Data Theft rules and regulations: Things you should know

Though the IT Act appears to be adequate in this regard, it is insufficient in addressing the minute technical intricacies involved in such a crime, leaving gaps in the law and allowing the perpetrators to get away with it.

By Sarth Sharma. Published 3 years ago. 12 min read.
Issues Faced

The most serious problem with data theft is its international nature; for example, systems may be accessed in the United States, data exploited in China, and the effects felt in India. Different sovereignties, jurisdictions, laws, and rules come into play as a result, which is a problem in and of itself. Furthermore, gathering evidence in such circumstances becomes a problem because conducting an investigation in three different countries that do not all speak the same language is nearly impossible, and our cops’ lack of technological know-how adds to the problems. Another issue is a lack of cooperation between various investigating agencies and a shaky extradition process. The most critical of all of these problems is the lack of clear legislation in the country dealing with this crime, which means that even if the perpetrator is apprehended, he can easily get away by using some of our legal loopholes. Data and IT services provide better protection against data theft.

We’ve compiled a list of ten data protection laws from around the world that businesses should be aware of. The IT Security Standards provide a complete guideline in this field.

1. General Data Protection Regulation (GDPR) (EU)

The General Data Protection Regulation (GDPR) of the European Union went into effect on May 25, 2018, and it has had a far-reaching ripple effect, putting data protection into the public eye and onto legislative agendas all over the world.

GDPR is the most dramatic reform in the data privacy policy in the last 20 years, offering unparalleled levels of security and individual empowerment.

The European Union’s current data protection policy imposes new requirements on businesses and organisations to ensure the privacy and protection of personal data, grants data subjects certain privileges, and empowers regulators to demand transparency demonstrations or even levy fines in cases of non-compliance. The GDPR’s main principles include lawful, fair, and transparent processing, clear and explicit consent, mandatory breach notification, the right to access, the right to be forgotten, and privacy by design and default. The regulation has extraterritorial application, which means it extends to all entities that collect and process personal data of EU citizens, regardless of their location.

2. The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal data protection statute, was passed in 2000. PIPEDA governs how companies obtain, use, and report personal and confidential data in the private sector, among other things. The legislation is divided into ten fundamental values that must be followed by companies.

The Government of Canada released the Data Privacy Act, an update to PIPEDA, on November 1st, 2018, in order to harmonise Canadian standards with those of the EU’s GDPR. This Act modifies PIPEDA by adding additional regulations such as consent provisions, data breach alerts, and a broader scope of implementation. The Government of Canada announced a 10-principle Digital Charter and a Discussion Paper detailing plans to modernise PIPEDA on May 22, 2019.

3. The CCPA (California)

The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, was enacted in response to the increasing importance of personal data in modern business practices, as well as the personal privacy consequences of data collection, usage, and security. The Golden State’s new data privacy legislation, which was signed into law on June 28, 2018, provides users access to and control over personal information collected online, and it requires businesses doing business in California to make structural improvements to their privacy systems. Given California’s status as the world’s fifth-largest economy, the CCPA is expected to have a global effect, similar to the GDPR.

An expanded definition of personal information, new data privacy protections for California residents, a new statutory damages system, and new rules when children’s personal data is used are all main components of the CCPA. The right to know what data is being collected about them and how it is being used, as well as the right to have their data erased, are among the many parallels between California’s new privacy law and its European equivalent, the GDPR. However, there are major differences between the two laws, especially in terms of the extent of implementation and rules concerning consent.

4. The APPI (Japan)

The Act on Personal Information Protection in Japan (APPI) was passed in 2003 and went into effect in 2005. It was substantially revised ten years later, in 2015; the changes went into force on May 30, 2017, one year ahead of the EU’s GDPR.

The APPI safeguards individuals’ personal data in Japan by developing laws for governments and some business operators to obey in order to secure an individual’s rights when it comes to collecting and managing personal data. Whether or not cross-border data transfers occur, entities operating in Japan must comply with APPI. In some ways, the APPI differs from the GDPR; the GDPR offers more rights to data subjects and imposes tighter rules on organisations that handle personal data than the APPI. Following the GDPR, Japan became the first country to receive an adequacy decision from the European Commission (EC), ensuring a seamless flow of data between the EU and Japan as well as facilitating increased data transfers.

