Webzine On Cyber Laws


1 WEBZINE ON CYBER LAWS

Contents
Primer To Data Protection
Global Watch
National Development
Cases Related To Data Protection
Laws Related To Data Protection
Comparative Analysis
Guest Blog
Centre for Cyber Laws Team

Primer To Data Protection
The Constitution treats the Right to Privacy as vital. This has
a significant impact on Indian law, shapes public policy and court
decisions, and serves as a monitoring procedure on all governmental
activities at the legislative and executive levels. In addition to its
public law consequences, this right encompasses the laws on consumer
protection, health, information technology, telecom licensing, and the
financial industry. Currently, the Information Technology Act of 2000
(“IT Act”), along with supplemental rules, serves as the legal basis for
protection of personal data and privacy. The Personal Data Protection
Bill, 2019 (the “PDP Bill”) was introduced by the government in 2019
and sent to the Joint Parliamentary Committee (“JPC”) for a thorough
analysis.
The JPC submitted its report to Parliament on December 16, 2021,
along with a number of recommendations and changes to the PDP Bill.
While the Bureau of Indian Standards created data privacy guidelines
as an assurance framework for businesses, the Reserve Bank of India
controls payment aggregators and lending services. Additionally, the
Central Government issued due-diligence guidelines for internet
intermediaries to follow.
The protection of Personal Information (“PI”) and Sensitive Personal
Data and Information (“SPDI”) is addressed in some provisions of the
Information Technology Act, 2000, as amended from time to time, and the
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
The waves of change were an expansion of the bill’s purview to include
both personal and non-personal data, which has led to the renaming of the
PDP Bill as the “Data Protection Bill, 2021” (“DP Bill”). The PDP Bill
aimed to define how major technology companies operate in the nation and
was considered comparable to the European General Data Privacy
Regulation. Social media companies, industry experts, and even ministers
criticized the draft bill that was put up in 2019, claiming that it had
too many flaws to be useful and advantageous for both consumers and
businesses. Facebook and Twitter, among other businesses, have long
expressed concern about India’s proposed stricter rules for the internet
industry, which have frequently soured relations between the US and
India.
It is important to note that the Personal Data Protection Bill, 2019, has
been withdrawn and is no longer being debated in Parliament as of 3
August 2022. In India, there isn’t yet a specific agency in charge of
data protection. In accordance with the current legal framework, all
entities, including any company, firm, sole proprietorship, or other
association of people engaged in commercial or professional activities
(“Body Corporate”), are responsible for adhering to the provisions of the
IT Act and the rules established thereunder. These entities include any
company, firm, sole proprietorship, or other association of people
engaged in commercial or professional activities. You can find more about
Data Protection and its principles here.



Global Watch
In this section, we will take a look at the various frameworks
internationally in the realm of data protection. In recent years, as data
and its importance have grown, various data protection developments
too have come across the world. In the context of the same, we look
at Data Protection in jurisdictions such as the US, China, Canada,
Australia, New Zealand and the EU.

Data Protection in the EU


EU Data Protection and Privacy is governed by the General Data
Protection Regulation (GDPR), which came into being in 2018. The
GDPR has been a defining legislation in the field of Data Protection,
and various countries, including those outside of the EU, have borrowed
from its framework. The regulation sets out important distinctions,
such as that between data controllers and data processors, wherein the
former is the organization which collects data and the latter processes
the data (for example, cloud service providers). It also defines types of
data - personal data and non-personal data - and who a data subject is.
The GDPR has 11 chapters pertaining to rights of the data holder, duties
of the data controller and duties of the data processor. It also governs
transfer of data to third countries and provides remedies and liabilities
for the breach of such data protection principles. The rights of the data
subject or data holder extend to (i) Right to Transparency (about any
data collection in understandable terms) (ii) Right to Access and
Information (about how data is being processed) (iii) Right to
Rectification and Erasure (which pertains to the removal of personal data
and the right to be forgotten) and (iv) Right to Object (to the
processing of PI). Herein, one can see that both the controller and
processor operate subject to the data subject’s consent.
The above is only a simple primer to the important aspects of the GDPR
but it has been the source for many scholarly writings, debates and
legislations.
To understand the EU’s GDPR in a more detailed manner, you may click here
or here. A more summary interpretation is available here.

