Data Theft And The Indian Criminal Law
A woman with her computer can steal more than a hundred women with guns
Data is the “new oil”, and has arguably replaced oil as the world’s most valuable resource. The Internet and smartphones have made data ubiquitous, plentiful and more valuable than ever before. Other than the data voluntarily shared, every technological action leaves digital footprints, which are harvested by algorithm-wielding companies, to know more about us. The digital traces that one unwittingly leaves carry valuable information as to one’s personality, attributes, preferences, buying choices, which are often used by companies to predict behavior and to even engineer the choices that we make.
To cut a long story short, data is extremely valuable, and history tells us that if there is something which is plentiful and valuable, someone is probably going to try and steal it. India, which has the second highest number of Internet users in the world after China, is all the more vulnerable, not merely because of the sheer number of users and volume of data involved, but also because of the lack of a legal regime dedicated to data protection and privacy. The greater the threat, the greater the need for protection. Though the scoreline thus far may have read: Data thieves–1 & Data principals–0, the new Personal Data Protection Bill, 2018 promises to change this and has certainly pulled the discussion right back into the limelight.
This blog seeks to examine the Indian criminal law position on data theft from the standpoint of three legislations/bills: the Indian Penal Code (IPC), Information Technology Act (IT Act) and the recently proposed Personal Data Protection Bill, 2018 (“DPP Bill”).
Data theft and IPC
Thomas Babington Macaulay (the highly polarizing architect of the IPC) did not fashion the offence of theft with data or information in mind. He could not have fathomed that the offence of theft would apply to electronic impulses or signals. However, despite the existence of specific provisions under the IT Act (discussed later in the blog), the traditional offence of theft under the IPC is routinely pressed into action by the police, even in cases of data theft. But is this legally sustainable? Let us begin at the very beginning, and look at the definition of theft under the IPC:
Section 378 of the IPC reads:
- Theft — Whoever, intending to take dishonestly any moveable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.
A bare reading of this provision reveals:
- That the property, in order to be a subject-matter of theft, needs to be a ‘moveable property’.
- The property has to be of such a nature that it is capable of being “taken out of possession of a person” and should be “moved” in order to achieve that end.
This is the legal benchmark required to be satisfied in order to constitute the offence of ‘theft’ under the IPC. Does a ‘data theft’ situation really satisfy this benchmark? The answer appears to be a clear ‘No’, and this is for more reasons than one:
Firstly, data is not moveable property. ‘Moveable Property’ is defined by Section 22 of IPC as ‘corporeal property’. A thing is ‘corporeal’ if it has a body, material and a physical presence. Data clearly does not qualify, as it is an incorporeal, non-tangible and ephemeral sort of property. This by itself may take ‘data’ outside the purview of Section 378 of the IPC. This argument may be hammered all the way home by the application of the principle of ‘strict construction of penal statutes’, which mandates that any ambiguity in a statute defining a crime or imposing a penalty should be resolved in favor of the accused and one should not, by way of a tortured/strained reading, attribute criminality. The benefit of the doubt always goes to the accused. Put differently: “Blurred signposts to criminality will not suffice to create it”. This by itself should leave no manner of doubt that theft of data was never supposed to be covered by the IPC.
Secondly, even assuming (without admitting) that data is ‘moveable property’, the act of stealing ‘data’ may not necessarily entail ‘moving’ of data in the physical sense of the term, as the data continues to be in the possession of the true owner. The data thief may have merely copied the data, with the original data remaining unmoved in the hands of the true owner. Therefore, the actus reus (the act/omission or consequence that the law seeks to prevent) for the offence of theft, which is the ‘moving’ of property, may be incompatible with the very concept of ‘data’ which is technically nothing but information converted (as distinct from taken or moved) to binary digital form or electronic impulses.
Though a direct decision on the point of applicability of IPC to cases of data theft is still awaited, the Calcutta High Court’s analysis in the case of Adventz Investments and Holdings Limited & Ors. vs. Birla Corporation & Anr., albeit in a slightly different factual context, is rather spot-on:
“So far as information per se is concerned, in my opinion, the same does not constitute “moveable property” within the meaning of Section 22 of the IPC. The said provision gives an inclusive definition to include every form of corporeal property. Even if we read intangible property into that definition, such property must be capable of being taken out of the possession of the person who has the right to retain it in the context of Section 378 of the IPC. Moveable Property, forming subject matter of theft, ought to have linear characteristic, implying that if such property is removed, the original owner would lose possession of it. This characteristic of moveable property would have to be distinguished from intellectual property, of whose infringement can be committed by mere reproduction without affecting possession of the property with its owner or lawful custodian. Since one of the basic ingredients of theft is “taking” of the property, meaning physical acquisition after removal, theft has to relate to traditional form of property having linear feature. Legislatures across the world have developed separate legal regime in respect of intellectual property-under which copying constitute the offence.”
