IN
CYBER LAW & CYBER FORENSICS
Dissertation Report
Titled
DATA PROTECTION ON CYBER SPACE –
ISSUES AND CONCERNS
Submitted By
GURU PRASAD B R
(ID No: CLCF/999/19)
Jan 2022
ACKNOWLEDGEMENT
I, GURU PRASAD B R, student of Post Graduate Diploma in Cyber Law & Cyber Forensics,
would like to express my gratitude to the esteemed Law School of Global Status, National Law
School of India University, Bengaluru.
I would like to thank Dr.Nagarathna.A, Associate Professor, National Law School of India
University (NLSIU), Bengaluru for her guidance for my dissertation work entitled – Data
Protection on Cyber Space – Issues and Concerns, in parallel fulfilment of the course
requirement for the Post Graduate Diploma in Cyber Law and Cyber Forensics for the academic
year 2019 – 2020.
I would like to sincerely thank the Faculty members, Staff of Distance Education Department
(DED) and library at NLSIU in providing me all the support during this course.
Data Protection on Cyber Space – Issues and Concerns
DECLARATION
I, GURU PRASAD B R student of National Law School of India University (NLSIU) pursuing
Post Graduate Diploma in Cyber Law and Cyber Forensics (PGDCLCF) in Distance Education
Department, hereby declare that the submission of this dissertation – “Data Protection on Cyber
Space – Issues and Concerns”, is carried out entirely by me. I have utilized available
information on the topic through books, research papers, case laws, newspaper articles and
internet. After going through the material collected and information gathered through the
internet, I have analysed them and arrived at the conclusion by applying my own academic and
professional experience and ideas going into the future with this important area in the IT
industry.
I further acknowledge the relevant publications, their authors and other contributors to own their
respective copyright on their published material.
I hereby declare that the work on producing this report is original and entirely by me and that I have
not taken any assistance, direct or indirect, except for reviews, from anyone else. I also confirm
that I have neither borrowed nor copied from others’ work nor have I presented this partly or
fully to any other institution / college / university. I have complied with all the formalities
prescribed in this regard.
Table of Contents
Chapter Description
Abbreviations / Acronyms
List of Statutes
9 Conclusion
References
Abbreviations / Acronyms
NLSIU National Law School of India University
IT Information Technology
Vs / v Versus
Ors Others
IP Internet Protocol
EU European Union
GB GigaByte
List of Statutes
Sl.No. Title
1 Information Technology Act, 2000
Companies have always been collecting data on their customers, even before computers.
As per one of the co-founders of Starbucks, they used to write down the order of every single
person who came into the store and add it to a filing system. That way, when the customer came
back, they were able to tell them what they ordered the previous time to better cater to their
needs when they came back for a repeat purchase.
Data collection began in the 1980s with direct marketers wanting to take their businesses to the
next level with data-based personalization. With the arrival of consumer internet in the 1990s,
companies’ data collection efforts began ramping up exponentially.
Since the beginning of the new millennium, the world has witnessed the emergence of
eGovernance, social media, smartphones, ecommerce, online education. We have also witnessed
huge leaps in energy storage, artificial intelligence, and medical science.
Data is the new oil of the 21st century. We are in a digital economy where data is more valuable than
ever. Data has always existed but has now taken center stage. Data is more accessible than
ever, and the right technology exists to harness it. Though we have been on this road for a few decades now,
the new technologies of the last few years have helped to harness it, and the Data Age is here.
Data has become the key to smooth functioning, from government offices to local
companies. Without data, progress would halt. The current pandemic has shown how critical
data is, not only for business but for society at large. Many countries have recognized the value of data
and have leveraged it during the pandemic. With the shutdown of traditional mainstays of economic
life and employees working from home, data has been used innovatively to create entirely new
revenue streams.
Data is fundamentally transforming the way people do business, how they communicate and how
they make decisions. It is turning traditional business models on their head and bringing new
unused resources to the marketplace.
Take for example, Ola and Oyo – they both do not have any taxis or hotels of their own.
However, they have managed to tap the taxi network and hotels by connecting the owners with
customers with the help of data.
Data collection and storage have made jobs, business, and any form of work very easy. Some of the
known sectors are: government and national economy, entertainment, health care,
the financial sector and the educational sector.
Social data comes from the Likes, Tweets & Retweets, Comments, Video Uploads, and general
media that are uploaded and shared via the world’s favorite social media platforms. This kind of
data provides invaluable insights into consumer behavior and sentiment and can be enormously
influential in marketing analytics. The public web is another good source of social data, and tools
like Google Trends can be used to good effect to increase the volume of big data.
Transactional data is generated from all the daily transactions that take place both online and
offline. Invoices, payment orders, storage records, delivery receipts – all are characterized as
transactional data. Yet data alone is almost meaningless, and most organizations struggle to make
sense of the data that they are generating and how it can be put to good use.
