 "Why India's IT Act needs an overhaul")
The government is finally looking at revamping the Information Technology Act, 2000, which deals with cyber crimes and e-commerce. The move comes at a time when there is a growing feeling among legal experts that the current Act, last amended in 2008, does not adequately cover certain aspects of cyber security, mobile crimes and issues around abuse and misuse of the social media. There has also been a raging debate on the need for comprehensive data protection and privacy legislation given the thrust on e-delivery of government services and digital businesses.
According to cyber security expert and Supreme Court lawyer Pavan Duggal, the IT Act came into play as sector-specific e-commerce legislation. "Overtime, it has transformed into India's omnipotent digital legislation. In the past 16 years, the Act has gone on to encompasses everything digital, including the mobile, cyber, internet and the World Wide Web", he says.
To keep up with the changing times, the Act was amended in 2008. It introduced the Section 66A that penalised the use of "offensive messages". Section 69 gave power to authorities to intercept, monitor or decrypt information, and introduced penalties for child pornography, cyber terrorism and voyeurism.
Subho Ray, president, Internet and Mobile Association of India, feels that the tone of the Act has been punitive than being developmental. "The IT Act should have defined broad parameters that govern the digital economy," he said. Given the proliferation of digital media in recent years, the Act needs to expand the definition of intermediaries, he adds.
Many in the industry feel that all stakeholders should be widely consulted before making changes in the IT Act.
There has been a growing demand from the IT sector for privacy and data protection legislation. "A comprehensive privacy regime is needed due to accelerated adoption of digital technologies in Internet, banking, e-commerce and e-governance services. There ought to be well-defined guidelines on how organisations deal with personally identifiable information," says Rama Vedashree, CEO of Data Security Council of India, an industry body set up by Nasscom to strengthen the security and privacy culture in the country.
Vedashree points out that privacy is becoming an important determinant in a country's share in the global digital market, impacting cross-border data flows. "In the absence of comprehensive privacy laws, the Indian outsourcing industry may lose existing and new business opportunities to countries with stronger privacy and data protection laws," she adds.
Some provisions for privacy protection were brought in when the IT Act was amended in 2008 for certain sensitive personal data. However, the provisions did not apply to government data. The proliferation of personal data generated at the level of government bodies - given the National Democratic Alliance government's thrust on e-governance - has alarmed several IT experts.
Interestingly, an expert group headed by judge A P Shah appointed by the United Progressive Alliance government in 2012 to arrive at the principles of the privacy law recommended that privacy safeguards should apply to both government and private sector entities. The group had also recommended setting up of self-regulating organisations by industry to develop base-level legal framework that would protect and enforce an individual's right to privacy. The entities that collect and process the data should be made accountable for ensuring privacy, the expert group had said.
However, nothing much has moved since then, say industry players. "The recommendations were put on the back burner. However, now that the government is looking to revamp the IT Act, it is time to start discussions again," says an IT industry player.
"Although not a substitute, certain requirements can be incorporated in the IT Act and other laws such as Consumer Protection Act, till the time we have comprehensive privacy legislation," says Vedashree.
Duggal, too, feels that the government might decide to incorporate some provisions of the privacy and data protection legislation in the IT Act as an interim measure.
The ball is now in the government's court to arrive at a comprehensive legislation to regulate the digital economy.
