Scope, Laws and Regulation related to Cyber Laws in Canada, EU, UK, India, Australia and USA (California, New York and Washington)

Introduction

In current times, there is an increasing need of stringent cyber laws as there has been a significant increase in online activities including trading of goods and services, social media, etc. The dependency on internet and information technology and has brought a need to bring cyber laws to regulate and control the cyber space. There has been an unprecedented growth in internet users engaged in ecommerce transactions, ebusiness, eProcurement, egovernance, online mode of payment, online marketing and advertisement. The trading of securities, shares and stocks in made in dematerialized form which has also contributed in increased use of internet. It has forced the governments to bring suitable laws in place to regulate such activities and transactions.

Increase in online activities has also increased the risk of hacking, online frauds, social media extortion, ransomware, lottery frauds, movie piracy and other cyber-crimes which are required to be dealt with suitable legislations. Recently during the period of lockdowns in the ongoing pandemic, there has been a significant increase in e-commerce transactions, use of debit and credit cards for making online payments, UPI Transactions, increased use of mails, phones and messages for communication which also brings to conclusion that there is a need of cyber laws and regulations to protect the interest of various stakeholders^[1]. 

The main objective of the cyber laws is to control cybercrimes including protection from online harassment and stalking, authenticate digital signatures, protection of intellectual property including protection of trademarks and copyrights, data protection and privacy, etc. In recent times, E-Contracts have become common which are required to be enforced under national legislation of countries. There authentication and admissibility is based on the basis of recognition of such contracts under cyber laws of the countries.

Cyber Laws in India

In India Cyber activities are governed and regulated by Information Technology Act, 2000 and The Information Technology Rules, 2011. It was enacted to regulate and recognize E-Commerce, E-Banking and E-Governance in the country and provides for penalties and punishment for the crimes provided in the 2002 Act. The 2008 Amendment in the Act has increased the scope and applicability of the Act.

IT Act, 2002 allows the companies to store its data and to maintain its accounts in electronic format. It also recognizes the electronic signature and the electronic documents are now considered legal under the Act. It aims to protect the privacy of the internet users. It has recognized various electronic documents which can be used in court of law as an evidence. The 2008 Amendment in the Act has increased the scope and applicability of the Act as it has widened some definitions to increase its coverage. It has imposed the liability on the owners of the IP Addresses that distributed Illegal content. It also makes companies liable in case of breach of requirements related to implementation of data security compliances. IT Act provides various Acts which are considered as crime and it prescribed appropriate punishment and penalties for such activities^[2].

Section 43 r/w 66 of the 2002 Act criminalizes the hacking and provides for a three-year imprisonment or a fine up to five lakhs rupees or both. Thus, any illegal access to computer or computer system or network without permission of the person is a crime under the Act and a criminal penalty is prescribed for such acts. Similarly, any denial to person from his own computer source/network which he has right to use and access, then acts are also punishable with similar penalties as mentioned above.

Section 66F of the Act provides the provisions related to cyber terrorism which includes any online activities which are done to threaten the unity, sovereignty, integrity or security of India or which causes fear and panic in the people of India then such Acts are liable for imprisonment of life. Similarly, the Act punishes Online Frauds, Infection of IT System with Malware, Phishing Attacks, Identity Theft/Fraud, Electronic Theft, Breach of Confidentiality, etc.

Apart from IT Act and Rules made thereunder, there are laws related to prevention, monitoring, mitigation, detection and management of various cyber incidents. There laws related to personal data protection, privacy of online communication, breach of confidentiality, Intellectual Property and Information Security. We have the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT Rules, 2013)^[3] which mandates corporation and individuals to intimate the authority under the rules in case of any cyber security attacks and they are tasked to provide assistance in such cases.

For compliances related to security of the information, Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information) Rules, 2011, provides protection of personal information of the natural persons including information related to passwords, health and biometric data. Corporation possessing such information are required to place appropriate security systems and protocols to protect such sensitive information.