Privacy Concerns
Since the beginning of the digital era, there has always been a section of digital users voicing their
concerns around data privacy. There were concerns raised against Lotus MarketPlace,
Households and DoubleClick. The former had 30,000 people out of 120 million opt out of its
database in 1990. This amounts to around 0.01% of the total population of the United States in 1990.
Today, 69% of consumers are concerned about how personal data is collected in mobile apps,
according to the Internet Society and Consumers International. That’s a huge jump when
compared to the 0.01% of consumers who opted out of the Lotus database.
The jump in privacy concerns is primarily a result of consumers becoming more
aware of how companies are using their data. Consumers previously did not fully grasp the
amount of their personal data that companies were collecting.
With news stories breaking like the Cambridge Analytica Scandal or the 4,395 data breaches
resulting in over 832,000,000 records being exposed from 2017 to 2019, as reported by Statista,
it’s hard for consumers to ignore the importance of protecting their data.
As the citizens of the world become netizens of the global village, transcending political
borders, the threats to their data and privacy are ever larger. The questions arise as to who owns the
data and whether they have rights over the data generated.
Security Concerns
In 2021, hackers published user data from 530 million Facebook users on an amateur hacking
forum. Facebook published a blog post that said the hackers had scraped data by exploiting a
vulnerability in an old feature on the platform that enabled users to find each other by searching
for their phone numbers.
According to Cisco, IoT will be generating 400 Zettabytes of data every year by 2018. Other
research shows the quantity of data will grow nearly 5x by 2025 and that a single individual
generates 1.7 megabytes of data per second.
Cyberattacks happen regularly, and they can happen to any type of business regardless of
size. More businesses today hold sensitive data, specifically personally identifiable information.
Whether it is someone’s financial data or their healthcare information, it needs to have the
proper security controls and security tools in place to protect it.
Business data includes customer information, payment information, sensitive files, banking
details, etc. It is important to protect customer data from attacks that can encrypt or destroy data,
such as ransomware, as well as attacks that can modify or corrupt customer data.
Losing this data to cybercriminals can have a huge impact on the customer and the business.
According to IBM’s “2019 Cost of a Data Breach Report”, the average total cost of a data breach
is $3.92 million. Healthcare is the most expensive industry for a data breach incident, costing
$6.45 million per attack.
Dark Net:
The "Dark Net," also known as the "Dark Web," is part of the greater "Deep Web," a network of
secret websites that exist on an encrypted network. It is the only network on the Internet (a set of
interconnected networks), wherein all network traffic is hidden.
It is accessed through special software, configurations and authorization and uses a customized
communication protocol. It mainly takes two forms: peer-to-peer networks or anonymized proxy
networks such as The Onion Router (TOR). Due to their specialized access methods they remain
hidden from regular search engine indexers and are not directly accessible by regular browsers.
Unlike the Surface Web, connections in the Deep Web are only made between trusted peers that
are required to be part of the hidden network. Thus, websites are dynamic and mostly in a
continuous change of servers, meaning that one link might lead to something at a particular time,
and at another time it might lead to something else or nothing.
Due to its anonymous nature, the dark net has become a place for illicit activities involving
trading of contraband items such as drugs, arms, etc., illegal file sharing, pornographic material,
hackers and access to stolen financial and personal data, among other things. The rising numbers
of cybercrimes are often traced to the dark net.
Anything which is beyond the regulatory control of governments is a potential threat to the
government. The Dark Net, due to its anonymous nature, is beyond the control of government. The Dark
Net is used to bypass government scrutiny over communication. It is generally used by privacy-
conscious individuals. However, as it provides pure anonymity, it is also used for activities that
are detrimental to state and society, such as terrorism, drug dealing, etc.
The existence of the dark net and its associated technical infrastructure has led to the popularity of
crypto-currencies such as Bitcoin. They are beyond the regulations of the central banks of nation states.
Originally a niche medium of exchange for the technology community, Bitcoins emerged in
2011 as the currency of choice for drug dealers conducting transactions on a dark-web site
known as the Silk Road. Over the past five years, the combination of an encrypted network
hidden from most of the world and a transactional currency that is nearly untraceable by law
enforcement officials has evolved (Kumar & Rosenbach, 2019).
The law enforcement agencies face technical challenges in countering crime on Dark Net. This is
due to the requirement of specialized techniques and many levels of authentications that they
need to break. The activities on the dark net violate many laws, and the privacy of individuals
is one of the main casualties. Crimes like child pornography, human trafficking, illegal drugs,
money laundering etc., happening on the Dark Net take on a new dimension, requiring not only
criminology knowledge but also domain expertise in cyber forensics and cyber law.
