Off late several companies had become extremely concerned for moonlighting by their employees. Moonlighting is a term that signifies involving in a second job for profit while being in a full time employment. The 2020 covid pandemic has increased the tendency for moonlighting for employees in several companies including the tech companies as most of the workplaces reduced the salaries of employees and this caused huge financial tension for many. Legally moonlighting may or may not be safe for many: many European countries, US, Canada, Australia etc, may allow employees for moonlighting. Even academicians including teachers, university professors may also choose for a second job when they are off duty. But the problem arises when the employees go for moonlighting with the company data.
Why and how Moonlighting becomes an offence and who are the victims? in 2022, Tesla terminated an employee for showcasing and discussing certain automobile features in his YouTube channel. Interestingly running a YouTube channel had not been considered as moonlighting even though such activities may help the YouTuber to earn profit. But this was considered as offensive by the company because the employee actually criticised certain products using the company data which only he could access being an employee. Now consider the other side of the coin: if this employee had secretly sold the company data to other competing company for profit or may had been engaged in moonlighting works like consumer preference analysis, product marketability analysis, business analysis or even employee data analysis with the help of the confidential data of his employer company, he would have been definitely subjected for legal liabilities and he may even have the chance for being jailed. This may no longer remain simple harmless moonlighting. Rather, it may involve data privacy breach by the concerned employee because he may have violated the integrity and confidentiality of the data owned and maintained by the companies.
Here we have to understand the types of the data and the types of the ‘victims’ that may be affected:
First victim would be the company itself as the company secrets including trade secrets would be affected. The designs, company logo, manufacturing process, company policies for marketing, specific software etc, may fall within the meaning of company’s intellectual properties which many employees fail to acknowledge or may not know.
The second typology of the victims has a wider scope than the first: it includes individuals and their personal data that may have been collected by the companies in the name of customer data, patient data, government beneficiary data, banking related data etc. Presently almost all companies have become body corporates who collect certain kinds of personal as well as sensitive persona data: Tesla itself collects customer data that may include sensitive personal data like birthdates, banking information, social security numbers etc. There are several big tech companies that may be involved directly or indirectly involved in government data collection and processing work.
Moonlighting with such data may become extremely dangerous for the second type of the victims, especially children. There are 5 basic reasons for this:
Children’s data including health data, school data, parent’s financial data etc, may be misused by different types of perpetrators. This may also aide in physical space kidnapping, abduction and assault on the child.
Profiles of children may be sold to criminal gangs operating in deep and dark nets for online child sexual abuse related purposes. Often job seekers or individuals looking for moonlighting opportunities may fall in the trap of such gangs who may make them sell such sensitive personal data for a handsome amount. Here the criminal gangs may finely create a very much convincing agreement for the job seekers that in reality may not have much legal value as employer-employee contract. But the language of such agreements may be so finely constructed that it may actually make the employee fall in legal trouble if the entire operation is unearthed by the law enforcement agencies while the actual criminals may escape the clutches of the law.
Child and adolescent victims may not be aware of the victimhood unless they are made aware of the data breach by their peers or by the acquaintances of their parents. Resultant, their online and offline security may be hugely breached and it may be beyond repairing especially for children who may come from socio-economically challenged backgrounds.
Such kind of illegal moonlighting may enlarge the risks of ransom attacks for hospital, schools, public welfare data etc.
Companies or stakeholders who are engaged in the outsourced work of data collection, processing may also have to face legal action for not providing proper security to the confidential data. In such cases these cases may be held primarily liable as the burden of proof for innocence and strict diligence complied with may fall on the companies.
