Cyber Law Fundamentals PDF

Document Details

Uploaded by StunningNaïveArt

University of Mumbai

Tags

cyber law information technology act cybercrimes data protection

Summary

This document provides an overview of cyber law in India, focusing on the Information Technology Act, 2000, and related legislation. It details the introduction of cyber law, types of cyber laws, recent developments, remedies, and case laws. It also discusses digital signatures, electronic contracts, and related legal aspects under Indian law.

Full Transcript

CYBER LAW FUNDAMENTALS

Introduction of cyber law

The inception of cyber law in India can be traced back to the late 1990s when the necessity for internet regulation became apparent. The Information Technology Act is an outcome of the resolution dated 30th January 1997 of the General Assembly of the United Nations, which adopted the Model Law on Electronic Commerce on International Trade Law. In mid-July 1998, the Department of Electronics took the initial step by drafting the Bill. However, it wasn’t introduced in the House until December 16, 1999, following the establishment of a new IT Ministry. The draft underwent significant revisions to incorporate suggestions from the Commerce Ministry, particularly concerning e-commerce and adherence to World Trade Organisation (WTO) guidelines. Subsequently, the Ministry of Law and Company Affairs vetted the joint draft, leading to its approval by the Union Cabinet on May 13, 2000. The Information Technology Bill swiftly passed through both Houses of the Indian Parliament and received the President’s assent on June 9, 2000. Officially enacted on October 17, 2000, the Bill became known as the Information Technology Act, 2000 (IT Act).

Cyber law encompasses laws relating to:
Cybercrimes
Electronic and digital signatures
Intellectual property
Data protection and privacy

Types of Cyber Laws

Cybercrimes laws
Cybersecurity laws
Data Privacy and Protection

The IT Act 2000: Objectives and Provisions

The IT Act 2000 was designed to provide a legal framework for electronic governance by giving recognition to electronic records and digital signatures. It aimed to facilitate e-commerce and address cyber crimes by defining various offences and prescribing penalties for them. The Act encouraged the use of digital transactions and sought to ensure security practices within cyberspace.

The IT Amendment Act, 2008

The Information Technology (Amendment) Act, 2008 was introduced and became effective from October 17, 2009.
This amendment introduced several key changes, including:
Enhanced Security Measures: Introduction of provisions related to identity theft, child pornography and cyber terrorism.
Data Protection: Definitions and obligations pertaining to data protection were strengthened to ensure user privacy.
Liability of Intermediaries: Specific guidelines were set for intermediaries, which played a crucial role in determining their accountability for data hosted on their platforms.

Recent Developments: IT Rules 2021

The Indian Parliament introduced the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules further refine the framework for digital media, emphasising:
Regulation of Social Media and Intermediaries: The rules require social media intermediaries to establish grievance redressal mechanisms and take down content that violates specified guidelines.
Digital Media Oversight: Provisions for the regulation of digital news media and OTT platforms to ensure adherence to ethical standards.
Enhanced Cybersecurity Measures: Emphasis on increased cybersecurity measures to protect data and penalise breaches.

Remedies in India

Everyone today must be aware of some very basic provisions of the two Acts which are used as a tool by the Courts for providing remedy to the victims of cyber crime. They are as follows:

Information and Technology Act, 2000

Section 65: Tampering with the Computer Source Documents - The accused shall be punished with imprisonment which may extend up to three years or fine up to Rs. 20,000/-.
Section 66: Hacking the Computer System - The offender is to be punished with imprisonment which may extend up to three years or fine up to Rs. 50,000/-.
Section 66-A: Sending of Offensive Messages - The accused is punishable with imprisonment which may extend up to three years or fine.
Section 66-B: Receiving stolen computer or electronic device - The accused shall be punished with imprisonment which may extend up to three years or fine up to Rs. 1,00,000/-.
Section 66-C: Fraudulently using the password of another person - The accused is punishable with imprisonment which may extend up to three years or fine up to Rs. 1 lakh.
Section 66-E: Publishing private images of other persons without consent - The accused is punishable with imprisonment which may extend up to three years or a fine of Rs. 2 lakh.
Section 66-F: Cyber Terrorism - If any individual who is denied access to any particular website of any Ministry or Government Department accesses it in an unauthorised way which may threaten or can cause detriment to the sovereignty or integrity of India, he is punishable with imprisonment which may extend up to life.
Section 67: Publishing information which is obscene in electronic form - A crime punishable with imprisonment which may extend up to five years or fine up to Rs. 1 lakh.
Section 67-A: Publishing images or sexual content - The accused shall be punished with imprisonment which may extend up to seven years or fine up to Rs. 1 lakh. In such cases even the person accessing or forwarding such content may be held liable or can be made a party to the crime, as he is also expressly participating in the offence by doing so.
Section 71: Misrepresentation - If any individual makes any misrepresentation before the Certifying Authority or conceals any material fact from them for obtaining any licence or Digital Signature Certificate, he shall be punishable with imprisonment which may extend up to two years or fine up to Rs. 10,000/-.