The need of the hour is capacity building and innovation within the law enforcement agencies to
tackle new challenges posed by the technology. There are cases where authorities have
successfully cracked cases of crime on the Dark Net (India’s first ‘Dark Net’ narcotics operative
held, 2020). The global organization INTERPOL held its first Dark Net and Crypto-Currencies
working group meeting in 2018. With more people getting online in India, there has to be
commensurate development in expertise dealing with misuse of cyberspace.
Additionally, recent security research suggests most companies have unprotected data and poor
cybersecurity practices in place, making them vulnerable to data loss.
14. And the average lifecycle of a breach was 280 days from identification to
containment. (IBM)
15. Personal data was involved in 58% of breaches in 2020. (Verizon)
16. Security breaches have increased by 11% since 2018 and 67% since 2014.
(Accenture)
17. 64% of Americans have never checked to see if they were affected by a data breach.
(Varonis)
18. 56% of Americans don’t know what steps to take in the event of a data breach.
(Varonis)
19. The average ransomware payment rose 33% in 2020 over 2019, to $111,605. (Fintech
News)
20. In 2018, an average of 10,573 malicious mobile apps were blocked per day.
(Symantec)
21. 94% of malware is delivered by email. (CSO Online)
22. The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
23. 48% of malicious email attachments are office files. (Symantec)
24. Ransomware detections have been more dominant in countries with higher numbers
of internet-connected populations, and the U.S. ranks highest with 18.2% of all
ransomware attacks. (Symantec)
25. Most malicious domains, about 60%, are associated with spam campaigns. (Cisco)
26. About 20% of malicious domains are very new and used around one week after they
are registered. (Cisco)
27. After declining in 2019, phishing increased in 2020 to account for 1 in every 4,200
emails. (Symantec)
28. 65% of groups used spear-phishing as the primary infection vector. (Symantec)
29. 1 in 13 web requests lead to malware. (Symantec)
30. Phishing attacks account for more than 80% of reported security incidents. (CSO
Online)
31. $17,700 is lost every minute due to a phishing attack. (CSO Online)
32. By 2023, the total number of DDoS attacks worldwide will be 15.4 million. (Cisco)
33. Attacks on IoT devices tripled in the first half of 2019. (CSO Online)
34. Malicious PowerShell scripts blocked in 2018 on the endpoint increased 1,000%.
(Symantec)
35. The Mirai-distributed DDoS worm was the third most common IoT threat in 2018.
(Symantec)
36. 30% of data breaches involve internal actors. (Verizon)
37. IoT devices experience an average of 5,200 attacks per month. (Symantec)
38. 90% of remote code execution attacks are associated with cryptomining. (Purplesec)
39. 69% of organizations don’t believe the threats they’re seeing can be blocked by their
anti-virus software. (Ponemon Institute’s Cost of Data Breach Study)
40. 1 in 36 mobile devices have high-risk apps installed. (Symantec)
41. WannaCry ransomware attack cost the National Health Service (NHS) over $100
million. (Datto)
42. The healthcare industry lost an estimated $25 billion to ransomware attacks in 2019.
(SafeAtLast)
43. More than 93% of healthcare organizations experienced a data breach in the past
three years. (Herjavec Group)
44. Worldwide cybercrime costs will hit $6 trillion annually by 2021. (Cybersecurity
Ventures)
45. Ransomware damage costs will rise to $20 billion by 2021 and a business will fall
victim to a ransomware attack every 11 seconds at that time. (Cybersecurity
Ventures)
46. Damage related to cybercrime is projected to hit $10.5 trillion annually by 2025.
(Cybersecurity Ventures)
47. More than 70 percent of security executives believe that their budgets for fiscal year
2021 will shrink. (McKinsey)
48. Since the pandemic began, the FBI reported a 300% increase in reported cybercrimes.
(IMC Grupo)
49. 27% of COVID-19 cyberattacks target banks or healthcare organizations and
COVID-19 is credited for a 238% rise in cyberattacks on banks in 2020. (Fintech
News)
50. Confirmed data breaches in the healthcare industry increased by 58% in 2020.
(Verizon)
51. 33,000 unemployment applicants were exposed to a data security breach from the
Pandemic Unemployment Assistance program in May. (NBC)
52. Americans lost more than $97.39 million to COVID-19 and stimulus check scams.
(Atlasvpn)
53. In April 2020, Google blocked 18 million daily malware and phishing emails related
to Coronavirus. (Google)
54. 52% of legal and compliance leaders are concerned about third-party cyber risks due
to remote work since COVID-19. (Gartner)
55. Remote work has increased the average cost of a data breach by $137,000. (IBM)
56. 47% of employees cited distraction as the reason for falling for a phishing scam while
working from home. (Tessian)
57. 81% of cybersecurity professionals have reported their job function changed during
the pandemic. (ISC)
58. Half a million Zoom user accounts were compromised and sold on a dark web forum
in April 2020. (CPO Magazine)
59. Cloud-based cyber-attacks rose 630% between January and April 2020. (Fintech
News)
60. Remote workers have caused a security breach in 20% of organizations.
(Malwarebytes)
Today, there are more than 120 countries already engaged in some form of international privacy
laws for data protection to ensure that citizens and their data are offered more rigorous
protections and controls. With the process, it’s clear that international privacy laws for data
protection will continue to evolve and develop to ensure personal data protection across all use
cases and situations, even those that have yet to present themselves.
