Menu

Protecting Personal Data and Intellectual Property: Section 43 of the Information Technology Act 2000 and Its Legal Implications 

Publications, Research paper
Abstract 

The Information Technology Act, 2000 provides a legal framework for electronic governance by recognizing electronic records and digital signatures. It addresses cybersecurity concerns by defining offences related to unauthorized access, data breaches and cybercrimes, along with prescribing penalties for such activities. In today’s world no one wants any kind of interference or threat in their personal data and the same goes for the people in ancient times as well when privacy was related to their personal property like land, house, etc. Thus privacy has always been an important factor in human life. Section 43 of the IT Act, 2000 specifically addresses the issue of unauthorized access to computer systems, networks or any electronic device. This is crucial for today’s digital era as most of the cyber crimes and threat to privacy occur through misusage of computer systems and other electronic devices. Therefore, this paper discusses about how Section 43 of the IT Act, 2000 helps in protecting personal data and intellectually property, its legal implications and challenges. 

Keywords 

Information Technology Act 2000, Section 43, Personal Data Protection, Intellectual Property, Cybersecurity, Legal Implications. 

Introduction 

The Information Technology Act, 2000 is an act to facilitate electronic filing of documents with government agencies and to amend the Indian Penal Code, The Indian Evidence Act, 1872, The 

Banker’s Books Evidence Act,1891 and the Reserve Bank of India Act, 1934. It grants legal acknowledgment to electronic transactions, documents, signatures, and contracts and encourages online shopping, online government services, and electronic payments. It also sets guidelines and protocols for electronic communication and transactions. Additionally: 

  • It aims to solve issues pertaining to data security, privacy, and cybercrime. 
  • It gathers trust and confidence in digital transactions 
  • It provides support to the expansion of the digital economy.  It aims to minimize documentation and increase productivity  It encourages creativity and new ideas in the digital realm. 
  • It creates a safe and trustable environment for digital transactions 
Research Methodology 

This study uses quality assessment of research methods, comprising an in-depth inspection of legal documents, case studies, and academic articles relating to Section 43 of the Information Technology Act, 2000. The assessment focuses on explaining the legal rules, reviewing relevant court cases, and measuring the law’s practical effects on data protection and intellectual property rights. 

Review of Literature 

Existing literature on the Information technology Act, 2000 and Section 43 highlights the act’s role in providing a legal framework for electronic governance, addressing cybersecurity concerns and evolving data protection laws. Scholars emphasize the importance of organizations in data protection and the challenges associated with enforcing certain provisions. 

Understanding Section 43 of the Information Technology Act, 2000 

Section 43 deals with the penalties and compensation to be paid if there is a threat to any computer, computer system and other damage. A person violates the following laws when he gains access or accesses to a computer, computer system or computer network without proper permission or authorization from the actual owner or person in charge of that system by: 

  1. downloading, copying, or extracting any data, computer data base, or information from the system, computer, or computer network, including data held or stored in any removable storage medium 
  2. introducing or causing to be introduced any computer contaminant or computer virus into any computer, computer system, or computer network 
  3. disrupting or causing disruption of any computer, computer system, or computer network 
  4. denying  or causing the denial of access to any person authorized to access any computer, computer system, or computer network by any means 
  5. assisting anyone to help them access a computer, computer system or computer network which violates the Act , its rules and regulations 
  6. damaging any computer, computer system, computer network, data, computer data base or any other program existing in such system or network. 
  7. charging someone for services rendered on someone else’s account by altering or tampering with any computer, computer system, or computer network. 

In the above mentioned cases, the person who is violating and causing damage to another person will be liable to pay compensation to the aggrieved party. 

Among its various provisions, Section 43 holds particular significance as it addresses the critical issue of unauthorized access to computer systems and data. This section plays a crucial role in safeguarding personal data and intellectual property rights in the ever-evolving landscape of information technology. The rationale behind this research paper lies in the increasing importance of data protection and cybersecurity in the digital age. By imposing penalties for such unauthorized activities, Section 43 aims to deter cybercrimes, protect the integrity of computer systems, and ensure the security of sensitive information. 