Jurisdiction

If a crime is committed on a computer or computer network in India by a person resident outside India, then can the offence be tried by the Courts in India?
Under Section 1(2) of the Information Technology Act, 2000, the Act extends to the whole of India and also applies to any offence or contravention committed outside India by any person. Section 75 of the I.T. Act, 2000 also mentions the applicability of the Act to any offence or contravention committed outside India.

Laws for Cyber Crime in India

Information and Technology Act, 2000
Indian Penal Code, 1860

It must be noted that a person cannot be punished twice for the same offence, as it would violate his Fundamental Right ensured under Article 20 (2) of the Indian Constitution, i.e. Double Jeopardy.

Double Jeopardy

The double jeopardy clause, included in the Fifth Amendment of the Constitution, provides protection against being prosecuted again for the same offense after being acquitted, convicted, and/or punished for the same offense. Once acquitted, a defendant cannot be retried for the same offense on the basis of new evidence, no matter how damning that evidence may be. Double jeopardy applies only in criminal court cases and does not prevent defendants from being sued in civil court over the same offense.

Data protection and data privacy laws

Meaning: There are two aspects:
(1) Data privacy: Data privacy means when, how, and to exactly what extent the personal data of a consumer can be shared and communicated to others.
(2) Data protection: The legal safeguarding of data against any loss, damage or corruption.

As data is now collected at an unprecedented rate, there is a serious issue of protecting the data collected from unauthorised sources.

Evolution of data protection laws

Universal Declaration of Human Rights (UDHR) by virtue of Article 12(4).
Organisation for Economic Cooperation and Development (OECD) guidelines on protection of privacy and transborder flow of personal data in 1980.
Countries started framing their data privacy laws as early as Germany in the year 1970.
The landmark General Data Protection Regulation (GDPR) came into effect on May 25, 2018, revolutionizing the data privacy and protection laws.

In the Indian context, privacy has been a matter of debate in the judicial courts, with some addressing privacy as a fundamental right and others not admitting it as a right under Article 21 of our Constitution. Finally, in 2017, the court in K.S. Puttaswamy v. Union of India (2018) pronounced the right to privacy a fundamental right safeguarded under Article 21.

Section 43A of the IT Act states that if a body corporate that is possessing, dealing with or handling sensitive personal data or information of an individual is negligent in ensuring reasonable security in the process, which results in wrongful loss or damage, then such body corporate is liable to pay damages.

Section 72A of the IT Act provides punishment of a fine extending to Rs. 5,00,000 or imprisonment for a term extending to three years in case of disclosure of information, knowingly and intentionally, without the consent of the person concerned, violating the terms of a lawful contract.

Overview of the Digital Personal Data Protection Act, 2023

The DPDP Act established a comprehensive framework for the processing of personal data and has replaced the limited provisions of the IT Act. Some important aspects of the DPDP Act:

Bodies formed under the DPDP Act: The Act uses various terms, which can look confusing at the outset. It is important to understand the difference between the terms used, like: Data processors, Data Fiduciaries, data principals, data controllers, etc. The person whose personal data is collected is called the data principal. The data fiduciary is the body that determines the purpose and means behind processing of personal data. Their position is equivalent to that of a data controller.
Exceptions allowed under the DPDP Act: Exceptions in the interest of sovereignty and integrity of India, security of state, friendly relations with foreign states, maintenance of public order and preventing incitement to commit offences are allowed under the DPDP Act.
Applicability of the DPDP Act: The Act has extra-territorial application and has no restriction on international data transfers.
Grounds for lawful processing of personal data: Consent is the primary source for lawful processing of personal data. Also, Data Fiduciaries can identify a legitimate claim for lawful processing of data.
Data subject rights and obligations: There are rights for the data principals, like the right to access, right to erasure, and the right to object, and then there are also obligations, non-compliance with which leads to fines and punishment.