What is the way out then? EU General Data Protection Regulation has emphasised on the issue of privacy, security and consent for data collection, data processing, data archiving etc. Even though EUGDPR does not mention about moonlighting with confidential data as an offensive behaviour, it however focuses on right to privacy, data collection and processing rules etc. We also have to look into several international conventions including the 2001 Budapest cybercrime conventions which throws light on content related online crimes, intellectual property rights related crimes and online child abuse related issues. All these prohibit data theft and unethical profit gain from misuse of data. Moonlighting with public, personal and sensitive confidential personal data falls off from the line of ethical moonlighting on the basis of skills of the job seeker/employee and thereby it becomes a punishable offence. But we must note that moonlighting with data involving children can be extremely dangerous because immediate harm to children may not be repaired by restorative and reparative justice quickly. But there is still a silver lining behind the vicious cloud of malicious data and activities. Companies and body corporates who primarily deal with public and personal data of general individuals can strengthen their data protection mechanism by applying stricter surveillance on the access on the said data, purpose of access to such data and mapping footprints of the usage of such data. They may also apply stricter policies against moonlighting especially against those employees who may directly deal with confidential data. Further, punishment for such kinds of moonlighting may not be restricted to termination and other penal actions by the primary companies alone. Such employee must also be made liable for breaching the data confidentiality of the children and he must be made to cooperate with the criminal justice machinery to track the data, pull down the data from vicious domains and also should be responsible for payment of compensation. Above all, courts must also consider banning them from using multiple profiles and they must be put under surveillance for their usage of information and communication technology.
Often I have been asked by victims, stakeholders and students of law about the jurisdictions of the courts and court system as a whole under the Information Technology Act, 2000 (Amended in 2008). This query carries great significance especially at a time when subscribers, consumers and civil society members are facing numerous problems due to data theft, data diddling, and data leaking etc. by the body corporate, intermediary and service providers themselves. Such issues of piercing the veil of cyber security and data privacy due to inefficient data protection mechanism of the body corporate may in turn help individual predators and even criminal gangs to target individuals including women and children to make it a large scale offence. Let us consider the case of Facebook facial recognition case in the US : even though Facebook as a company has been strongly contesting the case, the federal appeals court has given a green signal for this class suit whereby Facebook can be prosecuted for infringement of data privacy and would be liable to pay a huge compensation to the petitioners. What we understand from here is, such cases in the field of cyber law, may be dealt by courts in the nature of civil cases as well as in the nature of criminal cases.
In India, the primary regulatory provision for cyber issues is the Information Technology Act, 2000(amended in 2008) (IT Act, 2000, amended in 2008). This provision indicates that there are two types of authorities and tribunals/courts who may handle cases in the nature of civil and criminal liabilities, i.e., civil and criminal court and tribunals . We may understand this typology by understanding the nature of the cases under the Information Technology Act first, which is as follows:
In the issue of civil nature of cases, the administrative tribunal system under the IT Act has three tiers.
As may be seen from the above flow chart, at the grass-root level is the Certifying Authorities. A licensed Certifying Authority (CA) who has been granted licence under S.24, issues the digital signature certificates. CAs are controlled by Controllers, who are appointed by central government under S.17 of the Act. This provision also mentions about the appointment deputy /assistant controllers who should work under the instructions of the Controller.
Functions and responsibilities of the controller can be discussed under three broader heads:
S.18 of the IT Act provides essential
functions of the Controller. Apart from S.18, there are certain other
provisions under the IT Act, which speaks about other responsibilities and
powers of the Controller. The functions
under S.18 are as under:
supervision over the activities of the Certifying Authorities;
public keys of the Certifying Authorities;
Laying down the standards to be maintained by
the Certifying Authorities;
the qualifications and experience which employees of the Certifying Authority
the conditions subject to which the Certifying Authorities shall conduct their
Specifying the contents of written, printed or
visual materials and advertisements that may be distributed or used in respect
of an Electronic Signature Certificate and the public key;
the form and content of an Electronic Signature Certificate and the key;
the form and manner in which accounts shall be maintained by the Certifying
Specifying the terms and conditions subject to
which auditors may be appointed and the remuneration to be paid to them;
Facilitating the establishment of any
electronic system by a Certifying Authority either solely or jointly with other
Certifying Authorities and regulation of such systems;
Specifying the manner in which the Certifying
Authorities shall conduct their dealings with the subscribers;
Resolving any conflict of interests between
the Certifying Authorities and the subscribers;
Laying down the duties of the Certifying
Maintaining a database containing the
disclosure record of every Certifying Authority containing such particulars as
may be specified by regulations, which shall be accessible to public.
As such, other than the functions
mentioned above, the Controller may also have the following powers and
Controller may also recognize the foreign certifying authorities with prior approval from the government under S.19.
Controller is the authority to suspend license of the CA in case of any discrepancies in the function of the CA under S.25
Controller has power investigate contraventions or authorize any officer to do the same under S.28.
Controller may also access to computer and data under S.29 if he has reasonable cause to suspect for any contravention of the provisions etc.
