In a world where technology has become a part of life, now more so than ever, concerns about one’s personal data and digital footprints are bound to arise. The issue of cyber security has been at the forefront ever since the internet became a necessity, but the discussion was first fuelled when Edward Snowden accused the US government of illegally spying on its citizens. Recently, the topic of protection of data on the internet again hit the headlines due to the Zhenhua data leak. The Zhenhua data leak is one of the biggest data breaches of all time. A Chinese firm, Zhenhua Data Information Technology Firm Ltd, reportedly collected the personal information of millions of users across the world. The leaked data is said to have contained information on various high-profile politicians and businessmen like Ratan Tata, Narendra Modi and Bipin Singh Rawat. The firm is said to have ties with Chinese intelligence. If the ties are proven, this can count as espionage.

In this article, the author attempts to comprehend the national and international laws on the topic of illegal breach of data and its implications in the current situation. The author will also try to analyse the situation and suggest ways in which this can be avoided in the future.

Laws Guarding The Data

The timing of this data leak cannot be ignored. Currently, the world is battling a pandemic and many countries have outright blamed China for the same and its aftermath. At such a precarious time, if the connection of this data leak is traced back to the Chinese government, it could lead to serious repercussions for the nation and the world as a whole.

To understand the gravity of the situation and the alleged crime, it is important to comprehend the laws surrounding the same. These laws can easily be classified into two categories:


India has taken various steps, via statutory laws, to safeguard the public and their personal information on the internet and prevent the misuse of the same. The breach of a person’s private information is a direct result of the violation of the right to privacy. Though the right to privacy has not been granted as a separate fundamental right, it has been granted as an extension of Article 21. In the case of Puttaswamy v. Union of India, Article 21 was considered to be the “bedrock of privacy” and an infringement of privacy is in violation of the same. Article 21 states that a person should not be deprived of his personal liberty except by procedure established by law and the law should be just, fair and reasonable. A data leak of personal information, however, is in direct violation of the same.

Aside from this, various sections of the Information Technology Act lay out measures to prevent misuse and mishandling of data. Section 72A of the IT Act lays out punitive and compensatory measures in case of misuse of personal data by companies or aggregators. Section 43 of the Act also lays out provisions to punish companies for mishandling of information which leads to “wrongful loss or gain to any person”. The section also prescribes punishment for stealing of personal data. Section 66E also talks about violation of the right to privacy.

Though these laws have a narrow scope, they are a step in the right direction for the laws to catch up with the technology of the time.


Unfortunately, there is no uniform international system of cyber law that deals with data leaks and the breach of personal information. Though there have been many attempts to reach a consensus on the issue through the United Nations’ Doha Conference on cyber law, ITU, ICANN and IANA, none have been able to overcome the challenges posed or to reach a consensus regarding a law for the same.

This can be attributed to many factors, the main one being that countries do not want to lose their sovereignty on the matter. Many countries like the US have themselves been accused of illegally spying on people and collecting their personal information (Edward Snowden leaks), and it is therefore difficult to determine how the collection of illegally obtained data is wrong on the part of private entities but acceptable on the part of the government.

However, in the current case of the Zhenhua data leak, the profiling of the victims is systematic in nature and has targeted powerful people from across the globe. This has led countries to launch their own investigations into the matter. India has also set up a committee to look into the matter. If this data leak is connected to the Chinese government, the country will be in violation of a number of international agreements and charters, including Article 17(1) of the ICCPR (which states that there should be no arbitrary and unlawful interference with a person’s privacy and correspondence) and the European Convention of Human Rights.

How Can Data Breaches Be Avoided And The Way Forward?

In the past few years, there have been a number of data breaches which have compromised the security of the public. The most highlighted were the Yahoo breach, the Marriott-Starwood breach and the Equifax data breach. While we cannot reduce our dependency on technology, apt measures must be deployed by companies to safeguard the information collected by them.

There are some basic measures, which if employed correctly, can protect the data.

1) Encryption of information - This has recently been adopted by WhatsApp. Through this method, the data of the users is encrypted end-to-end and is available only to the users and no one else.

2) Vulnerability checks - It is important that all major companies and government institutions regularly check their systems for vulnerabilities and patch the loopholes present.

3) “Need to know” access - Access to data should be only on a need-to-know basis. It should be ensured that only people with high-level clearance are able to access critical data, and only in a secure setting.

However, security measures only from the side of users cannot alone stop the misuse of data. Though it is understandably difficult to come up with an international consensus on the topic, even domestically India does not have hard hitting laws for data protection.

For the longest time, the laws enumerated in the Information Technology Act, 2000 were the only laws protecting online data. Though they were a step in the right direction, they are not enough.

Fortunately, in 2019, the government presented the Personal Data Protection Bill in the parliament. As per this bill, the consent of the individual will be required before collection of his or her personal data (Section 11). One of the major selling points of this bill is that it will be applicable even to entities which are not established in India but which deal with the personal information and data of Indians. Section 33 of the bill talks about data localisation, i.e. that “sensitive and critical data” of Indians will be stored in India and not outside. This bill would have proved to be beneficial in the Zhenhua data leak case had it been passed earlier.

This bill is currently being reviewed by the Standing Committee.


While technology has become an integral part of life, people’s personal data stays vulnerable to misuse and hacks. The protection of the same needs to be done using a two-pronged strategy: the steps taken by the people themselves to protect their online data, and the role of governments, through laws, in taking stern action against those who set out to collect or misuse personal data.

The international laws on this subject are insufficient and the national laws, with regard to India, though a step in the right direction, are not enough to tackle problems which present themselves as a result of ever-evolving technology. However, the Personal Data Protection Bill might be exactly what we need to deal with instances of misuse or illegal collection of data, like in the Zhenhua data leak case, and appropriately punish the parties responsible.


This article has been written by Megha Gupta. Megha is a fourth year law student at Dr. Ram Manohar Lohiya National Law University, Lucknow. She takes keen interest in constitutional law, human rights and IP Law.