Let us look at some of the major provisions in the amended IT Act that serve to strengthen the country’s data protection regime.
Intermediaries: Section 79 sets out conditions under which an intermediary will not be liable for any third party information, data, or communication link made available or hosted by him. As long as an intermediary’s function is limited to providing access to a communication system over which information is transmitted or temporarily stored or hosted; and the intermediary does not initiate transmission or select or modify the information; and observes due diligence and guidelines prescribed by the Centre, he will not be liable.
However, if the intermediary conspires or abets or induces an unlawful act; or does not take steps to remove or disable access to a material on being notified by a government agency that it is being used to commit an unlawful act, then he will be held liable. This appears to be much more transparent because exemption from liability for any unlawful content/information using an intermediary’s infrastructure is clearly stated.
Data protection new clause 43A: The existing Act provides for penalty for damage to computers, computer systems under the title “Penalty and Adjudication” in section 43 that is widely interpreted as a clause to provide data protection. Unauthorized access to a computer, computer system or computer network is punishable with a penalty of up to Rs1 crore.
This section has been improved to include stealing of computer source code for which compensation can be claimed. Data protection has now been made more explicit through insertion of a new clause 43A that provides for compensation to a person whose personal data may be compromised by a company.
Penalty for breach of confidentiality and privacy: Under section 72A, punishment for disclosure of information in breach of a lawful contract is prescribed. Any person including an intermediary who has access to any material containing personal information about another person, as part of a lawful contract, discloses it without the consent of the person will attract punishment with imprisonment of up to three years and/or a fine of Rs5 lakh.
This will bring those responsible for breaching data confidentiality, under lawful contracts, to justice, and also act as a deterrent.
Cyber crimes: Existing sections 66 and 67 on hacking and obscene material have been updated by dividing them into more crime-specific sub-sections thereby making cyber crimes punishable. Child pornography is a crime under section 67B. Section 66 on hacking has been revised, and additional sections 66A to 66F have been inserted to address specific crimes such as identity theft, impersonation, sending of obscene messages, violation of privacy and cyber terrorism. Section 69 on crimes against national security has been made stronger for interception, monitoring of information, blocking of websites and capturing traffic data and information through additional sections 69A and 69B.
Critical information infrastructure protection: The earlier section 70 on protected systems has been revised to include any computer as part of critical information infrastructure (with a clear definition) through an appropriate notification, and two new sub-sections 70A and 70B have been added to designate a national nodal agency in respect of critical information infrastructure. Indian Computer Emergency Response Team under section 70B will discharge wide ranging functions related to cyber security incidents. Service providers, intermediaries, companies and others will have to provide information to the agency as may be required.
Examiner of electronic evidence: Cyber forensic evidence is critical for trial of cyber criminals. Under section 79A, the Central government may specify any of its departments as an Examiner of Electronic Evidence, for purposes of providing expert opinion before any court.
Electronic signature: The Act has been made technology neutral. Earlier only digital signatures based on asymmetric cryptography were recognized as electronic signatures to sign electronic documents/records. Section 3 on digital signatures has been replaced by electronic signatures. Now the Centre is empowered to issue any other types of signatures based on new, mature technologies under sections 15 and 16.
Electronic contract formation: Section 10A has been added, which provides for validity of contracts formed through electronic means.
Audit of electronic records: Section 7A was added that provides for audit of documents maintained in electronic form.
Encryption: Section 84C enables the Centre to prescribe the modes or methods of encryption for secure use of the electronic medium and for promotion of e-governance and e-commerce
The amended IT Act strengthens the data protection regime, and makes cyberspace more trustworthy since cyber criminals, whether engaging in data and identity theft, financial frauds or posing threat to national security through acts of cyber terrorism, will be brought to justice.
Kamlesh Bajaj is chief executive officer, Data Security Council of India. This is the final part of a four-part series on cyber security.
For the earlier articles in the series, go to www.livemint.com/cybersecurity.htm
Respond to this column at firstname.lastname@example.org