Applicability of data protection and data privacy laws in India

The DPDP Act will apply to those organisations that meet the following conditions:
The organisation processes digital personal data that is capable of identifying the data principal to whom the collected data belongs.
The data being processed is collected by the organisation in digital form.
The organisation is processing personal data within the Indian territory, or if processing of personal data is done outside India but processing is in connection with an activity offering the goods or services to individuals in India.

Data protection authorities under the DPDP Act

There are various terms used under the Act, which can be confusing. So, let’s understand the meaning of these terms:

Data fiduciary: Defined under Section 2(i) as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
Data Principal: Defined under Section 2(j) as the individual to whom the personal data relates and, where such individual is:
A child, includes the parents or lawful guardians of such a child
A person with a disability, includes their lawful guardian acting on their behalf
Data Processor: Defined under Section 2(k) as any person who processes personal data on behalf of a data fiduciary.
Data Protection Officer: Defined under Section 2(l) as an individual appointed by the Significant Data Fiduciary under Section 10(2)(a).
Consent Manager: Defined under Section 2(g) as one who enables Data Principals to give, manage and withdraw consent through an accessible, transparent and interoperable platform.
Significant Data Fiduciary: Defined under Section 2(z) as a data fiduciary or class of Data Fiduciaries who are notified by the Central Government under Section 10 of the Act.

Case Laws

M.P. Sharma v. Satish Chandra (1954): It is one of the first cases in India that dealt with the right to privacy. An eight-judge bench of the highest court of the land sat down to decide upon the constitutionality of the search and seizure provisions of the Code of Criminal Procedure. The Court here did not recognise any right to privacy and held that the search and seizures weren’t, in fact, violative of the right to privacy. As there is no provision in the Indian Constitution that deals with the right to privacy, it can’t be violated either.

R. Rajagopal v. State of Tamil Nadu (1994): The Apex Court recognised the right to privacy of prisoners as well. Popularly known as the ‘Auto Shankar case’, it allowed the prisoner the right to publish his autobiography without any restrictions. In declaring the same, the court emphasized the right to be left alone and, more particularly, to be in jail. This also includes an individual’s right to control the dissemination of information regarding their private life and the power to control any unwarranted intrusion into their rights.
District Registrar and Collector, Hyderabad v. Canara Bank (2004): The Hon’ble Court ruled on the significance of the financial privacy of an individual. It stated that the right to privacy also extends to maintaining the confidentiality of bank account details and related information. This decision basically widened the scope of the right to privacy and also covered the financial aspects of the right.

Unique Identification Authority of India v. Central Bureau of Investigation (2014): The court in this fascinating case decided on the issue of whether collection of biometrics by the UIDAI without the consent of the person violated the right to privacy. The court upheld the constitutionality of Aadhaar but also imposed certain restrictions on the data collection to allow people to safeguard their privacy. The decision assumes even more significance as it tries to maintain a delicate balance between the aim of the government and an individual’s privacy rights.

Establishment of a Data Protection Board of India (DPBI)

It will function as an impartial adjudicatory body responsible for resolving privacy-related grievances and disputes between relevant parties. As an independent regulator, it will possess the authority to ascertain instances of non-compliance with the Act’s provisions and impose penalties accordingly. The appointment of the chief executive and board members of the Data Protection Board will be carried out by the central government. An appeal against any order of the DPBI shall lie with the High Court. The High Court could take up any breach suo motu. No civil court shall have the jurisdiction to entertain any suit or take any action in respect of any matter under the provisions of this Act and no injunction shall be granted by any court or other authority in respect of any action taken under the provisions of this Act.

Penalty for infringement: The Act does not impose criminal penalties for non-compliance.
The financial penalty could range from as high as Rs. 250 crores to a data fiduciary or data processor to as low as Rs. 10,000 to a data principal (the owner of data).

Conflict with existing laws: The provisions of the DPDP Act will be in addition to and not supersede any other law currently in effect. However, in case of any conflict between a provision of this Act and a provision of any other law currently in effect, the provision of this Act shall take precedence to the extent of such conflict.

