Cyber Law in Digital & Social Media

Amit K Kashyap
ILNU
Introduction
Cyber Law is the law governing cyber space.

Cyber law encompasses laws relating to:

1. Cyber Crimes

2. Electronic and Digital Signatures

3. Intellectual Property

4. Data Protection and Privacy


Jurisprudence of Indian Cyber Law
● The primary source of cyber law in India is the Information Technology Act,
2000 (IT Act), which came into force on 17 October 2000.
● The Information Technology Act, 2000 is based on the model law on
electronic commerce adopted by the United Nations Covenant on
International Trade Law (UNCITRAL).
● The I.T. Amendment Act 2008 aims at protection of personal data and
information, and implementation of security practices.
● The Amendment deals with new forms of crime like publishing sexually
explicit materials in electronic form, video voyeurism and breach of
confidentiality and leakage of data by intermediary, e-commerce frauds like
personation (known as phishing), identity theft and offensive messages
through communication services.
Cyber Law in Digital & Social Media
● The exponential growth and impact of these websites have
attracted cyber offenders to commit cybercrimes on social
media, posing a threat to the privacy of individuals as well
as national security.
● National Investigation Agency through its sources has
informed that every sixth cybercrime in India is committed
through social media. There has been around 70% rise in
cybercrimes annually between 2013 and 2015 according to
data provided by National Crime Records Bureau (NCRB).
● Cyber-attack on social media is generally understood as an
infringement of the Data Protection laws. An individual’s
details like name, address, interests, family, etc. are often
available on various social media web sites.
Types of Cyber Crimes:
• Cyber Bullying, Cheating by Personation, Identity Theft
• Obscene Material, Offensive/Harassing Messages, Cyber Extortion
• Virus Attacks, Hacking
• Publishing/Circulation of Rumours, especially hurting religious, tribal and communal sentiments
• IPR Violations, Financial Frauds, Skimming, Cyberstalking
• Cyber Terrorism
Criminal Actions
● 66A: Sending offensive messages through a communication service, causing
annoyance etc. through an electronic communication, or sending an email to mislead
or deceive the recipient about the origin of such messages (commonly known as IP
or email spoofing) are all covered here. Punishment for these acts is imprisonment
up to three years or fine.
● 66B: Dishonestly receiving a stolen computer resource or communication device, with
punishment up to three years or one lakh rupees as fine or both.
● 66C: Electronic signature or other identity theft, like using others’ password or
electronic signature etc. Punishment is three years imprisonment or fine of one lakh
rupees or both.
● 66D: Cheating by personation using a computer resource or a communication device
shall be punished with imprisonment of either description for a term which may extend to
three years and shall also be liable to fine which may extend to one lakh rupees.
Data Protection Law
IT Act:
● Section 43A widens the scope of data protection by inclusion of definition of “Sensitive
Personal Data or Information”, and also imposes a responsibility for “Reasonable Security
Practice” to be followed by the data handlers. In case of infringement, data handlers and
cyber offenders can be slapped with an exorbitant penalty which may even exceed Rs. 5
crores.
● Section 72A specifies liability for intermediary if he discloses “personal information” which
he accessed while providing services under a contract and such disclosure was made with
an intention to cause or knowledge that he is likely to cause wrongful loss or wrongful gain
to a person.
● Sections 69 and 69B empower the State to issue directions for interception, monitoring
and even collection of traffic data or information through any computer resource for cyber
security.
● Liability of Intermediaries: Section 79
Data protection

• Data protection obligations include
– lawful procurement
– lawful purpose
– lawful use
– adequacy test - not excessive
– accuracy and updation
– access to persons concerned
– security
Intermediary Guidelines

• Information Technology (Reasonable security practices and procedures
and sensitive personal data or information) Rules, 2011 (replaced)
• Information Technology (Guidelines for Intermediaries and Digital
Media Ethics Code) Rules, 2021
– intermediaries to publish their rules and regulations, privacy policy
and user agreement on their websites/applications
• General Data Protection Regulations (GDPR)
• Shreya Singhal v Union of India (2015)
• K. S. Puttaswamy (Retd.) and Anr. vs Union Of India (2019)
Intermediary Definition
● “Intermediary” is defined under Section 2(1)(w). It reads as:
● “intermediary”, with respect to any particular electronic records, means any
person who on behalf of another person receives, stores or transmits that
record or provides any service with respect to that record and includes
telecom service providers, network service providers, internet service
providers, webhosting service providers, search engines, online payment
sites, online-auction sites, online-market places and cyber cafes;
● Under the Information Technology Act, 2000 intermediary was defined as any
person, who on behalf of another person, receives, stores or transmits that
message or provides any service with respect to that message.

● The Information Technology Amendment Act 2008 has clarified the definition of
“Intermediary” by specifically including
○ the telecom service providers,
○ network providers,
○ internet service providers,
○ web-hosting service providers
in the definition of intermediaries, thereby removing any doubts.
● Furthermore,
○ search engines,
○ online payment sites,
○ online-auction sites,
○ online market places and
○ cyber cafés
are also included in the definition of the intermediary since 2009.
New Provisions
● Under the Information Technology Amendment Act, 2008, Section 79 has
been modified to the effect that an intermediary shall not be liable for any
third party information, data or communication link made available or
hosted by him.
● As a result of this provision, social networking sites like Facebook,
Twitter, Orkut etc. would be immune from liability as long as they satisfy
the conditions provided under the section. Similarly, Internet Service
Providers (ISP), blogging sites, etc. would also be exempt from liability.
Sec 4(3) IPC

● Any person in any place without & beyond India committing offence
targeting a computer resource located in India.
ISP & Copyright Law
● Both EU and USA provide specific exclusion to internet service providers under the
respective copyright legislations.

