Cybersecurity and Data Protection Regulation in India: An Uneven Patchwork

Kovacs, Anja

doi:10.1007/978-3-030-56405-6_4

CyberBRICS pp 133-181 | Cite as

Cybersecurity and Data Protection Regulation in India: An Uneven Patchwork

Authors
Authors and affiliations

Anja Kovacs

Chapter

First Online: 05 January 2021

131 Downloads

Abstract

Cybersecurity has been an important policy concern for the Indian government since at least the early 1990s. Until today, however, the landscape of its cybersecurity policies remains an uneven patchwork. In particular, as this essay will illustrate, where the concerns of technology users are at odds with the interests of law enforcement and intelligence agencies, the former tend to lose out. Thus, while India was one of the first countries, in 2000, to pass a law dealing with cybercrime and electronic commerce and has, in 2019, also approved law to strengthen consumer protection in the digital age, at the time of writing the country still does not have a horizontal personal data protection law. At the same time, law enforcement and intelligence agencies can legally access and retain user data under a wide range of loosely worded provisions. In the absence of additional checks and balances, the relationship between the citizens of India and the state is, thus, fundamentally reconfigured. Moreover, with the focus so firmly on surveillance and control of digital spaces, other aspects of cybersecurity policy, such as cyberdefence, have taken a backseat.

This is a preview of subscription content, to check access.

Annex

Country Report: India⁹¹

1.

Data Protection

Scope

1. What national laws (or other type of normative acts) regulate the collection and use of personal data?

A draft Personal Data Protection Bill was released in 2018 and is expected to be tabled in Parliament soon. Until then, the Information Technology (Amendment) Act, 2008, provides limited protection. In addition, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the Aadhaar and Other Laws (Amendment) Act, 2019, address questions regarding personal data specifically in the context of Aadhaar, India’s unique ID. Sectoral directions and regulations, such as those issued by the Reserve Bank of India, also impact personal data. Further draft policies and laws that address aspects of data protection include the draft National e-Commerce Policy, 2019, and the DNA Technology (Use and Application) Regulation Bill, 2019.

2. Is the country a part of any international data protection agreement?

India is not part of any international data protection agreements.

3. What data is regulated?

The draft Personal Data Protection Bill applies to the processing of personal data that has been collected, disclosed, shared or otherwise processed within India, as well as to personal data that is processed by the state, an Indian company or citizen, or any person or body of persons incorporated or created under Indian law.

Section 43A of the IT (Amendment) Act concerns sensitive personal data or information in a computer resource owned, controlled or operated by a body corporate. Section 72A of the IT (Amendment) Act concerns personal information about a person which any person, including an intermediary, may have access to while providing services under the terms of a lawful contract.

4. Are there any exemptions?

The draft Personal Data Protection Bill shall not apply to the processing of anonymised data. It also exempts from a number of provisions in the Act:

1.

necessary and proportionate processing in the interests of the security of the State, authorised by law and in accordance with the procedure established by law;
2.

necessary and proportionate processing in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law, authorised by law;
3.

processing for the purpose of legal proceedings, including any judicial function;
4.

processing for research, archiving, or statistical purposes, where, among other things, the purpose of processing cannot be achieved if the personal data is anonymised;
5.

processing by a natural person for purely personal or domestic purposes.
6.

processing for journalistic purposes, provided the processing is in compliance with any code of ethics issued by the Press Council of India or any media self-regulatory organisation;
7.

manual processing by small entities.

In addition, no data fiduciary shall process such biometric data as may be notified by the Central Government, unless such processing is permitted by law.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under section 87 read with section 43A of the IT (Amendment) Act, do away with the requirement to obtain prior permission from the provider of sensitive personal data or information before disclosing such data or information to a third party where access to such sensitive personal data or information is sought by government agencies mandated to do so under the law.

5. To whom do the laws apply?

The draft Personal Data Protection Bill extends to the whole of India. It applies to the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law. It also applies to data fiduciaries and data processors not present within the territory of India who engage in processing of personal data in connection with any business carried on in India, or any systematic activity of offering goods or services to data subjects within the territory of India, or in connection with any activity which involves the profiling of data subjects within the territory of India.

The IT (Amendment) Act applies to the whole of India as well as to any offence or contravention under the Act committed outside India by any person, irrespective of their nationality, provided the suspected offence involves a computer, computer system or computer network located in India. Section 43A of the IT (Amendment) Act specifically applies to body corporates, i.e. any company, including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. Section 72 of the IT (Amendment) Act applies to any person, including an intermediary, who has secured access to material containing personal information about a person while providing services under the terms of a lawful contract.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

Yes. For details, see above.

Definitions

7. How are personal data defined?

The draft Personal Data Protection Bill defines personal data as ‘data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identify of such natural person, or any combination of such features, or any combination of such features with any other information’.

The IT (Amendment) Act does not provide a definition.

8. Are there special categories of personal data (e.g. sensitive data)?

The draft Personal Data Protection Bill distinguishes ‘sensitive personal data’ (including ‘biometric data’, ‘financial data’, ‘genetic data’, ‘health data’, ‘intersex status’, ‘official identifier’, and ‘transgender status’) from personal data. It further provides the Central Government with the power to notify categories of personal data as ‘critical personal data’ that shall only be processed in a server or data centre located in India.

Section 43A of the IT (Amendment) Act also specifies and defines ‘sensitive personal data and information’; the Reasonable Security Practices and Procedures Rules, 2011, under that section provide further detail.

9. How is the data controller and the data processor/operator defined?

Rather than ‘data controller’, the draft Personal Data Protection Bill uses the term ‘data fiduciary’, which means ‘any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data’. The draft Bill defines ‘data processor’ as ‘any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary’.

The IT (Amendment) Act does not include these definitions.

10. What are the data protection principles and how are they defined?

The draft Personal Data Protection Bill lists the following:

1.

fair and reasonable processing, that respects the privacy of the data subject;
2.

purpose limitation, meaning that the purposes are clear, specific and lawful, although incidental purposes that the data subject would ‘reasonably expect the data to be used for’ are allowed as well;
3.

collection limitation, meaning that only data that is necessary for the purpose of processing should be collected;
4.

lawful processing, meaning that processing shall only be done on the grounds specified in the Bill for personal data and sensitive personal data respectively;
5.

notice (with the draft Bill specifying 14 elements of information which the notice needs to contain), to be provided at the time of collection of the personal data or, if the data is not collected from the data subject, as soon as is reasonably practicable, and to be provided in a clear and concise manner that is easily comprehensible and in multiple languages ‘where necessary and practicable’ – exemption of the notice obligation is provided where processing is required for prompt action;
6.

data quality, which means that the data fiduciary needs to take reasonable steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purposes for which it is processed;
7.

data storage limitation, which means that the data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, unless longer retention is mandated by law; and,
8.

accountability, which means that the data fiduciary will comply with all obligations set out in the Act in respect of any processing undertaken by it or on its behalf, and can demonstrate that any processing undertaken by it or on its behalf is in accordance with the Act.

The IT (Amendment) Act does not list data protection principles.

11. Does the law provide any specific definitions with regards to data protection in the digital sphere?

The draft Personal Data Protection Bill also defines ‘automated means’. In addition, its preamble highlights that its formulation in general has to be seen in the context of the growth of the digital economy.

Relevant definitions in the IT (Amendment) Act include those for ‘access, ‘intermediary’ and ‘reasonable security practices and procedures’.

Rights

12. Is the data protection law based on fundamental rights (defined in constitutional law or international binding documents)?

The Preamble to the draft Personal Data Protection Bill specifically states that the right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy.

The IT (Amendment) Act does not explicitly address this question.

13. What are the rights of the data subjects according to the law?

The draft Personal Data Protection Bill lists the following data subject rights:

1.

the right to confirmation whether the data fiduciary is processing or has processed personal data of the data subject and to access a brief summary of that data and of the processing activities undertaken by the data fiduciary in relation to that data;
2.

the right to, where necessary, correct inaccurate or misleading personal data, to complete incomplete personal data, and to update personal data that is out of date – where the data fiduciary does not agree that there is a need, it has to provide its justification to the data subject in writing and indicate alongside the relevant personal data that it is disputed;
3.

the right to data portability, which means that the data subject has the right to receive their personal data under control of a data fiduciary in a structured, commonly used and machine-readable format, and to have it transferred to another data fiduciary in that format, wherever the processing has been carried out through automated means, except where the processing is necessary for specific functions of the State outlined in the Act, is in compliance of law, or where compliance with this provision would reveal a trade secret of any data fiduciary or would not be technical feasible;
4.

the right to be forgotten, which is defined as the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal under certain conditions and after the Adjudicating Officer has determined that these conditions have been satisfied.

Obligations and Sanctions

14. What are the obligations of the controllers and processors/operators?

In addition to the obligations data fiduciaries and data processors/operators have with regard to the implementation of the general data protection principles and the rights of the data subjects under the draft Personal Data Protection Bill (see above), data fiduciaries have a number of obligations under the Bill that specifically relate to the personal and sensitive data of children. These include processing the personal data of children in a way that protects and advances their rights and interests and incorporating mechanisms for age verification and parental consent. Additional obligations adhere to those data fiduciaries who process large volumes of personal data of children or who operate websites or provide services targeted at children, so-called guardian data fiduciaries.

