A PROJECT REPORT ON

CYBER OFFENCES

Submitted To:
Dr. Supinder Kaur
Department of Laws
Panjab University
Chandigarh

Submitted By:
Sanjana
Roll No. 1233/18
LLM (1st Semester)
Department of Laws
Panjab University.

ACKNOWLEDGEMENT

I take the prerogative to express my heartfelt gratitude to my guide, Prof. Supinder Kaur,
Department of Laws, Panjab University, Chandigarh, for her diligent guidance all through the
course of my project. It is her fruitful teaching which has given me a comprehensive
understanding of the topic. She has truly been a source of inspiration to me.

I would also like to thank my friends, who have been very helpful in providing me useful
information, wherever needed for the completion of my project. I also extend my
thankfulness to my parents for their precious moral support.

I’m grateful for all their help and valuable advice which has made the successful completion
of my project possible.

Sanjana
1233/18

INDEX

S.No. Particulars

1. Introduction

2. Cyber Crime

3. Classification of Cyber Offences

4. Offences under the I.T. Act, 2000 with amendment of 2008

5. Recent Developments in Privacy Laws

6. Conclusion

INTRODUCTION
The introduction of the internet has brought tremendous changes to our lives. People in
all fields increasingly use computers to create, transmit and store information in
electronic form instead of traditional paper documents. Information stored in electronic
form has many advantages: it is cheaper, easier to store, easier to retrieve and allows
speedier connection. Despite these advantages, it has been misused by many people for
their own gain or otherwise to harm others. High-speed connectivity to the world from any
place has given rise to many crimes, and the increase in these offences led to the need for
laws that offer protection. Some countries have been vigilant and have formed laws
governing the net. In order to keep pace with the changing generation, the Indian
Parliament passed the Information Technology Act, 2000. The I.T. Act, 2000 has been
conceptualized on the United Nations Commission on International Trade Law
(UNCITRAL) model law.

The Government of India enacted its Information Technology Act, 2000 with its objectives
officially stated as: “to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred
to as “electronic commerce”, which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with
the Government agencies and further to amend the Indian Penal Code, the Indian Evidence
Act, 1872, the Bankers Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934
and for matters connected therewith or incidental thereto.”1

CYBER CRIME
Cyber-crime is a generic term that refers to all criminal activities done using the medium of
computers, the Internet, cyber space and the worldwide web. Computer crime, or Cybercrime,
refers to any crime that involves a computer and a network. The computer may have been used
in the commission of a crime, or it may be the target.2 Netcrime is criminal exploitation of
the Internet. Dr. Debarati Halder and Dr. K. Jaishankar (2011) define Cybercrimes as:
“Offences that are committed against individuals or groups of individuals with a criminal
motive to intentionally harm the reputation of the victim or cause physical or mental harm to
the victim directly or indirectly, using modern telecommunication networks such as Internet
(Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)”. Such crimes
may threaten a nation’s security and financial health. Issues surrounding these types of
crimes have become high-profile, particularly those surrounding cracking, copyright
infringement, child pornography, and child grooming. There are also problems of privacy when
confidential information is lost or intercepted, lawfully or otherwise.

1 https://www.lawctopus.com/academike/offences-act-2000/ accessed on 4th November, 2018 at 9 p.m.
2 Warren G. Kruse, Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley, p. 392

An Australian nationwide survey conducted in 2006 found that two in three convicted
cyber-criminals were between the ages of 15 and 26.

Internationally, both governmental and non-state actors engage in cybercrimes,
including espionage, financial theft, and other cross-border crimes. Activity crossing
international borders and involving the interests of at least one nation state is sometimes
referred to as cyber warfare. The international legal system is attempting to hold actors
accountable for their actions through the International Criminal Court.

A report (sponsored by McAfee) estimates the annual damage to the global economy at $445
billion.

There isn’t really a fixed definition for cyber crime. Indian law has not given any
definition to the term ‘cyber crime’. In fact, the Indian Penal Code does not use the term
‘cyber-crime’ at any point, even after its amendment by the Information Technology
(Amendment) Act 2008, the Indian cyber law. However, “Cyber Security” is defined under
Section (2) (b) as protecting information, equipment, devices, computer, computer resource,
communication device and information stored therein from unauthorized access, use,
disclosure, disruption, modification or destruction.

Cyber Crime is not defined officially in the IT Act or in any other legislation. In fact, it
cannot be. Offences or crimes have been dealt with elaborately, listing various acts and the
punishments for each, under the Indian Penal Code, 1860 and related legislation. Hence, the
concept of cybercrime is just a “combination of crime and computer”.

Cyber-crime in a narrow sense (computer crime): Any illegal behaviour directed by
means of electronic operations that targets the security of computer systems and the data
processed by them3.