Information Technology (Information Security Practices and Procedure for Protected Systems) Rules, 2018. Under IT Act r/w Protected System Rules, an information facility can be declared as protected system which is considered as Critical Information Infrastructure. CII are such computer based resources which in case of any destruction on tempering can have disastrous effects on economy, public health, national security and safety. The Database of the Aadhaar Number is categorized as CII and is appropriately protected as it contains personal data including biometric details of almost every citizen of the India.

For corporations, Companies (Management and Administration) Rules, 2014 are in place which mandates companies to take appropriate measures and bring system to protect electronic records, prevention of unauthorized access to company’s data, protection from tempering, alteration and security of computer systems, taking backups, securing digital signatures, etc.

For Copyright infringement, Copyright Act is in place to protect owners and assignees of the copyrights. Similarly, Indian Peal Code provides activities which are committed using computer resources in or outside India and which affects computer or computer resource in India, then territorial applicability of the laws comes in play. 

In addition to above, there are many cyber security compliances which are sector specific like one for banks and non-banking financial institutions. For Listed Companies, SEBI provides for guidelines periodically to protect the IT system of the companies and to establish a Risk Management Committee. Similarly, for Banks and NBFS’s, RBI place appropriate Cyber Security Policy and IRDAI brings up policies for the Insurance Companies for their IT protection.

In 2019, Personal Data Protection Bill^[4] was laid before the parliament for consideration which will provide the protection of personal data by creating a dedicated authority i.e. Data Protection Authority. It controls and restricts the use of personal data of individuals by the government, companies incorporated in India and the Foreign Companies dealing with Personal Information of the individuals^[5].

Cyber Laws in Canada

Under Canadian Laws, Cyber Crimes is Protected by Canadian Criminal Code of 1985 which defines various cybercrimes and prescribes various terms of imprisonment for various criminal activities done using computer resources and technology.

Under the prescribed laws, hacking is a criminal offence with a prescribed imprisonment of maximum of five years. However, in some case of significant degree, maximum imprisonment is for ten years. The Denial of Service which includes restricting rightful access and use to computer data of one’s own is considered s mischief under criminal law of Canada and an imprisonment of ten years has been prescribed for the same.

Similarly, the Criminal law provides for various cybercrimes including phishing, infection of IT Systems with Malware, Spyware, Ransomware, Worms etc. which are also considered as Mischief and for the same ten-year imprisonment is prescribed. It also provides protection and regulation of identity theft/fraud by prescribing a maximum imprisonment of ten years.

The Copyright Act protects and regulated electronic theft which includes breach of confidentiality by the employees or copyright infringement. Violation of Copyright Act brings up a fine of up to 1 Million or five years of imprisonment or both.

The Canadian Laws related to cybercrimes are applicable to all Canadian citizens irrespective of their location and in case a cyber-attack is made of Canadian citizen by a foreign national then it is deemed as crime took place in Canada and is charged under Criminal Code.

Apart from Criminal Code, The Competition Act, The Personal Information Protection, Electronic Documents Act and Telecommunications Act are in place to regulate various cyber activities which are prejudicial to national security, interest and civil rights in form of privacy. These laws prohibit illegal transmission of data to some other sources other than destination wanted by sender, installation of software on computer systems without the authorized consent of the owner of the computer resource. The above laws provide with a fine of $1 Million for individuals and $10 Million for corporation for violation of express provision of the law^[6].

Canada has also had some legislations which specifically protects Personal Data Protection. The Federal Personal Data Protection and Electronic Documents Act, 2000 provides protection to the personal information of the employees of the organizations through federal control and regulation. Some Provinces of Canada has similar personal information protection laws which protects the information retained by the private sector organizations. Similarly, each province in Canada provides laws for protection of personal information held by government institutions. Moreover, there are suitable laws for protection of information related to health possessed by the doctors and hospitals. Thus, Canada has a strong cyber laws for protection from unauthorized use of personal information and to control and regulate the cyber activities to uphold the civil rights of its people.