5. LGPD (Brazil)

Brazil adopted the General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”) on August 14, 2018, which will take effect on August 15, 2020. The new data protection system, which is largely influenced by the GDPR, sets guidelines for the online and offline collection of personal data in both the public and private sectors, regardless of the location of the data processor.

The law seeks to replace and complement current legal codes, with one of the goals being to bring Brazil’s data care in line with European standards.

Data subjects’ rights (e.g., the right to request access to their data as well as the right to be forgotten), the need for data protection officers, data protection impact evaluations, and data breach alerts are all key parallels between the LGPD and GDPR. However, the LGPD goes above and beyond European regulation in many ways, such as legal bases and mandatory violation notices.

6. PDPA (Singapore)

In Singapore, personal data is covered by the Personal Data Protection Act (PDPA), which was passed in 2012 and went into effect in 2014. The PDPA is a data security system that governs the collection, use, disclosure, and storage of personal data for all private sector organisations.

It respects both individuals’ rights to personal data privacy and organisations’ needs to obtain, use, and reveal personal data for legitimate and fair purposes.

The PDPA, like the GDPR, has extraterritorial application and applies even to those who do not have a physical presence in Singapore.

7. PDPA (Thailand)

The Personal Data Protection Act (PDPA), Thailand’s first unified law regulating data protection in the country, was published on May 27, 2019. By May 27, 2020, organisations gathering and processing personal data must be consistent with the PDPA.

Thailand’s government has generally taken principles from the GDPR, with a few tweaks to suit the country’s needs. It did so on purpose to prove that Thailand has an “adequate” standard of data security in contrast to the EU. The PDPA contains a new concept of personal information, special categories of confidential data, consent provisions for minors, data subjects’ privileges, extraterritoriality, and limits on personal data transfers to third countries, among other items.

8. PDPB (India)

On July 27, 2018, the national government’s “Srikrishna Committee” released its long-awaited draft legislation for a new Personal Data Protection Bill (PDPB). The proposed mechanism aims to control how government and private entities (data fiduciaries) in India and abroad process personal data of individuals (data principals). It also explains how to gather, process, and store data.

The GDPR has had a major effect on the Bill, which incorporates several concepts such as access and correction, portability, and erasure; however, human rights are constrained in relation to EU law. The draft bill may be revised before being submitted to Parliament, which could request additional changes, but it will serve as the foundation for the final bill.

Is India’s legal system adequate?

The problem of data theft, which has emerged as one of the most significant cybercrimes in the world, has received little attention from Indian legislators. Unlike the United Kingdom, which has the Data Protection Act of 1984, India lacks clear legislation to address this issue, despite having the Information Technology Act of 2000 to address the ever-growing threat of cybercrime, including data theft. The reality is that our Information Technology Act of 2000 is woefully inadequate to combat such crimes. The various provisions of the Information Technology Act of 2000 that deal with the issue to some degree are discussed briefly below.

  • Section 43

This section protects computer systems from destruction and unauthorised access by enforcing a heavy penalty of up to one crore. This section also covers the illegal uploading, retrieval, and copying of data. This section’s clause ‘C’ imposes a penalty for the unintended introduction of computer viruses or pollutants. Clause ‘G’ outlines the consequences of assisting unauthorised entry.

  • Section 65

This section concerns computer source code. Anyone who knowingly or intentionally conceals, destroys, alters, or allows another to do so faces a sentence of up to 3 years in prison or a fine of up to 2 lakh rupees. As a result, electronic source records have been shielded from tampering.

  • Section 66

This section has been designed to protect against hacking. According to this section, hacking is described as any act committed with the purpose to cause wrongful loss or damage to another individual, or with the knowledge that wrongful loss or damage would be caused to another person, in which information stored in a computer resource is destroyed, erased, changed, or has its value and usefulness diminished. The hacker faces a sentence of up to three years in prison or a fine of up to two lakh rupees, or both, under this clause.