Cyber-crime in a broader sense (computer-related crime):

• Any illegal behaviour committed by means of, or in relation to, a computer system or
network, including such crimes as illegal possession and offering or distributing
information by means of a computer system or network.
• Any contract for the sale or conveyance of immovable property or any interest in such
property;
• Any such class of documents or transactions as may be notified by the Central
Government Confidential.

3 cyberlawsindia.net/internet-crime.html accessed on 28th March, 2018 at 9 P.M.

CLASSIFICATION OF CYBER OFFENCES


The rapid growth of computer technology has led to the enactment of the Information
Technology Act 2000. The conversion of paperwork into electronic records and the storage
of electronic data have tremendously changed the scenario of the country.4

Offences: Cyber offences are unlawful acts which are carried out in a very sophisticated
manner in which the computer is either the tool or the target or both. Cybercrime usually
includes:

(a) Unauthorized access of the computers (b) Data diddling (c) Virus/worms attack (d) Theft
of computer system (e) Hacking (f) Denial of service attacks (g) Logic bombs (h) Trojan
attacks (i) Internet time theft (j) Web jacking (k) Email bombing (l) Salami attacks
(m) Physically damaging computer system.

The offences included in the IT Act 2000 are as follows:

1. Tampering with the computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions
5. Directions of Controller to a subscriber to extend facilities to decrypt information
6. Protected system
7. Penalty for misrepresentation
8. Penalty for breach of confidentiality and privacy
9. Penalty for publishing Digital Signature Certificate false in certain particulars
10. Publication for fraudulent purpose
11. Act to apply for offence or contravention committed outside India
12. Confiscation
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.

4 www.legalservicesindia.com accessed on 4th November 2018 at 9 P.M.

OFFENCES UNDER THE IT ACT, 2000

Section 43 deals with penalties and compensation for damage to computer, computer
system etc. This section is the first major and significant legislative step in India to combat
the issue of data theft. The IT industry has long been clamouring for legislation in India
to address the crime of data theft, just like physical theft or larceny of goods and
commodities. This Section addresses the civil offence of theft of data. If any person, without
permission of the owner or any other person who is in charge of a computer, accesses or
downloads, copies or extracts any data, or introduces any computer contaminant like a virus,
or damages or disrupts any computer, or denies access to a computer to an authorized user, or
tampers etc., he shall be liable to pay damages to the person so affected. Earlier, in the
ITA-2000, the maximum damages under this head was Rs. 1 crore; this ceiling has since been
removed in the ITAA 2008.

The essence of this Section is civil liability. Criminality in the offence of data theft is
dealt with separately later under Sections 65 and 66. Writing a virus program or spreading a
virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of
Service Attack in a server will all come under this Section and attract civil liability by way of
compensation. Under this Section, words like Computer Virus, Computer Contaminant,
Computer Database and Source Code are all described and defined.

Questions like the employees’ liability in an organisation which is sued for data theft
or such offences, the amount of responsibility of the employer or the owner, and the
concept of due diligence were all debated in the first few years of ITA-2000 in court
litigation like the Baazee.com case and other cases. Subsequently, a need was felt to define
corporate liability for data protection, and information security at the corporate level was
given a serious look.5

Section 65: Tampering with source documents is dealt with under this section.
Concealing, destroying or altering any computer source code when the same is required to be
kept or maintained by law is an offence punishable with three years’ imprisonment or two
lakh rupees or with both. Fabrication of an electronic record or committing forgery by way of
interpolations in a CD produced as evidence in a court attracts punishment under this Section.
Computer source code under this Section refers to the listing of programmes, computer
commands, design and layout etc. in any form.

5 http://www.iibf.org.in/document/Cyber-Laws-chapter-in-Legal-Aspects-Book.pdf accessed on 11th April, 2018 at 10 p.m.

Parliament Attack Case:

Navjot Sandhu alias Afsan Guru v. NCT Delhi, 2005

Facts: In this case several terrorists attacked Parliament House on 13 December, 2001.
Digital evidence played an important role during their prosecution. The accused
argued that computers and digital evidence can easily be tampered with and hence should not
be relied upon. Several smart device storage disks and devices and a laptop were recovered
from the truck intercepted at Srinagar pursuant to information given by two suspects. The
laptop contained evidence of fake identity cards and video files containing clips of
political leaders with Parliament in the background, shot from T.V. news channels.
It also contained the design of a Ministry of Home Affairs car sticker and the game “wolf
pack” with the user name ‘Ashiq’, which was the name on one of the fake identity cards used
by the terrorists. No backup was taken. Therefore, it was challenged in the Court.

Held: Challenges to the accuracy of computer evidence should be established by the
challenger. Mere theoretical and generic doubts cannot be cast on the evidence.

Anvar P.V. v. P.K. Basheer, 2014 and Sudhir Jain v. R.P. Mittal, 2013

The Supreme Court in these cases reversed its earlier judgment and held that electronic
data/evidence is prone to modification and hence, until a certificate is generated by the
official responsible, the evidence cannot be taken as primary evidence.