Data fiduciaries are also obliged to take a number of privacy and accountability measures, including

1.

privacy by design;
2.

transparency regarding their general practices relating to the processing of personal data as well as regarding important processes in the processing of personal data related specifically to the data subject;
3.

appropriate security safeguards;
4.

procedures and mechanisms to address grievances of data subjects in an efficient and timely manner; and,
5.

notification of the Authority of breaches of the personal data processed by the controller where such breach is likely to cause harm to a data subject.

Data fiduciaries need to further ensure the storage on a server or data centre located in India of at least one serving copy of personal data to which the law applies.

Those data fiduciaries classified as ‘significant’ data fiduciaries are also required to appoint a data protection officer; to conduct data protection impact assessments; to keep accurate and up-to-data records of the details of their operations; and to have their policies and the conduct of their processing of personal data audited annually by an independent data auditor. Classification as a significant data fiduciary will depend on such factors as the volume of data processed, the sensitivity of the personal data processed, the turnover of the data fiduciary, the risk of harm resulting from the processing and the use of new technologies for processing.

Data processors can only be engaged or involved in any way by data fiduciaries through a valid contract. Unless permitted by this contract, data processors are not allowed to involve any other data processor in the processing without the authorisation of the data fiduciary. Data processors can further only process personal data in accordance with the instructions of the data fiduciary, unless required to do otherwise under law, and have to treat any personal data that comes within their knowledge as confidential.

The Reasonable Security Practices and Procedures Rules, 2011, under section 43A of the IT (Amendment) Act also briefly outline a number of obligations.

15. Is notification to a national regulator or registration required before processing data?

As per the draft Personal Data Protection Bill, those data fiduciaries or classes of data fiduciaries who have been classified by the Data Protection Authority as ‘significant data fiduciaries’ are required to register with the Authority. Classification as a significant data fiduciary will depend on such factors as the volume of data processed, the sensitivity of the personal data processed, the turnover of the data fiduciary, the risk of harm resulting from the processing and the use of new technologies for processing.

Further, although not required before processing the data, the transfer of sensitive personal data outside the territory of India to a person or entity engaged in the provision of health or emergency services where such transfer is strictly necessary for prompt action requires notification to the Authority within the time period that will be prescribed. Where a data fiduciary seeks to transfer personal data outside the territory of India subject to standard contractual clauses or intra-group schemes that have been approved by the Authority, it also needs to certify and periodically report to the Authority that the transfer is made under a contract that adheres to such standard contractual clauses or intra-group schemes and that it will bear liability for any harm caused in the case of non-compliance.

16. Does the law require privacy impact assessment to process any category of personal data?

As per the draft Personal Data Protection Bill, significant data fiduciaries are required to undertake a data protection impact assessment when they intend to undertake any processing involving new technologies, or large scale profiling, or the use of sensitive personal data such as genetic or biometric data, or any other processing which carries a risk of significant harm to data subjects. In addition, the Data Protection Authority may specify further circumstances or classes of data or processing operations for which a data protection impact assessment by significant data fiduciaries is mandatory. The Data Protection Authority can also specify instances in which significant data fiduciaries need to engage a data auditor under the Act to carry out the data protection impact assessment. Where the Data Protection Authority is of the view that any processing activity undertaken by data fiduciaries other than significant data fiduciaries carries a risk of significant harm to data subjects, it can notify that data protection impact assessments are mandatory for them as well.

17. What conditions must be met to ensure that personal data are processed lawfully?

The draft Personal Data Protection Bill recognises the following grounds for the processing of personal data:

1.

on the basis of consent;
2.

for functions of the State, including the provision of any service or benefit to the data subject from the State and the issuance of any certification, licence or permit for any action or activity of the data subject by the state;
3.

in compliance with law or any order of any court or tribunal;
4.

when necessary for prompt action in medical emergencies and during epidemics, disasters and breakdowns of public order;
5.

for purposes related to employment, where processing on the basis of consent is inappropriate or would involve a disproportionate effort, including recruitment, termination, provision of any benefit to the employee, verification of attendance of the employee and any other activity relating to the assessment of the employee’s performance;
6.

for reasonable purposes, including the prevention and detection of any unlawful activity, whistle blowing, mergers and acquisitions, network and information security, credit scoring, the recovery of debt and the processing of publicly available personal data.

18. What are the conditions for the expression of consent?

The draft Personal Data Protection Bill requires consent to be given no later than at the beginning of processing, with consent being valid when it is free, informed, specific, clear and capable of being withdrawn. Where explicit consent for sensitive personal data is concerned, the Bill sets additional, higher standards for the consent be considered informed, clear and specific.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

The draft Personal Data Protection Bill recognises the following grounds for the processing of sensitive personal data:

1.

explicit consent;
2.

for certain functions of the State, including the exercise of any function of the State authorised by law for the provision of any service or benefit to the data principal;
3.

in compliance with any law which explicitly mandates such processing or any order of any court or tribunal;
4.

certain categories of sensitive personal data, including passwords, financial data, health data, official identifiers, genetic data and biometric data, may be processed when necessary for prompt action in medical emergencies are during epidemics, disasters and breakdowns of public order.

The Data Protection Authority may specify further categories of personal data as sensitive personal data and may also specify any further grounds on which such specified categories of sensitive personal data may be processed.

The Reasonable Security Practices and Procedures Rules, 2011, under the IT (Amendment) Act require the provider of sensitive personal data or information to provide consent for the purpose for which the data or information will be used before such data or information is collected. Such consent needs to be written and capable of being withdrawn. In the latter case, the body corporate shall have the option not to provide the goods or services for which the sensitive personal data or information was sought.

20. What are the security requirements for collecting and processing personal data?

The draft Personal Data Protection Bill requires the data fiduciary and data processor to implement security safeguards such as the use of de-identification and encryption, steps necessary to protect the integrity of personal data, and steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data, having regard to the nature, scope and purpose of the processing of the personal data, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing.

Where a breach of personal data is likely to cause harm to any data subject, the draft Personal Data Protection Bill requires the data fiduciary to notify the Data Protection Authority of the breach, as well as of (1) the nature of the personal data that has been breached, (2) the number of data subjects affected by the breach, (3) possible consequences of the breach, and (4) measures taken to remedy the breach. The Authority will determine whether or not the breach should be reported to the data subject.

The Reasonable Security Practices and Procedures Rules, 2011, under the IT (Amendment) Act, specify a number of security precautions to be taken as well, including the adoption of international standards for information security management or other codes of best practices that have been approved and notified by the Central Government.

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

The draft Personal Data Protection Bill requires every data fiduciary to ensure that at least one serving copy of personal data to which the Act applies is stored on a service or in a data centre located in India. The Central Government may notify certain categories of personal data as exempt from this requirement on the grounds of necessity or strategic interests of the State, but sensitive personal data cannot be exempted. In addition, the draft Personal Data Protection Bill gives the Central Government the power to notify categories of personal data as critical personal data, which shall only be processed in a server or data centre located in India.

Sectoral localisation requirements already exist in India, including as required by the Reserve Bank of India Notification on Storage of Payments Systems Data of April 2018; the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; the Companies Act, 2013, and the attendant rules; and the Unified Access Licence for Telecom. Localisation requirements of various kinds have also been included in other draft policies and regulations, such as the draft E-Commerce Policy, 2019 and the draft e-Pharmacy Rules, 2018.

22. What are the requirements for transferring data outside the national jurisdiction?

As per the draft Personal Data Protection Bill, personal data other than those categories of sensitive personal data that have been notified as critical personal data may be transferred outside of India where:

1.

the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Data Protection Authority after it has been satisfied that these effectively protect the rights of data subjects under the Act; or,
2.

the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible as it believes that the relevant personal data shall be subject to an adequate level of protection; or
3.

the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity.

In addition, in the first two cases, the data subject needs to have consented to the transfer of personal data or explicitly consented in the case of sensitive personal data that has not been notified as critical personal data.

Sensitive personal data that has been notified as critical personal data can be transferred outside of India:

1.

to a particular person or entity engaged in the provision of health services or emergency services where such transfer is strictly necessary for prompt action;
2.

to a particular country, a prescribed sector within a country or to a particular international organisation that has been prescribed, where the Central Government is satisfied that such transfer or class of transfers is necessary for any class of data fiduciaries or data subjects and does not hamper the effective enforcement of the Act.

23. Are data transfer agreements foreseen by the law?

Yes, see above.

24. Does the relevant national regulator need to approve the data transfer agreements?

Yes, see above.

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

The draft Personal Data Protection Bill provides for fines and, where a data subject who has suffered harm as a result of any violation files a complaint, compensation for the data subject. Where a violation is listed as an offence in the Bill, it can also attract a prison term, as well as a fine. In addition, the Data Protection Authority can issue warnings, reprimands and orders to cease and desist from committing or causing any violation of the Act; require the data fiduciary or data processor to modify its business; temporarily suspend or discontinue the business or activity of the data fiduciary or data processor that is in contravention of the provisions of the Act; vary, suspend or cancel any registration granted by the Authority in the case of a significant data fiduciary; suspend or discontinue any cross-border flow of personal data; and require the data fiduciary or data processor to take any such action in regards to a matter that arose during an inquiry as the Authority may deem fit.

Section 43 of the IT (Amendment) Act provides for compensation to the victim, while section 72A of the Act attracts a prison term and/or a fine.

Actors

26. What actors are responsible for the implementation of the data protection law?

The draft Personal Data Protection Bill provides for the establishment of a Data Protection Authority of India, which will be the main actor responsible for implementation. It also provides for the establishment of an Appellate Tribunal. Appeals to decisions or orders of the Appellate Tribunal are to be made to the Supreme Court of India.