Unveiling the Imperative: The Genesis of the Information Technology Act, 2000 

The Information Technology Bill, which later became the Information Technology Act, 2000, was introduced in the Indian Parliament in the Lok Sabha (House of the People) in August 2000. After being passed by both houses of Parliament, the bill received the assent of the President of India on 9th June 2000. The Information Technology Act, 2000 was implemented and came into force on 17th October 2000. But why was there a need for this act to be implemented? 

Over the years, the rapid growth of e-commerce and online transactions has been observed to make life more convenient. Now as these online platforms need some source of verification and ensure safety so that people don’t misuse such platforms for personal gains, a legal framework was needed to ensure safety, validity and impose sanctions on those who take undue advantage of such platforms. Thus, such legislation was required to authorize electronic contracts, digital signatures and electronic records to ensure the validity and enforceability of such transactions. Moreover with increasing cybercrime occurrences, data breaches and other threat to private online property, a proper legislation is required to impose sanctions and prevent such crimes. 

By providing legal recognition for electronic records, digital signatures, and online interactions with government agencies as well, such an act streamlines e-governance initiatives. Therefore, to align with international best practices and promote trust in electronic transactions, India needed a comprehensive legislation that could address legal issues related to electronic commerce, cybersecurity, and data protection. 

The Evolution of Section 43 through Amendments 

The IT Act of 2000 has been updated and modified multiple times over the years to adapt to technological advancements and new challenges in the digital realm. The purpose of these amendments has been to improve cybersecurity measures, strengthen data protection regulations, and ensure that the law is in line with international standards. Among the significant changes made to Section 43 are 

  1. The penalties mentioned in section 43 as well as its scope were narrow and inadequate. In order to keep up with the technological advancements and hackers becoming more proficient, The Information Technology (Amendment) Act, 2008 was introduced. It provided for the prevention of sensitive information being leaked thereby enhancing safety and also imposed stricter penalties for data breaches. 
  2. The 2008 amendment also made it mandatory for organizations to inform against incidents of data breaches and other possible cyber threat to the appropriate authorities 

and aggrieved individuals. This was the introduction of data breach notification requirement. 

  1. Thus the amendments to section 43 aimed at enhancing and strengthening data protections provisions, imposing higher penalties for data breaches, and enhancing the accountability of organizations in safeguarding sensitive information. It also focused on aligning India’s data protection laws with  international standards and best practices to ensure the effective protection of data and privacy rights of individuals 
Holding Cybercriminals accountable: The Legal Impact of Section 43 

Section 43 creates liability for those who gain illegal and unauthorized access to electronic devices, networks or data and imposes sanctions for such actions. It holds such cyber criminals accountable for any loss or damages caused by making them compensate the affected parties. In this way the victims are able to receive proper help through legal means. Such provisions of the said section allow the victim to seek compensation against cybercrimes and empower individuals to take legal action against such perpetrators thereby safeguarding the society. Such implications elaborate the importance of implementing adequate security measures for data protection, handling sensitive information and prevent unauthorized access leading to data breaches. Compliance with the provisions of Section 43 is essential to avoid legal consequences and regulatory sanctions. Organizations must adhere to data protection laws and cybersecurity regulations to mitigate the risks of liability arising from unauthorized access to data. 

Case Analysis: Pune Citibank Mphasis Call Centre Fraud 

In 2005, US$3, 50,000 was wrongfully transferred to four customers residing in the US from the Citibank accounts. Certain employees of a call centre acquired the PIN required for initiating the transaction by gaining confidence from the affected individuals. They misled those customers by making a false promise to help them to come out of difficult situations and eventually the collected numbers were used in committing fraud. In this way a huge amount of money was transferred to the counterfeit accounts through the internet. The accused, namely Ivan Thomas, Siddhartha Mehta and Stephen Daniel were not the employees of Mphasis. 

Rule of law 

Section 43(a) of The Information Technology Act, 2000 provides that a person will be held liable and has to pay penalty or be punished if he damages a computer, computer system or network or accesses them without proper authorization or permission. 

Section 66 provides the punishment for the above mentioned action. The accused will be punishable with imprisonment for a term which may extend to three years or he has to pay fine which extends upto five lakh rupees or he has to face both the consequences. 