Section 66: Computer related offences are dealt with under this Section. Data theft stated
in Section 43 is referred to in this Section. Whereas in that Section it was a plain and
simple civil offence with the remedy of compensation and damages only, here it is the same
act but with a criminal intention, thus making it a criminal offence. The act of data theft or
the offence stated in Section 43, if done dishonestly or fraudulently, becomes a punishable
offence under this Section and attracts imprisonment up to three years or a fine of five lakh
rupees or both. Earlier, hacking was defined in Sec 66 and it was an offence.

Now after the amendment, data theft of Sec 43 is being referred to in Sec 66 by making this
section more purposeful and the word ‘hacking’ is not used. The word ‘hacking’ was earlier
called a crime in this Section and at the same time, courses on ‘ethical hacking’ were also
taught academically. However the act of hacking is still certainly an offence as per this
Section, though some experts interpret ‘hacking’ as generally for good purposes (obviously to
facilitate naming of the courses as ethical hacking) and ‘cracking’ for illegal purposes. It
would be relevant to note that the technology involved in both is the same and the act is the
same, whereas in ‘hacking’ the owner’s consent is obtained or assumed and the latter act
‘cracking’ is perceived to be an offence.

Section 66 is now a widened one with a list of offences as follows:

66A Sending offensive messages through communication service, causing annoyance etc.
through an electronic communication or sending an email to mislead or deceive the recipient
about the origin of such messages (commonly known as IP or email spoofing) are all covered
here. Punishment for these acts is imprisonment up to three years or fine.

Shreya Singhal v. Union of India, AIR 2015 SC 1523

Police arrested two women for posting allegedly offensive and objectionable comments on
Facebook about the propriety of shutting down the city of Mumbai after the death of a
political leader. The police made the arrests under Section 66A of the Information
Technology Act of 2000 (ITA), which punishes any person who sends through a computer
resource or communication device any information that is grossly offensive, or with the
knowledge of its falsity, the information is transmitted for the purpose of causing annoyance,
inconvenience, danger, insult, injury, hatred, or ill will.

The main issue was whether Section 66A of ITA violated the right to freedom of expression
guaranteed under Article 19(1)(a) of the Constitution of India. As an exception to the right,
Article 19(2) permits the government to impose “reasonable restrictions . . . in the interests of
the sovereignty and integrity of India, the security of the State, friendly relations with foreign
States, public order, decency or morality or in relation to contempt of court, defamation or
incitement to an offense.”

The Supreme Court of India invalidated Section 66A of the Information Technology Act of
2000 in its entirety. The Court held that the prohibition against the dissemination of
information by means of a computer resource or a communication device intended to cause
annoyance, inconvenience or insult did not fall within any reasonable exceptions to the
exercise of the right to freedom of expression.

66B Dishonestly receiving stolen computer resource or communication device with
punishment up to three years or one lakh rupees as fine or both.

66C Electronic signature or other identity theft like using others’ password or electronic
signature etc. Punishment is three years’ imprisonment or fine of one lakh rupees or both.

66D Cheating by personation using computer resource or a communication device shall be
punished with imprisonment of either description for a term which may extend to three years
and shall also be liable to fine which may extend to one lakh rupees.

66E Privacy violation – Publishing or transmitting private area of any person without his or
her consent etc. Punishment is three years’ imprisonment or two lakh rupees fine or both.

66F Cyber terrorism – Intent to threaten the unity, integrity, security or sovereignty of the
nation and denying access to any person authorized to access the computer resource or
attempting to penetrate or access a computer resource without authorization. Acts of causing
a computer contaminant (like virus or Trojan Horse or other spyware or malware) likely to
cause death or injuries to persons or damage to or destruction of property etc. come under this
Section. Punishment is life imprisonment.

It may be observed that all acts under S.66 are cognizable and non-bailable offences.
Intention or the knowledge to cause wrongful loss to others i.e. the existence of criminal
intention and the evil mind i.e. concept of mens rea, destruction, deletion, alteration or
diminishing in value or utility of data are all the major ingredients to bring any act under this
Section.

To summarise, what was civil liability with entitlement for compensations and damages in
Section 43, has been referred to here, if committed with criminal intent, making it a criminal
liability attracting imprisonment and fine or both.

R v. Whiteley6:

In this case the accused gained unauthorized access to the Joint Academic Network (JANET)
and deleted and added files and changed the passwords to deny access to the authorized users.
The perspective of the section is not merely to protect the information but to protect the
integrity and security of computer resources from attacks by unauthorized persons seeking to
enter such resources, whatever may be the intention or motive.

Case Reported In India:

Official website of Maharashtra government hacked. The official website of the government
of Maharashtra was hacked by Hackers Cool Al-Jazeera, who claimed they were from
Saudi Arabia.

Section 67 deals with publishing or transmitting obscene material in electronic form. The
earlier Section in ITA was later widened as per ITAA 2008 in which child pornography and
retention of records by intermediaries were all included.