Data Protection in the US
The US is self-regarded as a flagship bearer of the free world. Many
states in the US do have dedicated data laws including California which
has modeled the same on EU’s GDPR. Utah, Colorado and Virginia also do
have laws against misuse of personal information. The US does recognize a
Right to Privacy which affects how government agencies handle the data of
US citizens and there are indeed individual acts such as the HIPAA
(Health Insurance Portability and Accountability Act - this prevents
doctors from sharing their patients’ medical data) and the GLBA and FCRA
which impose on financial institutions a duty to disclose to their
consumers how their data is used. Even so, the country does not yet have
a country-wide federal law for data protection and it is the opinion of
many scholars that the US needs a more robust system. Currently, the
regime does not have too much depth in terms of online data protection -
and concepts such as data controller and data processor have not been
defined or formally regulated.
However, in June of this year, the US House of Representatives Committee
on Energy and Commerce voted in support of the American Data and Privacy
Protection Act or ADPPA. The same is yet to get approval in the US House
of Representatives, the Senate and the White House - but this is a
starting step which will hopefully see some updates soon.
More information on Data Protection can be found here and here.



Data Protection in Canada
Canada’s data protection regime is composed of Federal and State Laws
enacted by the provinces of Alberta, British Columbia and Quebec. The
Federal Law is called the Personal Information Protection and Electronic
Documents Act of 2000 (PIPEDA). Its provisions borrow from the EU GDPR
regime as well as the Data Protection Directive in the country. The act
entered into force in full swing in 2004 and since then various
amendments have been introduced to adapt to the information age. The
PIPEDA applies to organizations in respect to the data that the
organization collects, uses and discloses. It places accountability
accordingly and pursuant to the same, the organization holding personal
information in its custody is subject to obligations (including
transferred information). This is similar to the GDPR understanding of
“controller”.
Electronic as well as physical records are subject to this federal law.
However, the law does not apply to government institutions as the federal
Privacy Law applies there instead. It also does not apply to
organizations which collect information for domestic or journalistic,
artistic and literary purposes.
More can be learnt about the Canadian Data Protection Regime - here and
here.

Data Protection in Australia
Australia’s data protection law - Consumer Data Right came into force
recently - in 2020. The same is set against a background of the
Australian Federal Privacy Act and the Australian Privacy Principles
(APP). The Privacy Act operated through the APP. The same applies to “APP
Entities” which are individuals, private entities, etc. with an annual
turnover of more than 3 million AUD and all Australian government
agencies. Per the same - limitations have been posed on the collection,
storage, use and disclosure of personal data. Further, it is required
that the APP Entities give notice to the citizens regarding any
collection or use of data and consent is required for any further
disclosure.
Various rights of consumers and citizens have been recognized in this
framework - in a nuanced manner too - such as the Right to Anonymity,
Right to Data Quality, Right to Correct Data, Right to Deletion, Right to
object to Marketing. Sensitive data must only be collected when
reasonably necessary. Australia also has a relatively robust enforcement
framework overseen by the Office of the Australian Information
Commissioner who may issue legally binding rules and guidelines. They
hold investigatory powers, may impose civil penalties and authorize
dispute resolution.
More can be learnt about the Australian Data Protection regime here and
here.

Data Protection in New Zealand
The government of New Zealand has focused on data protection in its
governance for many years. The most recent legislation has been the
Privacy Act of 2020 which has 13 Information Privacy Principles which
regulate the collection and use of personal information with a focus on
the purpose of collection, the source of collection, consent of the
person and disclosure of the information collected, manner of collection,
storage and security of information alongside limits on use and
disclosure in the country and outside.
The New Zealand regime takes assistance from the NZ Privacy Commissioner
who has the authority to issue legally binding rules and guidelines. They
provide training in the field, resources for agencies and resources for
individuals. They also have an intuitive online reporting system which is
accessible to citizens and organizations.
More can be learnt about Data Protection in New Zealand here and here.

Data Protection in China
In 2021, China passed the Personal Information Protection Law which lays
down rules and regulations regarding data collection. The same has been
regarded as a fundamental law equivalent to the GDPR. The same had a
focus on the “rights of natural persons” including that of making
decisions about the use of their information, deletion of the
information, being informed about the use and collection of their data
and the mechanisms being used in pursuance of the aforementioned. It
accordingly places obligations upon PI Processors, State Organs dealing
with PI. There are special classifications made for the processing of
sensitive personal information and the cross border transfer of any data
- both elements having stricter rules pertaining to them.
China’s Cyberspace Administration (CAC) and the codes of the country have
been data aware for some time - which is fitting as China is one of the
more technologically advanced countries which deals with a lot of data.
The CAC has been an active authority in the issuing of guidelines and
rules for data protection and cyber security at large. These rules
(including the PIPL) extend in applicability to individuals and
organizations with exemptions made only for domestic usage of data.
More can be learnt about China’s Data Protection regulations here and
here.



