
LEGAL PERSPECTIVE IN INDIA ABOUT DATA HANDLING & BIG DATA SECURITY

Session: 15

FOR ACADEMIC PURPOSE (DR PREETI KHANNA) 1


Impactful Cybersecurity Facts and Stats: 2020 (big data and the risk associated with it)



1. 95% of cybersecurity breaches are caused by human error. (Cybint)
2. 68% of business leaders feel their cybersecurity risks are increasing. (Accenture)
3. Data breaches exposed 36 billion records in the first half of 2020. (RiskBased)
4. Between January 1, 2005, and May 31, 2020, there have been 11,762 recorded breaches. (ID Theft
Resource Center)
5. The average cost of a data breach is $3.86 million as of 2020. (IBM)
6. In 2020, a Twitter breach targeted 130 accounts, including those of past presidents and Elon Musk, and
resulted in attackers swindling $121,000 in Bitcoin through nearly 300 transactions. (CNBC)
7. In 2020, 500,000 stolen Zoom passwords were available for sale in dark web crime forums.
8. Companies reportedly spent $9 billion on preparing for the GDPR and, in 2018, legal advice and teams
cost UK FTSE 350 companies about 40% of their GDPR budget or $2.4 million. (Forbes)
9. Worldwide cybercrime costs will hit $6 trillion annually by 2021. (Cybersecurity Ventures)
10. Since 2016, the demand for Data Protection Officers (DPOs) has skyrocketed and risen over 700%, due to
the GDPR demands. (Reuters)
11. The cybersecurity unemployment rate is 0% and is projected to remain there through 2021. (CSO Online)
12. By 2021, 100% of large companies globally will have a CISO position. (Cybersecurity Ventures)



https://www.varonis.com/blog/cybersecurity-statistics/
RISK ASSOCIATED WITH SOCIAL MEDIA

BIG DATA SECURITY TECHNOLOGIES
•Encryption: Encryption tools need to work with different analytics toolsets and their output data,
and on common big data storage formats including relational database management systems
(RDBMS), non-relational databases like NoSQL, and specialized filesystems such as Hadoop
Distributed File System (HDFS).

•Centralized Key Management: Centralized key management has been a security best practice for
many years. It applies just as strongly in big data environments, especially those with wide
geographical distribution. Best practices include policy-driven automation, logging, on-demand
key delivery, and abstracting key management from key usage.

•User Access Control: Strong user access control requires a policy-based approach that automates
access based on user and role-based settings.

•Intrusion Detection and Prevention: Intrusion detection and prevention systems are security
workhorses.

•Physical Security: Physical security systems can deny data center access to strangers or to staff
members who have no business being in sensitive areas. Video surveillance and security logs will
do the same.
https://www.rd-alliance.org/group/big-data-ig-data-security-and-trust-wg/wiki/big-data-security-issues-challenges-tech-concerns
LEGAL PROVISIONS FOR HANDLING
DATA PRIVACY AND SECURITY
KEY LEGAL PROVISIONS GOVERNING PERSONAL DATA AND PRIVACY PROTECTION
The key legislations are as follows:
1. Information Technology Act, 2000.
2. The rules and regulations that govern the following sectors:
   1. Telecommunications.
   2. Banking.
   3. Medical and Healthcare.
   4. Insurance.
3. The Right to Information Act, 2005.
4. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
and the rules framed thereunder;
5. General Data Protection Regulation (GDPR, EU): The GDPR is the new EU legal framework governing
the use of personal data across the EU. It lays down rules relating to the protection of natural persons
with regard to the processing and free movement of personal data.
AMENDMENTS AS INTRODUCED BY THE IT AMENDMENT ACT, 2008
The following important sections have been substituted and inserted by the IT Amendment Act, 2008:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer Related Offences
3. Section 66A – Punishment for sending offensive messages through communication service, etc. (This provision
had been struck down by the Hon'ble Supreme Court as unconstitutional on 24th March 2015 in Shreya Singhal
vs. Union of India)
4. Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer resource.
7. Section 66E – Punishment for violation for privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in electronic form.
10. Section 67A – Punishment for publishing or transmitting of material containing sexually explicit act, etc, in
electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting children in sexually
explicit act, etc, in electronic form.
12. Section 67C – Preservation and Retention of information by intermediaries.
13. Section 69 – Powers to issue directions for interception or monitoring or decryption of any information
through any computer resource.
14. Section 69A – Power to issue directions for blocking for public access of any information through any
computer resource.
15. Section 69B – Power to authorize to monitor and collect traffic data or information through any
computer resource for cyber security.
16. Section 72A – Punishment for disclosure of information in breach of lawful contract.
17. Section 79 – Exemption from liability of intermediary in certain cases.
18. Section 84A – Modes or methods for encryption.
19. Section 84B – Punishment for abetment of offences.
20. Section 84C – Punishment for attempt to commit offences.
https://www.mondaq.com/india/Privacy/655034/Data-Protection-Laws-In-India--Everything-You-Must-Know
GDPR - GENERAL DATA PROTECTION REGULATION
Data protection principles: If you process data, you have to do so according to the seven protection and accountability principles outlined in Article 5.1-2:

Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the
data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the
data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for
the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for
the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate
security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR
compliance with all of these principles.
https://gdpr.eu/what-is-gdpr/
ONE REAL-WORLD EXAMPLE OF NOT ABIDING BY DATA
PRIVACY LAWS
Under the GDPR, companies need to apply the same level of data security to cookies as to stored
personally identifiable information such as social security numbers. Although the GDPR is an EU
regulation, it also applies to anyone that has dealings within the EU.

In January 2019, Google was fined $57M under the new GDPR law.

This shows that even the biggest companies are still struggling with what this means for them and how to
incorporate the right security and compliance measures within their business ecosystems.

The complaint came from a privacy group that accused Google of not properly adjusting its data
collection policies to the new GDPR regulations.



A NEW WAY FORWARD: PERSONAL DATA PROTECTION BILL 2019
“TO PROTECT PRIVACY”
▪Modeled on the basis of the legal framework drafted by a committee chaired by Justice B.N. Srikrishna,
the Personal Data Protection Bill is still on the table of the Parliament.

▪The Committee released a White Paper on Data Protection in 2017 ('White Paper'), and submitted its
final report titled 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians' ('the
Report') along with a draft law, 'The Personal Data Protection Bill, 2018' ('the Bill'), in July 2018.

▪A new Data Protection Bill was introduced in the Indian House of the People (i.e., the Lok Sabha) in
December, 2019 (the Bill).

▪The bill is modeled largely on existing frameworks for protecting privacy in other jurisdictions, including
the GDPR and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

▪The Bill amends the Information Technology Act, 2000, with more clarity with respect to defining
Sensitive Personal Data and Data Breach.



CATEGORIES OF DATA AS DEFINED

Personal data is data about or relating to a natural person who is directly or indirectly identifiable by:
• name
• contact details
• address
• educational details.

Sensitive personal data includes data such as:
• financial data/biometric data/genetic data
• health data
• official identifier
• sex life/intersex status
• sexual orientation/transgender status
• caste or tribe/religious or political belief or affiliation
• any other data categorised as sensitive personal data by the authority under concerned sectoral regulators.

Critical personal data:
Categories of personal data to be notified by the Central Government in the future.
Applicability
The Bill governs the processing of personal data by:
(i) government,
(ii) companies incorporated in India, and
(iii) foreign companies dealing with personal data of individuals in India.

Obligations of data fiduciary
Personal data can be processed only for specific, clear and lawful purpose.
Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
(i) implementing security safeguards (such as data encryption and preventing misuse of data)
(ii) instituting grievance mechanisms to address complaints of individuals.
(iii) They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.



Right of the Individual
The Bill sets out certain rights of the individual (or data principal). The right to:
(i) obtain confirmation on whether their personal data has been processed,
(ii) seek correction of inaccurate, incomplete, or out-of-date personal data,
(iii) have personal data transferred to any other data fiduciary in certain circumstances, and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

Data Protection Authority
The Bill sets up a Data Protection Authority to:
i. take steps to protect the interests of individuals
ii. prevent misuse of personal data
iii. ensure compliance with the Bill

Penalties for non-compliance
• Fines of up to INR 15 crore or 4% of the organization's total annual worldwide turnover
• Imprisonment for 3 years or a fine of INR 2 lakh or both for processing of de-identified personal data



CLEAR TAKEAWAYS FROM PDP BILL
▪The PDP bill seems to have a clear focus on empowering citizens by giving them considerably more
control over their data. The bill would certainly change the way Indians deal with and perceive their own
personal data and that of others.

▪Businesses would also have to deal with personal data more seriously, and would have to relook at all
their data processing activities. It would pave the way for a stronger data security and privacy control
framework and guidelines in India, similar to those established globally.

▪Reduce the risk of mass surveillance and other privacy harms by establishing limitations on the power of the central
government to issue exemptions under Chapter VIII of the Bill.

▪Revise provisions on the transfer of sensitive personal data and critical personal data outside India.
