Law Regarding Data Theft in India

In today’s world we all use the internet for most of our work, may it be for paying our bills, bank transfers, verification, etc. This means that a lot of our personal data is there on these online resources. This data can be exploited by others if it falls in the wrong hands. So to avoid such situations and circumstances, there is a need for proper laws and legislation so that this personal data can be protected. In India, there is no proper legislative framework for the protection of data theft.. As we all know, India is one of the largest hosts of outsourced data processing and it could also become the epicenter of the highest number of cyber-crimes if proper legislation is not introduced. The Data Security Council of India (DSCI) and the Department of Information Technology(DIT) must also rejuvenate their efforts in this regard on similar lines. Not only this, if we want to protect the data, some of the best solutions will be available if there are proper laws made along with suitable public and employee awareness. If we want to reduce cyber-crime in India we need to have strong cyber laws. Not only this but it must also be supported by sound cybersecurity and effective cyber forensics.

Charges that can be filed under such offenders:

  • Section 43A of the IT Act: Talks about how if a body corporate possesses any kind of sensitive data shows any kind of negligence in the maintenance or implementation of keeping that data secure, and due to this any loss or gain is caused to any person, in such cases the body corporate will have to compensate the person who has been affected. The term body corporate is wide enough to include a company, a firm, sole proprietorship, or other association of individuals engaged in professional or commercial activities. Though this law exists, the flaw with this section is that it does not clearly define the term sensitive personal data or information.
  • Section 43 (b) of the IT Act :

This section gives protection against unauthorized downloading, copying, extracting information, data, or a database, by imposing heavy civil compensation which could run into crores of rupees.

  • Section 43 (c)

This section helps to provide compensation in case of unauthorized introduction of computer viruses or other contaminants.Section 43(c)(i) provides compensation for destroying, deleting, or altering any information residing on a computer or diminishing its value.

  • Section 65 of IT Act:

According to this section, if anyone intentionally conceals, destroys, alters, or does any such activity to the data, in that case, he will be punished. This protection was provided to curb tampering of computer source documents.

  • Section 66 of the IT Act

This section talks about offenses related to computers. According to this section, if a person dishonestly or by fraud commits any act mentioned in section 43 of the IT Act will be punished under this act.

  • Section 70 of the IT Act:

This section safeguards data stored in the protected system. According to this section, if the data stored in a protected system, that is the government. In such a case, if anyone tried to access or attempts to steal this data will be held liable.

  • Section 72 of the IT Act:

According to this section, there is a limitation to information that is obtained under power. Section 72 is wider and it also extends to the disclosure of personal information of a person when done without consent for providing services under a lawful contract and not merely a disclosure of information obtained under powers granted under the IT Act. This act was instituted for protection against personal data.

  • Section 22 of Indian Penal Code, 1860 

According to this section, if data is stored in a medium like a CD, floppy, USB, etc, then the person who does this act will be held liable. But the flaw in this act is that if the data is transferred electronically, it won’t fall under the ambit of this section.

  • Section 405 and Section 408 of the Indian Penal Code, 1860

This section talks about the criminal breach of trust. This section applies to those who have been entrusted with property or with any dominion over property and uses it wrongfully or dishonestly for their use or else in a way that violates the law and in turn due to this the other person suffers loss. This can be either express or implied.

  • Section 2(o) and Section 63 of the Copyright Act

According to this section, if the data that is stolen is shared with another party, the victim can file a complaint of criminal conspiracy, collusion, and common intention under this act. By stealing the data, the person acts as an accomplice in the commission of the act. The term “literary work” includes computer databases.

Indian Judiciary on the regulation of personal data:

In the case of Balu Gopalakrishnan v. State of Kerala[1], the High Court passed an interim order for the data related to the export of COVID-19 to the US-based entity, Sprinkler for data analytics. The court said that the implementation of certain measures is necessary before granting permission to such information. This judgment established an important benchmark for all public-private partnerships in the post-COVID-19 era in the field of data protection.

In another case, Subhranshu Rout and  Gugul v. State of Odisha[2], the High Court observed the importance of the right to be forgotten and the need for it to be addressed in legislation. In this case, objectionable content about a woman was posted online. Though the victim did not make any argument regarding this, the court encouraged the victim to take appropriate orders so that she could protect her fundamental right to privacy even in the absence of an explicit right to be forgotten. Such a right helps to safeguard a woman’s right online.

 Analysis of laws related to data theft in India:

Data theft has emerged as one of the major cyber-crimes that have been committed worldwide. A large number of cyber-crimes are being committed on a large scale and not only in India but even across continents. There have been several efforts to make data protection law a separate discipline. There is a need for comprehensive data protection legislation that will protect the rights of data subjects, that will vehemently prohibit the use of collected data for any purpose other than for which it has been. Though we have  Information Technology Act, 2000, this is not for data protection or privacy. It is generic legislation. It only deals with it in a piecemeal fashion. Not only this, but it is also a violation of Articles 21 and 14. Data theft is the encroachment of privacy, hence it falls under the ambit of article 21[3]. On the other hand, Article 14[4] which is a guarantee against arbitrary state action. A draft of the new e-commerce policy has reportedly been in the works[5] and proposes to set up an e-commerce regulator with wide-ranging powers over e-commerce entities and platforms. The draft contained wide-ranging proposals on sharing source codes, algorithms, and other data with the Government, use of non-personal data of consumers, anti-piracy, cross-border data flows, etc. As per more recent media reports, the Central Government is in the ‘final stages of drafting India’s e-commerce policy[6] and may set up an ‘investigation body’ to look into violations by e-commerce entities[7]


It is very important to reform laws related to data protection in India. 2020 has laid the groundwork for a pipeline of developments on the privacy and data protection front. We have seen that the scope of scope and purpose of the PDP Bill broadened before it is tabled before the Parliament in 2021. Significant regulations can be expected on the economic and commercial usage of non-personal data, as well as ownership aspects.. However, in the backdrop of the PDP Bill, we expect to continue to see industry-specific data policies and regulation by sectoral regulators such as drone-related policies which may give rise to new issues including cybersecurity and mandatory disclosure to the Government. It is also clear that the judiciary is more cognizant of privacy rights than ever before, which is a sign of a strong data protection regulation ahead.

[1] Balu Gopalakrishnan v. State of KeralaWP (C) 9498/2020

[2]Subhranshu Rout and Gugul v. State of Odisha  BLAPL No. 4592 of 2020

[3] Article 21 states that: “No person shall be deprived of his life or personal liberty except according to procedure established by law”.

[4] Article 14 states that “the State shall not deny to any person equality before the law or the equal protection of the laws within the territory of India”.

[5] Available at (Last accessed on May 26, 2021)

[6] Available at (Last accessed on May 26, 2021)

[7] Available at (Last accessed on May 26, 2021)

Author: Nikita Barreto from Christ University.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s