An adjudicating officer appointed by the Central Government will adjudicate matters in which the claim for injury or damage under section 43A of the IT (Amendment) Act does not exceed Rs. five crores (Rs. 50 million). The jurisdiction in respect of claims for injury or damage exceeding that amount vests with the competent court. Appeals to an order from an adjudicating officer can be made to the Cyber Appellate Tribunal. Appeals to decisions or orders from the Cyber Appellate Tribunal are to be made to the High Court.

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

The Data Protection Authority will be a body corporate, with the chairperson and members appointed by the Central Government on the recommendation of a selection committee. When the Authority calls for information from or conducts inspections and inquiries into the affairs of data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908. For the purpose of imposing penalties and awarding compensation, the Authority will have a separate adjudication wing, with the number, qualification, jurisdiction and manner and terms of appointment of the adjudicating officers to be prescribed by the Central Government; the draft Bill requires this to be done in a manner that ensure the operational segregation, independence and neutrality of the adjudication wing.

The Appellate Tribunal, though it has the powers to regulate its own procedures, shall be deemed to be a civil court in a number of respects and every proceeding before the Appellate Tribunal shall be deemed to be a judicial proceeding.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal, and all proceedings before it shall be deemed judicial proceedings. The Cyber Appellate Tribunal, though it has the powers to regulate its own procedures, too, shall be deemed to be a civil court in a number of respects, and every proceeding before it shall be deemed to be a judicial proceeding.

28. What are the powers of the actors responsible for the implementation of the data protection law?

The draft Personal Data Protection Bill requires the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the Act, and promote awareness of data protection. It contains a large number of powers and functions to help concretise that mandate, including the power to issue codes of practice, to issue directions to data fiduciaries and data processors, to call for information from data fiduciaries and data processors, to conduct an inquiry, to engage in search and seizure, and to take action pursuant to an inquiry.

When the Authority calls for information from or conducts inspections and inquiries into the affairs of data fiduciaries in accordance with the provisions of the Act, it shall have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908, including the discovery and production of books of account and other documents at such time and place as may be specified; the inspection of any book, document, register or record of any data fiduciary; summoning and enforcing the attendance of any person and examining them under oath; and issuing commission for the examination of witnesses or documents.

The Appellate Tribunal is to hear appeals from orders of the Authority and of the adjudicating officers of the Authority’s adjudication wing, as well as challenges to search and seizure orders by the Authority. It, too, has a number of powers as vested in a civil court under the Code of Civil Procedure, 1908, including those listed above for the Data Protection Authority as well as, among other things, receiving evidence on affidavits and dismissing an application for default or examining it, ex parte.

Under the IT (Amendment) Act, the adjudicating officer shall have the powers of a civil court, which are conferred on the Cyber Appellate Tribunal. The Cyber Appellate Tribunal has the powers of a civil court under the Code of Civil Procedure, 1908, in a number of respects while trying a suit; these powers largely, though not completely, overlap with those of the Appellate Tribunal established under the draft Data Protection Bill.

2.

Consumer Protection

Scope

29. What national laws (or other type of normative acts) regulate consumer protection?

In August 2019, the Consumer Protection Act, 2019 was adopted, which will replace earlier legislation from 1986. Draft Consumer Protection (e-Commerce) Rules, 2019, made under section 101 of the Consumer Protection Act, were made available for public consultation in November 2019. The draft National E-Commerce Policy 2019, too, has sections that are of relevance. Existing sectoral regulation such as the Food Safety and Standards Act, 2006, continues to apply as well.

30. Is the country a party of any international consumer protection agreement?

Since 2009, India is a party to the Convention for the Unification of Certain Rules for International Carriage by Air (also known as the Montreal Convention).

31. To whom do consumer protection laws apply?

The 2019 Act extends to the whole of India. The draft e-Commerce Rules are intended to regulate every e-commerce entity carrying out or intending to carry out e-commerce business in India as well as sellers selling or advertising their products or services through an e-commerce platform. Entities or businesses notified otherwise by the government are excluded.

32. Do the laws apply to foreign entities that do not have physical presence in the country?

The draft e-Commerce Rules require all e-commerce entities that seek to carry out e-commerce business in India to register as a legal entity under the laws of India.

Definitions

33. How is consumer protection defined?

Neither the Consumer Protection Act nor the draft e-Commerce Rules define consumer protection.

34. How are consumers defined?

The Consumer Protection Act defines a ‘consumer’ as any person who buys any goods or hires or avails of any service for a consideration, including where this has been paid or promised only in part or where it is bought under a system of deferred payment. It includes any user of the good and any beneficiary of the service other than the person who buys the good or hires the service, where such use is made, or such service is availed of with the approval of the buyer. It does not include a person who buys such goods or avails of such service for resale or for any commercial purpose, except if the latter refers to the purpose of earning his livelihood by means of self-employment.

35. How are providers and producers defined?

The Consumer Protection Act defines an ‘electronic service provider’ as ‘a person who provides technologies or processes to enable a product seller to engage in advertising or selling goods or services to a consumer and includes any online marketplace or online auction sites’. A ‘product service provider’, in relation to a product, means ‘a person who provides any service in respect of such product’.

The Consumer Protection Act does not define ‘producer’, but ‘manufacturer’ and ‘product manufacturer’. A ‘manufacturer’ is ‘a person who (i) makes any product or parts thereof; or (ii) assembles parts thereof made by others; or (iii) puts or causes to be put his own mark on any products made by any other person’. A ‘product manufacturer’ is defined as a person who does any of the above or ‘(iv) makes a product and sells, distributes, leases, installs, prepares, packages, labels, markets, repairs, maintains such product or is otherwise involved in placing such product for commercial purpose; (v) designs, produces, fabricates, constructs or re-manufactures any product before its sale; or (vi) being a product seller of a product, is also a manufacturer of such product’.

36. Does the law provide any specific definitions with regards to consumer protection in the digital sphere?

In the Consumer Protection Act, 2019, as compared to the 1986 Act, a number of definitions have been included or expanded to address consumer protection in the digital sphere. For example, the law states explicitly that where the expressions ‘buys any goods’ and ‘hires or avails any services’ is used in the definition of ‘consumer’, this includes offline or online transactions through electronic means. In addition, the definition of ‘advertisement’ includes any audio or visual publicity, representation, endorsement or pronouncement made by means of electronic media, Internet or website. The definition of ‘unfair trade practices’ includes permitting the publication of advertisements, whether in any newspaper or otherwise, including by way of electronic record, for the sale or supply at a bargain price of goods or services that are not intended to be offered for sale or supply at the bargain price, or not for a period and in quantities that can be considered reasonable seeing the nature of the market, business and advertisement. The law also defines ‘e-commerce’.

The draft e-Commerce Rules further define ‘e-commerce entity’, ‘inventory-based model of e-commerce’ and ‘market-based model of e-commerce’. Definitions of ‘electronic record’ and ‘information’ in the draft Rules have been replicated from the Information Technology Act.

Rights

37. Is the consumer protection law based on fundamental rights (defined in constitutional law or international binding documents)?

Neither the Consumer Protection Act nor the draft e-Commerce Rules explicitly address this question.

38. What are the rights of the consumer defined by the law with reference to digital good and services?

The Consumer Protection Act only defines consumer rights in a general manner, to include the following:

(i)

the right to be protected against the marketing of goods, products or services which are hazardous to life and property;
(ii)

the right to be informed about the quality, quantity, potency, purity, standard and price of goods, products or services, as the case may be, so as to protect the consumer against unfair trade practices;
(iii)

the right to be assured, wherever possible, access to a variety of goods, products or services at competitive prices;
(iv)

the right to be heard and to be assured that consumer’s interests will receive due consideration at appropriate fora;
(v)

the right to seek redressal against unfair trade practices or restrictive trade practices or unscrupulous exploitation of consumers; and,
(vi)

the right to consumer awareness.

The draft e-Commerce Rules do not explicitly address the rights of the consumer.

39. Is consumer protection law applicable to users of zero price services, i.e. free of charges?

With the exception of specialised services (such as remote surgery), zero rating by Internet access providers is not allowed in India. The definition of ‘service’ in the Consumer Protection Act explicitly includes within its scope the provision of facilities in connection with telecom but does not include the rendering of any service free of charge.

Obligations and Sanctions

40. Does the law establish specific security requirements to provide digital services or goods?

The Consumer Protection Act does not explicitly address this question.

The draft e-Commerce Rules require e-commerce entities to ensure that personally identifiable information of customers is protected and that such data collection, use and storage comply with provisions of the Information Technology (Amendment) Act, 2008, which includes, among others, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. The draft e-Commerce Rules also require payments for sale to be facilitated in conformity with the guidelines of the Reserve Bank of India, which include security requirements as well.

41. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Where a violation is listed as an offence in the Consumer Protection Act, it can attract a prison term as well as a fine. The court can also suspend the licence of anyone found guilty for a period of up to 2 years or cancel the licence in case of a second or subsequent conviction.

The Central Consumer Protection Authority (the Central Authority) can order the recalling of goods or withdrawing of services; the reimbursement of the prices of goods and services recalled to the purchasers; and the discontinuation of practices which are unfair and prejudicial to the consumers’ interest. It can also issue directions to all relevant parties to discontinue or modify false or misleading advertisements, prohibit the endorser of a false or misleading advertisement from making further endorsements and impose penalties.