Apart from this, controller also
has powers for dispute resolution: As such, .controllers can take over matter
for regulating and resolving any conflict of interests between the Certifying Authorities
and the subscribers.
Adjudicators along with the
controllers form the second tier of tribunal system for civil nature of cases
under the IT Act. Adjudicating officers
are appointed by the Central Government under S.46 of the IT Act for holding inquiry
(in the manner prescribed by the Central Government) in cases where any person
has committed a contravention of any of the provisions of this Act or of any
rule, regulation, direction or order made thereunder which renders him liable
to pay penalty or compensation. Such officer should not be below the rank of a
Director to the Government of India or an equivalent officer of a State
Government.S.46 clearly mentions that no person shall be appointed as an
adjudicating officer unless he possesses such experience in the field of
Information Technology and legal or judicial experience as may be prescribed by
the Central Government. The adjudicating officer appointed under S.46(1) are empowered to exercise jurisdiction to
adjudicate matters in which the claim for injury or damage does not exceed
rupees five crore. In case the jurisdiction in respect of claim for injury or
damage exceeds Rs. five crore, the jurisdiction to try such cases then shall
vest with the competent court. Every adjudicating officer shall have the powers
of a civil court which are conferred on the Cyber Appellate Tribunal under
sub-section (2) of section 58. As such, all proceedings before the adjudicator (a)
shall be deemed to be judicial proceedings within the meaning of sections 193
and 228 of the Indian Penal Code; (b) shall be deemed to be a civil court for
the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973. And
(c) shall be deemed to be a Civil Court for purposes of order XXI of the Civil
Procedure Code, 1908
But, the adjudicating officer cannot
fix the quantum of punishment (especially fines, damages and compensation) at
his own whimsies and fancies. S.47 says while adjudging the quantum of
compensation under Chapter IX, the adjudicating officer shall have due regard
to the following three factors, namely –
amount of gain of unfair advantage, wherever quantifiable, made as a result of
amount of loss caused to any person as a result of the default;
repetitive nature of the default
As such, adjudicators are
responsible to handle cases of data infringement, unauthorised access to
computer, offences to the computer (of civil nature), and fraudulent data
leaking cases etc. under chapter IX of the IT Act.
At the top tier of the tribunals
for dealing with cases of civil nature under the Information Technology Act,
2000(amended in 2008) exists the Cyber Appellate Tribunal. S.48 of the
Information Technology Act, 2000 (amended in 2008) stated that the central
government shall by notification establish one or more appellate tribunals to
be known as Cyber Appellate Tribunal. However, it has been observed by several
cyber law practitioners that the Cyber Appellate Tribunals in some places in
India were not functioning properly. As such, since 2017 The Telecom Disputes
Settlement and Appellate Tribunal (TDSAT) established under section 14 of the Telecom
Regulatory Authority of India Act, 1997 (24 of 1997), (TRAI Act) has
substituted CAT & working as Appellate Tribunal for the purposes of IT Act.
It also exercises the jurisdiction, powers and authority conferred on it by or
under IT Act. The TDSAT shall consist of a Chairperson, and not more than two members to be appointed by the Central Government.
Prior to the coming into existence of TDSAT
within the meaning of Appellate tribunal under the IT Act, online High Court
judges could qualify to be appointed as Chairpersons of the cyber appellate tribunal as per S.50 of
the IT Act. However, presently as per S.4 of the TRAI Act, the Chairperson
and other members of the Authority shall be appointed by the Central
Government only if such candidate has special
knowledge of, and professional experience in, telecommunication, industry,
finance, accountancy, law, management or consumer affairs. Further, a person who is, or has been, in the
service of Government shall not be appointed as a member unless such person has
held the post of Secretary or Additional Secretary, or the post of Additional
Secretary and Secretary to the Government of India or any equivalent post in
the Central Government or the State Government for a period of not less than
three years (as per Proviso to S.4 of the TRAI Act). s. 57, IT Act,
2000(amended in 2008) speaks about the jurisdiction & limitations of the
Appellate authority , which to large extent is practiced by the TDSAT now.
