Important Developments In The Indian Cyberlaw In 2022

As the year 2022 comes to an end, it is important to go back and see what all have been the major cyber legal developments in India in this year. 

The year 2022 has been a very fascinating year. It had a lot of actions. This was the year where the Government of India was very productive in coming up with enabling legal frameworks in the cyber ecosystem. 

The year 2022 actually built on the consolidation of the cyber legal jurisprudence in India in the year 2021. The year 2022, since the beginning, had discussions on the report of the Joint Parliamentary Committee on Personal Data Protection Bill, 2019 which was effectively presented in the Parliament of India in December, 2021.  This was so because the report was itself issued as a divided house. While the majority of the report tended to endorse and support the Personal Data Protection Bill, 2019, a number of dissent notes were issued by the members who were completely opposing the said Bill as being violative of the rights of the digital stakeholders. 

Those discussions on data protection continued in the entire year.  What was important in the Joint Parliamentary Committee report was that the majority of the report recommended multiple dozen amendments to the new law apart from recommending it to incorporate and cover non-personal data. 

Consequently, as the nation was preparing to look at a more nuanced version of the Personal Data Protection Bill, 2019, in the second half of the year 2022, the Government took everybody by surprise by withdrawing the Personal Data Protection Bill, 2019 from the Parliament. The Government stated that it did so because it wanted to come up with a more holistic comprehensive legislation on data protection. 

In November, 2022, the Government came up with the Draft Digital Personal Data Protection Bill, 2022 for public comments. A period of 30 days was given for the public comments on the new draft data protection law which was subsequently extended till 2nd January, 2023. The public consultation on the draft is an important process as it is important to understand and collate the competing and diverse thought processes on the new data protection law from various stakeholders. 

Hence, data protection as a subject continued to dominate the important cyber legal developments in the year 2022 in the Indian context. 

Hopefully, the new law on data protection should see the light of the day in the year 2023. 

One of the most significant cyber legal developments in the year 2022 in India was the implementation of the Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (IT Directions 2022), issued by the Indian nodal agency on cyber security being the Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics & Information Technology, Government of India. Under these Directions, India has sought to fill-up the lacunae that exists in the Indian cyber legal ecosystem given the fact that India does not have a dedicated law on cyber security. These Directions are mandatory and have paved the way for mandatory reporting of cyber security breaches in the Indian context. The said reporting has to be done within 6 hours of receipt of knowledge of the same. 

Non-compliance with the said offence actually becomes an offence under Section 70B(7) of the Information Technology Act, 2000 punishable with one year imprisonment and fine. The Government notified the IT Directions 2022 in April, 2022 and gave 60 days time period for all stakeholders to comply with the same. These Directions are applicable to all intermediaries, service providers, body corporates, data centres and governmental institutions and they came into effect from 28th June, 2022. 

The Government initially did give some relaxations and exempted MSMEs from the applicability of the said Directions.  These Directions are now enforced and have the applicability of the force of law. The said IT Directions have taken majority of stakeholders by surprise as the preparedness levels with the IT Directions needs much to be desired. 

Further, the said Directions are important as they have exposed the companies and their top managements to potential criminal liability.   The said criminal liability has been invoked in the context of the IT Directions, 2022 in continuation of a trend that began with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. It is pertinent to note that the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 under Rule 7 thereof, has stipulated not just intermediaries losing their statutory exemption from legal liability on their failure to comply with the said Rules, but also making the said intermediaries liable for being punished for offences under the Information Technology Act, 2000 and the Indian Penal Code, 1860. 

The criminal liability which effectively started in the IT Rules, 2021 got further consolidated by the criminal exposure stipulated under the IT Directions 2022.  These Directions have sought to give the required seriousness push for compliance issues. Though, everything is dependent upon how the said Directions are going to be effectively enforced and implemented. Their enforcement to a large extent will determine whether there will be any deterrent effect of the said IT Directions 2022. 

What India has done in terms of mandatory reporting of a data breach is nothing, other countries have already done the same. However, trying to enforce the same in the context of the Indian cyber legal ecosystem itself presents a huge number of new legal challenges. In the absence of a dedicated law on cyber security, IT Directions 2022 seek to cover the lacunae that exist in the cyber legal frameworks in the Indian ecosystem. 

All in all, Indian Cyberlaw got enriched by significant developments in the year 2022.

The author Dr. Pavan Duggal, Advocate, Supreme Court of India, is an internationally renowned expert authority on Cyberlaw and Cybersecurity law. He has been acknowledged as one of the top four Cyber lawyers in the world. He is the Honorary Chancellor of Cyberlaw University and also the Chairman of the International Commission on Cybersecurity Law. You can reach him at pavan@pavanduggal.com.  More about Dr. Pavan Duggal is available at www.pavanduggal.com.