Cyber Laws in Australia

In Australia, cyber activities are controlled and regulated by both State and Federal legislations. The Criminal Code Act, 1995 provides for various acts which are considered as cybercrimes. Hacking is an offence provided by the Criminal Code^[7] and as the applicability of the Criminal Code is throughout Australia, thus, it provision are applicable. Unauthorized access to other’s computer system or resource without consent is also a criminal offence with an imprisonment for two years. Similarly, Denial of Service in form of restricting the access to the computer system to one who has right to access can attract a maximum imprisonment for ten years. Similarly, Phishing is penalized with a maximum of ten years’ imprisonment.

Wiful infection of IT with malware, spyware, ransomware, etc. can attract an imprisonment of up to two years. For Identity Fraud and Theft, five years are prescribed by the Criminal Code Act of 1995. Offences related to Electronic theft including breach of confidentiality, etc, telecommunication frauds are also covered by the criminal act.

As each state has its own laws related to cyber space, for the sake of understanding, the laws of South Wales^[8] are as follows – The Privacy Act, The Crimes Act, 1914, The Security if Critical Infrastructure Act, 2018, the Criminal Code, 1995 and the Telecommunications (Interception and Access) Act, 1979Any act which constitute an offence under Australian laws and is committed in territory of Australia including its extended territory, then such acts come within the jurisdiction of the Australian Courts.

In 2012, Australia passed Cybercrime Legislation Amendment Act so as to accede to Council of Europe Convention on Cybercrime, the only Cyber Crime Convention. The above amendment has brought various amendments in the existing laws related to cybercrimes so as make them harmonious with the international convention on cybercrimes.

Cyber Laws in United States Of America

The cyber laws, rules and regulations in the United States are scattered as there is no uniform law applicable to everyone. States have the power to make their own laws and it would not be wrong to say that many states in the US are adopting higher standards laws in comparison to the US Federal Laws. In order to deal with the Cyber security breaches and imposing civil and criminal liability, US Federal law Computer Fraud and Abuse Act (“CFAA), 18 U.S.C. sec. 130, comes into the picture. The act recognises following types of activities against the law and prohibits the same:

1. Any act of accessing a computer which is outside the scope of authorization or completely unauthorised for the purpose of obtaining National Security Information
2. Any act of accessing a computer used in cross border commerce or receiving information for such commerce or interstate information, which is outside the scope of authorization or completely unauthorised
3. Accessing information from a non public computer to which the US government has the access
4. Any act of defrauding by knowingly accessing a protected computer system
5. Act of illegal exchange of passwords
6. Extorting for information via threat to damage a computer or compromising with the confidentiality of the information saved on the computer system
7. Cyber Extortion for asking a ransom of money or property.^[9]

All these above situations are penalized in a range of 1 to 20 years in prison. Apart from the above, other Federal Laws include Electronic Communications Protection Act, (“ECPA”) which deals with the protection of exchange of communications or stored communications. The act saves the users from unauthorised access or outside the scope of provided access to their Electronic communications service facility and violation of this leads to criminal penalty. This act only includes email service providers or employers granting emails to their employees. Therefore, it excludes the personal computer systems.^[10] Title I of the ECPA, (Wiretap Act, 18 USC sec. 2511)^[11] prohibits the interception of the electronic communications in transit subject to the law enforcement departments, service providers and employers. For the purpose of protecting the spam email which includes using a computer system for sending spam emails with the help of unauthorised access or registering false information, CAN-SPAM Acts prohibits such activities and in case of violation, penalizes the same with up to three years of imprisonment.

All the above are federal laws, however, the state laws are more specific. Therefore, for a better understanding we will be discussing the cyber laws, regulations, rules of California, Washington and New York.

Cyber Laws in California

The United States most detailed data privacy law is the California Consumer Privacy Act (CCPA). This act has been made effective from 1 January 2020. Inspired mainly by the European Union General Data Protection Regulations (EU GDPR)^[12]. The act is applicable on all the business entities working in California from California or remotely.