Publishing or transmitting obscene material in electronic form is dealt with here. Whoever
publishes or transmits any material which is lascivious or appeals to the prurient interest or if
its effect is such as to tend to deprave and corrupt persons who are likely to read the matter
contained in it, shall be punished on first conviction for a term up to three years and fine of
five lakh rupees and on second conviction for a term of five years and fine of ten lakh rupees
or both.

This Section is of historical importance since the landmark judgement in what is considered
to be the first ever conviction under the I.T. Act 2000 in India was obtained under this
Section in the famous case “State of Tamil Nadu vs Suhas Katti” on 5 November 2004. The
strength of the Section and the reliability of electronic evidence were proved by the
prosecution and conviction was brought about in this case, involving sending obscene
messages in the name of a married woman amounting to cyber stalking, email spoofing and the
criminal activity stated in this Section.

6 [1991] 93 Cr App Rep 25

Section 67-A deals with publishing or transmitting of material containing sexually
explicit act in electronic form. Contents of Section 67 when combined with the material
containing sexually explicit material attract penalty under this Section.

Section 67B This section deals exclusively with child pornography. Depicting children
engaged in sexually explicit act, creating text or digital images or advertising or promoting
such material depicting children in obscene or indecent manner etc. or facilitating abusing
children online or inducing children to online relationship with one or more children etc.
come under this Section. ‘Children’ means persons who have not completed 18 years of age,
for the purpose of this Section. Punishment for the first conviction is imprisonment for a
maximum of five years and fine of ten lakh rupees and in the event of subsequent conviction
with imprisonment of seven years and fine of ten lakh rupees.

Bona fide heritage material being printed or distributed for the purpose of education or
literature etc. is specifically excluded from the coverage of this Section, to ensure that
printing and distribution of ancient epics or heritage material or pure academic books on
education and medicine are not unduly affected.

Screening videographs and photographs of illegal activities through the Internet all come
under this category; making pornographic video or MMS clippings or distributing such
clippings through mobile or other forms of communication through the Internet also falls
under this category.

Section 67C fixes the responsibility on intermediaries to preserve and retain
such information as may be specified for such duration and in such manner as the Central
Government may prescribe. Non-compliance is an offence with imprisonment up to three
years or fine.

Case Laws:

The State of Tamil Nadu v. Suhas Katti.

Facts: This case is about the posting of obscene, defamatory and annoying messages about a
divorcee woman in a Yahoo message group. E-mails were forwarded to the victim for
information by the accused through a false e-mail account opened by him in the name of the
victim. These postings resulted in annoying phone calls to the lady. Based on the complaint,
police nabbed the accused. He was a known family friend of the victim and was interested in
marrying her. She married another person, but that marriage ended in divorce and the
accused started contacting her once again. On her reluctance to marry him, he started
harassing her through the internet.

Held: “The accused is found guilty of offences under section 469, 509 IPC and 67 of IT Act
2000 and the accused is convicted and is sentenced for the offence to undergo RI for 2 years
under 469 IPC and to pay fine of Rs.500/- and for the offence u/s 509 IPC sentenced to
undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of
IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run
concurrently.”

The accused paid the fine amount and he was lodged at Central Prison, Chennai. This is
considered the first case convicted under section 67 of the Information Technology Act 2000 in
India.

In a recent case, a groom’s family received numerous emails containing defamatory
information about the prospective bride. Fortunately, they did not believe the emails and
chose to take the matter to the police. The sender of the emails turned out to be the girl’s
step-father, who did not want the girl to get married, as he would have lost control over her
property, of which he was the legal guardian.

Avnish Bajaj (CEO of Baazee.com – now a part of the eBay group of companies) case.
Facts: There were three accused: the Delhi schoolboy, Ravi Raj of IIT Kharagpur, and
the service provider Avnish Bajaj.

The law on the subject is very clear. The sections slapped on the three accused were Section
292 (sale, distribution, public exhibition, etc., of an obscene object) and Section 294 (obscene
acts, songs, etc., in a public place) of the Indian Penal Code (IPC), and Section 67 (publishing
information which is obscene in electronic form) of the Information Technology Act 2000. In
addition, the schoolboy faces a charge under Section 201 of the IPC (destruction of
evidence), for there is apprehension that he had destroyed the mobile phone that he used in
the episode. These offences invite a stiff penalty, namely, imprisonment ranging from two to
five years, in the case of a first time conviction, and/or fines.

Held: In this case the service provider Avnish Bajaj was later acquitted and the Delhi
schoolboy was granted bail by the Juvenile Justice Board after being taken into police charge
and detained in an Observation Home for two days.

Section 68 of this Act provides that (1) The Controller may, by order, direct a Certifying
Authority or any employee of such Authority to take such measures or cease carrying on such
activities as specified in the order if those are necessary to ensure compliance with the
provisions of this Act, rules or any regulations made there under.