The Consumer Disputes Redressal Commissions at district, state and national level can order the opposite party to remove defects pointed out; to replace the goods with new goods; to reimburse the price or charge paid by the consumer with interest; to provide compensation to the consumer; to discontinue unfair or restrictive trade practices and not to repeat them; not to offer the hazardous or unsafe goods or services for sale or withdraw them from sale and to cease to manufacture them; to issue corrective advertisement; to provide for adequate costs to parties; and to cease and desist from issuing misleading advertisements. In addition, the State and National Commissions can declare any terms of contract, which is unfair to any consumer, null and void.

Actors

42. What bodies are responsible for the implementation of the consumer protection law?

The principal actors provided for under the Act are the Central Consumer Protection Authority (the Central Authority), including its investigation wing, and Consumer Disputes Redressal Commissions at the district, state and national levels (the Commissions), each of which will have a Consumer Mediation Cell attached to them. The Act also provides specific powers to the district collectors. Appeals to orders of the National Consumer Disputes Redressal Commission are to be heard by the Supreme Court.

The Act also sets up Consumer Protection Councils at the national, state and district levels, to give advice on the promotion and protection of consumers’ rights under the Act. Its members include the minister in charge of consumer affairs at the state and national levels, and the district collector at the state level.

43. Is there a specific consumer protection body? If so, what is its administrative structure?

The objective of the Central Consumer Protection Authority is to regulate matters relating to the violation of rights of consumers, unfair trade practices and false or misleading advertisements which are prejudicial to the interests of the public and consumers, and to promote, protect and enforce the rights of consumers as a class.

The Central Authority, still to be set up at the time of writing, shall be headed by a Chief Commissioner, as well as having a number of other Commissioners as prescribed, all to be appointed by the Central Government. Headquartered in Delhi, it may have regional and other offices in any other part of India, as per the Central Government’s decision. The Central Government shall provide a number of officers and other employees to the Central Authority, as considered necessary for the Central Authority’s efficient functioning. The Central Authority may further engage a number of experts and professionals of integrity and ability with relevant specialised knowledge and expertise. The Central Authority will have an investigation wing, to conduct inquiries or investigations under the Act, as directed by the Central Authority. The Director-General of the investigation wing, as well as other officials, may be appointed by the Central Government.

44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

The Consumer Protection Act lists a large number of powers and functions of the Central Authority, including to inquire or cause an inquiry or investigation into violations of consumer rights or unfair trade practices; to file complaints before the District, State and National Commissions; to intervene in proceedings before the Commissions that concern allegations of violation of consumer rights or unfair trade practices; to review matters relating to, and factors inhibiting enjoyment of consumer rights and recommend appropriate remedial measures; to mandate the use of unique and universal goods identifiers and to issue guidelines to prevent unfair trade practices; and to issue safety notices. It can also recommend adoption of international covenants and best international practices on consumer rights, undertake research, raise awareness, and provide advice to Government Departments.

Where the investigation wing of the Central Authority or the District Collector engage in an inquiry or investigation, they will have powers of search and seizure. District Collectors may investigate complaints within their jurisdiction on a complaint or reference from the Central Authority or a Commissioner of a regional office.

The specific actions that the Central Authority can take, following an investigation, have been documented above, in the section on sanctions and remedies.

The District, State and National Commissions are quasi-judicial bodies that can entertain consumer complaints of different value and have the same powers in a number of respects as those vested in a civil court under the Code of Civil Procedure, 1908. Every proceeding before the Commissions shall be deemed a judicial proceeding. With the agreement of all parties involved, the Commissions can refer any complaint to the Consumer Meditation Cell attached to the relevant Commission. The Commissions can also review their own orders. The State and National Commissions will further hear appeals to decisions of the preceding level. In addition, they can, in particular circumstances, call for the records and pass appropriate orders in any consumer dispute pending before or decided by the preceding level and can transfer cases pending before the lower level(s). Where a person fails to comply with an order by a Commission, the Commission shall have the power of a Judicial Magistrate of first class for the trial of that offence. The specific actions that a Commission can take following an investigation have been documented in the section on sanctions and remedies.

3.

Cybercrime

Scope

45. What national laws (or other type of normative acts) regulate cybercrime?

The main act in India to specifically regulate cybercrime is the Information Technology (Amendment) Act, 2008. Other laws include relevant sections as well, however, such as, for example, the Copyright Act, 1957, and the Protection of Children from Sexual Offences (Amendment) Act, 2019. In addition, the Indian Penal Code and the Indian Evidence Act, 1872 too, continue to apply.

46. Is the country a part of any international cybercrime agreement?

India has not signed any international cybercrime agreement.

47. What cybercrimes are regulated?

The IT (Amendment) Act addresses a wide range of cybercrimes, from hacking-related offences over crimes related to impersonation and fraud, and from violations of privacy concerning the private areas of any person to offences related to obscenity and sexually explicit material, including child sexual abuse images.

Other laws, such as the Copyright (Amendment) Act, 2012 and the Protection of Children from Sexual Offences (Amendment) Act, 2019, address crimes specific to the domain they cover (in the case of these examples, copyright violations and child sexual abuse images respectively).

While most provisions of the Indian Penal Code have general applicability, some recognise cyberspace related aspects of a crime specifically. For example, the offence of stalking is defined in the Indian Penal code to explicitly include monitoring ‘the use by a woman of the internet, email or any other form of electronic communication’.

48. To whom do the laws apply?

The IT (Amendment) Act applies to the whole of India as well as to any offence or contravention under the Act committed outside India by any person, irrespective of their nationality, provided the suspected offence involves a computer, computer system or computer network located in India.

49. Do the laws apply to foreign entities that do not have physical presence in the country?

Yes, see above.

Definitions

50. How is cybercrime generally defined by the national law?

The IT (Amendment) Act does not define cybercrime.

51. What are the cybercrimes provided for by the law and how are they defined?

The IT (Amendment) Act includes offences such as:

tampering with computer source documents;
computer related offences such as damaging computers and computer systems;
dishonestly receiving stolen computer resources or communication;
identity theft and cheating by personation;violating the privacy of the private area of any person;
publishing or transmitting obscene or sexually explicit material, or material depicting children in a sexually explicit act;
publishing an electronic signature certificate while knowing it to be false in certain particulars or publishing it for a fraudulent or unlawful purpose.

While constituent elements of the crime are at times defined in detail, the crimes as such are not.

52. How is a computer system defined?

The IT (Amendment) Act defines a ‘computer system’ as ‘a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions’.

53. How are computer data defined?

The IT (Amendment) Act defines data as ‘a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer’.

54. How are forensic data defined?

The IT (Amendment) Act does not define forensic data, nor does the Indian Evidence Act. The IT (Amendment) Act does define ‘electronic form evidence’ as ‘any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cellphones, digital fax machines’.

55. How are service providers defined?

The IT (Amendment) Act does not define the term ‘service providers’. However, it defines ‘intermediary’, ‘with respect to any particular electronic records’, as ‘any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, Internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes’.

56. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

The IT (Amendment) Act also defines ‘access’, ‘addressee’, ‘affixing [electronic signature]’, ‘asymmetric crypto system’, ‘communication device’, ‘computer’, ‘computer network’, ‘computer resource’, ‘cybercafé’, ‘cyber security’, ‘digital signature’, ‘electronic form’, ‘electronic record’, ‘electronic signature’, ‘function’ in relation to a computer, ‘information’, ‘key pair’, ‘originator’, ‘private key’, ‘public key’, ‘secure system’, ‘security procedure’, ‘subscriber’ and ‘verify’ as well as a number of terms related to the implementation and enforcement of the Act, including to the institutions involved and their roles and functions.

Rights

57. Is the cybercrime law based on fundamental rights (defined in constitutional law or international binding documents)?

The IT (Amendment) Act does not explicitly address this question.

58. What are the rights of the victim and the accused?

The IT (Amendment) Act specifies that no compensation awarded, penalty imposed, or confiscation made under the Act shall prevent the award of compensation or imposition of any other penalty or punishment under any other law for the time being in force. It allows for the compounding of contraventions or offences in some circumstances, and also specifies that offences with up to 3 years of imprisonment are available. Beyond this, rights that are specific to cybercrime are not specified in either the IT (Amendment) Act or the Indian Evidence Act.

Procedures

59. Is there a specific procedure to identify, analyse, relate, categorise, assess and establish causes associated with forensic data regarding cybercrimes?

The Indian Evidence Act was amended by the IT (Amendment) Act to include electronic records explicitly in the definition of ‘documentary evidence’, as well as to include terms such as ‘digital signature’, ‘electronic form’ and ‘secure electronic record’, as defined by the IT (Amendment) Act, in the evidentiary mechanisms that the Indian Evidence Act provides for. This includes a lengthy section on the admissibility of electronic evidence (section 65B of the Indian Evidence Act).

60. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

The IT (Amendment) Act does not address this question. Most commonly, requests to foreign agents for the content of stored electronic communication are made through the MLAT process. As specified in the Allocation of Business Rules of the Government of India, the Ministry of Home Affairs is the nodal Ministry and the Central authority for seeking and providing mutual legal assistance in criminal law matters. Section 105 of the Criminal Procedure Code speaks of reciprocal arrangements to be made by the Central Government with foreign governments with regard to the service of summons/warrants/judicial processes. Accordingly, the Ministry of Home Affairs (MHA) has entered into Mutual Legal Assistance Treaties/Agreements on criminal matters with 39 countries, which provide for the serving of documents. Requests can also be made through the letters rogatory process, which involves the courts in both countries. Such requests can be based on MLATs, Memorandums of Understanding (MoUs) or reciprocity and they, too, need approval from the MHA. Investigating agencies can take the help of the International Police Cooperation Cell (IPCC) of the Central Bureau of Investigation (CBI), an Indian intelligence agency, in preparing such requests. The IPCC is also the nodal point in India for cooperation with and through INTERPOL. Finally, the Indian Computer Emergency Response Team (CERT-IN) also has signed MoUs with agencies in a number of countries to further cooperation on cybersecurity.