The threshold made for the application of the act to the entities include either the entity is having more than 25 mn US $ gross revenue or involved in the buying, selling or receiving personal information of more than 50000 users or consumers, households, devices or any entity which is gaining atleast 50 percent of their revenue from the sale of personal information.  The purpose of this act is to protect the personal data collected by the entities against the use which is not consented by the users. Also, the law prohibits any type of discriminatory practices based on the data which is possessed by the business entities.^[13] The law also provides the users with rights similar to EU GDPR like disclosure, access etc. Another right that has been possessed by the users to prevent their information from get transferred to the third party and the users at any point of time can ask the business to remove the personal data of the user stored with them.

The law is specifically to protect the residents of California from any sort of breach of privacy of personal information obtained by the entities and for the same purpose, “personal information” has been defined as any data which can trace the identification of the user or his/her family. The law imposes strict penalties to the entities not in compliance with the CCPA. The damages are mainly ranges from the fine of 2500 US$ to 7500 US $ per violation.

Cyber Laws in New York

Among the many states in the United States, New York will be one of the few states which has many laws for the protection of Cyber crime. New York Penal Law Sec. 156 deals with the offences involving computers. It lays down several offences in relation to the use of computers. Firstly, it penalizes the unauthorised use of computers by the person who access computer without authorization. Also, the acts of computer trespass such as unauthorised use of computer for accessing information and with the intent to commit a felony. The act of computer tampering  which means the access of data on a computer in an unauthorised manner and alters the same with intention to destroy computer data or programme. New York penal law also penalizes the making copies and possession of computer related material when the person is not being empowered to do so.

Another transformation in the field of Cyber law cam in 2017, when New York State Department of Financial Services, adopts new rules Cybersecurity Requirements for Financial Services Companies ( 23 NYCRR 500) which imposes an obligation on Financial Institutions for the adhering cyber security obligation. It imposes an obligation of the Financial Institutions to meet some minimum standards of security for the protection of information assets under their control. These new rules also imposes obligation to appoint a Chief Information Security Officer and conduct audit trials.^[14]

NYS Information Security Breach and Notification Act is inclusive of the sec. 208 of the State Technology Law and Sec. 899-aa of the General Business law. This notification imposes an obligation over the State entities, persons or business possessing the data of the public must notify the users whose data was exposed in case of any breach of data. The cyber laws of New York state includes the recent New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The act raises the obligation on the entities for cyber security in addition to the previous law. Firstly, it increases the scope of information which is under the purview of breach notification by including biometrical and email information with the same. Moreover, the application of this act is wide as it includes all the entities possessing the information of the New York residents. The definition of breach of data has been widened which includes the unauthorised access of any private information.

Cyber Laws in Washington

In the state of Washington, the cyber law dealing with cyber crimes is the Washington Cyber Crime Act (Title 9A.52.110, et seq.). It discusses and penalizes the computer crimes such as fraud, data theft, or damage to the computer. It also includes the act of cyber bullying. The major crimes deal in the acts are cyber stalking. It penalizes any trespass to the information over a computer without authorization and  in order to any other crime as per the state law. The other wrong includes the interference in data service by transmitting the data, program or intentionally interrupts the data service without authorization. Any act of spoofing which includes the transmission or representation of data, for achieving unauthorised access to data with the intent to commit any other state crime. Data theft and data tampering are also prohibited by the Washington Cyber Crime Act.^[15]

NIST Cyber Security Framework

This framework is a type of guidance for the private organizations functioning in United States in order to enhance their cyber security and response to attacks. NIST Cyber Security Framework has been divided into three tiers and various categories. There are total of 108 sub categories and for each of these sub categories, information and security standards are provided in the framework.