(2) Any person who fails to comply with any order under sub-section (1) shall be guilty of an
offence and shall be liable on conviction to imprisonment for a term not exceeding three
years or to a fine not exceeding two lakh rupees or to both.

Explanation: Any person who fails to comply with any order under sub-section (1) of the
above section shall be guilty of an offence and shall be convicted for a term not less than
three years or to a fine exceeding two lakh rupees or to both.

The offence under this section is non-bailable & cognizable.

Punishment: Imprisonment up to a term not exceeding three years or fine not exceeding two
lakh rupees.

Transmission of electronic message and communication:

Section 69: This is an interesting section in the sense that it empowers the Government or
agencies as stipulated in the Section, to intercept, monitor or decrypt any information
generated, transmitted, received or stored in any computer resource, subject to compliance of
procedure as laid down here. This power can be exercised if the Central Government or the
State Government, as the case may be, is satisfied that it is necessary or expedient in the
interest of sovereignty or integrity of India, defence of India, security of the State, friendly
relations with foreign States or public order or for preventing incitement to the commission of
any cognizable offence relating to above or for investigation of any offence. In any such case
too, the necessary procedure as may be prescribed, is to be followed and the reasons for
taking such action are to be recorded in writing, by order, directing any agency of the
appropriate Government. The subscriber or intermediary shall extend all facilities and
technical assistance when called upon to do so.

Section 69A, inserted in the ITAA, vests the Central Government or any of its
officers with the power to issue directions for blocking public access to any information
through any computer resource, under the same circumstances as mentioned above. Section
69B discusses the power to authorise the monitoring and collection of traffic data or
information through any computer resource.

Now, this Section 69 of ITAA is far more intrusive and more powerful than the above-cited
provision of Indian Telegraph Act 1885. Under this ITAA Section, the nominated
Government official will be able to listen in to all phone calls, read the SMSs and emails, and
monitor the websites that one visited, subject to adherence to the prescribed procedures and
without a warrant from a magistrate’s order. In view of the foregoing, this Section was
criticised as draconian, vesting the government with much more power than required.

Section 70 of this Act provides that – (1) The appropriate Government may, by
notification in the Official Gazette, declare that any computer, computer system or computer
network to be a protected system.

(2) The appropriate Government may, by order in writing, authorize the persons who are
authorized to access protected systems notified under sub-section (1).

(3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provision of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.

Explanation: This section grants the power to the appropriate government to declare any
computer, computer system or computer network to be a protected system. Only authorized
persons have the right to access a protected system.

Punishment: The imprisonment which may extend to ten years and fine.

Section 71 provides that- (1) Whoever makes any misrepresentation to, or suppresses any
material fact from, the Controller or the Certifying Authority for obtaining any license or
Digital Signature Certificate, as the case may be, shall be punished with imprisonment for a
term which may extend to two years, or with fine which may extend to one lakh rupees, or
with both.

Punishment: Imprisonment which may extend to two years or fine which may extend to one lakh
rupees or with both.

Section 72 provides that- Save as otherwise provided in this Act or any other law for the
time being in force, any person who, in pursuance of any of the powers conferred under this
Act, rules or regulation made thereunder, has secured access to any electronic record, book,
register, correspondence, information, document or other material without the consent of the
person concerned discloses such material to any other person shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend to
one lakh rupees, or with both.

Explanation: This section relates to any person who in pursuance of any of the powers
conferred by the Act or its allied rules and regulations has secured access to any: Electronic
record, books, register, correspondence, information, document, or other material.

If such person discloses such information, he will be punished. It would not apply to
disclosure of personal information of a person by a website, by his email service provider.

Punishment: Term which may extend to two years or fine up to one lakh rupees or with both.

Section 73 provides that – (1) No person shall publish a Digital Signature Certificate or
otherwise make it available to any other person with the knowledge that-

(a) The Certifying Authority listed in the certificate has not issued it; or

(b) The subscriber listed in the certificate has not accepted it; or

(c) The certificate has been revoked or suspended, unless such publication is for the
purpose of verifying a digital signature created prior to such suspension or
revocation.

(2) Any person who contravenes the provisions of sub-section (1) shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend to
one lakh rupees, or with both.

Explanation: The Certifying Authority listed in the certificate has not issued it or, the
subscriber listed in the certificate has not accepted it or the certificate has been revoked or
suspended.

The Certifying authority may also suspend the Digital Signature Certificate if it is of the
opinion that the digital signature certificate should be suspended in public interest.

A digital signature may not be revoked unless the subscriber has been given an opportunity of
being heard in the matter. On revocation the Certifying Authority needs to communicate the
same to the subscriber. Such publication is not an offence if it is for the purpose of
verifying a digital signature created prior to such suspension or revocation.

Punishment: Imprisonment for a term which may extend to two years or fine which may extend
to 1 lakh rupees or with both.

Case Laws:

Bennett Coleman & Co. v. Union of India7

In this case it was stated that ‘publication means dissemination and
circulation’. In the context of the digital medium, the term publication includes the
transmission of information or data in electronic form.