In 2018, the General Data Protection Regulation (GDPR) broke ground as the most forward
thinking and extensive legal provision for the protection of personal data and its ongoing
security. This law is an international privacy law for data protection that impacted any
organization that processed any personal data from any EU citizen. It set the standard and has
shaped the trends that dominate this sector today.
Some of the countries that currently have international privacy laws for data protection:
Europe – The GDPR law was less a localized layer of security and compliance and more an
international privacy law for data protection that impacted any organization that processed any
personal data from any EU citizen. Today, with global enforcement of security and data
protection controls, the future of data protection is defined by stricter regulations, bigger fines,
and more reputational damage if compliance is ignored. After several companies ignored the
GDPR and some were hit by extensive fines, organizations sat up and paid attention. The
enforcement of GDPR and the hefty fines, and reputational damage that came with them, has
meant that organizations are facing a challenging time. They have to be compliant, and they need
the right support to achieve it.
USA – While the country doesn’t have formal laws at the federal level, there is some federal
legislation that protects data on a more general level. With the devolution of power to the state
level, several US states have created their own data-related laws. California’s legislation is
considered among the most forward thinking with the California Consumer Privacy Act
(CCPA) providing robust privacy rights and consumer protection. The law allows for residents of
the state to establish precisely how their personal data is being collected and what it is being used
for. Other states with bills in place, or in the process of being passed, include Alabama,
Connecticut, Florida, New York, Washington, Illinois, Texas and Virginia. A comprehensive list
of the US privacy laws and their status can be found here.
Brazil - has the General Data Protection Law that supports and supplements the extensive list of
more than 40 data privacy-related laws that have been implemented over the years. This
legislation irons out the conflicts between the different laws, clearly defines the concepts of
personal data and public data, outlines clear liabilities, and is applied to all sectors of the country.
This regulation also requires that companies adopt Data Protection Officers, have rigorous
security protocols in place, and upgrade security measures to ensure comprehensive
compliance. Brazil’s Lei Geral de Proteção de Dados (LGPD) came into effect on September
18th last year and creates a legal framework for the use of personal data of individuals in Brazil,
regardless of where the data processor is located. However, its administrative sanctions are likely
only to be enforced from August 2021, making this year the testing ground for how the
Autoridade Nacional de Proteção de Dados (ANPD), will enforce the LGPD.
Bahrain - has the Data Protection Law that has the honor of being the first of its kind to be
introduced in the Middle East and that provides individuals with rights concerning how their data
is collected, processed and stored.
The Philippines has the Data Privacy Act of 2012 that has many of the components that define
the EU Data Protection Directive and that ensures the protection of personal information by
organizations.
global privacy principles and offers consumers significant protection for their personal
information. The Digital Charter Implementation Act (DCIA) was introduced by the Canadian
Minister of Information, Science and Economic Development on 17 November 2020. If this
passes, it will replace PIPEDA and introduce several interesting changes to privacy legislation in
the country. This includes a private right to action and fines that could exceed those of the
GDPR. This is set to be reviewed in 2021.
United Kingdom - the GDPR will apply until 31 July 2021 and thereafter different regulations
will apply thanks to Brexit. However, the Data Protection Act 2018 has already implemented the
requirements of the EU’s GDPR into UK law from 01 January 2021. The Data Protection,
Privacy, and Electronic Communications (DPPEC) Regulations of 2019 changed the DPA 2018
with the GDPR to create a holistic, UK-specific data protection system that applies within the
UK context and is known as the UK GDPR.
(PIPEDA)
Scope of GDPR
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when
more people are entrusting their personal data with cloud services and breaches are a daily
occurrence.
The official GDPR text comprises 11 chapters with a total of 99 articles. They cover aspects
such as material and territorial scope, principles governing GDPR, rights of data subjects,
obligations of controller and processors of personal data, movement of data between countries
and international organizations, remedies and penalties in case of violations, regulatory and
supervisory framework among other relevant aspects.