Issues 
  • Whether this case is included in the area of “Cybercrimes” 
  • Whether section 43(a) and 66 of Information Technology Act, 2000 are applicable in the present case. 
Analysis 

The accused in this case were the ex-employees of Mphasis BFL’s call centre in Pune. In India, call centers usually use the highest security. Therefore, the employees are thoroughly checked whenever they enter and leave their workspace to prevent them from copying down the customer’s account numbers. When the employees joined the call center they were trained to have cordial conversations with the global customers of Citibank who seek customer support or service for solving issues related to their credit cards or bank accounts. Thus in the present case, the employees must have memorized the number and went to the cyber café; immediately after leaving the office and accessed the accounts of the Citibank customers. Eventually, when the fake bank accounts were opened in Pune, money got transferred into those accounts and fake emails were created as well. The service used by them to transfer the funds was SWIFT i.e., Society for Worldwide Interbank Financial Telecommunication. The original account holders never came to know about the transfer of funds as they received no confirmation which they would have received during the transfer of funds. In March 2005, the money was transferred to a large no. of bank accounts which were made with the assistance of two ICICI home load agents whose role was to provide those illegal accounts. They were non employees and also among those who were arrested. Citibank was not at all aware of these fraudulent transactions and later came to know about it when one account holder of Citibank complained. 

The Citigroup Investigation Services in Mumbai were alerted and headed by Rajendra Bhagwat. The team by contacting the recipient banks confirmed the fraud. Later, when the accused arrived to gather information about the transfer in Rupee Co-operative Bank in Pune, the police immediately confined the suspects and made a total of 16 arrests. The apprehensions were carried out under the guidance of Sanjay Jadhav, the Assistant Commissioner of Police. 

Such a fraudulent case raised a large no. of concerns regarding the role of “Data Protection”. It can be concluded that this case is included in the area of Cybercrimes because the fraud was initiated by accessing computer systems and records without proper authorization. ”. Information Technology Act, 2000 is broad enough to make adjustments to these aspects of crimes which is not codified under the Act but is available in other statutes. If we consider The Indian Penal Code, 1860, it provides punishments for any offence committed with regards to physical documents. But this is applicable for electronic documents as well because the IPC is applicable to all offenses within India, irrespective of the medium used. Thus, punishments for offenses related to electronic documents are as severe as offenses related to physical documents. This ensures that law does not fall behind the evolving technology and can address crimes involving electronic documents effectively. 

Therefore it can be perceived that cheating, conspiracy and breach of trust are relevant in the present case under the sections of the Information Technology Act, 2000. In the Act, the offense is recognized under Section 43(a) and Section 66. If an offense is committed using electronic documents, the person responsible can be held liable and punished in the same way as if the offense was committed using written documents. 

Judgment 

The final verdict confirmed that Section 43(a) of IT Act, 2000 is applicable in the said case because it involved the exercise of unauthorized access for committing fraudulent transactions. The accused were also proved guilty under S.66 of the same act and s.420, 456, 467 and 471 under The Indian Penal Code, 1860 which deals with cheating, forgery and dishonest inducement. 

The necessity of the 2008 Amendment Act 

The Information Technology Act, 2000 principally focused on dealing with electronic records and e-commerce. But with the increasing online wrongdoings occurring in the digital era, Information Technology (Amendments) Act, 2008 altered its focus to cyber terrorism and cybercrime. First the IT Act, 2008 was introduced in 2005 as a draft of the proposed amendments, but as it had to face various objections and also received many suggestions to consider , the bill was again introduced in 2006 with notable changes. After including further additions and modifications to the 2006 bill, it finally passed in December, 2008 ultimately become a law, i.e., the Information Technology (Amendment) Act.2008. 