Section 74 provides that- Whoever knowingly creates, publishes or otherwise makes
available a Digital Signature Certificate for any fraudulent or unlawful purpose shall be
punished with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.

Explanation: This section prescribes punishment for the following acts:

Knowingly creating a digital signature certificate for any

1. fraudulent purpose or
2. unlawful purpose.

[7] AIR 1973 SC 106

Knowingly publishing a digital signature certificate for any

1. fraudulent purpose or
2. unlawful purpose

Knowingly making available a digital signature certificate for any

1. fraudulent purpose or
2. unlawful purpose.

Punishment: Imprisonment for a term up to two years or fine up to one lakh or both.

RECENT DEVELOPMENTS IN PRIVACY LAWS

Draft Personal Data Protection Bill, 2018

• The Committee of Experts on a Data Protection Framework for India (Chair: Justice
B. N. Srikrishna) submitted its report and draft Bill to the Ministry of Electronics and
Information Technology on July 27, 2018. The Committee was constituted in August,
2017 to examine issues related to data protection, recommend methods to address
them, and draft a data protection Bill.

Summary on the Draft Personal Data Protection Bill, 2018

• Rights of the individual: The Bill sets out certain rights of the individual. These
include: (i) right to obtain confirmation from the fiduciary on whether its personal
data has been processed, (ii) right to seek correction of inaccurate, incomplete, or
out-of-date personal data, and (iii) right to have personal data transferred to any other
data fiduciary in certain circumstances.

• Obligations of the data fiduciary: The Bill sets out obligations of the entity who has
access to the personal data (data fiduciary). These include: (i) implementation of
policies with regard to processing of data, (ii) maintaining transparency with regard to
its practices on processing data, (iii) implementing security safeguards (such as
encryption of data), and (iv) instituting grievance redressal mechanisms to address
complaints of individuals.

• Data Protection Authority: The Bill provides for the establishment of a Data
Protection Authority. The Authority is empowered to: (i) take steps to protect
interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure
compliance with the Bill. It will consist of a chairperson and six members, with
knowledge of at least 10 years in the field of data protection and information
technology. Orders of the Authority can be appealed to an Appellate Tribunal
established by the central government and appeals from the Tribunal will go to the
Supreme Court.

• Grounds for processing personal data: The Bill allows processing of data by
fiduciaries if consent is provided. However, in certain circumstances, processing of
data may be permitted without consent of the individual. These grounds include: (ii)
if necessary for any function of Parliament or state legislature, or if required by the
state for providing benefits to the individual, (iii) if required under law or for the
compliance of any court judgement, (iv) to respond to a medical emergency, threat to
public health or breakdown of public order, or, (v) for reasonable purposes
specified by the Authority, related to activities such as fraud detection, debt recovery,
and whistle blowing.

• Grounds for processing sensitive personal data: Processing of sensitive personal data
is allowed on certain grounds, including: (i) based on explicit consent of the
individual, (ii) if necessary for any function of Parliament or state legislature, or, if
required by the state for providing benefits to the individual, or (iii) if required under
law or for the compliance of any court judgement.

• Sensitive personal data includes passwords, financial data, biometric data, genetic
data, caste, religious or political beliefs, or any other category of data specified by the
Authority. Additionally, fiduciaries are required to institute appropriate mechanisms
for age verification and parental consent when processing sensitive personal data of
children.

• Transfer of data outside India: Personal data (except sensitive personal data) may be
transferred outside India under certain conditions. These include: (i) where the
central government has prescribed that transfers to a particular country are
permissible, or (ii) where the Authority approves the transfer in a situation of
necessity.

• Exemptions: The Bill provides exemptions from compliance with its provisions, for
certain reasons including: (i) state security, (ii) prevention, investigation, or
prosecution of any offence, or (iii) personal, domestic, or journalistic purposes.

• Offences and Penalties: Under the Bill, the Authority may levy penalties for various
offences by the fiduciary including (i) failure to perform its duties, (ii) data processing
in violation of the Bill, and (iii) failure to comply with directions issued by the
Authority. For example, under the Bill, the fiduciary is required to notify the
Authority of any personal data breach which is likely to cause harm to the individual.
Failure to promptly notify the Authority can attract a penalty of the higher of Rs 5
crore or 2% of the worldwide turnover of the fiduciary.

• Amendments to other laws: The Bill makes consequential amendments to the
Information Technology Act, 2000. It also amends the Right to Information Act,
2005, to permit non-disclosure of personal information where harm to the
individual outweighs public good. [8]

[8] http://www.prsindia.org/billtrack/draft-personal-data-protection-bill-2018-5312/ accessed on 4th November
2018 at 10:42 PM.