When you process the personal data of EU citizens or residents, or offer goods or services to such
people, then the GDPR applies even if you’re not in the EU. For example, you may be an Indian
software company based in Bengaluru, providing web solutions. But if you track and analyze EU
visitors to your company’s website, then you may be subject to the provisions of the GDPR.
The fines for violating the GDPR are very high. There are two tiers of penalties, which max out
at €20 million or 4% of global revenue (whichever is higher), plus data subjects have the right to
seek compensation for damages.
GDPR applies for members in the European Union (EU) and the European Economic Area
(EEA). It also deals with transfer of personal data outside the jurisdiction by requiring the
foreign entities to adhere to GDPR when they deal with data related with the individual and
businesses resident in the EU and EEA regions.
Principles of GDPR
Article 5 of the GDPR mentions the seven key principles that should guide the manner in which
the personal data of the user is handled by the data processors and controllers. GDPR's seven
principles are:
1. Lawfulness, fairness, and transparency: Data controllers must ensure that personal data
is processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Purpose limitation: This principle mandates that data is collected for specified, explicit
and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes shall not be considered to be
incompatible with the initial purposes.
3. Accuracy: It must be ensured that the data collected is accurate and, where necessary,
kept up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or
rectified without delay.
4. Storage limitation: Personal data must be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data
are processed; personal data may be stored for longer periods insofar as the personal data
will be processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes subject to implementation of the
appropriate technical and organizational measures required by the GDPR in order to
safeguard the rights and freedoms of individuals.
5. Data minimization: This requires that organizations shouldn't collect more personal data
than they need from their users. They should identify the minimum amount of personal
data required to fulfill the purpose and only that much information is to be held by them.
6. Security of data: Data processors and controllers must ensure that personal data is
protected against unauthorized or unlawful processing, as well as accidental loss,
destruction or damage.
7. Accountability: The organizations dealing with the personal data are responsible and
accountable for ensuring all the guidelines mentioned in GDPR are followed. To ensure
this they need to build their capacities by getting trained in the GDPR framework and
essential technical requirements.
With the entry into force of the GDPR, all the stakeholders must ensure that they abide by the
regulations. Failure to do so will attract hefty penalties provided for under the regulations. It
creates a legal obligation on all entities having access to personal data of members of the EU and
EEA to ensure they follow the principles mentioned above. They are required to take necessary
steps to make themselves capable of abiding by the regulations.
Even those entities which reside outside EU are impacted by GDPR. The whole point of the
GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to
organizations that handle such data whether they are EU-based organizations or not, known as
“extra-territorial effect” (GDPR.EU, 2018).
Benefits of International Privacy Regulation
Data protection ultimately focuses on protecting data and information from both internal and
external threats. It mitigates the risks of fraud, compromise and corruption, and protects the
individual.
As the amount of data being stored and created continues to increase exponentially, increased
data protection has become critical, and indispensable.
This has driven international data protection laws, and offers the following benefits:
Valuable data is protected from leaks, loss and theft
Companies can increase confidence from public, investors and customers
Brand value is inherent and implicit in a robust policy and framework
Good governance improves a company’s competitive advantage
The Constitution of India did not have provisions to protect the right to privacy with respect to
fundamental rights, as it was not such a concerning issue while framing the Constitution. But the
IT Act 2000 helps to address this issue of data protection. Sections 43A and 72A of the
Information Technology Act, 2000, together with the rules made, deal with the right to compensation
for improper disclosure of personal information. The AADHAAR Act has some provisions
for restricting the sharing of personal sensitive data of residents.
In the landmark 2017 case of Justice K. S. Puttaswamy (Retd.) and Anr. Vs Union of India and Ors.,
a nine-judge constitutional bench of the Supreme Court unanimously held,
with conclusive, unambiguous and emphatic determination, that the right to privacy is a part of
fundamental rights which can be traced to Articles 14, 19 and 21 of the Constitution of India.
The government formed a high-level committee under the chairmanship of Justice B N Sri
Krishna (Retd) with a mandate to evolve guiding principles for data protection in India and come
up with a draft data protection bill. The committee submitted its report along with the draft bill.
The government, in the light of the recommendations of the committee, came up with a data
protection bill which is currently introduced in the parliament. This bill envisages a
comprehensive model for data protection in India.
The Government of India is working closely to deal with cyber security issues. Many initiatives, like
CERT-In, NCIIPC, website and application audits, a crisis management plan, regular training and
the PDP bill, are in place and ready to tackle any security issues.
Following are the major cyber security initiatives by the Government of India to maintain cyber
security, to mitigate the risks and to tackle any cyber threats -
threats. In September 2019 CERT-In reported on the Necurs malware and also published an advisory on
a fake income tax calculator.
NCIIPC was founded in 2014 with the main aims of defending critical information infrastructure and
minimizing risk and vulnerabilities. The NCIIPC organization was created under section 70A of the IT
Act 2000.