Department of Defense

DoD has made five strategic goals as their cyber security strategy. The first goal is to be ready with the forces capable of doing cyber security operations. The second goal is related to the standards of technology. It aims to raise the bar by adopting high standards to mitigate risk and secure DoD Data. The third goal is to achieve the US Homeland and state from the cyber attacks. Fourth goals is to prevent conflict by maintain viable cyber options and plan. The final goal is international cooperation and alliances to enhance international security.^[16]

Homeland Security

Cybersecurity and Infrastructure Security Agency Act, 2018 has been signed and adopted to establish Cybersecurity and Infrastructure Security Agency (CISA). The function of the CISA is to protect the national capacity from cyber attacks and provide ways to develop cyber security in coordination with the government. CISA focuses on protecting the .gov domain and combatting cyber crime against the federal agencies and federal networks.^[17]

Cyber Laws in European Union (EU)

EU has always been one of the prime places to look for an updated cyber law framework. In 2016, EU provides all the member states a strict laws with hugh fines for the protection of personal data of the users in the form of EU General Data Protection Regulations. Recently, in 2019, EU again came up with its new Cyber Security Act^[18]  which has been made effective from 7 June 2019. The importance of the act was to strengthen the EU cybersecurity agency, ENISA and setting up an EU cyber security certification framework. The new certification is the credit and conformity about the products, services of applicants in all EU member states. The process involves ENISA’s coordination with the applicant in preparing cybersecurity schemes which will be further submitted to EU Commission for adoption. If the scheme has been adopted, then it will be act as a certification for the products, services of the candidates in all member states. Another measure adopted by the EU for cyber security is the NIS Directive (The Directive on security of network and information systems). The aim of the Directive is to enhance the cyber security framework in EU and all the member states has to incorporate this notification into their domestic laws. The act ensures that the member states be prepared with the Computer Security Incident Response Team (CSIRT) and a competent national NIS authority. Seeing the reliance of almost all the sectors over the ICTs, it became imperative to provide security from any sort of cyber-crime across states. European Commission from time to time came with the directives to combat cyber crimes such as in 2011 – A Directive on combating the sexual exploitation of children online and child pornography, has been adopted for addressing the concerns for sexual abuse with minors and taking measure against websites soliciting child pornography. In 2013 – A Directive on attacks against information systems has been adopted which address the cyber attacks and directed the member states to enhance their cyber crime laws. In 2018- The Commission has proposed a Regulation and Directive facilitating cross-border access to electronic evidence for criminal investigations.

Apart from the above concerned laws dealing majorly with cyber crime and enhancing cyber security, the EU GDPR acts as a shield for protecting the privacy of the personal information shared by the users. EU GDPR became effective in 2016, provides the users with many rights such as Access, disclosure, forgotten, erase etc. Moreover, the prime aspect of EU GDPR is that the regulation has given importance to the consent of users and also recognised the consent of the minor children. The framework includes heavy fines for violations and the same is being used as a standard by many nations for developing their own laws.

Cyber Laws in United Kingdom (UK)

Apart from the application of laws of the European Union, UK has its own act to protect the cyber breaches. Different laws deal with different aspect of cyber security.

Computer Misuse Act, 1990

It describes the offence of hacking, denial of service attacks, possession of hacking tools, electronic theft. Hacking is to use of one computer from one place and take control over the information of another computer or its data program, provided it must be done without any consent of the user. Also, possessing tools that help in commit hacking and the possession is with intent to perform hacking is an offence. Denial of Service Attack is to curtail the access to program, data or operation held in another computer from a different computer, provided the same is not authorized by the owner. Electronic theft acts as both financial crime and cyber crime. All these acts of cyber crime are punishable under the Computer Misuse Act, 1990.

Fraud Act, 2006

This is another law dealing with some aspects of cyber-crime and makes it punishable such as personation, sending an email with the name of another firm and reflecting to be it true includes a 10 years imprisonment. This is called identity theft or identity fraud, which means a person represent to be another knowing that the same is misleading for achieving some profits or gain or causing a loss or risk of loss to another.

Data Protection Act, 2018

Under this law, UK has made obligatory to organisations to adopt measures in terms of technical and organization specifications in order to attain the standard of cyber security. The same can be checked by the Information Commissioner’s Office and failure in following the standards will be a criminal offence. Apart from that Network and Information’s System regulation 2018 has also implemented the Network and Information’s System Directive in UK Law for enforcing security measures.