61. Are there any exceptions to the use of mutual legal assistance procedures to investigate the crime?

There are. For example, the India-US MLAT excludes political offences as well as offences under military law, subject to some exceptions, while the India-Malaysia MLAT excludes, among other things, requests where there is substantial ground to believe that these were made for the purpose of investigating, prosecuting, punishing or otherwise causing prejudice to a person on account of the person’s race, religion, sex, ethnic origin, nationality or political opinions.

62. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

Specific measures are specified in the rules attendant to several provisions of the IT (Amendment) Act, such as those made under section 16, regarding secure procedures and practices for electronic records and signatures, and under section 43A, regarding compensation for failure to protect data. Further, under section 70B, CERT-IN can provide guidance that needs to be adhered to. Under section 89, the Controller is granted the power to make regulations on matters such as standards.

Obligations and Sanctions

63. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

The Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, made under section 69B of the IT (Amendment) Act, prohibit the disclosure or use of traffic data or information by the agency authorised to monitor or collect traffic data for any purpose other than the forecasting of imminent cyber threats or general trends of port-wise traffic on the Internet, or general analysis of cyber incidents, or for investigation or in judicial proceedings before a competent court in India. Section 69B provides the Central Government with the power to authorise the monitoring and collection of traffic data through any computer resource for cyber security. Beyond this, neither the IT (Amendment) Act nor the Indian Evidence Act address this question explicitly in the context of cybercrime. In the draft Personal Data Protection Bill, 2018, processing for the prevention, detection, investigation and prosecution of contraventions of law or for the purpose of legal proceedings are included in the exemptions, severely restricting law enforcement agencies’ obligations to protect personal data.

64. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

Section 80 of the Act outlines the power of police officers and other officers to enter, search, etc. Procedural guidelines under section 69B of the Act are provided in the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009. Further details on the duties and obligations of the prosecuting authorities specifically in cases of cybercrime are not provided in either the IT (Amendment) Act or the Indian Evidence Act.

65. Does the law impose any obligations on service providers in connection with cybercrime?

Section 79 of the IT (Amendment) Act and the attendant rules provide intermediaries with exemption from liability, provided that they, among other things, observe due diligence while discharging their duties under the Act. This includes warning users, in their rules and regulations, privacy policy and user agreement, about content that violates the law; taking prompt action when informed about the presence of violative content on their platform; and providing any assistance required to government agencies when required by a lawful order to do so. Intermediaries are also required to take all reasonable measures to secure their computer resources and the information they contain, as outlined in section 43A of the IT (Amendment) Act and the attendant rules; to report and share information on cybersecurity incidents with CERT-IN; and to ensure that technical or infrastructural modifications do not facilitate circumvention of the law. Proposed changes to the Intermediary Guidelines Rules, 2011, under discussion at the time of writing, would add further obligations. Cyber cafés are subject to an additional set of rules, with their own set of requirements.

Intermediaries are also required to provide any assistance necessary to assist the government in exercising its powers to intercept, monitor or decrypt any information through any computer resources (section 69 of the IT (Amendment) Act and the attendant rules); to block for public access information through any computer resource (section 69A of the IT (Amendment) Act and the attendant rules); or to monitor and collect meta data through any computer resource for cyber security (section 69B of the IT (Amendment) Act and the attendant rules).

In addition, section 67C of the IT (Amendment) Act requires intermediaries to preserve and retain information for the duration and in the manner prescribed by the Central Government.

66. To which extent can a legal person be held liable for actions in connection with cybercrimes?

Section 85 of the IT (Amendment) Act holds that where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and be punished accordingly.

Liability of companies is also addressed in select other provisions in the Act. For example, section 43A provides for compensation where a body corporate fails to protect data. Section 70B specifies that body corporates who do not comply with directions issued by CERT-IN are punishable with imprisonment and fine.

Actors

67. What bodies implement the cybercrime legislation?

The IT (Amendment) Act designates CERT-IN as the national agency for incident response. CERT-IN, the Controller of the Certifying Authorities for electronic signature certificates, and a number of government bodies and agencies can all issue directions. The Controller and adjudicating officers to be appointed by the government can investigate contraventions of the Act or specific sections of it. Appeals to orders made by the Controller or an adjudicating officer can be made to the Cyber Appellate Tribunal. Further appeals need to be made to the High Court. Although India has a growing number of cybercrime police cells, any police officer not below the rank of Inspector can investigate offences under the Act. Further, the Central Government has appointed a number of government bodies as Examiners of Electronic Evidence, to provide expert opinion on electronic evidence before any court or other authority.

68. Is there a special public prosecutor office for cybercrime? If so, how is it organised?

The IT (Amendment) Act does not address this question.

69. Does the cybercrime legislation create any specific body?

The IT (Amendment) Act establishes CERT-IN, the Controller of Certifying Authorities for electronic signatures and the Cyber Appellate Tribunal.

4.

Public Order

Definitions

70. How are public order, threats to public order and the protection of public order defined?

None of these terms are defined as such in Indian law.

71. Is the protection of public order grounded in constitutional norms?

The laws that apply to public order and cyberspace do not explicitly address this question.

Measures

72. What cyber measures address threats to public order?

In the IT (Amendment) Act, public order is listed as one of the grounds on which

the Central Government, State Governments, or any officer specifically authorised by them can issue directions for intercepting, monitoring or decrypting of any information generated, transmitted, received or stored in any computer resource (section 69);
the Central Government or any officer specifically authorised by it can issue directions to block for public access any information generated, transmitted, received, stored or hosted in any computer resource (section 69A).
In addition, Internet shutdowns, frequently ordered to address alleged threats to public order, are imposed under:
- Section 144 of the Criminal Procedure Code, which grants a District Magistrate, a Sub-divisional Magistrate or any other Executive Magistrate specially empowered by the State Government in this behalf, the power to issue orders in urgent cases of nuisance or apprehended danger;
- Section 5(2) of the Indian Telegraph Act, 1885, which, on the occurrence of a public emergency or in the interest of public safety, allows the Central Government or a State Government or any officer specially authorised by them to direct that any message or class of messages to or from any person or class of persons or relating to any particular subject, shall not be transmitted or shall be intercepted or detained, or shall be disclosed to the government or officer making the order, if it is necessary or expedient to do so in the interests of, among other things, public order;The Temporary Suspension of Telecom Services (Public Emergency and Public Safety) Rules, 2017, notified under section 7 of the Indian Telegraph Act, which provides the Central Government with the power to make rules for the conduct of telegraphs.
- Section 66F of the IT (Amendment) Act provides for punishment for cyber terrorism, which is believed to have taken place, among other things, when a person knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to any restricted information, data or computer database which, there is reason to believe, may be used to cause or is likely to cause injury to, among other things, public order.

Actors

73. What public authorities are responsible for the implementation of surveillance techniques?

In December 2018, the Cyber and Information Security Division of the Ministry of Home Affairs, Government of India, publicly released an order authorising ten security and intelligence agencies to intercept, monitor and decrypt information in any computer resource, a power granted by section 69 of the IT (Amendment) Act. These agencies are the Intelligence Bureau; the Narcotics Control Bureau; the Enforcement Directorate; the Central Board of Direct Taxes; the Directorate of Revenue Intelligence; the Central Bureau of Investigation; the National Investigation Agency; Cabinet Secretariat (RAW); the Directorate of Signal Intelligence (for service areas of Jammy & Kashmir, North-East and Assam only); and the Commissioner of Police, Delhi. A similar order has not been issued publicly for section 69A.

Internet shutdowns can be ordered under section 144 of the Code of Criminal Procedure by a District Magistrate, a Sub-divisional Magistrate or any other Executive Magistrate specially empowered by the State Government in this behalf. Where Internet shutdowns are ordered under the Temporary Suspension of Telecom Services Rules, the order can be given by the Secretary in the Ministry of Home Affairs, in the case of the Central Government, and the Secretary to the State Government in-charge of the Home Department, in the case of a State Government. In ‘unavoidable circumstances’, other officers who have been duly authorised to do so, can issue the order as well. Details on the agencies responsible for ordering Internet shutdowns under section 5(2) of the Indian Telegraph Act are not publicly available; the Act only notes that such an order needs to be given by the Central or a State Government or an officer authorised by them to do so.

74. What are obligations of these public authorities?

Procedural guidelines under section 69 of the IT (Amendment) Act, outlining a number of obligations, can be found in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, while procedural guidelines under section 69A of the same Act can be found in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009. The Temporary Suspension of Telecom Services also provide procedural guidelines. Where orders are issued under section 144 of the Code of Criminal Procedure or section 5(2) of the Indian Telegraph Act, the obligations of the authorities have not been detailed.

75. Can private actors be involved in the implementation of cyber measures to address threats to public order?

Where public order is concerned, intermediaries are required to provide any assistance necessary to assist the government in exercising its powers to intercept, monitor, or decrypt any information through any computer resources (section 69 of the IT (Amendment) Act and the attendant rules) and to block for public access information through any computer resource (section 69A of the IT (Amendment) Act and the attendant rules).