To scan, detect and clean any botnet malware infections, the Government of India, under MeitY,
launched the Cyber Swachhta Kendra initiative to maintain cybersecurity and a safe cyber
environment. It works for mobile and computer devices. It has tools like M-Kavach,
AppSamvid, USB Pratirodh, and Botnets.
To make sure there are no malicious files or hidden viruses injected into website files or
application files, MeitY has asked for the entire website to be audited before it is uploaded to the main server,
and for regular audits to be conducted at intervals thereafter. The Government of India’s initiative to audit
department websites on a regular basis will mitigate cyber security disturbances. To get
the website and application audit task done, many cyber security firms have been empanelled
with the Government of India.
To counter cyber-attacks and to mitigate cyber risk, the Government of India has formed a
Crisis Management Plan. Ministries and Central and State departments will implement crisis
management plans in critical sectors.
Technology is changing daily, so cybercriminals too are upgrading their attack methods with
advanced technologies. Cyber security administrators need to stay updated on the latest
advancements and security trends, and it is necessary to regularly upgrade skills and
knowledge. The Government of India has announced regular training programs for
CISOs and network and system administrators to deal with advanced cyber security threats.
The Personal Data Protection Bill draft 2019 proposes that personal data be stored within India
only; it cannot be held abroad without the approval of the Data Protection Agency, and critical
data cannot go abroad.
The Personal Data Protection Bill 2019 proposes heavy penalties for any violation: INR 5 crores
for a minor violation and INR 15 crores for a serious violation, and organization executives can
also face a jail term.
The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of
Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The
Bill seeks to provide for protection of personal data of individuals, and establishes a Data
Protection Authority for the same.
Applicability: The Bill governs the processing of personal data by: (i) government, (ii)
companies incorporated in India, and (iii) foreign companies dealing with personal data of
individuals in India. Personal data is data which pertains to characteristics, traits or attributes of
identity, which can be used to identify an individual. The Bill categorises certain personal data
as sensitive personal data. This includes financial data, biometric data, caste, religious or
political beliefs, or any other category of data specified by the government, in consultation with
the Authority and the concerned sectoral regulator.
Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means
and purpose of processing personal data. Such processing will be subject to certain purpose,
collection and storage limitations. For instance, personal data can be processed only for specific,
clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency
and accountability measures such as: (i) implementing security safeguards (such as data
encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to
address complaints of individuals. They must also institute mechanisms for age verification and
parental consent when processing sensitive personal data of children.
Rights of the individual: The Bill sets out certain rights of the individual (or data principal).
These include the right to: (i) obtain confirmation from the fiduciary on whether their personal
data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal
data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary
or consent is withdrawn.
Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if
consent is provided by the individual. However, in certain circumstances, personal data can be
processed without consent. These include: (i) if required by the State for providing benefits to
the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.
Social media intermediaries: The Bill defines these to include intermediaries which enable
online interaction between users and allow for sharing of information. All such intermediaries
which have users above a notified threshold, and whose actions can impact electoral democracy
or public order, have certain obligations, which include providing a voluntary user verification
mechanism for users in India.
Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take
steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure
compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’
expertise in the field of data protection and information technology. Orders of the Authority can
be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Transfer of data outside India: Sensitive personal data may be transferred outside India for
processing if explicitly consented to by the individual, and subject to certain additional
conditions. However, such sensitive personal data should continue to be stored in India. Certain
personal data notified as critical personal data by the government can only be processed in India.
Exemptions: The central government can exempt any of its agencies from the provisions of the
Act: (i) in interest of security of state, public order, sovereignty and integrity of India and
friendly relations with foreign states, and (ii) for preventing incitement to commission of any
cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of
personal data is also exempted from provisions of the Bill for certain other purposes such as: (i)
prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii)
journalistic purposes. However, such processing must be for a specific, clear and lawful
purpose, with certain security safeguards.
Offences: Offences under the Bill include: (i) processing or transferring personal data in
violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the
fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of
five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-
identification and processing of de-identified personal data without consent is punishable with
imprisonment of up to three years, or fine, or both.
Sharing of non-personal data with government: The central government may direct data
fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where
it is not possible to identify data principal) for better targeting of services.
Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete
the provisions related to compensation payable by companies for failure to protect personal data.
Although the objective of the government is to protect the privacy and personal data
of the citizens, the changes introduced in the bill deviate widely, leading to its criticism by none
other than Justice (Retd) B N Sri Krishna himself.