AADHAAR JUDGEMENT (Justice K. S. Puttaswamy v. Union of India)

In a landmark decision on 27th September 2018 the Supreme Court of India upheld the
Aadhaar Act, the use of the money bill route for its legislative passage and the use of
mandatory Aadhaar-based identification for government welfare schemes, the expenditure for
which is drawn from the Consolidated Fund of India. Most mandatory private use of Aadhaar
has been struck down.

We may record here that (Aadhaar) enrolment is of voluntary nature. However, it becomes
compulsory for those who seeks to receive any subsidy, benefit or service under the welfare
scheme of the government expenditure whereof is to be met from the Consolidated Fund of
India.

In a 567-page majority judgment, authored by Justice Sikri and concurred upon by two other
judges, Chief Justice Dipak Misra and Justice AM Khanwilkar, the Supreme Court
answered five questions...

Question 1: Whether the Aadhaar project creates or has tendency to create surveillance
state and is, thus, unconstitutional on this ground?

Judgment: The architecture of Aadhaar as well as the provisions of the Aadhaar Act do not
tend to create a surveillance state, said the majority order.

According to the order, this is ensured by the manner in which the Aadhaar project operates.
Drawing from representations made by the Unique Identification Authority of India and the
government, the order stated:

• During the enrolment process, minimal biometric data in the form of iris and fingerprints is
collected.
• UIDAI does not collect purpose, location or details of transaction. Thus, it is purpose blind.
• The information collected, as aforesaid, remains in silos. Merging of silos is prohibited.
• The requesting agency is provided answer only in ‘Yes’ or ‘No’ about the authentication of
the person concerned.
• The authentication process is not exposed to the internet world.
• There are sufficient authentication security measures taken.
• There is an oversight by Technology and Architecture Review Board and Security Review
Committee.
• During authentication no information about the nature of transaction etc. is obtained.
• The authority has mandated use of Registered Devices for all authentication requests.

Hence the three judges have held that “it is very difficult to create profile of a person simply
on the basis of biometric and demographic information stored in CIDR”.

But the order does dilute some provisions pertaining to data protection. For instance, it has
directed that authentication records are not to be kept beyond a period of six months, whereas
the Aadhaar Act permitted five years.

Question 2: Whether the Aadhaar Act violates the right to privacy and is
unconstitutional on this ground?

Judgment: Referring to the earlier Supreme Court decision that determined privacy to be a
fundamental right, the order states that any restraint on privacy must meet three tests:

• backed by law
• legitimate state aim
• proportionality

The existence of the Aadhaar Act and delivery of welfare benefits fulfil the first two
requirements.

The order noted that the third test of proportionality has also been met because:

• the purpose of the Act is to ensure deserving beneficiaries of welfare schemes are correctly
identified;
• it also achieves the balancing of two competing fundamental rights: right to privacy on the
one hand and right to food, shelter and employment on the other.

But the majority order directs that Section 7 of the Act, which says proof of Aadhaar number
is necessary for receipt of certain subsidies, benefits and services, etc., would cover only
those benefits for which expenditure is drawn from the Consolidated Fund of India.

“On that basis, CBSE, NEET, JEE, UGC, etc. cannot make the requirement of Aadhaar
mandatory as they are outside the purview of Section 7 and are not backed by any law.”
Supreme Court Majority Order

Question 3: Whether children can be brought within the sweep of Sections 7 and 8 of
the Aadhaar Act?

Judgment: The majority order has permitted the enrollment of children under the Aadhaar
Act with the consent of their parents/guardian.

On turning 18, if a child wants to opt out of Aadhaar, she will be given the option to exit.
Currently that provision is absent in the Act.

Determining that school admission of children is neither a service nor a subsidy, the order
directed that requirement of Aadhaar would not be compulsory for admission.

Since under the Constitution education is a fundamental right for children of the ages 6 to 14
years, enrollment under a scheme such as Sarv Shiksha Abhiyan does not require Aadhaar as
it is not a benefit.

But for availing benefits of other welfare schemes Aadhaar can be made mandatory for
children, subject to the consent of the parents.

And though the order allows for the limited use of Aadhaar, it includes an overwhelming
exception.

“We also clarify that no child shall be denied benefit of any of these schemes if, for some
reasons, she is not able to produce the Aadhaar number and the benefit shall be given by
verifying the identity on the basis of any other documents.”
Supreme Court Majority Order
Question 4: Whether several sections of the Act are unconstitutional?

Judgment: The majority order has in many cases read down and in some, even struck down
sections that the petitioners argued to be unconstitutional. The most important of these is
Section 57, which permits the use of Aadhaar by private companies.

Section 57 permits the use of Aadhaar number for establishing identity for any purpose, by
the state or any corporate or person, pursuant to any law or contract.

Judgment: The order stated that “any purpose” is susceptible to misuse and can only be a
purpose backed by law. It also found that allowing any corporate or person to use Aadhaar
for authentication, especially on the basis of a contract between the corporate and an
individual, would enable commercial exploitation of private data and hence is
unconstitutional.

