The recent fiasco around the that accessed confidential information via WhatsApp on Indian government officials, scientists and journalists caused a fair bit of outrage with heated debates around privacy and data protection.

However, the Facebook-owned messaging app got away scot-free with a light rap on the knuckles. This isn’t the first time a tech major has been found guilty of compromising data and got away without being penalized – all thanks to India’s infecund two-decade-old IT Act, 2000.

Drafted in an age when the internet penetration in India stood at 0.5 percent, the IT Act is not built to accommodate technologies like AI, cloud, mobility, IoT, and quantum computing. Adding to the complexity is the multitude of social media apps and unregulated content from news websites and online discussion forums.

[Note to the reader: Internet penetration in India currently stands at over 40 percent and is projected to reach 627 million users by the end of 2019]

CSO India talks to the country’s eminent cyber law experts to get a read on the deficits in the IT Act, 2000 and how global tech majors view the Indian demographic as a perfect hunting ground to gather and monetize humongous amounts of unregulated data.

Loopholes in the Indian IT Act, 2000

Simply put, the Indian IT Act is not a cybersecurity law and therefore does not deal with the nuances of cybersecurity, explains Dr Pavan Duggal, Advocate, Supreme Court of India and founder of Pavan Duggal Associates.
“The IT Act also doesn't address privacy issues – privacy is now a fundamental right and the law needs to specifically address privacy concerns, but that's not the case,” he points out.

So was the IT Act, 2000 flawed to start with? Not really, opines international cyber law expert and founder of Cyberjure Legal Consulting, Adv. Puneet Bhasin. She believes that when the IT Act 2000 came into being, it was actually a good piece of legislation. She explains that the surface of cyber-attacks has exponentially increased and this was not foreseen by the government.

The penalties levied by the IT Act are minimal compared to GDPR, and the manner of implementation is even more dismal. For instance, the IT Act has provided for damages of up to INR 5 crore, under section-43 of the IT Act. However, Duggal reveals that there hasn't been a single case when the penalty levied has exceeded INR 12-13 lakh.

To add some perspective, Facebook makes INR 18 crore per day, so the maximum penalty amount levied by the Indian IT Act is roughly what the company makes in three-and-a-half hours.

How Facebook and WhatsApp got away without having to pay a penny

Adv (Dr) Prashant Mali, cyber & privacy law expert at the Bombay High Court, explains that the companies are covered within the definition of the “Intermediary” under Section 2(1)(w) of the Information Technology Act, 2000.

“WhatsApp and Facebook are covered by the ‘safe harbour’ provision under Sec-79 of the IT Act, 2000, which exempts intermediaries from liability in certain instances,” says Mali.

Simply put, the law states that intermediaries will not be liable for any third party information, data or
communication link made available by them. Furthermore, the guidelines do not specify any penalty or damage to be borne by a company if the rules are not followed.

In addition, the Computer Emergency Response Team (CERT) does not penalize intermediaries to report a breach or unauthorized access on their own accord.

[Figure: 10 takeaways for the Indian government. Credit: IDG India/CSO Online India]

An amendment that did more harm than good

The Indian IT Act, 2000 was formed to grant legality to electronic transactions and to promote e-commerce. However, the Act hasn't been amended in 20 years, barring once in 2008.

Contrary to what one might expect, Duggal reveals that the 2008 amendment further debilitated the Act by making cyber-crime a cognizable (bail-able) offence. This explains the near absence of cyber-crime convictions.

“The 2008 amendment was built on an erroneous presumption that it would be better to reduce the quantum of punishment and increase the fine,” reveals Duggal. Now, this was a bad idea as it eliminated the deterrents from the IT Act.

India – a data goldmine for major league tech giants

Indian citizens have been victims of numerous instances of data breaches and privacy violations – take for instance the Cambridge Analytica incident, or the Aadhaar account breach of 1.1 billion citizens, or for that matter the 2018 personal data leak incident of 5 lakh Google+ users.

The absence of strict data protection and privacy laws coupled with insipid, inconsequential penalties has made India a data-rich demographic for global heavyweights. "Why do you think the trends like business analytics, business intelligence, and digital marketing have seen such rapid growth in India? We've been sitting ducks for the last 20 years," says Bhasin.

Seconding Bhasin’s observation, Duggal opines that the absence of stringent cyber laws makes India a fertile ground for large companies to carry out all kinds of experimentation. “These experiments invariably land up making guinea pigs out of Indian citizens, simply because we don't have a data protection law,” he says.

The fundamental right to privacy is only enforceable against state action and not against private entities. Also, a lot of service providers are companies located outside the territorial boundaries of the country and therefore are not required to comply with India's IT Act.