The committee had recommended watertight and narrow exemptions for the state and its agencies,
allowing exemption from data protection law only in limited circumstances. However, in its
current form the bill provides wide powers to the Government to dilute any of these
provisions for its agencies. This is completely contrary to the committee’s recommendations,
which sought to bring in a law for the oversight of intelligence-gathering activities, the means by
which non-consensual processing of data takes place. A similar recommendation was also
provided by the task force formed for intelligence reforms by the Institute for Defense Studies and
Analysis (IDSA). However, the bill disappoints in this aspect. On this aspect Justice (Retd) B N
Sri Krishna commented that the bill in its current form will lead to an “Orwellian State and Big Brother
looking at you”. Another concern with the bill is the formation of the Data Protection Authority
(DPA) as recommended by the committee. The bill seeks to establish DPA with a Chairperson
and maximum of six whole-time members all of whom are to be selected by a panel filled with
Government nominees. This completely disregards the fact that Government agencies are also
regulated under the Act, and thereby the independent and neutral nature of the adjudicating authority is
lost.
If the bill is enacted, then the benefits derived from the landmark judgment of the Supreme Court in the K
S Puttaswamy case will be rendered meaningless, and it will be a lost opportunity to have a framework
which is robust and safeguards privacy.
Important areas where PDPB (Personal Data Protection Bill) differs from GDPR
In terms of Territorial scope: The PDPB’s scope of application is potentially broader than that of
the GDPR, as an entity may fall within scope merely by processing personal data in India (e.g.,
even through the use of a processor in India). However, this broad scope of application may be
narrowed should the government exercise its authority to exempt such processing activities.
With respect to lawfulness of processing, the PDPB places greater emphasis on the role of
consent; however, consent under the PDPB is more closely linked to transparency than GDPR’s
concept of consent, which emphasizes specific and meaningful control.
The PDPB’s storage limitation provisions are also more specific than those under GDPR:
1. Unlike GDPR, which permits retaining the data in a form that no longer identifies an
individual, the PDPB requires deletion.
2. The PDPB also requires data fiduciaries to conduct periodic reviews of whether personal
data must be retained.
The PDPB distinguishes between two separate rights — one for erasure and one for restricting
the disclosure of personal data (i.e., the right to be forgotten). Unlike the GDPR, the PDPB
places responsibility for determining the scope of application of the right to be forgotten on
adjudicating officers appointed by the DPA (Data Protection Authority), rather than the
controller. By requiring adjudicating officers to consider a number of contextual factors and to
balance various interests, it is likely that the PDPB right to be forgotten will be interpreted more
narrowly than the corresponding GDPR right.
The PDPB grants the government broad authority to exempt itself and its agencies from any or
all requirements. The purposes for which a government agency may be exempted include “incitement” of
offences against the state, which could conflict with rights of association and free expression.
The GDPR is being adopted at a time when the Supreme Court (SC) recognized the concept of
informational privacy and noted that legislation should be enacted to ensure enforceability against
non-state actors (Private Entities).
This indicates that future data protection legislation in India will share
several commonalities with the GDPR.
From this perspective, GDPR compliance may be considered an opportunity for Indian
companies to achieve early compliance with potential Indian Data Privacy legislation.
The users of eGovernance make use of the services online, without stepping out of their homes,
minimizing the long queues at the offices of the public sector, thereby saving transportation costs
and time with an alternate delivery of services with efficiency and effectiveness.
eGovernance is the outcome of the efforts made by governments to improve relations
with their citizens. With its inherent openness and transparency, given the principles
of the Internet, eGovernance brings governments closer to their citizens. Consequently,
eGovernance has a larger social dimension, as it ensures a wider and more representative
democracy. In a knowledge economy, competitive advantage depends on the ability to adapt to the
changing environment through the continuous generation and use of new knowledge.
Most eGovernance activities are focused on citizens, either directly or
indirectly, which is one of the interlinkages. All the networks and the directly possible
interlinked eGovernance activities are given below.
The outline above gives a layered approach for the integration of eGovernance benefits
and for advancing them with proper transformation. As shown above, the transformation involves four
networks and six results across these four networks. The principal objective is to have
eGovernance with sustainable development in every one of these results.
Reference: https://etaal.gov.in/etaal2/auth/centralchart.aspx
While data can be put to beneficial use, the unregulated and arbitrary use of data, especially
personal data, has raised concerns regarding the privacy and autonomy of an individual. This was
also the subject matter of the landmark judgement of the Supreme Court, which recognized the
right to privacy as a fundamental right.
Aadhaar
It is described as a ‘Unique Identity’ and the authority which enrolls a person and at whose
behest the Aadhaar Card is issued is known as Unique Identification Authority of India. It has
become a symbol of digital economy and has enabled multiple avenues for a common man.