Similarities and Differences Between All Countries

Every country has made its laws, rules and regulations for regulating cyber activities and to prevent cybercrimes. As cybercrimes has involvement of internet, thus, cybercrimes can take place in any part of the world with a universal target. There are issues related to cross border cybercrimes which are related to jurisdiction of the Courts and the applicability of the laws. In light of the present issues, there a need of uniform international laws related to cybercrimes which can be applicable to all the countries in a uniform manner. Council of Europe Convention on Cybercrime can be good example for a universal convention related to cyber activities. Such laws must also cover issues related to jurisdiction of the Courts where the Crime is initiated and where it actually completed or the target country.

Conclusion

With increasing digitalization, the threat and the security of the information of the users, data of government and other organizations has also been increased. The dire need to change law is not much rather now it is imperative to raise standards of the cybersecurity. After the analysis of all these nations in terms of law, it would not be wrong to say that most of the nations are still thriving for a national cyber security. However, amongst the other actor which was hardly recognised in the past from a data security perspective, now, personal data of the users is also achieving standards. The friction between the actors is still there as personal data needs to be protected but the other actors are taking the same as a method to drive money. The sale of personal data has become effective business among many business entities. So far now, EU has tried to impose heavy penalties for violation of its GDPR regulations. On the other hand, government organization are still under threat as the same cannot be overpowered only with fines. A robust scheme of cyber security is needed in terms of legal as well as technical capacity.

^[1] Vineet Verma, Importance of Cyber Laws of India, Legal Services India, http://www.legalserviceindia.com/legal/article-1019-importance-of-cyber-law-in-india.html

^[2] The Information Technology Act, 2000,  http://lawmin.nic.in/ld/P-ACT/2000/The%20Information%20Technology%20Act,%202000.pdf

^[3] G.V. Anand Bhushan, India: Cyber Security Laws and Regulations, 2020, https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/india

^[4] Angelina Talukdar, India: Key Features Of The Personal Data Protection Bill, 2019, Mondaq, https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019

^[5] PRS Legislative Research, The Personal Data Protection Bill, 2019, https://www.prsindia.org/billtrack/personal-data-protection-bill-2019#:~:text=Ravi%20Shankar%20Prasad%2C%20on%20December,Protection%20Authority%20for%20the%20same.&text=For%20instance%2C%20personal%20data%20can,specific%2C%20clear%20and%20lawful%20purpose.

^[6] Lyndsay Wasser, Canada : Cyber Security Laws and Regulations, 2020, https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/canada

^[7] John Swinson, Australia’s Cyber Crime Legislations, https://www.lexology.com/library/detail.aspx?g=4ab62fdd-f177-47eb-b02d-e327cf9833a9

^[8] Dinnis Miralis, Australia : Cyber Security Laws and Regulations, 2020, https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia

^[9] Computer Fraud and Abuse Act (“CFAA), 18 U.S.C.

^[10] Electronic Communications Protection Act, Stored Communications Act (Title II of the ECPA), 18 USC 2702.

^[11] Electronic Communications Protection Act, Wiretrap Act (Title I of the ECPA), 18 USC 2511.

^[12] European Union General Data Protection Regulations (EU GDPR), 2016.

^[13] California Consumer Privacy Act (CCPA), 2020.

^[14] Cybersecurity Requirements for Financial Services Companies ( 23 NYCRR 500)

^[15] Washington Cyber Crime Act (Title 9A.52.110, et seq.).

^[16] The DoD Cyber Strategy, The Department of Defense, https://archive.defense.gov/home/features/2015/0415_cyber-strategy/final_2015_dod_cyber_strategy_for_web.pdf.

^[17] Cyber Security, Homeland Security, https://www.dhs.gov/topic/cybersecurity#:~:text=on%20november%2016%2c%202018%2c%20president,infrastructure%20security%20agency%20(cisa).

^[18] Cybersecurity Act (Regulation (EU) 2019/881 of April 17, 2019)

Author: Manthan Agarwala.

Related Posts:

• Doctrine of Functus Officio
• The 86th Constitutional Amendment
• Public Service Commissions Under Union and State
• Difference Between Fundamental Rights and Directive Principles of State Policy
• Powers and Functions of President of India