This was a case where a person was accused of making copies of a file which he had no authority to look into. This case did not concern ‘data theft’ per se, but the judgment is laudable as it recognizes the underlying principle correctly; the principle that ‘information’ by itself (without a physical manifestation) cannot be the subject matter of theft and the offence of theft in IPC is premised on ‘physicality’ and ‘linearity’ of the property in question.
Exclusion of IPC by IT Act
An alternative approach to countering application of IPC to data theft may be the principle of ‘generalia specialibus non derogant’, i.e., the provisions of a general statute (the IPC) must yield to those of a special one (IT Act). In fact, whether the application of the IPC would be excluded by the IT Act was the exact question that arose before the Supreme Court in Sharat Babu Digumarti v. Govt. of NCT of Delhi, which ruled that a more specific penal law eclipses the more general one. The only condition for applicability of this doctrine is that both the laws should occupy the same field and seek to punish the act from the same standpoint. The decision was delivered in the context of the offence of obscenity over the internet, which is punishable via a special provision in the shape of Section 67 of the IT Act, and which may also fall within the definition of the traditional offence of obscenity under Section 292 of the IPC. The SC applied the doctrine of ‘special law over general law’ and held that if an offence under Section 67 of the IT Act is not made out, the accused cannot be prosecuted for an offence under Section 292 of the IPC either. The court held: “Once the special provisions having an overriding effect do cover a criminal act and the offender, he gets out of the net of IPC (sic) and in this case, Section 292. It is apt to note here that electronic forms of transmission are covered by the IT Act, which is a special law. It is settled position of law that a special law shall prevail over the general or prior laws. When the Act in various provisions deal with obscenity in electronic form, it covers the offence under Section 292 IPC.”
The IT Act and data theft
Post-2008, certain provisions were added to the IT Act with a view to tackling data theft. Section 66 of the IT Act provides ‘liability’ for the offence of data theft. Section 66 of the IT Act reads as under:
- Computer-related offences- If any person, dishonestly or fraudulently, does any act referred to in Section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
Explanation - For the purposes of this section,—
(a) the word “dishonestly” shall have the meaning assigned to it in Section 24 of the Indian Penal Code (45 of 1860);
(b) the word “fraudulently” shall have the meaning assigned to it in Section 25 of the Indian Penal Code (45 of 1860).
But this, by itself, doesn’t say much and in turn takes us to Section 43 of the IT Act, which renders culpable a series of computer-related acts, with data theft being one of them. Section 43 of the IT Act provides:
- Penalty and compensation for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, or computer resource —
- accesses or secures access to such computer, computer system or computer network;
- downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
- damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;
- destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
- steal, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
A conjoint reading of Sections 43 and 66 reveals that if any of the above acts are done with the necessary mens rea (guilty state of mind), that is to say, dishonestly or fraudulently, then the same may be punishable with imprisonment of up to three years. Also, by virtue of Section 77B of the IT Act, such an offence would be cognizable (for the uninitiated, it means that the police can register an FIR and arrest without warrant). However, such an offence is bailable, that is to say, the accused is entitled to bail as a matter of right (at the police station itself). The fact that the offence of data theft is bailable under the IT Act, but theft is non-bailable under the IPC, explains the great enthusiasm on the part of the often trigger-happy police to invoke the IPC over the more suitable provisions of the IT Act.
Data theft under the DPP Bill
In contrast to the very few data theft related provisions under the prevailing IT Act, the proposed penalties imposed under the DPP Bill are at par with the General Data Protection Regulation (GDPR) and other more progressive data protection regimes.
Chapter XIII of the DPP Bill deals with certain offences relating to ‘data’:
- Section 90 of the DPP Bill renders culpable the obtaining, transferring, or selling of personal data by any person, provided two conditions are fulfilled:
- The act (of data theft, amongst other things) should be done knowingly, intentionally or recklessly;
- Such an act of obtainment, disclosure, transfer, or sale (of data) results in significant harm to the data principal.
