
CYBERSECURITY LAWS-EMERGING THREATS AND LEGAL REMEDIES (4-minute read)

Writer: Kaustav Chowdhury


INTRODUCTION

In an increasingly digitized world, cybersecurity has become a critical issue, impacting individuals, businesses, and governments without mercy. Cybercrime, ranging from identity theft and hacking to ransomware attacks and online fraud, poses a significant threat to national security, financial systems, and personal privacy. An attack on any of these has the potential to leave entire economies crippled, which is why the Indian government has implemented legal frameworks aimed at preventing and prosecuting cybercrimes. The primary legislation governing cybersecurity in India is the Information Technology Act, 2000 (“IT Act”). Additionally, judicial interpretations and amendments to this Act have further shaped India's approach towards cybersecurity.


Naturally, given the current scenario, we cannot leave AI out of any conversation about computers. The rapid integration of Artificial Intelligence (AI) into both defensive and offensive strategies has drastically reshaped the cybersecurity landscape. While AI has bolstered cyber defenses, its use in malicious activities poses unprecedented threats. These AI-driven cyber threats are not only more sophisticated but also exploit the very systems designed to protect users. AI enables highly personalized phishing attacks, allowing cybercriminals to analyse online behaviours, social media activity, and digital footprints to craft emails or messages that are virtually indistinguishable from legitimate communications. This precision significantly increases the likelihood of unsuspecting individuals clicking on malicious links or revealing sensitive information, making phishing more effective than ever. These highly personalised attacks, also known as spear-phishing attacks, used to be an intensive mission, like something out of a Hollywood spy film, where thought, time and resources had to be put towards carrying out a scam against a particular individual. Regular phishing scams, by contrast, are carried out en masse, with bulk emails sent in the hope that a few recipients will take the bait and convert into profits. With the advent of AI, the potential success rate of the spear-phishing scam is combined with the ease and scale of regular phishing.

Deepfake technology presents another potent threat. AI-powered tools can create hyper-realistic video or audio content that mimics real individuals. Cybercriminals have used this to impersonate CEOs or public officials to authorize fraudulent transactions, access sensitive data, or spread misinformation. The impact of such attacks extends beyond financial losses, as they can also erode trust in digital communications and may even cause irreparable damage to a person and his reputation.


INFORMATION TECHNOLOGY ACT

Enacted to provide legal recognition to electronic transactions and safeguard digital systems, the IT Act criminalizes various cyber offenses and provides enforcement mechanisms. Section 43 of the IT Act imposes penalties for unauthorized access to computer systems, including introducing malware, causing damage to data, and conducting denial-of-service attacks. This section provides a civil remedy, allowing individuals or organizations to seek compensation for damages caused by cyber intrusions.


For more serious offenses, Section 66 of the Act deals with hacking, making it a criminal offense. Hacking is defined as any act of accessing a computer system without authorization with the intent to cause harm or destroy data. The punishment under this section includes imprisonment for up to three years and a fine.


Identity theft is also addressed under Section 66C, which criminalizes the fraudulent use of another person's digital identity, including passwords, digital signatures, and biometric data. This section is crucial for protecting individuals from cyber impersonation and online fraud.

Phishing scams and online cheating, which have been spreading like wildfire since the pandemic hit[i], are covered under Section 66D, which punishes anyone who cheats by personation using computer resources. This provision addresses cybercrimes such as email scams, fraudulent financial transactions, and online impersonation.


One of the most debated sections of the IT Act is Section 69, which grants the government the power to intercept, monitor, and decrypt information in the interest of national security, public order, or to prevent incitement to offenses. While the provision aims to enhance national security, it has also raised concerns about potential misuse and violation of privacy rights.


DIGITAL PERSONAL DATA PROTECTION ACT

India’s recent legislative efforts to address data privacy culminated in the Digital Personal Data Protection Act, 2023 (“DPDP Act”), which establishes a framework for processing personal data in the digital age. Enacted in August 2023, the Act emphasizes transparency and consent, mandating that personal data can only be processed with the Data Principal's informed and unambiguous approval, barring a few exceptions for legitimate state functions, emergencies, or public health. Section 6 of the Act highlights the right of individuals to withdraw consent, facilitated by a Consent Manager, ensuring autonomy over personal information. The Act imposes obligations on Data Fiduciaries to ensure data accuracy, implement security measures, and notify breaches.


CASE LAWS

Shreya Singhal v. Union of India[ii]

In this case, the Supreme Court struck down Section 66A of the IT Act. This provision criminalized sending offensive messages through electronic communication, but the court held it unconstitutional for violating the right to freedom of speech and expression under Article 19(1)(a) of the Constitution. The judgment emphasized the importance of clear, specific, and reasonable restrictions on free speech in cyberspace, thereby setting a precedent for balancing cybersecurity concerns with fundamental rights.


Manohar Lal Sharma vs. Union of India[iii]

This case addressed allegations of the misuse of Pegasus spyware to conduct unauthorized surveillance on journalists, activists, and politicians. The Supreme Court reaffirmed privacy as a fundamental right under Article 21 and emphasized that surveillance must satisfy the tests of legality, necessity, and proportionality. It rejected the government's blanket invocation of national security to avoid scrutiny and appointed an independent committee to investigate the matter. The Court stressed that national security cannot be used to justify privacy violations without judicial oversight, marking a pivotal moment in India's cybersecurity and privacy discourse.


[i] MeitY (India), Incidents of cyber attacks across India from 2015 to 2022 (in 1,000s), Statista, https://www.statista.com/statistics/1201177/india-number-of-cyber-attacks/ (last visited January 13, 2025)

[ii] 2015 AIR SCW 1989

[iii] 2021 INSC 682

 

Disclaimer:

This post is for informational purposes only and does not constitute legal advice. The contents are based on general legal principles and should not be construed as specific advice for any individual or entity. Readers are advised to seek professional legal counsel tailored to their particular circumstances before taking any action based on the information provided.

The sharing of this post does not create an attorney-client relationship between the authors, the firm, and the readers. While every effort is made to ensure the accuracy of the information at the time of publication, laws and regulations are subject to change, and no liability is accepted for any errors or omissions.

For further assistance or professional advice, please contact Sansa Legal directly.

 

 
 
 