National Development
Among the recent developments in the cyber law area in India is the
ramification of the Personal Data Protection Bill. The Data Protection
Bill is framed around a policy of allowing users to “manage” their data,
holding the platforms operating in India “accountable,” and promoting
“transparency” in all data transactions. The Data Protection Bill will soon be updated by
the government. The Personal Data Protection Bill (hereon referred to as
PDPB), which was initially introduced in 2019, was brought to the Joint
Parliamentary Committee, which then gave its report in December 2021
while citing various revisions. Early this year, the government withdrew the
law, citing the necessity for a new draft to incorporate the suggestions from
the JPC and other industry stakeholders. The PDPB must make sure that
conducting business is simple. Although the government would prefer a
law that was on par with international norms, particularly the Global Data
Protection Regulation (GDPR) put in place by the European Union, there
are three key distinctions between the Indian and western markets that
must be taken into account.
First, the market is enormous in scope and breadth.
Secondly, there should be no restrictions on businesses because the market
is still in its formative years.
Finally, there would likely be substantial opposition from western firms to
any regulations that serve India’s interests.
In order to implement the “CAT” combination, the policy must permit users
to “control” their data, ensure the “accountability” of platforms running
in India, and guarantee “transparency” in all data transactions.
The government’s pursuit of privacy and data protection must not come at
the expense of ease of doing business.
The government must not, under any circumstances, compromise on three
other issues which will be briefly discussed hereon in addition to the
CAT combination.

Analysis and Recommendations: The Non-Negotiables
Addressing the issue of Non-Personal Data:
One of the most important aspects that ought not to be ignored is the
issue of non-personal data which the government must look at by
accounting for the larger interests of the market, but without getting
conservative. Non-personal data (NPD) would simply include all those data
sets with knowledge and information that cannot be narrowed down to an
individual or be used for individual profiling.
The NPD sets can support startups and other business owners in a market
of 1.3 billion individuals who will eventually switch over to 5G and the
metaverse. The government is correct in requiring all businesses doing
business in India to provide anonymized data sets or NPD sets in order to
develop policies that are supported by facts. However, by including it
with personal data under the same bill, it is conservative in estimating
its potential.
However, industry leaders will put the government to the test on the NPD
issue as they attempt to play tough, claiming worries over intellectual
property. The younger players will not be driven out of the market which
the public NPDs will ensure.

Data Localization or No Local Access
Two aspects of data localization include discussion from personal and
sensitive data perspective as to whether cross-border flow of sensitive
data should be allowed and whether all data – sensitive or otherwise –
should be stored only within the Indian territory.
The government has previously shown that it is possible to coerce the
major corporations to follow the rules by enforcing the Reserve Bank of
India’s mandate that payment data be stored in India. Global leaders in
their respective industries - Visa and Mastercard - both comply with the
RBI’s 2018 ruling. Therefore, when requiring local preservation of
sensitive data and its copies, the government can be tough. In terms of
cross-border movement, the government can permit a set window during
which the data can be moved outside of India and then returned, similar
to how the RBI handles payment data (24 hours or one business day).
However, there will always be security issues with data usage outside of
India.
The industry’s justification for data localization’s price is likewise
untrue. Reports of Apple’s “Goldengate” Project first appeared in June
2021. According to a New York Times investigation, Apple was employing
a state-owned server company in Guiyang to store the personal information
of its Chinese customers. Based on sources, the corporation had abandoned
its encryption technology, used around the world, after complaints from
the Chinese government, and Beijing-employed personnel were now in charge
of the data centers, raising issues with data privacy and integrity. The
state-owned enterprise Guizhou-Cloud Big Data, or GCBD, purportedly
received the encryption keys for the data of Chinese consumers.
The Indian government, unlike China, would not wish to infringe upon the
intellectual property of any party, domestic or foreign, because of the
way it does business, but it must continue to adhere to the data
localization policy. Long-term, it may serve as a catalyst for the
development of an entire industry centered on data solutions, encourage
additional local and international businesses to invest in the area, and
provide job opportunities. The commercial sector can start talking about
cross-border data transfers after it conforms with data localization.
Another issue involving cross-border data transfers would be - to what
extent may the central government intervene?
Separating personal data from non-personal data would be beneficial in
this situation because the latter would not need any kind of government
authorization before being sent internationally.
The government must draw a firm boundary on the issue of personal data,
either by adopting the RBI’s approach or by classifying it by data type
or industry. It is incorrect to believe that a private corporation must
consult with the government prior to each cross-border data transmission.