  • Section 70

This section safeguards the information stored on the secured system. Secured systems are computers, computer systems, or computer networks that have been designated as such by the appropriate government by notification in the official gazette. Any access to that system, or any attempt to secure access to that system, in violation of the provisions of this section, would subject the person accessing it to a penalty of up to ten years in prison and a fine.

  • Section 72

This section protects against data breaches in terms of confidentiality and privacy. According to this, anyone who has been given powers under the IT Act and related rules to secure access to any electronic record, book, log, correspondence, information, paper, or other material and then discloses it to another person is punishable by up to two years in prison or a fine of up to one lakh rupees, or both.

9. NDB (Australia)

On February 22, 2018, the Notifiable Data Breach (NDB) Scheme, which is part of Australia’s Privacy Act and contains 13 guidelines about organisations’ responsibility for personal data management, went into effect. Companies that manage personal data, such as bank account information or medical records, must report data breaches to the Office of the Australian Information Commissioner (OAIC) under the NDB Scheme. They must also notify anyone whose information has been compromised.

The NDB Scheme, like the GDPR, is designed to encourage affected people to take the required steps to protect their personal information, and it imposes significant penalties on businesses that fail to comply.

10. Administrative Data Security Measures (China)

China’s Cyberspace Administration issued a draft of its Data Security Administrative Measures (the “Measures”) for public consultation on May 28, 2019. As a result, China has joined the list of countries calling for tighter data security laws around the world.

The Measures add to China’s Cybersecurity Law, which went into force on June 1, 2017, by establishing strict and comprehensive rules for network operators who collect, store, distribute, process, and use data on Chinese soil. Network operators who collect confidential personal information or critical data for the purpose of conducting business must register with the cyberspace administrative departments. The Personal Information Protection Specification was released in March 2018, and it included comprehensive guidelines for data processing enforcement. The Measures are structured to include legally binding technical standards and best practices in the field of data protection.

Is Data Theft covered by the IPC?

The Indian Penal Code, Section 378, describes ‘theft’ as follows:

Theft — Someone who moves movable property out of the hands of another person without that person’s permission with the intent of taking that property dishonestly is said to be committing theft.

Movable property is described as follows in Section 22 of the I.P.C., 1860:

Land and objects attached to the earth or permanently fastened to something attached to the earth are excluded from the definition of movable property.

Data is not covered by the concept of “theft” since Section 378 I.P.C. only applies to movable property, i.e., corporeal property, and data is intangible. However, if data is stored on a movable medium (CD, floppy disc, etc.) and the medium is stolen, the act is covered by the concept of ‘theft.’ If data is transmitted electronically, that is, in intangible form, it is not considered theft under the IPC.

Data, in its intangible nature, can be compared to electricity at best. In the case of Avtar Singh vs. State of Punjab (AIR 1965 SC 666), the Hon’ble Supreme Court was asked if electricity could be stolen. However, when Section 39 of the Electricity Act made Section 378 of the IPC applicable to electricity, it became explicitly covered under the scope of theft. As a result, it is critical that a clause similar to that found in the Electricity Act be incorporated into the IT Act of 2000, extending the scope of Section 378 IPC to data theft in particular.

Summary

In today’s world, it is important for an emerging IT superpower like India to have robust legislation in place to protect its burgeoning IT and BPO industries (the worst-affected industries) from such crimes. Though the IT Act appears to be adequate in this regard, it is insufficient in addressing the minute technical intricacies involved in such a crime, leaving gaps in the law and allowing the perpetrators to get away with it. Since this problem affects more than one country and has international implications, India should seek to become a signatory to any international convention or treaty on the subject. It is also past time for our national police forces to be equipped to deal with such crimes.

Source: https://faidepro.medium.com/data-theft-rules-and-regulations-things-you-should-know-5f89c37fe635

About the Creator

Sarth Sharma

Technical and SEO writer. Loves trying different writing styles and cycling.