Section 79 of the IT (Amendment) Act and the attendant Intermediaries Guidelines Rules, 2011, provide intermediaries with exemption from liability, provided that they, among other things, observe due diligence while discharging their duties under the Act. This includes taking prompt action when informed about the presence of violative content on their platform, such as content that is a threat to public order; and providing any assistance required to government agencies when required by a lawful order to do so. Proposed changes to the Intermediary Guidelines Rules 2011, under discussion at the time of writing, would add further obligations, including on the ground of threats to public order.

Where Internet shutdowns are concerned, telecom operators are also required to comply with any orders made under section 144 of the Criminal Code of Procedure and under section 5(2) of the Indian Telegraph Act, as well as under the Temporary Suspension of Telecom Services Rules, in addition to the general obligations imposed on them under their license conditions.

5.

Cyberdefence

Scope

76. Is there a national cyberdefence strategy or is cyberdefence mentioned in the national defence strategy?

India does not have a formal national security strategy or national cyberdefence strategy.

77. What is the legal status of the national defence or cyberdefence strategy?

India does not have a formal national security strategy or national cyberdefence strategy.

78. What national laws or other normative acts regulate cyberdefence in the country?

Of primary importance to understand India’s developing policy on cyberdefence is the Joint Doctrine Indian Armed Forces 2017. Other military documents that touch on the issue are the Indian Army Land Warfare Doctrine 2018, the Basic Doctrine of the Indian Airforce 2012, the Indian Maritime Security Strategy 2015 and the Indian Maritime Doctrine 2015.

The National Cybersecurity Policy, 2013, highlights the need for a Cyber Crisis Management Plan for dealing with cyber related incidents impacting critical national processes or endangering public safety or security of the nation, as well as addressing the need to ensure the protection and resilience of critical information infrastructure and the need to reduce supply-chain risks. Several sections of the IT (Amendment) Act and of the Indian Telegraph Act are of relevance as well.

79. Is the country party of any international cooperation agreement in the sphere of cyberdefence?

There is no publicly available information on whether India became a party to the Agreement on Cooperation in Ensuring International Information Security between the Member States of the Shanghai Cooperation Organisation (SCO) when it became a full member of the SCO in 2017.

80. Does the national cyberdefence strategy provide for retaliation?

The Joint Doctrine Indian Armed Forces notes that India’s national security policy ‘shall entail inherent right of self-defence’, among other things. Other documents of the armed forces, too, mention retaliation; the Indian Army Land Warfare Doctrine 2018 specifically mentions a mandate to retaliate in cases of information warfare.

Definitions

81. How are national security and national defence defined?

The Joint Doctrine Indian Armed Forces notes that ‘national security to us implies the protection, preservation and promotion of our national interests against internal and external threats and challenges. Maintenance of our national security is critical as it provides us the necessary freedom, and removes all fear and hindrance in our pursuit of prosperity and happiness. India’s security is an integral component of its development process. National security and the underpinning strategies have both national and international dimensions. National Security not only entails military security but also influences our politico-diplomatic structure, water, economy, energy, food, health, education, technology, cyber, space, nuclear deterrence and environment’. The Joint Doctrine does not define ‘national defence’.

82. How are cybersecurity and cyberdefence defined?

The Joint Doctrine Indian Armed Forces does not define ‘cybersecurity’ or ‘cyberdefence’.

83. How are threats to national security and cyberthreats defined?

While not providing a definition as such, the Joint Doctrine Indian Armed Forces classifies threats into internal and external threats and challenges. The latter are further broken down into traditional and non-traditional threats. The Joint Doctrine does not provide a similar discussion of cyberthreats.

84. How is a cyberattack defined?

The Joint Doctrine Indian Armed Forces does not define ‘cyberattack’.

85. Does the national law provide any other definitions instrumental to the application of cyberdefence legislation?

The Joint Doctrine discusses ‘national security policy’, ‘national security strategy’, ‘armed forces doctrine’, ‘national power’, ‘military instrument of national power’, and ‘cyber power’, as well as laying out India’s national security objectives and national military objectives. The national security objectives contain explicit reference to the defence of cyberspace.

National Framework

86. Is cyberdefence grounded on the constitutional provisions and/or international law?

The Joint Doctrine Indian Armed Forces takes as its starting point India’s national values, aim and interests as enshrined in its Constitution.

87. Which specific national defence measures are related to cybersecurity?

The Joint Doctrine Indian Armed Forces emphasises the need for greater integration of the structures of the army, navy and air force in order for the Indian armed forces to be able to effectively address cyberthreats. In specific, it notes the launch of the Defence Communication Network (DCN), which seeks to ready the armed forces for network centric wars by enabling all stakeholders to share situational awareness for a faster decision-making process. It also highlights the setting up of the tri-service Defence Cyber Agency, as one step towards coordination and integration of the efforts of the army, navy and air force where cyberspace is concerned. It further notes that ‘cyber defence structures envisage monitoring of own cyberspace at the metadata level, real-time detection of threats in data flow, identifying types and sources of threats and responding suitably to limit and mitigate the adverse impact. The necessary crisis management plans are being incorporated to deal with the potential fallout’.

Several sections of the IT (Amendment) Act are of relevance as well, in particular section 66F, Punishment for cyber terrorism; section 69, Powers to issue directions for interception or monitoring or decryption of any information through any computer resource; and section 69A, Power to issue directions for blocking for public access of any information through any computer resource. Threats to the sovereignty or integrity of India, the security of the State and friendly relations with foreign states are included in the grounds on which each of these provisions can be invoked. Sections 69 and 69A can also be invoked where it is necessary or expedient to do so in the name of the defence of India. Section 69B of the IT (Amendment) Act further allows for the monitoring and collection of traffic data for cybersecurity.

Section 5 of the Indian Telegraph Act allows the government to take possession of licensed telegraphs and to order that messages shall be intercepted or detained or not transmitted when there is a public emergency or in the interest of public safety, again when it is necessary or expedient to do so in the interests of, among other things, the sovereignty and integrity of India, the security of the state, or friendly relations with foreign states. A number of obligations imposed on telecom operators in their licence agreements are justified on the ground of national security as well.

88. Is there a national defence doctrine and does the law or strategy refer to it?

The Joint Doctrine Indian Armed Forces is the main national defence doctrine. As noted earlier, India does not have a formal national security strategy or national cyberdefence strategy.

89. What measures are mentioned in the national law and strategy in order to implement cyberdefence?

See above.

90. How can Internet users’ online activities be limited for the reasons of protection of national security and cyberdefence?

As noted above, section 69 of the IT (Amendment) Act provides the government with the powers to issue directions for interception or monitoring or decryption of any information through any computer resource, while section 69A of the Act provides it with the power to issue directions for blocking for public access of any information through any computer resource. Threats to the sovereignty or integrity of India, the security of the State and friendly relations with foreign states, as well as the defence of India are included in the grounds on which each of these provisions can be invoked.

Section 5(2) of the Indian Telegraph Act allows the government to take possession of licensed telegraphs and to order interception of messages when there is a public emergency or in the interest of public safety, again when it is necessary or expedient to do so in the interests of, among other things, the sovereignty and integrity of India, the security of the state, or friendly relations with foreign states.

91. Does the national law or strategy foresee any special regime to be implemented in case of emergency in the context of cyberdefence?

While a number of actors are highlighted as playing a pivotal role in the context of a national level threat, neither the relevant laws nor the Joint Doctrine Indian Armed Forces provide a specific regime to address such situations.

92. Is there any specific framework regulating threats to critical infrastructure?

Section 70 of the IT (Amendment) Act allows for the appropriate government to declare any computer resource which directly or indirectly affects the facility of critical information infrastructure to be a protected system. Section 70A of the Act provides for the Central Government to designate any organisation of the Government as the national nodal agency for the protection of critical information infrastructure.

Actors

93. What actors are explicitly mentioned as playing a role regarding cyberdefence in the law or national cyber defence strategy or defence strategy?

The Joint Doctrine Indian Armed Forces mentions the Defence Cyber Agency, the Defence Information Assurance and Research Agency, the National Security Council Secretariat and the National Cyber Coordination Centre under the Ministry of Communications and Information Technology.

In addition, in 2014, the Government of India designated the National Critical Information Infrastructure Protection Centre (NCIIPC) as the national nodal agency for critical information infrastructure protection, as per the powers vested in it under section 70A of the IT (Amendment) Act.

94. Is there a specific cyber defence body?

The Defence Cyber Agency, mentioned in the Joint Doctrine Indian Armed Forces, and the NCIIPC, designated the national nodal agency for critical information infrastructure protection under section 70A of the IT (Amendment) Act in 2014, are bodies that are specifically concerned with cyber defence or aspects of it.

95. What are the tasks of aforementioned actors?

The NCIIPC is responsible for all measures relating to critical information infrastructure, including research and development. Further details on its tasks can be found in the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013, that designated the NCIIPC as the national nodal agency for critical information infrastructure protection.