Marginal gap between Accountability and Punishment for Social Media Platforms
It should come as no surprise that social media businesses must work with
all governments. Quarterly reports on the requests made to them by
sovereign countries and the actions taken are published by Facebook and
Google. The removal of person or business profiles, however, is one area
where some social media platforms have set up a trap. The most prominent
example of this is Twitter and President Donald Trump. The legislation
needs to establish a fine line here. No matter where they are from or how
big their global operations are, social media platforms operating in
India must first disclose whether they are publishers or intermediaries.
If it is the former, the content, profile, and page removal policies need
to be made available to the public.

They must be held responsible for every single piece of material put on
their platforms, regardless of who publishes them, if they wish to claim
to be the latter. Platforms like Twitter have long identified as both in
a way that suits their agenda. No longer. There is also the issue of data
protection officials, who can be contacted by the government or by
private citizens in the event of cybercrime, misleading information, or
offensive literature. Given the urgency of these events, the law must
specify that a specific number of data protection officers or ombudsmen
must be available for a specific number of platform users. For example,
the legislation can mandate a specific number of cops for every million
users.
When the data protection bill is revised to reflect the revisions, the
small print will come under close examination, but in order to move
forward, the government must first take a firm stand on the
aforementioned issues.
The government must establish a cutoff point when all businesses doing
business in India are required to abide by the new rule, drawing
inspiration from the GDPR. It should be mentioned that a data protection
bill for a market as intricate and expansive as India will require
subsequent adjustments and comments; so, expecting the ideal document all
at once would be mistaken. Whatever the ultimate form and whatever course
corrections are necessary, the national interests must still continue to
become topmost in priority.



Cases Related To Data Protection
1. Meta Platforms Ireland Ltd v. Bundesverband der Verbraucherzentralen
und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.,
C‑319/20
• In April 2022, the Court of Justice of the European Union (“CJEU”),
while interpreting Article 80, GDPR, held in a landmark judgment that
a consumer association under Article 80, GDPR is empowered to file a
lawsuit autonomously and independently to file complaints in relation to
any breach of GDPR obligations by an entity.
• Under Article 80 of the GDPR, national legislation may permit individual
consumer groups or associations to bring representative actions for
breaches of the GDPR when mandated by concerned individuals. In this
case, though, no such mandate had been provided, and Meta argued that
the GDPR precluded such options.
• The CJEU, however, found that a claim was sufficient if the data
processing concerned could affect the rights of identified or identifiable
natural persons under the GDPR without actual harm suffered by the
data subject. As a result, consumer groups can put forth representative
actions for data protection violations regardless of whether they have
been mandated or not by one or more specific individuals.

2. Stadler v Currys Group Limited (EWHC 160 (QB))
• The Case concerned an application to strike out a claim for damages
(including pursuant to Article 82 UK GDPR) by a claimant who had returned
a defective television to a retailer without having logged out of the
Amazon Prime app; the claimant’s account details were used to purchase a
movie for £3.49. Although the retailer refunded the purchase price and
made an ex gratia payment of £200, the customer sued for damages. The
retailer applied to strike out the claims at a preliminary stage.
• The High Court relied on previous English decisions and reiterated that
proof of actual loss or damages shall actually be required for a claim
under Article 84, UK GDPR to succeed. This indication that claimants
pursuant to Article 82 UK GDPR will be required to demonstrate loss will
be welcomed by data controllers, and appears to confirm the more limited
role that representative actions are likely to play in data breach
claims.



