India’s IT Act 2000 a toothless tiger?

The recent WhatsApp breach turned the spotlight yet again on India’s dated, ineffectual IT Act, 2000. Cyberlaw experts Pavan Duggal, Prashant Mali and Puneet Bhasin tell us everything that’s wrong with the Act and what the government ought to do to fix it.

The recent fiasco around the Pegasus spyware, which accessed confidential information of Indian government officials, scientists and journalists via WhatsApp, caused a fair bit of outrage, with heated debates around privacy and data protection.

However, the Facebook-owned messaging app got away scot-free with a light rap on the knuckles. This isn’t the first time a tech major has been found guilty of compromising data and has got away without being penalized – all thanks to India’s infecund two-decade-old IT Act, 2000.

Drafted in an age when internet penetration in India stood at 0.5 percent, the IT Act is not built to accommodate technologies like AI, cloud, mobility, IoT, and quantum computing. Adding to the complexity is the multitude of social media apps and unregulated content from news websites and online discussion forums.

[Note to the reader: Internet penetration in India currently stands at over 40 percent and is projected to reach 627 million users by the end of 2019]

CSO India talks to the country’s eminent cyber law experts to get a read on the deficits in the IT Act, 2000 and how global tech majors view the Indian demographic as a perfect hunting ground to gather and monetize humongous amounts of unregulated data.

Loopholes in the Indian IT Act, 2000

Simply put, the Indian IT Act is not a cybersecurity law and therefore does not deal with the nuances of cybersecurity, explains Dr Pavan Duggal, Advocate, Supreme Court of India and founder of Pavan Duggal Associates. “The IT Act also doesn't address privacy issues – privacy is now a fundamental right and the law needs to specifically address privacy concerns, but that's not the case,” he points out.

So was the IT Act, 2000 flawed to start with? Not really, opines international cyber law expert and founder of Cyberjure Legal Consulting, Adv. Puneet Bhasin. She believes that when the IT Act 2000 came into being, it was actually a good piece of legislation. She explains that the surface of cyber-attacks has exponentially increased and this was not foreseen by the government.

The penalties levied by the IT Act are minimal compared to GDPR, and the manner of implementation is even more dismal. For instance, the IT Act has provided for damages of up to INR 5 crore, under section-43 of the IT Act. However, Duggal reveals that there hasn't been a single case when the penalty levied has exceeded INR 12-13 lakh.

To add some perspective, Facebook makes INR 18 crore per day, so the maximum penalty amount levied by the Indian IT Act is roughly what the company makes in three-and-a-half hours.

How Facebook and WhatsApp got away without having to pay a penny

Adv (Dr) Prashant Mali, cyber & privacy law expert at the Bombay High Court, explains that the companies are covered within the definition of “Intermediary” under Section 2(1)(w) of the Information Technology Act, 2000.

“WhatsApp and Facebook are covered by the ‘safe harbour’ provision under Sec-79 of the IT Act, 2000, which exempts intermediaries from liability in certain instances,” says Mali.

Simply put, the law states that intermediaries will not be liable for any third party information, data or communication link made available by them. Furthermore, the guidelines do not specify any penalty or damage to be borne by a company if the rules are not followed.

In addition, the Computer Emergency Response Team (CERT) does not penalize intermediaries for failing to report a breach or unauthorized access of their own accord.

10 takeaways for the Indian government

An amendment that did more harm than good

The Indian IT Act, 2000 was formed to grant legality to electronic transactions and to promote e-commerce. However, the Act hasn't been amended in 20 years, barring once in 2008.

Contrary to what one might expect, Duggal reveals that the 2008 amendment further debilitated the Act by making cyber-crime a cognizable (bail-able) offence. This explains the near absence of cyber-crime convictions.

“The 2008 amendment was built on an erroneous presumption that it would be better to reduce the quantum of punishment and increase the fine,” reveals Duggal. Now, this was a bad idea as it eliminated the deterrents from the IT Act.

India – a data goldmine for major league tech giants

Indian citizens have been victims of numerous data breaches and privacy violations – take, for instance, the Cambridge Analytica incident, or the Aadhaar account breach of 1.1 billion citizens, or for that matter the 2018 personal data leak incident of 5 lakh Google+ users.

The absence of strict data protection and privacy laws coupled with insipid, inconsequential penalties has made India a data-rich demographic for global heavyweights. "Why do you think the trends like business analytics, business intelligence, and digital marketing have seen such rapid growth in India? We've been sitting ducks for the last 20 years," says Bhasin.

Seconding Bhasin’s observation, Duggal opines that the absence of stringent cyber laws makes India a fertile ground for large companies to carry out all kinds of experimentation. “These experiments invariably land up making guinea pigs out of Indian citizens, simply because we don't have a data protection law,” he says.

The fundamental right to privacy is only enforceable against state action and not against private entities. Also, a lot of service providers are companies located outside the territorial boundaries of the country and therefore are not required to comply with India's IT Act.

Copyright © 2019 IDG Communications, Inc.