Little information is publicly available on the mandate and tasks of other actors. Formally established in 2019, the exact mandate of the Defence Cyber Agency has not been made public. The Joint Doctrine Indian Armed Forces describes it as a tri-service advice mechanism, but media reports indicate that its mandate may go beyond that. The Joint Doctrine also describes the Defence Information Assurance and Research Agency as the nodal agency mandated to deal with all cyber security needs of the tri-services and the Ministry of Defence. Media reports indicate that the Agency might have been incorporated in the Defence Cyber Agency. Also according to the Joint Doctrine, the efforts at cyberdefence undertaken by various stakeholders are synchronised by the National Security Council Secretariat (NSCS) through the National Cyber Coordination Centre (NCCC) under the Ministry of Communications and Information Technology. The NSCS is a specialised unit in the Prime Minister’s Office under the direct charge of the National Security Advisor and headed by the Deputy National Security Advisor. The NCCC, according to the Joint Doctrine, is entrusted with the responsibility of coordination, identification and mitigation of cyber risks, threats and vulnerabilities. In media reports it has been described as a cybersecurity and e-surveillance agency.

References

Bhatia, Gautam (17 February 2016). Free Speech and Public Order. Centre for Internet and Society. <https://cis-india.org/internet-governance/blog/free-speech-and-public-order-1>.
Bommakanti, Kartik (2019). Electronic and Cyber Warfare: A Comparative Analysis of the PLA and the Indian Army. ORF Occasional Paper 203. New Delhi, July 2019. Observer Research Foundation. <https://www.orfonline.org/research/electronic-and-cyber-warfare-a-comparative-analysis-of-the-pla-and-the-indian-army-53098/>.
Chawla, Gunjan (4 October 2019). India’s New Cyber Defence Agency – II: Balancing Constitutional Constraints and Covert Ops? Medianama. <https://www.medianama.com/2019/10/223-india-defence-cyber-agency-part-2/>.
Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018). A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. New Delhi, 27 July 2019. Ministry of Electronics and Information Technology, Government of India. <https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf>.
Comptroller and Auditor General of India (2016). Report of the Comptroller and Auditor General of India for the Year Ended March 2015. Union Government (Communications and IT Sector). Report No. 29 of 2016. New Delhi, 2016. Comptroller and Auditor General of India. <https://cag.gov.in/content/report-no-29-2016-compliance-audit-communication-it-sector-union-government>.
Concerned People (2018). Solving for Data Justice: A Response to the Draft Personal Data Protection Bill. New Delhi, 18 October 2018. Internet Democracy Project. <https://internetdemocracy.in/reports/datajustice/>.
Corbridge, Stuart & Harriss, John (2003). Reinventing India: Liberalisation, Hindu Nationalism and Popular Democracy. Second edition. New Delhi, Oxford University Press.Google Scholar
Das, Debak (4 November 2019). An Indian Nuclear Power Plant Suffered a Cyberattack. Here’s What You Need to Know. Washington Post. <https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/>.
Datta, Bishakha (2017). Guavas and Genitals: An Exploratory Study on Section 67 of the Information Technology Act, India. Mumbai: Point of View.Google Scholar
Datta, Saikat (2016). Cybersecurity, Internet Governance and India’s Foreign Policy: Historical Antecedents. New Delhi, January 2016. Internet Democracy Project. <https://internetdemocracy.in/reports/cybersecurity-ig-ifp-saikat-datta/>.
Datta, Saikat & Venkatanarayan, Anand (30 October 2019). Cyberattack Scare Dogs India’s Nuclear Plants. Asia Times. <https://www.asiatimes.com/2019/10/article/cyberattack-scare-dogs-indias-nuclear-plants/>.
Duggal, Pavan (2005). Cyber Law and Its Implementation in India. Bagga, R.K.; Keniston, Kenneth & Mathur, Rohit Raj (eds.), The State, IT and Development. New Delhi, Sage.Google Scholar
Dutta, Prabhash K (24 August 2017). Right to Privacy: 5 Bills Yet No Law, How Parliament Has Dealt With Personal Data Protection. India Today. <https://www.indiatoday.in/india/story/right-to-privacy-fundamental-right-parliament-1031136-2017-08-24>.
Frankel, Francine R. (2005). India’s Political Economy 1947-2004: The Gradual Revolution. Second Edition. New Delhi, Oxford University Press.Google Scholar
Galiya, Stuti (20 August 2019). India: Consumer Protection Act, 2019 – Key Highlights. Mondaq. <http://www.mondaq.com/india/x/838108/Dodd-Frank+Wall+Street+Reform+Consumer+Protection+Act/CONSUMER+PROTECTION+ACT+2019+KEY+HIGHLIGHTS>.
Gandhi, Jatin (27 March 2018). Srikrishna Committee Report on Data Protection and Privacy by May-End. Hindustan Times. <https://www.hindustantimes.com/india-news/srikrishna-committee-report-on-data-protection-and-privacy-by-may-end/story-KYTHD6DxcgkA9VwtZ24OrN.html>.
Glanz, James; Rotella, Sebastian; & Sanger, David E. (21 December 2014). In 2008 Mumbai Attacks, Piles of Spy Data, But an Uncompleted Puzzle. New York Times. <https://www.nytimes.com/2014/12/22/world/asia/in-2008-mumbai-attacks-piles-of-spy-data-but-an-uncompleted-puzzle.html>.
Gopalakrishnan, Kris S. (26 April 2016). Indian IT and ITeS Journey: Liberalisation and Beyond. Live Mint. <https://www.livemint.com/Opinion/fNjocJ9cwlGCDqLWt2OjXP/Indian-IT-and-ITeS-journey-Liberalization-and-beyond.html>.
Greenleaf, Graham (1 June 2014). India’s Draft the Right to Privacy Bill 2014 – Will Modi’s BJP Enact it? Privacy Laws & Business International Report. N°. 129. Pp. 21-24. Available at SSRN. <https://ssrn.com/abstract=2481796>.
Group of Experts on Privacy Chaired by Justice A.P. Shah (2012). Report of the Group of Experts on Privacy (Chaired by Justice A.P. Shah, Former Chief Justice, Delhi High Court). New Delhi, 16 October 2012. Planning Commission, Government of India. <planningcommission.nic.in/reports/genrep/rep_privacy.pdf>.
Gupta, Apar (18 September 2007). The Personal Data Protection Bill, 2006. India Law and Technology Blog. <https://iltb.net/the-personal-data-protection-bill-2006-7c66721ef8d>.
Guruswamy, Menaka (27 September 2010). Regulating the Gentleman’s Game: Intelligence Reform in India. Centre for the Advanced Study of India, University of Pennsylvania. <https://casi.sas.upenn.edu/iit/guruswamy>.
Headquarters Integrated Defence Staff (2017). Joint Doctrine Indian Armed Forces. New Delhi, April 2017. Directorate of Doctrine, Headquarters Integrated Defence Staff, Ministry of Defence. <https://www.ids.nic.in/IDSAdmin/upload_images/doctrine/JointDoctrineIndianArmedForces2017.pdf>.
Hooda, DS (26 June 2019). India’s New Defence Cyber Agency Will Have to Work around Stovepipes Built by Army, Navy & Air Force: Lt Gen DS Hooda. News18. <https://www.news18.com/news/opinion/new-defence-cyber-agency-will-have-to-work-around-stovepipes-built-by-army-navy-air-force-lt-gen-hooda-2204033.html>.
IAMAI (2019). India Internet 2019. New Delhi, 26 September 2019. IAMAI and Nielsen.Google Scholar
Institute for Defence Study and Analyses (2012). A Case for Intelligence Reforms in India. IDSA Task Force Report. New Delhi, 2012. Institute for Defence Study and Analyses. <https://idsa.in/system/files/book/book_IntellegenceReform.pdf.>.
Internet Democracy Project (2018). Is the Fourth Way Going Far Enough? Our Submission to Meity on Draft Personal Data Protection Bill 2018. New Delhi, 12 October 2018. Internet Democracy Project. <https://internetdemocracy.in/reports/pdpb/>.
Jain, Rohit (29 August 2019). Consumer Protection Act 2019 Ushers in More Benefits for Consumers. Bloomberg Quint. <https://www.bloombergquint.com/law-and-policy/will-the-new-consumer-protection-act-make-consumers-king>.
Jasrotia, Sahil Singh; Sharma, Roop Lal & Mishra, Hari Govind (2019). Disruptions in Indian Telecom Sector: A Qualitative Study on Reliance Jio. Indore Management Journal. Vol. 11, n°. 1. Pp. 37-45. <https://www.iimidr.ac.in/wp-content/uploads/Vol11-1-03.pdf>.
Joshi, Manoj & Das, Pushan (2015). India’s Intelligence Agencies: In Need of Reform and Oversight. ORF Issue Brief No. 98. New Delhi, July 2015. Observer Research Foundation. <https://www.orfonline.org/wp-content/uploads/2015/07/IssueBrief_98.pdf>.
Kanwal, Gurmeet (2018). Introduction: The Need for Defence Reforms. Kanwal, Gurmeet & Kohli, Neha (eds.), Defence Reforms: A National Imperative. New Delhi, Pentagon Press and Institute for Defence Studies and Analyses. <https://idsa.in/system/files/book/book-defence-reform.pdf>.
Kovacs, Anja & Ranganathan, Nayantara (2017). India. Association for Progressive Communications (ed.), Unshackling Expression: A Study on Laws Criminalising Expression Online in Asia. South Africa, Association for Progressive Communications. <https://www.giswatch.org/sites/default/files/giswspecial2017_web.pdf>.