Laws Related To Data Protection
The Indian Constitution does not expressly guarantee the fundamental
right to privacy. However, certain fundamental rights such as the right to
freedom of speech and expression under Article 19(1)(a) and the right to
life and personal liberty under Article 21 of the Indian Constitution have
been interpreted by the court to include the right to privacy within their
ambit. The Hon’ble Supreme Court has recently ruled in the landmark
case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and
Ors. that the right to privacy is a fundamental right, subject to reasonable
restrictions set forth in Article 19(2).
Currently, there is no separate legislation addressing data protection or
privacy in India. The Information Technology Act of 2000 (hereinafter,
referred to as the “IT Act”) and the Indian Contract Act of 1872 are the
pertinent legislations in India that deal with data protection. As these laws
have only a limited scope, the Indian government had earlier introduced
the Personal Data Protection Bill, which has now been withdrawn due
to various issues being flagged in the bill. India is therefore likely to have
legislation on the subject in the coming time.
The Information Technology Act, 2000 addresses matters related to civil
and criminal penalties, and provides for compensation and punishment
for unlawful disclosure, misuse of personal data and breach of contract
involving personal data.
Section 43A of the Information Technology Act, 2000, provides that where
a body corporate, possessing, dealing or handling any sensitive personal
data or information in a computer resource which it owns, controls or
operates, is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or
wrongful gain to any person, such body corporate shall be liable to pay
damages by way of compensation to the person so affected. The Explanation
to this Section explains that the ambit of “sensitive personal data or
information” will be prescribed by the central government and that
“reasonable security practices and procedures” means security practices
and procedures designed to protect such information from unauthorized
access, damage, use, modification, disclosure or impairment (as may be
specified in an agreement between the parties or in any law for the time
being in force and in the absence of such agreement or any law, such
reasonable security practices and procedures as may be prescribed by the
Central Government).
The Information Technology (Reasonable Security Practices and Procedures
and Sensitive Personal Data or Information) Rules, 2011, prescribed by
the Central Government, explain the scope of “Sensitive personal data or
information of a person”, specifying that it includes such personal
information which consists of information relating to passwords,
financial information, sexual orientation, medical records and history,
biometric information, etc.
Section 72 of the IT Act provides penalty for breach of confidentiality
and privacy by any person who, in pursuance of any of the powers
conferred under the Act, rules or regulations made thereunder, has
secured access to any electronic record, book, register, correspondence,
information, document or other material.
Section 72A lays down that disclosure of personal information without the
consent of the person concerned or in breach of a lawful contract, with
the intent to cause or knowing that it is likely to cause wrongful loss
or wrongful gain, will be punishable with imprisonment for a term which
may extend to three years, or with fine which may extend to five lakh
rupees, or with both. While Section 72A covers an intermediary in its
ambit and makes them liable for disclosure of information in breach of
lawful contract, Section 79 of the IT Act provides for certain cases
wherein the intermediary is exempted from any liability. Section 79(1)
provides that subject to the subsequent conditions [elaborated in clauses
(2) and (3)], an intermediary shall not be liable for any third party
information, data, or communication link made available or hosted by him.
Section 69 of the IT Act, however, deviates from the general rule of data
protection and empowers the government to order or direct any agency to
intercept, monitor or decrypt or cause to be intercepted or monitored or
decrypted any information generated, transmitted, received or stored in
any computer resource, if the government is satisfied that such action is
necessary in the interest of the sovereignty or integrity of India,
defense of India, security of the State, friendly relations with foreign
States or public order or for preventing incitement to the commission of
any cognizable offense relating to above or for investigation of any
offense.



Comparative Analysis
Different nations adopt quite different approaches to regulating data
protection. In comparison to a country that is getting ready to comply
with data protection regulations, a country that has had data protection
in place for a longer period of time has a better degree of compliance.
There is no single comprehensive data protection law in the US. A
jumble of laws protects personal data in the United States. The
Freedom of Information Act (FOIA) and the Privacy Act of 1974
are federal statutes that protect citizens from the government’s use of
their personal information.
In contrast to the US model, the EU’s online data privacy regulation
allows companies less latitude in how they can conduct their
operations related to online privacy. The European Union passed its
Data Protection Directive in 1995, which established standards that
member countries were required to follow. The Data Directive specifies
how, when, and how the notification of data collection should be given,
and it is very protective of personal information. The EU model of
data protection is characterised as a thorough model in which a body is
established to make sure that organisations and people are abiding by
privacy protection rules.