Digital Signatures

Meaning

Digital signatures are like electronic “fingerprints.” They are a specific type of electronic signature (e-signature). In the form of a coded message, the digital signature securely associates a signer with a document in a recorded transaction. Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance. PKI involves using a digital certificate for identity verification.

Difference between Digital Signature and Electronic Signature

The Ins and Outs of Digital Signatures

The various components involved in creating and securing digital signatures:

Hash Function — The hash represents the set of numbers and letters generated from an algorithm used by electronic signature software that is unique to a document. Hash functions are useful because they’re built to be one-way, meaning they can’t be reversed to find other files using the same values.
Public key cryptology — Represents the cryptographic method used for generating the set of public and private keys associated with a document.
Public key infrastructure (PKI) — PKI represents the standards, policies, people, and systems that offer support for distributing public keys and validating the identities of individuals or entities using a certificate authority and digital certificates.
Certificate Authority (CA) — A trusted third party charged with validating a signee’s identity.
They also create the public/private key pair for someone or tie an existing public key from an individual back to themselves. After validating an identity, a CA provides them with a signed digital certificate. That information can then be used to verify the identity of a person tied to a public key.

Types of Digital Signature

Advanced and Qualified

Advanced and Qualified signatures carry the same legal validity as signing a paper document with a pen. They’re created using PKI and asymmetric cryptography technology. They track details like when a document was signed, where the person was, and the device that was used to create the electronic signature. They also trace any changes made to a document after receiving a signature. Advanced and Qualified signatures verify a user’s identity. They rely on various methods of two-factor authentication before allowing a recipient to apply an electronic signature to a document, including:
Asking recipients to enter a code sent to a mobile device
Using biometric scanning on a mobile device
Entering a one-time password sent through SMS

What is a Digital Certificate?

Digital certificates function similarly to driver’s licenses in that they verify the identity of the person presenting the information.

Digital Signature Certificate Classes

Class 1 — Covers certificates issued to individuals and private subscribers. They confirm the details of a user name or email address. It’s the most basic digital signature certificate available.
Class 2 — Covers certificates issued for use by business personnel and private individuals. They confirm that the information provided in an application from a subscriber contains no conflicts with the information contained in a provider’s database.
Class 3 — Covers high-assurance certificates issued to individuals and organizations primarily for e-commerce applications. They’re issued when a person presents themselves physically in front of a Certifying Authority.
How to get Digital Signature Certificate

Legal aspects of electronic contracts under Indian law

E-Contracts or electronic contracts are basically the digitized form of traditional contracts. An E-contract is any kind of contract formed by the interaction of two or more people through an electronic medium. Ex- An e-mail sent as a job proposal and agreed to by the job seeker through e-mail. Electronic contracts are recognized by many names such as “E-contracts”, “cyber contracts”, “digital contracts” and “online contracts”. E-Contracts are similar to contracts mentioned in the Indian Contract Act, 1872, the only difference being the medium.

There are two parties to an E-Contract, Originator and Addressee, as mentioned in sections 2(1)(za) and 2(1)(b) respectively of the Information Technology Act, 2000.
Section 2(1)(za): The Originator is the one who sends, generates, stores or transmits the data to the addressee without the intermediary being included.
Section 2(1)(b): The addressee is the one who is intended to receive the record sent by the Originator without an intermediary being included.

The E-contract has reduced the paper workload, travelling costs for contacting and whatnot. But everything has some disadvantages, and so does this, which will be discussed later.

Forms of e-contracts

There are generally 3 forms of E-contracts. These are:
Click wrap agreements
Browse wrap agreements
Shrink wrap agreements

Essential elements of e-contracts

To validate an E-Contract under the Indian Contract Act, 1872 there are some essential elements. These are:
Lawful offer
Lawful acceptance
Lawful object
Competent parties to contract
Certainty of terms

Issues relating to e-contracts

While E-contracts save time and labour and reduce workload, as everyone witnesses in day-to-day life, they also have some limitations and drawbacks.
Here we go with them one by one:

Capacity to contract - It is one of the most essential elements to consider for an agreement to become an enforceable contract. It is mentioned in sections 10, 11, and 12 of the Indian Contract Act, 1872, which require a person to be of sound mind, a major and not disqualified by law in order to be competent to contract. E-contracts must also meet these basic requirements. The issue in an E-contract is that both parties are unaware of each other. The party providing the service or goods has no idea whether the other party is legally competent to contract or not. Ex- if a minor of 16 years orders something through any shopping site