Kovacs, Anja & Ranganathan, Nayantara (2019). Data Sovereignty, of Whom? Limits and Suitability of Sovereignty Frameworks for Data in India. Data Governance Network Working Paper 03. Mumbai, November 2019. Data Governance Network. <http://datagovernance.org/report/data-sovereignty>.
Krishnan, Vinayak & Sinha, Roshni (2019). Draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018. Rules & Regulation Review. New Delhi, 30 January 2019. PRS Legislative Research. <prsindia.org/sites/default/files/bill_files/IT%20Intermediary%20Guidelines%20Amendment%20Rules%20Brief-For%20Upload.pdf>.
Law Commission of India (2017). Hate Speech. Report 267. New Delhi, March 2017. Law Commission of India. <lawcommissionofindia.nic.in/reports/Report267.pdf>.
Mankotia, Anandita Singh (24 July 2019). Data Protection Bill: Changes Likely in Proposed Data Privacy Rules: Only Critical Data May Need to Be Housed in India. Economic Times. <https://economictimes.indiatimes.com/tech/internet/changes-likely-in-proposed-data-privacy-rules-only-critical-data-may-need-to-be-housed-in-india/articleshow/70355298.cms?from=mdr>.
Ministry of Electronics and Information Technology (2017). Constitution of a Committee of Experts to Deliberate on a Data Protection Framework for India. Office Memorandum No. 3(6)/2017-CLES. New Delhi, 31 July 2017. Ministry of Electronics and Information Technology, Government of India. <https://meity.gov.in/writereaddata/files/MeitY_constitution_Expert_Committee_31.07.2017.pdf>.
Ministry of Electronics and Information Technology (2018). Comments Invited on Draft Intermediary Guidelines 2018. New Delhi, 24 December 2018. Ministry of Electronics and Information Technology, Government of India. <https://meity.gov.in/comments-invited-draft-intermediary-rules>.
Ministry of Home Affairs (2011). Draft Bill on Right to Privacy. Office Memorandum No. II/20034/250/2011-IS-II. New Delhi, 29 September 2011. Ministry of Home Affairs, Government of India. <https://cis-india.org/internet-governance/draft-bill-on-right-to-privacy>.
Na, Vijayashankar (9 July 2018). Cyber Appellate Tribunal Back in Action through TDSAT. Naavi. <https://www.naavi.org/wp/cyber-appellate-tribunal-back-in-action-through-tdsat/>.
Nappinai, N.S. (2010). Cyber Crime Law in India: Has Law Kept Pace with Emerging Trends? An Empirical Study. Journal of International Commercial Law and Technology. Vol. 5., n° 1. Pp. 22-28.Google Scholar
Narrain, Siddharth (2016). Hate Speech, Hurt Sentiment and the (Im)Possibility of Free Speech. Economic and Political Weekly. Vol. 51, n°. 17. <https://www.epw.in/journal/2016/17/special-articles/hate-speech-hurt-sentiment-and-impossibility-free-speech.html>.
Pal, Sherill (6 February 2019). Intermediary Liability: Un-safe Harbour? Fortune India. <https://www.fortuneindia.com/opinion/intermediary-liability-un-safe-harbour/102944>.
Pandit, Rajat (29 April 2019). Forces Prepare to Deal with Cyber-attacks on Key Infrastructure. Economic Times. <https://economictimes.indiatimes.com/news/defence/forces-prepare-to-deal-with-cyber-attacks-on-key-infrastructure/articleshow/69091292.cms>.
Planning Commission (2011). Constitution of Group of Experts to Deliberate on Privacy Issues. Office Memorandum No. 13040/47/2011-CIT&I. New Delhi, 26 December 2011. CIT & I Division, Planning Commission, Government of India. <https://cis-india.org/internet-governance/constitution-of-group-of-experts.pdf>.
Ranganathan, Nayantara (9 August 2018). India’s Data Protection Draft Ignores Key Next-Generation Rights. Asia Times. <https://www.asiatimes.com/2018/08/opinion/indias-data-protection-draft-ignores-key-next-generation-rights/>
Rej, Abhijnan & Joshi, Shashank (2018). India’s Joint Doctrine: A Lost Opportunity. ORF Occasional Paper 139. New Delhi, January 2018. Observer Research Foundation. <https://www.orfonline.org/research/india-joint-doctrine-lost-opportunity/>.
Reserve Bank of India (2018). Storage of Payment System Data. Circular DPSS.CO.OD.No 2785/06.08.005/2017-18. Mumbai, 6 April 2018. Reserve Bank of India. <https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0>.
Saikia, Arunabh (7 April 2018). India’s Internet Shutdown: Most States Block Services without Following Centre’s Rules. Scroll. <https://scroll.in/article/874565/internet-shutdown-most-states-continue-to-block-services-without-adhering-to-the-centres-new-rules>.
Sagar, Pradip R. (1 June 2019). Three-pronged Plan. The Week. <https://www.theweek.in/theweek/current/2019/05/31/three-pronged-plan.html>.
Sagar, Pradip R. (9 November 2019). Tech, A Risk. The Week. <https://www.theweek.in/theweek/cover/2019/11/09/tech-a-risk.html>.
Samanta, Pranab Dhal (7 January 2019). Government Exploring Ways to Exempt Security Agencies from Data Protection Bill. Economic Times. <https://economictimes.indiatimes.com/news/politics-and-nation/government-exploring-ways-to-exempt-security-agencies-from-data-protection-bill/articleshow/67413173.cms?from=mdr>.
Sarkar, Torsha (12 August 2019). Rethinking the Intermediary Liability Regime in India. CyberBRICS. <https://cyberbrics.info/rethinking-the-intermediary-liability-regime-in-india/>.
Sawhney, Pravin (17 August 2019). Where Does CDS Fit In? The Tribune. <https://www.tribuneindia.com/news/archive/where-does-cds-fit-in-818565>.
Shourie, Arun (2003). Statement by H.E. Mr. Arun Shourie, Minister for Information Technology, Communications and Privatisation, Government of India, at the World Summit on Information Society. Geneva, 11 December 2003. Permanent Mission of India to the Offices of the United Nations, Its Specialised Agencies and Other International Organisations in Geneva. <http://www.itu.int/net/wsis/geneva/coverage/statements/india/in.html>.
Sinha, Amber (2017). Social Media Monitoring. Bangalore, 13 January 2017. Centre for Internet and Society. <https://cis-india.org/internet-governance/files/social-media-monitoring/at_download/file>.
Sircar, Sushovan & Sachdev, Vakasha (30 October 2019). Kudankulam Cyber Attack Did Happen, Says NPCIL a Day after Denial. Bloomberg Quint. <https://www.bloombergquint.com/politics/kudankulam-nuclear-power-plant-malware-attack-correct-confirms-npcil>.
SFLC.in (2014). India’s Surveillance State. New Delhi, March 2014. SFLC.in. <https://sflc.in/sites/default/files/wp-content/uploads/2014/09/SFLC-FINAL-SURVEILLANCE-REPORT.pdf>.
SFLC.in (2018). Living in Digital Darkness: A Handbook on Internet Shutdowns in India. New Delhi, May 2018. SFLC.in. <https://sflc.in/sites/default/files/reports/Living%20in%20Digital%20Darkness%20-%20A%20Handbook%20on%20Internet%20Shutdowns%20in%20India%2c%20May%202018%20-%20by%20SFLCin.pdf>.
Srikumar, Madhulika; Srinivasan, Sreenidhi; Kennedy-Mayo, DeBrae & Swire, Peter (2019). India-US Data Sharing for Law Enforcement: Blueprint for Reforms. New Delhi, January 2019. Observer Research Foundation and Cross-Border Requests for Data Project of the Georgia Tech Institute for Information Security and Privacy. <https://www.orfonline.org/research/india-us-data-sharing-for-law-enforcement-blueprint-for-reforms-47425/>.
Srivas, Anuj (12 December 2016). The Tragic and Comedic Functioning of India’s Cyber Appellate Tribunal. The Wire. <https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-tribunal>.
Suhag, Roopal & Sinha, Roshni (2018). The Consumer Protection Bill 2018. Legislative Brief. New Delhi, 27 April 2018. PRS Legislative Research. <prsindia.org/sites/default/files/bill_files/Legislative%20Brief%20-%20Consumer%20Protection%20Bill%2C%202018_0.pdf>.
Tewari, Ruhi & Nayak, Malathi (23 December 2008). Govt Pushes Through IT Bill; Wins Digital Snooping Right. Live Mint. <https://www.livemint.com/Home-Page/wRQFhAdHHDhAHWBj6qEUBJ/Govt-pushes-through-IT-Bill-wins-digital-snooping-right.html>.
Upadhya, Carol (2011). Software and the ‘New’ Middle Class in the ‘New India’. Baviskar, Amita & Ray, Raka (eds.), Elite and Everyman: The Cultural Politics of the Indian Middle Classes. New Delhi, Routledge.Google Scholar
Varma, Satvik (2 September 2019). Consumer Protection Act 2019: Enhancing Consumer Rights. Bar and Bench. <https://www.barandbench.com/columns/consumer-protection-act-2019-enhancing-consumer-rights>.
Vivekananda International Foundation (2019). Credible Cyber Deterrence in Armed Forces of India. VIF Taks Force Report. New Delhi, March 2019. Vivekananda International Foundation. <https://www.vifindia.org/sites/default/files/Credible-Cyber-Deterrence-in-Armed-Forces-of-India_0.pdf>.

Copyright information

Authors and Affiliations

Anja Kovacs
- 1
Email author

1.Internet Democracy ProjectNew DelhiIndia

Cybersecurity and Data Protection Regulation in India: An Uneven Patchwork

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite chapter