When comparing the legislative and enforcement models of the United
States and the European Union, there are many differences and some
similarities. In terms of legislation, the EU regime seems simpler and
more streamlined than the US one. For instance, the EU only has one law
that guarantees people of EU member states the right to informational
privacy. In contrast, the United States relies on numerous laws,
including the GLBA and HIPAA, to ensure privacy rather than relying on a
single legislation. Various factors, including the kind of information in
question and the kind of business in question, affect data protection in
the United States. Therefore, Americans do not have a general right to
the privacy of all personal information; rather, the right to privacy is
conditional upon the nature of the information and whether or not the
industry sector in charge of the data is governed by law. The EU
Informational Privacy Directive, on the other hand, offers a broad right
to privacy to everyone, regardless of the sort of business or information
involved, therefore it is not constrained by such circumstances.
In contrast to India’s history with data protection and the right to
privacy, the European Union (EU) has a comprehensive system for
protecting those rights. Article 8 of the ECHR is interpreted broadly to
include the right to privacy. India’s data protection law is in its early
stages, whereas the EU’s comprehensive data protection regime dates back
to the 1970s. Higher levels of protection for personal data are required
by EU data protection rules, but India, a popular outsourcing country for
EU businesses, nevertheless struggles to comply with these stringent
standards. The legislature has left some gaps in the 2006 bill’s design
despite efforts to create a separate discipline for data protection laws.
While today’s requirements call for a comprehensive Act, the measure was
entirely crafted using the format of the UK Data Protection Act.
The comparison of the EU data protection law with the Indian IT Act 2000
reveals significant disparities. The objective of the IT Act 2000 is to
acknowledge e-commerce and e-governance operations in India, not just to
protect data, hence it only addresses the meaning of “data,” not
“personal data”. The country’s personal sensitive data is somewhat
protected by the 2009 Amendment, but a more comprehensive and focused law
is urgently needed. The proper requirements for the Indian law can be
assessed by comparing it to the law of developed nations. Data differ
from one another in terms of utility; they are not all of equal
relevance. As in the US, we must frame distinct categories of data with
varying utility values.



Guest Blog
In this edition, we bring you a guest article by Chaitanya Basotra, a 2nd year student at NLU Delhi
CYBERCRIME AND CONTRAVENTIONS: CONTOURS, ESSENCE AND SCOPE.

“We believe that data is the phenomenon of our times. It is the world’s new natural resource. If all of this is true – even inevitable – then cyber-crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” - Ginni Rometty.

The world we inhabit is a world of change. It is a world in continuous flux. A world where things from justice to crime are wedged in-between a spectrum linked with the strands of dynamism. The ingenuity and innovation that our world has seen in the past 100 years epitomize the same dynamism.
Developments in the ‘cyber-world’ have led to huge changes in how individuals, societies and global conglomerates view themselves vis-a-vis each other. This has also affected the rights and obligations of people to each other.
As a corollary to this, cybercrimes have been on a steady rise. This has been a direct result of a growing number of people getting access to the internet. The World Economic Forum’s 2020 report on Global Risks noted how “roughly one million people join the internet every day”. By 2022 almost 6 billion people will be interacting with data as a consequence of having the internet on their hands. All of this has been exacerbated by the covid-19 pandemic that made the internet an integral part of people’s lives. Stanford University reports that almost half of the US labour force has started working from home because of the pandemic.
Talking about India specifically, the NCRB noted that in 2021 there was an increase by 5% of reported cybercrimes over 2020. The number was 15% for 2019. The cybercrime incident or reports per one lakh of the populace was 3.9.

Cybercrime vis-à-vis Crime

“The criminal quality of an act cannot be discovered by reference to any standard but one: is the act prohibited with penal consequences.” – Lord Atkin.
“Everybody should want to make sure that we have the cyber tools necessary to investigate cybercrimes, and to be prepared to defend against them and to bring people to justice who commit it.” – Janet Reno

A reasonable question can be asked at this point - what exactly do we mean when we talk of cybercrimes? How is a cybercrime different from, say, a ‘usual’ crime?
As Yougal Joshi and Anand Singh note:
“Cybercrime combines the term “crime” with the root “cyber” from the word “cybernetic”, from the Greek, “kubernân”, which means to lead or govern. The “cyber” environment includes all forms of digital activities, regardless of whether they are conducted through networks and without borders.”
The Council of Europe Convention 2001 talked about four broad categories of offences which were to be included under that of cybercrimes - (i) offences against the confidentiality, integrity and availability of computer data and systems; (ii) computer-related offences; (iii) content-related offences; and (iv) offences related to infringements of copyright and related rights.
This is all well, good and reasonable, but how is a cybercrime different from a usual crime?
Firstly, the difference arises in the ‘mode’ which is utilized for each’s commission. In case of a cybercrime, “cyberspace becomes the tool criminals use to commit old crimes - like fraud, theft and extortion - in new ways”. Secondly, a cybercrime has the capacity to affect individuals on a far higher scale than a ‘usual’ crime. Thirdly, cybercrimes make the task of attribution of the offence to a particular individual or body a particularly difficult task.

