the EU Cybersecurity Act, 2019 which provides a cyber-security certification scheme for cloud services ensuring data protection. Since cloud services are a new concept, the framing of legislations on it is still at its initial stages. India should also make its own cloud server and a cloud policy which will help in protecting and storing the data of many Indian corporations.
For stronger data privacy laws, India can draft legislation similar to the General Data Protection Regulation, 2016 of the European Union. The General Data Protection Regulation, 2016, gives the individual the ‘right to be forgotten’ under Article 17, which allows the individual to delete personal information except for information which might violate the right to freedom of expression and information or in the public interest or under legal obligation.The regulation confers the ‘right to rectification’ under Article 16 which allows the individual to correct the data concerning him or her. The regulation also gives the individual the ‘right to data portability’ under Article 20 which allows the individual to receive his or her personal data through automated means . The individual can only avail the right to data portability without violating the rights of other individuals. Under Article 21 of General Data Protection Regulation, 2016, the individual has a ‘right to object’ his or her personal data from being processed except for the exceptions mentioned under Article 23 of the General Data Protection Regulation, 2016.The General Data Protection Regulation, 2016 provides for very strong legislation on protection of data and the privacy rights of the individuals in cyberspace. India should also adopt a similar legislation for data privacy.
Furthermore, India should also draft legislation for protecting the copyrights and trademarks in cyberspace. This will also help in tackling cybercrimes like cybersquatting and typo-squatting. Furthermore, laws should be made to avoid unsolicited email spamming like the Belgium law on spam mails, 2003 which will provide an opt-in option to the individuals. Spam mails are basically sending mails in a large number to the recipient causing annoyance and nuisance. This is mostly done to advertise the products of a company. Furthermore, mails are also a way of sending malware like virus, Trojan, etc. which harms the electronic device of the user. These mails can be sent under a false name to attract the recipient to open it and may harm the electronic device of the user. Thus, there is a need for proper legislation to criminalize the act of sending unsolicited emails. In Belgium, ‘Loi 11 mars 2003, surcertains aspects juridiques des services de la société de l'information’ is a legislation passed in 2003 which prohibits sending unsolicited emails. Article 14 of this act prohibits the use of emails for advertising without the “prior, free, specific and informed consent” of the recipient. Further, the article prohibits sending such emails using a third party’s identity or hiding any information regarding the origin of the mail. Violation of Article 14 leads to a fine of EUR 50,000 under Article 26 of the same Act. In India, email spam is still not prohibited by law but considering the threat to the electronic device through email spamming, it should be prohibited in India.
In India, there are no laws for protecting the domain names. Finland has a very strong legislation called Domain Name Act, 2003 for tackling issues like cybersquatting. This act provides for requirements to grant, renew, transfer, withdraw, revoke and terminate domain names. Section 11(5) and section 12(4) provides for anti-cybersquatting provision under the Domain Name Act, 2003. Section 11(5) and section 12(4) provides for termination and revocation of the domain name if the domain name is based on the name of a third party with ‘the obvious intent of obtaining benefit or harming another’. Other than provisions on cybersquatting, the act also provides protection against crimes like typo-squatting, etc. Section 11 of Domain Name Act, 2003 gives provisions of termination of domain name if it is being used to carry criminal activities or the domain name is transferred without the consent of the owner. Furthermore, the act also provides for detailed provisions for protecting the domain name. India should also draft a legislation providing protection to the domain names from being misused in bad faith. India should likewise make progress toward the advancement and improvement of domestic cyber security system.
The Information Technology Act 2000.
Gagan Harsh Sharma v State of Maharashtra (2019) CriLJ 1398.
“Unleashing the Potential of Cloud Computing in Europe” European Commission”. 2012. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0529:FIN:EN:PDF
Braidma. “Cloud Computing,” June 25, 2020. https://ec.europa.eu/digital-single-market/en/cloud.
General Data Protection Regulation, 2016. https://gdpr-info.eu/art-17-gdpr/
Loi 11 mars 2003, surcertains aspects juridiques des services de la société de l'information, 2013. http://www.informatica-juridica.com/anexos/loi-11-mars-2003-sur-certains-aspects-juridiques-des-services-de-la-so ciete-de-l-information/
 Domain Name Act, 2003 https://www.finlex.fi/en/laki/kaannokset/2003/en20030228.pdf
Author ~ Vanshika Aggarwal
O.P. Jindal Global University