Introduction
Data has evolved from being a mere by-product of technological activities to being considered an indispensable economic asset in the current global economy, powering innovation, governance and commerce. Rapid digital expansion and technological advancements have made nations more vulnerable to data breaches and illegal access. India’s legal system remains fragmented and ineffective in confronting the intricacy of current data theft.
The shift of the right to property from a fundamental to a constitutional right in 1978 has shaped a complex legal framework governing both tangible and digital property in India. Questions come to mind as to whether data can qualify as property under Article 300A due to its monetary value, transferability, and susceptibility to unauthorised acquisition.
The issue of unauthorized access to data, raises another critical concern. Can such unauthorised access to data be qualified as actual theft under Section 303 of the Bharatiya Nyaya Sanhita (hereinafter, “BNS”)? Classification of data as tangible property opens the door for a discussion on how the law should treat digital assets in a time where data breaches and cybercrimes are increasingly common. This article examines these critical issues and argues for stronger legal frameworks to ensure that data and intellectual property are afforded the constitutional protection they warrant in the modern digital era.
Data as Actual Property under Article 300A
According to Article 300A of the Indian Constitution, “No one shall be deprived of his property except by authority of law.” Despite having no clear definition in the Indian Constitution, judgements have often interpreted the term “property” to include intangible assets such as copyrights and other intellectual properties, in addition to land, acknowledging any stake recognised by the law.
To understand the significance of data in the context of property, it becomes imperative to delve into the definition of ‘property’. Reference can be made to the definition given by John Salmond in ‘Jurisprudence’.:
Indian courts have progressively adopted a functional approach to the definition of “property,” focusing on economic value and legal transferability rather than physical form. The Bombay High Court, invoking Salmond’s definition, held that intangible assets like intellectual property and data fall within the scope of Article 300A, as excluding them would undermine the constitutional guarantee in a knowledge-based economy. The Supreme Court upheld this reasoning, emphasising that any interest with measurable economic worth and the ability to be transferred or excluded qualifies as property. This approach was reaffirmed by the Gujarat High Court in 2018. Intellectual property, including trademarks, is considered intangible property and hence protected under Article 300A. However, data presents unique challenges, especially around jurisdiction, enforcement, and evidentiary proof, necessitating more precise statutory safeguards despite its recognition as a form of constitutional property.
Unauthorised Access to Data: Theft in the Digital Age
In today’s digital age, India’s outdated laws struggle to address growing concerns over data breaches, unauthorised access, and the misuse of personal and proprietary information.
“Theft” is defined under section 378 of the Indian Penal Code (IPC), 1860 and section 303 of the BNS as:
“Whoever, intending to dishonestly take any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.”
While courts have interpreted “movable property” broadly, they continue to struggle with treating unauthorised access to data without physical removal as theft. The Karnataka High Court recently quashed proceedings for alleged data theft, noting that copied confidential information does not clearly fall within the scope of “property” under Section 378 IPC. This highlights the judiciary’s ongoing uncertainty in applying traditional theft laws to digital data. Unlike physical theft, wherein a property is permanently lost, data can be copied or replicated without depriving the owner of possession. This significantly complicates the legal classification of data theft.
Although data theft is not explicitly recognised as a distinct crime in India, several laws address unauthorised access. Sections 43 and 66 of the Information Technology (IT) Act of 2000 specify penalties and sanctions for computer-related offences. The Digital Personal Data Protection Act of 2023 focuses on privacy issues rather than data theft.
On the other hand, data theft and unauthorised access are classified as serious crimes under the General Data Protection Regulation (GDPR) of the EU and the Computer Fraud and Abuse Act (CFAA) of the US. India lacks statutory thresholds or specific classifications for such offences. This legal ambiguity weakens enforcement, limits victims’ remedies, and emboldens cybercriminals. It also undermines India’s credibility in global data governance and digital trade, making foreign companies hesitant to trust Indian digital infrastructure. India’s legal framework must evolve to incorporate globally recognised best practices for data protection and cybersecurity.
Many Indian judgements have restored faith regarding the protection of data. It was held in Gagan Harsh Sharma And Another v. State Of Maharashtra Through Sr. Police Inspector And Another that the act of accessing or securing access to computer/computer system or computer network or computer resources by any person without permission of the owner or any person who is in charge of the computer, computer system, computer network or downloading of any such data or information from computer in a similar manner falls within the purview of Section 43 of the Information Technology Act, 2000.