Some Contraventions: Hacking, DDOS and Malware

The act of ‘Hacking’ computer systems can be traced back to the AI labs of MIT in the 1950s. Hacking back then was not connected with the negative connotations it does today. It was based on ‘principles’ that made it a quixotic endeavor. One hacker laid these principles out as follows:
- Access to computers…….. should be unlimited and total
- All information should be free
- Promote decentralization
- Art and beauty can be created on a computer.
The quixotism turned into all out criminality with the onset of the 80s. This was brought about due to the advent of the ARPANET (consequently the internet) and the personal computer. Due to this, hacker communities were no longer isolated groups but full-fledged groups.
Kevin Poulsen or ‘Dark Dante’ epitomized this shift in hacking culture:
“He broke into various computer systems, including systems involved in classified research for the Department of Defence. Poulsen was just 17.”
Malware is another way of carrying out cybercrimes. It does not consist of a physical agent, rather an agent in the virtual world like a virus is utilised to carry out an unlawful task. This is one of the many ways in which a cybercrime differs from a usual crime. A malware can further be divided into a virus or a worm.
Writing about viruses and worms, Susan Brenner says:
Like a virus, a computer worm is a self-replicating computer program. Unlike a virus, a worm does not need to attach itself to a host to spread to other systems. A worm uses a network to send copies of itself to other computers on that network; worms can therefore replicate on their own, without any assistance from computer users.
DDOS or Distributed Denial of Service attacks do not resemble hacking or malware attacks. They do not require access to a computer. Just like a warplane before dropping bombs does not need access to the territories of an enemy state, DDOS attacks do not require “perpetrator gaining entry into a computer”.
Hacking, Malware and DDOS continue to cost billions of dollars worldwide and have been used by states as tools towards indirect and direct aggression. It is predicted that these cybercrimes will cost the world around 10.5 trillion USD annually by 2025. In a world where the metaverse becomes a reality, hacking is one of the chief contraventions of cyberlaw.

Cybercrime and India

But how is cybercrime looked at in the schema of judicial, legal and legislative contours in the world’s biggest democracy - India?
Provisions of the IPC have been utilized in an ingenious manner to handle cyber-related crimes. For example, cybercrimes like sending threatening messages, defamatory messages, web-jacking have been dealt with by provisions of the IPC like sections 504, 499 and 383 respectively.
But with the adoption in 1997 by the UNGA of the Model Law on Electronic Commerce, a need for a new law was felt. Thus, the IT Act of 2000, which has been termed as the “mother of cyber law legislation in the country”, came to the fore. The Objectives of the act could be summed up as follows:
(i) To give legal recognition to any transaction which is done by electronic way or use of internet
(ii) To stop computer crime and protect the privacy of internet users.
(iii) To give more power to IPC, RBI Act and Indian Evidence Act for restricting electronic crime.
However, there were certain lacunae in the existing legislation. In order to deal with inadequacies in the act, in 2008 an amendment was brought forth.
The salient features of the amendment can be summarized as follows:
• New provision to address data protection and privacy
• New provision to address new forms of computer misuse - impersonation; identity theft and e-commerce frauds like phishing; video voyeurism; offensive messages and spam; pornography
• Monitoring of traffic data and information for cyber security
• New provision for empowering CERT to call and analyze information relating to breach in cyber space and cyber security

1 WEF Global Risks Report 2020. https://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf accessed 22 October 2022.
2 Steve Morgan, ‘Humans on the Internet Will Triple From 2015 to 2022 And Hit 6 Billion’ (cybersecurityventures, 18 July 2019) <https://cybersecurityventures.com/how-many-internet-users-will-the-world-have-in-2022-and-in-2030/> accessed 22 October 2022.
3 May Wong, ‘Stanford research provides a snapshot of a new work-from-home economy’ (news.stanford.edu, June 29 2020) <https://news.stanford.edu/2020/06/29/snapshot-new-working-home-economy/> accessed 22 October 2022.
4 PTI, ‘5 PC RISE IN CYBERCRIMES IN INDIA’ (Economic Times, 31 August 2022) <https://telecom.economictimes.indiatimes.com/news/5-pc-rise-in-cybercrimes-in-india-in-2021-charge-sheeting-only-in-one-third-cases-govt-data/93904202#:~:text=Exclusive-,5%20pc%20rise%20in%20cybercrimes%20in%20India%20in%202021%2C%20charge,the%20Ministry%20of%20Home%20Affairs> accessed 22 October 2022.
5 IJRISAT, Chief Editor. “A Study on Cyber Crime and Security Scenario in INDIA.” IJEMR, 2013.
6 Malik, Jitender & Choudhury, Sanjaya. (2019). Privacy and surveillance : The Law relating to Cyber Crimes in India. Journal of Engineering, Computing and Architecture. 9. 74-98.
7 Brenner, Susan W.. Cybercrime and the Law: Challenges, Issues, and Outcomes. Lebanon: Northeastern University Press, 2012
8 Ibid.
9 Ibid.
10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 Ibid (n 7).
15 Ibid (n 7).