● In order to clarify the issue and put the controversy to rest, Indian legislators need to
insert a similar provision providing immunity to ISPs in the Copyright Act, 1957.

● The most controversial portion of the IT Amendment Act 2008 is the proviso that has
been added to Section 81 which states that the provisions of the Act shall have
overriding effect.
Section 81 - Act to have overriding effect
● “Provided that nothing contained in this Act shall restrict any person from
exercising any right conferred under the Copyright Act, 1957 (14 of 1957) or
the Patents Act, 1970.”

● This provision has created a lot of confusion as to the extent of immunity
provided under section 79.
● This section therefore says that the provisions of the IT Act will override any
conflicting provisions in other Acts.

● The 2008 Amendment added a proviso to section 81 that limits its
application to the Copyright and Trademark Acts.

● It says that “nothing contained in this Act shall restrict any person from
exercising any right conferred under the Copyright Act, 1957 or the Patents
Act, 1970”.
Liability of Intermediary: Recent Changes
● The safe harbour protection available to intermediaries is
conditional upon their observing due diligence while
discharging their duties and observing guidelines issued by
the Government in this regard.
○ These guidelines were issued in the form of the
Information Technology (Intermediary Guidelines) Rules,
2011, later replaced by the Information Technology
(Intermediary Guidelines and Digital Media Ethics Code)
Rules, 2021 (IL & DMEC Rules).
Summary
Part II of the Intermediary and Digital Media Guidelines discusses the due diligence and grievance
redressal requirements that are to be followed by an intermediary.
Due Diligence by Intermediary
Every intermediary—including SMIs and SSMIs—must:
● Publish a privacy policy with a warning not to host, display, upload, publish, or transmit any information that
is untrue or defamatory, obscene, invasive of privacy, or violative of any law in force or threatens the unity,
integrity, and sovereignty of the State on its website and mobile application. The privacy policy should state
that hosting or publishing such information may result in account cancellation.
● Inform users at least once a year that the intermediary may terminate the user agreement if they violate
rules, laws, or privacy policies.
● Remove any illegal information or data related to contempt of court, defamation, or the integrity and
sovereignty of India, public order, decency, or morality within 36 hours of obtaining an order under Section
79(3)(b) of the Act. To the intermediary's Grievance Officer.
● Inform users of the intermediary's rules, regulations, privacy policy, and any changes at least once a year.
● Keep all illegal data for 180 days after blocking access, for investigation purposes.
● Keep user data for 180 days following account closure.
● Respond to a written order from the investigative agency within 72 hours.
● Appointment of Chief Compliance Officer, Nodal Contact Person, and Grievance Officer: Social media intermediaries
must appoint a Chief Compliance Officer, a Nodal Contact Person, and a Grievance Officer who must be residents of
India. These individuals are responsible for addressing complaints or grievances received from users and
coordinating with government agencies.
● Grievance Redressal Mechanism: Social media intermediaries are required to establish a robust grievance redressal
mechanism to address complaints or grievances from users. The grievances must be acknowledged within 24 hours
and resolved within 15 days.
● Traceability of Messages: Social media intermediaries are required to enable the identification of the originator of
messages that are deemed to be related to the sovereignty and integrity of India, security of the state, or public order.
This is aimed at addressing concerns related to fake news, misinformation, and harmful content.
● Compliance with Codes of Ethics: Social media intermediaries are required to adhere to a code of ethics, which
includes the prohibition of content that is obscene, defamatory, threatening, or invasive of privacy. They are also
required to display appropriate ratings for content and establish mechanisms to address concerns related to content
classification.
● Data Protection: Social media intermediaries are required to have mechanisms in place to secure user data and
comply with data protection laws in India. They are also required to provide users with the option to verify their
accounts and to voluntarily disclose the origin of any sponsored content.
● Cooperation with Government Agencies: Social media intermediaries are required to provide necessary information
and assistance to government agencies for the purpose of investigation or prevention of offenses related to
sovereignty and integrity of India, security of the state, or public order.
● Compliance Reporting: Social media intermediaries are required to submit periodic compliance reports to the Indian
government, detailing their compliance with the guidelines.
Data Protection Bill

India does not have a standalone comprehensive data protection law.
However, the Personal Data Protection Bill, 2019 (PDPB) has been
proposed and is currently under consideration by the Indian government.
The PDPB aims to regulate the collection, processing, storage, and
transfer of personal data in India and provide a framework for protecting
the privacy rights of individuals.
GDPR AND ITS COMPLIANCE
WHO NEEDS TO COMPLY?

1. Any company having operation/presence in the EU.
2. Any company not having operation/presence in the EU but stockpiles and uses information of EU citizenry.
3. The employee strength should be more than 250.
4. Less than 250 employees, yet its data processing affects data subjects' rights and freedoms, is ongoing, or
involves certain sensitive personal data.

The compliance is thus for every company directly or indirectly involved in stocking and using the information of the
citizens of the EU.

WHAT ARE THE MAJOR COMPLIANCES THAT COMPANIES HAVE TO COMPLY WITH?

There is one standard that every company eligible under GDPR has to comply with. There are several compliances;
some of the major ones are as follows:

1. Visitors to the website are informed of the data collection.
2. By clicking a button or taking another action, visitors voluntarily consent to this information collection.
3. If any of the personal data held by a website is ever compromised, the site promptly notifies its visitors.
4. An evaluation of the website's data security is required.
5. Whether a current employee may fulfil this role without needing to hire a dedicated Data Protection Officer (DPO)