- Any contravention is punishable with imprisonment up to three years and/or fine which may extend up to Rs 2 lakhs.
- If the personal data obtained, copied or transferred is sensitive personal data, then that is treated as an aggravating circumstance and the act becomes punishable under Section 91 of the DPP Bill, which provides for imprisonment of up to five years and/or fine which may extend up to Rs 3 lakhs.
- Re-identification of de-identified data is also a penal offence under Section 92 of the DPP Bill, attracting punishment of up to 3 years of imprisonment.
- Such offences have also been made cognizable and non-bailable.
- In cases of offences committed by companies, the person-in-charge of the conduct of the business of the company, and in the cases of offences by a government department, the head of the department would also be held responsible. However, those individuals can escape liability on proof that such offence was committed without their consent or that they put in all reasonable efforts to prevent such commission of an offence.
Effect of DPP Bill on the IT Act
Notably, the DPP Bill does not repeal Sections 43 and 66 of the IT Act; therefore, data theft/removal would remain an offence both under the IT Act as well as the DPP Bill. This may be for the simple reason that Sections 43 and 66 of the IT Act together cover a large spectrum of computer-related offences, with data theft/removal/copying being only one of the species of offences dealt with under those sections. Be that as it may, it will be interesting to see if the courts accept the argument of ‘special law over general law’, and allow the provisions of the DPP Bill to supersede the provisions of the IT Act, insofar as they concern data theft. Notably, the proposed DPP Bill has a ‘non-obstante clause’ in Section 110, which gives the DPP Bill an overriding effect over any other existing law. This may bolster the argument that the DPP Bill ought to supersede the IT Act in data theft cases.
Until the DPP Bill materializes into an Act, the offence of data theft, being squarely covered by the provisions of the IT Act, should be dealt with under the provisions of the IT Act only. The invocation of IPC in such cases by the police is not only a disingenuous practice but also legally unsustainable and ought to be discouraged. It is hoped that a technocrat judge will rise to the occasion and conclusively declare the non-applicability of IPC to data theft situations. That said, the DPP Bill is definitely a huge leap forward in building a stronger data protection regime.
Authored by Bharat Chugh, Advocate and Partner Designate: L&L Partners, Law Offices. The author is also a former judge in Delhi. The views of the author are personal. The author can be reached at firstname.lastname@example.org.
 Another random dude from Silicon Valley, who loves the Godfather.
 This may be because of a host of reasons: habit, intellectual lethargy, incompetence, a general tendency to over-prosecute (erring on the side of prosecution!) and also the fact that offence of theft under the IPC is non-bailable, whereas data theft under the IT Act is bailable in nature. Power to arrest and confine in custody is one of the biggest weapons in the arsenal of the police and the most misused of all their powers. This is discussed in greater detail in the following paragraphs.
An analogy may also be drawn to ‘electricity’, which has been held not to be movable property (Avtar Singh v. State of Punjab (1965) 1 SCR 103 (Paras 5, 7)).
This may be contrasted with the position in the UK, where Section 4(1) of the Theft Act, 1968 provides: ‘Property includes money and all other property, real or personal, including things in action and other intangible property’.
 United States v. C.I.O – 335 U.S 106, 142 (1948) (Rutledge, J., concurring).
2015 SCC OnLine Cal 6422.
2016 SCC OnLine SC 1464
 Significant harm is defined in Section 3(37) of the DPP Bill as ‘harm’ that has an aggravated effect, having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm.
Harm is defined in Section 3(21) of the DPP Bill as including – i) bodily or mental injury; ii) loss, distortion, or theft of identity; iii) financial loss or loss of property; iv) loss of reputation, or humiliation; v) loss of employment; vi) any discriminatory treatment; vii) any subjection to blackmail or extortion; viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal; ix) any restriction placed or suffered directly and indirectly on speech, movement, or any other action arising out of a fear of being observed or surveilled; or
Though, it may be noted that the DPP Bill expressly repeals Section 43A of the IT Act, which deals with civil consequences/damages for unauthorised disclosure of certain types of sensitive personal data. That said, it does not purport to repeal the other sections of the IT Act penalising data theft situations.