According to S.57, any person aggrieved by an order made by controller or an
adjudicating officer under this Act may prefer an appeal to Appellate Tribunal
having jurisdiction in the matter. However, no appeal shall lie to the
Appellate Tribunal from an order made by an adjudicating officer with the
consent of the parties. Every appeal under 57(1) shall be filed within a period
of forty-five days from the date on which a copy of the order made by the
Controller or the adjudicating officer is received by the person aggrieved and
it shall be in such form and be accompanied by such fee as may be prescribed. Appellate
Tribunal may entertain an appeal after the expiry of the said period of
forty-five days if it is satisfied that there was sufficient cause for not
filing it within that period.
Court for dispute resolution of criminal nature: Information
Technology Act, 2000(amended in 2008) does not specifically mention about any
court which may handle cases of criminal nature under this Act. But S.77A of
the Information Technology Act is mentionable here, which speaks about
compounding of offences According to S.77A of the IT Act, 2000(amended
in 2008), a court of competent jurisdiction may compound offences, other than
offences for which the IT Act provides punishment for life or imprisonment for
a term exceeding three years. As per
S.77A, the court however, shall not compound offences falling under the
categories as below:
the accused is, by reason of his previous conviction, liable to either enhanced
punishment or to a punishment of a different kind:
such offence affects the socio economic conditions of the country.
Has been committed against a child below the
age of 18 years or a woman.
the IT Act states that a person accused
of an offence under this Act may file an application for compounding in the
court in which offence is pending for trial and the provisions of sections 265B
and 265C of the Code of Criminal Procedure, 1973 (2 of 1974) shall apply. From
the above discussion, it may be inferred that any competent criminal court
under Cr.P.C which are competent to handle cases involving offences and punishments
as has been prescribed under Chapter XI under the IT Act, may be considered as
competent court for the purpose of this Act. Now, the question which may arise
is, which criminal courts may handle cases of criminal nature under IT Act,
2000 (amended in 2008). For this, we may need to understand the patterns of
punishments under Chapter XI of the IT Act, 2000 (amended in 2008). These can
be listed as below:
Imprisonment for a term which may extend to two
years, or with fine which may extend to one lakh rupees, or with both.
Imprisonment of either description for a term
which may extend to three years or with fine which may extend to rupees one
lakh or with both
Imprisonment of either description for a term
which may extend to three years and shall also be liable to fine which may
extend to rupees one lakh.
Imprisonment which may extend to three years or
with fine not exceeding two lakh rupees, or with both
Imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with both.
Imprisonment for a term which may extend to
three years or with fine which may extend to five lakh rupees or with both.
Imprisonment extending to imprisonment for life.
Imprisonment in first conviction of either
description for a term which may extend to three years and with fine which may
extend to five lakh rupees and in the event of second or subsequent conviction
with imprisonment of either description for a term which may extend to five
years and also with fine which may extend to ten lakh rupees.
On first conviction with imprisonment of either
description for a term which may extend to five years and with fine which may
extend to ten lakh rupees and in the event of second or subsequent conviction
with imprisonment of either description for a term which may extend to seven
years and also with fine which may extend to ten lakh rupees
Now, to find the answer as which court may try cases of criminal nature under the IT Act, the above mentioned list has to be matched with the powers of various criminal courts under Ss.28 & 29 of Cr.P.C. The powers of the courts under the Cr.P.C can thus be categorized as follows:
As such it may be understood that cybercrimes and offences recognised under Chapter XI with various degrees of punishment may be dealt by various criminal courts as has been discussed under Ss.28 and 29 of the Criminal Procedure Code. But, in such cases also, the aggrieved party (including the offender) may make an appeal to the appropriate courts including the Session’s court, High Court and also to Supreme court. However, in case the offence includes any offence targeting children, then along with Information Technology Act, 2000(amended in 2008), provisions of Protection of Children from sexual offences Act may also be applied. In such cases, the offence may necessarily be dealt with by courts designated under POCSO Act : such courts may be Special Court or Children’s Court or the Sessions court itself.
Note: Please do not violate the copyright of this writeup. If you wish to use this writeup for your report/assignment/project etc, please refer it as Halder Debarati (2019) Court system under Information Technology Act, 2000 (amended in 2008). Published in http://www.internetlegalstudies.com on 12-08-2019
 For example see @https://www.theguardian.com/technology/2019/aug/09/facebook-facial-recognition-lawsuit-can-proceed-us-court?CMP=share_btn_fb&fbclid=IwAR3RvbLbL9TmFCkeBgypZORu4dRYnQNFvbWuFfIoQN1m-n80UlFO8_26qIk