At the point of a gun

The amendment in the IT Act is unsatisfactory, and it should not have been passed without debate

A long-felt need to update the law so as to improve data security in India, sought by the information technology industry, has been enacted, but how! The need was felt from early in the decade and the IT ministry under Arun Shourie (during NDA rule) worked on it before all work stopped during Dayanidhi Maran’s charge in the UPA government. After a couple of spectacular instances of data theft, one of them as a result of a sting operation by a western publication, an amendment to the IT Act was tabled in Parliament. This was immediately condemned as unsatisfactory and the relevant parliamentary standing committee began work on the draft legislation. The government woke up from its languorous pace after the Mumbai terrorist attacks in November, which made clear the need to have the power to intercept computer messages. The amendment was tabled in Parliament on the 16th of December. Till then, the experts dealing with the subject had absolutely no idea as to what was on the government’s mind. The Bill was passed into law early last week, without discussion, as opposition members demonstrated in the well of the house against the remarks of A R Antulay. If this is the way India is to give itself a much-needed law without public scrutiny, and with the terrorist’s gun pointed at its head, then the danger to the republic from within is as serious as the danger from without.

Experts who have taken a quick first look at the new legislation divide themselves into two groups. Those dealing with IT are generally happy. But civil society groups concerned with issues of privacy and individual rights are worried. The new law provides for security of information whereas the emphasis in the earlier 2000 legislation was on security of devices. Now, stealing or misusing information can get a person upto three years in prison and a fine of up to Rs 1 lakh. Such an offence has also been made cognizable and compoundable. A complaint can now be investigated by a police inspector; earlier it was a deputy superintendent of police. As the stringent provisions of the law will result in more investigations, there is a need to strengthen the force dedicated to the task as also to give it proper training. Importantly, the Bill puts a lot of responsibility on the shoulders of any company under whose supervision a breach takes place. Now it, along with its directors and officials, will be liable and there is no limit to the compensation that can be claimed for loss due to breach of data security. The law also makes it mandatory for internet service providers to preserve data for a specified period so that investigations can be carried out.

Those concerned with citizens’ rights are worried that under the new dispensation any offence, not just a cognizable one, can be investigated through interception. If misused, this power to snoop will affect privacy and possibly the freedom of speech and expression. While no one disputes the need to cast a watchful eye over internet traffic, the serious lacuna lies in the absence of safeguards against misuse. There is confusion also over how information will be collected by investigators, how it will be shared, and with whom. This is an unsatisfactory law, and Parliament should not have passed it without debate.