Limitations of the IT Act of 2000
Child pornography was a big issue that the amendment sought to directly control. As Jitender Malik notes:
“It [the amendment] talks only of sexualized representations of actual children, and does not include fantasy play-
acting by adults, etc. From a plain reading of the provision, it is unclear whether drawings depicting children will also be
deemed an offence under the provision.”
Talking about Section 66A he notes:
“Section 66A which punishes persons for sending offensive messages is overly broad and is patently in violation of
Article 19(1) (a) of the Constitution. The fact that some information is “grossly offensive” or that it causes “annoyance”
or “inconvenience” while being known to be false cannot be a reason for curbing the freedom of speech.”
He also writes that “while the threat of cyber-terrorism might be very real, blanket monitoring of traffic is not the way
forward to get results and is sure to prove counter-productive - privacy”.
Thus, the amendment does not satisfactorily deal with the issues of encryption, intermediaries, privacy and child pornography.
Way Forward
The proposed ‘IT Rules 2021’ stretch out to deal with the various lacunae associated with the previous amendment. However, even the proposed rules have not been without their shortcomings. As the Indian Express notes, “The proposal to set up government-appointed committees has triggered concerns about the government overriding social media platforms’ content decisions.”
Along with the legislature, the courts must use the powers vested in them by the Constitution to ensure that justice is upheld. The judgment of the courts in leading cases like Shreya Singhal and K.S. Puttaswamy should act as bulwarks for future pro-activeness on the part of the judiciary.
Cybercrimes are a nefarious activity which extends its existence beyond territorial and geographical boundaries. If total proceeds of cybercrime were to be treated as a country, then it would be a country with the third largest economy in the world.
This then is the danger which cybercrime poses for the future of a peacefully symbiotic world. This then is enemy number one for a future that belongs not just to us but to our children.

16 Ibid (n 7).
17 Ibid (n 7).
18 Ibid (n 7).
19 Ibid (n 7).
20 Soumyarendra Barik, ‘Explained: What are the draft amendments to IT Rules, 2021?’ (indianexpress, 9 June 2022) <https://indianexpress.com/article/explained/india-it-rules-2021-amendments-social-media-explained-7958000/> accessed 22 October 2022.



Centre for Cyber Laws Team
Centre Director: Dr. Aparajita Bhatt
Dr. Aparajita Bhatt, Assistant Professor, Faculty of Law at National
Law University, Delhi specializes in Business Laws. She teaches
Cyber Laws, Corporate Laws and Mergers & Acquisitions at NLUD.
She is the Director of the Centre for Cyber Laws. She has also been
a course coordinator of UGC Swayam MOOCs and UGC e-pg
Pathshala course on Information and Communication Technology.

Student Team:

Aditendra Singh is a 5th year student at National Law University,
Delhi. He has deep interest in the interplay of law and technology.
He wishes to contribute to the discourse around evolution and
applicability of data principles in India. In his free time, he likes to
read on topics of history.

Smriti Phuyal is a 5th year student at National Law University, Delhi.
She is deeply interested in data sovereignty and internet governance.
She seeks to create a strong user privacy centric model for social
media companies and aims to spread awareness about digital privacy.
In her free time, she enjoys travelling and reading books.



Arvind Kumar Tiwari is a 5th year student at National Law
University, Delhi. He has a keen interest in Data Protection Laws,
Artificial Intelligence and Blockchain and aims to learn more about
the interplay between Technology Law and Human Rights. His
hobbies include cycling, playing basketball and running.

Niraj Jha is a 5th year student at National Law University, Delhi. He
has a deep interest in Blockchain technology, FinTech and the Crypto
world and the legal strings attached to them. He aims to create
awareness about Blockchain technology and the Crypto world, and
also about the regulations, safety and security
related to them. He enjoys trading and reading.

Aryan Bhat is a 4th year student at National Law University Delhi.
He is fascinated by artificial intelligence, fintech and the possibilities
they offer. He is particularly interested in the interface between
intellectual property rights and technology law. His hobbies include
reading novels, cricket and cycling.

Anushka Gupta is a penultimate year student at National Law
University Delhi. She’s currently looking to venture into fields of Law
which are prominently intersected with Technology - particularly
IPR, Cyber laws and Competition Law.