Two new offences were added in Section 43, which is destroying, deleting or altering information in a computer resource to diminish its value and stealing concealing or destroying any computer source code with intention to cause damage. A huge importance was given to protection of body corporate data by inserting section 43A where the corporate bodies are responsible to adopt proper security measures and practices in order to protect sensitive personal information in computer systems and to maintain its secrecy. If the corporate bodies are unable to perform their obligations properly then they have to face the consequences by way of making compensation7. Even though section 43 provides that corporate bodies must maintain reasonable security practices and procedures, it not clearly define that what exactly are the reasonable security measures and procedures for safeguarding sensitive personal information or data. Thus if we refer to Section 43A then we can see that the Reasonable Security Practice and Procedures are determined: 

  1. Between the  parties by mutual agreement 
  2. As specified by any law for the time being in force 
  3. If specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.  
Tackling the IT Act’s obstacles 

The Information Technology Act, 2000in India has been a major beneficial step to address cybercrime and data protection. Section 43 of this act aims to deal with unauthorized access, penalties for hacking, damaging computer systems and introducing malware. Even though this aims for a positive approach, it has significant weaknesses due to its inadequate portions. 

One of the main issues or challenges of Section 43 of IT Act is the lack of precision or vagueness in the definition of “damage” and the evaluation of compensation for such damage. The provision for compensation is not clear and there is no specific calculation that upto how much amount the compensation must be paid. This inconsistency can make it difficult to hold a person liable correctly as there will be confusion while enforcing this provision. There is no said amount then questions may arise like to what extent a sum of money can be charged for what extent of the crime committed. Lack of clarity will lead to unjustified decision making. 

Section 43 also provides for the use of electronic signatures and authentication for secure transactions. For such secure transactions it is crucial to protect sensitive information and personal data and one way to do so is user authentication. It is the process of verifying the identity of a user before granting them access to sensitive information. But there are certain loopholes which makes user identification difficult. Main reason is that no matter how much technology advances, it has no use if people are not properly educated about its advancements. User authentication tools like two-factor authentication, biometrics, provisioning and deprovisioning user credentials (provisioning means to create and access user  account and credentials and de-provisioning means to revoke such credentials when access is no longer required) can enhance security measures but it is of no use if people do not know how to access such technology effectively. Moreover, vital investments in infrastructure and training, especially in government sectors are required for proper use of authentication tools and enhancing data privacy. 

Section 43A in the amended IT Act introduces corporate responsibility for data protection, where corporate bodies are obligated to protect the sensitive personal information or data in a computer resource which are under their control. They may be liable to pay damages in case they fail to abide by their obligation. However as there is no specified maximum limit for compensation, vexatious and misuse of the provision may take place. This can create uncertainty and potential financial risk for companies, making it difficult for them to plan and budget for data protection costs. 

In addition, the IT Act faces challenges in terms of jurisdictional coincide with other laws and regulatory bodies. For example, the Adjudicating Officer established under the IT Act and the Data Protection Board of India (DPB) may have intersecting jurisdiction in those cases which involve data breaches by companies. Outlining the specific edges where data protection ends and cybersecurity begins can be a difficult task, and conflicts between the DPDP Act and the IT Act can arise. 

The IT Act delegates the Central Government to define methods or modes of encryption to secure flow of data and information on the internet alongside promoting e-commerce and egovernance. However as there is a need for compatibility with existing systems and the need to balance security with usability, it becomes difficult to effectively implement encryption standards. Encryption standards may not always be compatible with existing systems and thus it can lead to additional investments and difficulties in implementing them. This can be a major issue for organizations who may have lack of financial resources or have already invested heavily in existing infrastructure. In addition to this, encryption regulations may have consequences for privacy and security. For example, regulations that require companies to provide entry to encrypted data could compromise the confidentiality of users and make their data more exposed and unprotected to cyber attacks. This could lead to a lack of trust in digital services and a hesitation to use them. 

Suggestions 

It is crucial to take certain measures for protecting personal data like- 

  1. Enhancing awareness and training programs for employees on data protection and cybersecurity protocols. 
  2. Conducting regular audits and assessments of data security measures to identify vulnerabilities and address them promptly 
  3. Implementation of encryption technologies and access controls to safeguard personal data and intellectual property 
  4. Investing in advanced cybersecurity tools and technologies to enhance data protection capabilities. 
Conclusion 

In conclusion, the Information Technology Act of 2000, particularly Section 43, plays an important role in protecting personal information and intellectual property in the current digital era. This legislation’s main objective is to prevent unauthorized access into computer systems or networks, thereby preventing cybercrimes. It is also important for individuals to take initiative and correct steps to protect their own personal data and contribute in creating a safe environment for all. 

Author- Olivia Nahak 

College- Sister Nivedita University, Kolkata