The Apex Court has established that information contained in a document, if replicated, can be the subject of theft. The court emphasized that even temporary retention of property can result in wrongful loss, thereby categorizing the act as theft. The judgement of the Patna High Court in Aditya Multicom Pvt. Ltd., Through Its Authorized Signatory, Pankaj Singh Alias Pankaj Kumar Singh v. State Of Bihar discusses illegal mining activities and the unauthorized extraction of resources, equating such actions to theft under Section 378 IPC. Although the case focused on tangible resources, the Court’s reasoning that theft lies in interference with lawful possession and deprivation of exclusive use can be applied to digital data. In digital contexts, unauthorized copying similarly undermines exclusive control and causes economic detriment, which satisfies the essential elements of theft.
Global Judicial Approaches to Data Theft
Foreign courts have had contrasting opinions regarding the classification of data theft as actual theft. In the leading authority for the orthodox view, Oxford v Moss, the court held that confidential information did not fall within the definition of “property” under the Theft Act, 1968, (UK) and hence a conviction for theft was not upheld, as information was not considered a form of intangible property capable of being “stolen” in law, nor could it be subject to permanent deprivation.
The Supreme Court of Canada held in 1988 that confidential information did not constitute “property” under section 322 of the Criminal Code, as it could not be the subject of a proprietary right nor could it be taken or converted in a way that results in deprivation, thereby precluding a conviction for theft.
In 2015, the New Zealand Supreme Court held in the case of Jonathon Dixon v R, that digital files qualify as “property” under the Crimes Act, as they possess economic value, can be owned or transferred, and have a material presence; thus, unauthorized access and copying of such data can amount to theft. The court had previously held in 2004 that electronic records, including text messages, possess a “physical existence” under the law, highlighting that digital content occupies tangible space on storage media and can therefore be treated as property. Thus, it becomes imperative for India to adapt its property and criminal laws to the demands of the digital age. While frameworks like the GDPR and the CFAA are not binding international standards, they illustrate how leading jurisdictions have effectively addressed challenges of data protection and digital theft. Similarly, foreign judicial pronouncements on data as property offer persuasive guidance that India can draw upon to strengthen its legal response to evolving cyber threats. Recognising unauthorised access to data as theft under property law and criminal law would align India with global standards of data protection, prevent economic losses, especially for corporations, and ensure stronger safeguards against the increasing risk of cybercrimes.
Conclusion and Way Forward
Data has become a vital economic resource in the digital age, but India’s legal system struggles to protect it adequately. The rules safeguarding data and intellectual property still have many gaps, even after improvements like the Personal Data Protection Act. Article 300A of the Constitution requires that data be regarded as property, although more specific legal recognition is required.
A significant step forward would be to restore digital property as a fundamental right under Article 31, similar to how traditional property rights were protected before their reclassification as constitutional rights. This would ensure the protection of data and intellectual property and would help bring India’s legal framework into compliance with global norms.
Data access without authorisation needs urgent legislative change. In 2023, India reported over 1.59 million cybersecurity incidents, and the average cost of a data breach rose to ₹17.9 crore, with social engineering and insider threats being major contributors. These breaches severely impact economic stability, consumer trust, and national innovation. Under Indian law, cybercrimes and data breaches must be specifically classified as theft. It would be easier to prosecute data theft and clarify legal interpretations if Section 303 of the BNS were amended to encompass digital property. This acknowledgement would increase legal remedies for victims of data breaches, discourage hackers, and fortify intellectual property protection.
Another suggestion is the creation of an independent Data Protection Authority having the power to investigate and punish. This authority would control cross-border data transfers and make sure that national laws are adhered to, especially when foreign businesses handle Indian individuals’ data.
To increase understanding and build confidence in the digital economy, public education on digital rights is crucial. In order to balance national interests with its commitments to international commerce, India’s legislative approach to data sovereignty should establish control over digital assets while encouraging international collaboration, maybe through data localisation requirements.
In conclusion, legislative changes that acknowledge digital property as a basic right, more precise definitions of data theft, and improved enforcement are all necessary for India’s journey towards robust data protection and sovereignty. These steps will safeguard citizens’ digital rights and ensure India remains competitive in the global digital economy.
The Author is a third year student of National Law Institute University, Bhopal.
Image Credits: Rostislav Uzunov
Constitutional Law Society 
Leave a comment