But the order is not crystal clear whether all private use of Aadhaar for authentication is
unconstitutional or whether this applies only if such private use is based on a contract
between a corporate and a person.

“This part of the provision which enables body corporate and individuals also to seek
authentication, that too on the basis of a contract between the individual and such body
corporate or person, would impinge upon the right to privacy of such individuals. This part
of the section, thus, is declared unconstitutional.”
Supreme Court Majority Order (emphasis added)

The other sections that have been read down or struck down include...

Section 33(1): disclosure of Aadhaar information in certain cases, such as pursuant to a court
order.

Judgment: The order said an individual, whose information is sought to be released, must be
given the opportunity of a hearing and the right to challenge any such court order.

Section 33(2): restricts confidentiality of Aadhaar data in cases of national security if so
determined by a senior government officer (joint secretary).

Judgment: Any breach of confidentiality can be done only on the orders of a very senior
government officer (higher than joint secretary) along with a sitting high court judge.

Section 47: provides that only UIDAI can file a court complaint in case of violation of the
Act.

Judgment: The section must be amended to also allow filing of such complaint by an
individual/victim whose right is violated.

Section 2(d): pertains to the authentication record, i.e. the record of the time of authentication,
identity of the requesting entity and the response provided by UIDAI.

Judgment: The provision in the present form has been struck down but can be reframed
keeping to the parameters laid down in the order.

Regulation 27: This provides for archiving of data for a period of five years.

Judgment: Struck down. Retention of data beyond the period of six months is impermissible.

Question 5: Whether the Aadhaar Act could be passed as ‘Money Bill’ within the
meaning of Article 110 of the Constitution?

Judgment: Since the purpose of the Aadhaar Act is to create unique identification so that
citizens can avail government subsidy, benefit or service, the expenditure for which would be
from the Consolidated Fund of India, it can be passed as a money bill.

OTHER IMPORTANT POINTS

Aadhaar-PAN Tax Linkage Maintained

The order upholds Section 139AA of the Income Tax Act, 1961 that makes it mandatory to
quote Aadhaar when filing tax returns or for allotment of Permanent Account Number.

No Mandatory Use Of Aadhaar To Open A Bank Account

The order found that such mandatory provision of Aadhaar to open a bank account or
maintain an existing one does not stand the test of proportionality and “violates the right to
privacy of a person which extends to banking details”.

No Mandatory Linking Of Aadhaar with Mobile Number

The order found that since the circular issued by the Department of Telecommunications
making such linkage mandatory was not backed by a law, it was illegal and unconstitutional.

It’s important to note that Justices Chandrachud and Bhushan delivered separate opinions in
this case. While Justice Bhushan concurred with the majority view, Justice Chandrachud
found the Aadhaar Act “to be declared as unconstitutional”. He also stated that the Aadhaar
Act was not a money bill. “Superseding the authority of Rajya Sabha constitutes as a fraud on
the Constitution,” he said. [9]

[9] https://www.bloombergquint.com/aadhaar/aadhaar-a-quick-summary-of-the-supreme-court-majority-order#gs.gchwGLU
accessed on 4th November 2018 at 10:37 PM.

CONCLUSION
With the growth of digital technology, offences of various kinds are increasing day by day.
Therefore, the IT Act 2000 needs to be amended to include those offences which are not
now covered by the Act. In India the rate of cyber-crime is not high. Therefore, we have
time to tighten the cyber laws and include the offences which are not now covered
by the IT Act 2000.

Since the beginning of civilization, man has always been motivated by the need to make
progress and better the existing technologies. This has led to tremendous development and
progress which has been a launching pad for further developments. Of all the significant
advances made by mankind from the beginning till date, probably the most important of them
is the development of Internet.

However, the rapid evolution of the Internet has also raised numerous legal issues and
questions. As the scenario remains unclear, countries throughout the world are resorting to
different approaches towards controlling, regulating and facilitating electronic
communication and commerce.

Data is the lifeblood of today’s digital economy and is driving new businesses that challenge
conventional wisdom about markets. With the proliferation of smartphones, every tap creates
a digital footprint: valuable information that can be exploited by companies to generate
everything, from customer preferences to consumption patterns.

Critically, the traditional notion of data being merely sensitive personal information is now
being challenged as companies are also exploiting real-time data generated from daily
activities such as one’s route preference whilst booking cab rides using an app. Even the
Government’s drive to digitise India on the back of initiatives such as JAM (Jan Dhan-
Aadhaar-Mobile) and the increased focus on digital payments is fuelled by data. As
dependence on data continues to grow, so does the vulnerability of data subjects. Hence, any
debate on data privacy must recognise the need for a comprehensive data privacy law, which
not only contributes to and complements the constitutional right to privacy but also enables
data subjects to harness the benevolence of technological advances. [10]

[10] https://www.thehindubusinessline.com/opinion/imagining-indias-new-data-privacy-law/article9820124.ece
accessed on 4th November 2018 at 10:35 PM.