With an objective of providing targeted delivery of services especially under Public Distribution
System (PDS), preventing leakages and reducing wastages the central government launched
Aadhaar in 2009 by establishing Unique Identification Authority of India (UIDAI). Aadhaar
number is a 12-digit random number issued by the UIDAI (“Authority”) to the residents of India
after satisfying the verification process laid down by the Authority. Any individual, irrespective
of age and gender, who is a resident of India, may voluntarily enroll to obtain Aadhaar number
(UIDAI, 2016).
There has been much debate surrounding the objectives of Aadhaar, the mode of using it, the
privacy concerns that the project entails, and the manner in which it was provided statutory backing
by passing the legislation as a money bill, thereby skipping scrutiny by the Rajya Sabha (Council of
States; Upper House), among other issues, as well as the court cases and Public Interest Litigations
(PILs) involving it.
Scope of Aadhaar
Under Section 7 of the original Act, Aadhaar authentication can be used to establish the identity of
an individual for the grant of ‘Subsidies, Benefits and Services’ whose expenditure is incurred
from the Consolidated Fund of India (CFI).
Initially Aadhaar started as pilot project for Direct Benefit Transfer (DBT) to Beneficiary
Accounts under PDS. Later its scope was expanded to include many more services such as
MNREGA wages, Scholarships, Pensions, e-KYC document, etc. Today Aadhaar enabled direct
benefit transfer is implemented in over 400 schemes by both Central and the State governments.
Some of them include biometric attendance systems in government offices since 2014, the linking of
Provident Fund accounts to Aadhaar, and the linking of the Permanent Account Number (PAN) issued by
the Income Tax Department to Aadhaar for tax purposes, among other uses. Aadhaar is becoming
the de facto identity document in India, although it is proposed and proclaimed to be voluntary on
the part of citizens to enroll for it.
Aadhaar is technically a voluntary, consent-based unique identity system. An individual who enrolls
for Aadhaar willingly provides biometric and demographic information to the UIDAI. There
is an element of consent involved in enrollment for getting an Aadhaar number by an individual.
However, time and again there have been privacy concerns raised over the manner in which
personal data under Aadhaar would be processed. The main privacy concerns are as below.
1. Identity Theft: Biometric information is not secret information. There is possibility of
illegally harvesting the data leading to biometric and identity frauds.
2. Data Processing and Identification without Consent: Possible unauthorized use of
Aadhaar database to identify people illegally without the consent of Aadhaar holders.
3. Correlation of Identities across Domains: National Social Registry plans to create a 360
degree profile of citizens using Aadhaar. This is a mass surveillance project without
consent by the individual to use his or her personal data.
4. Aadhaar doesn’t record the purpose of authentication.
The PIL filed in the Supreme Court by the retired Karnataka High Court judge K S Puttaswamy
against the Aadhaar project led to a landmark judgment declaring privacy to be a fundamental
right in India under Article 21 of the constitution.
The State while enlivening right to food, right to shelter etc., envisaged under Article 21
cannot encroach upon the right of privacy of beneficiaries nor can former be given
precedence over the latter.
The nine Judge Bench judgment has given a unanimous answer to the Reference with
conclusive, unambiguous and emphatic determination that right to privacy is a part of
fundamental rights which can be traced to Articles 14, 19 and 21 of the Constitution of India.
There have been several instances where Aadhaar has come under scrutiny for improper use and
data breach. A few of them are listed below.
1. In 2019 Aadhaar details of about 7.82 crore Indians from the states of Andhra Pradesh and
Telangana were found on private firm IT Grids’ database (Report, 2019). According to
the same source about 30 First Information Reports (FIRs) have been lodged by UIDAI
since the enactment of Aadhaar Act in 2016.
2. Aadhaar data was directed to be given to law enforcement agencies to solve crime
without consent. Supreme Court restricted sharing of the database with Central Bureau of
Investigation (CBI) in a crime case (Report, Stop Aadhaar data use to probe crime:
UIDAI to SC, 2014).
3. Largest public sector bank State Bank of India (SBI) alleged that Aadhaar platform was
misused to generate unauthorized Aadhaar cards (Arora & Kumar, 2019).
4. As per data reported by Public Sector Banks (PSBs), there have been incidents of money
being fraudulently withdrawn from bank accounts using the customers’ Aadhaar number
in a few banks, Shiv Pratap Shukla, the minister of state for finance, told the Rajya Sabha
in a written reply on February 6, 2018.
5. About 100GB volume of personal data of Indians which along with other details included
Aadhaar information was up for sale on dark web (100 GB of Indians’ data up for sale on
dark web, 2020).
The fundamental right to privacy is breached by the Aadhaar project and the Aadhaar Act in
numerous ways. Following are the illustrations given by the petitioners:
1. Between 2009-10 and July 2016 the project violated the right to privacy with respect to
personal demographic as well as biometric information collected, stored and shared as
there was no law authorizing these actions.
2. During both the pre-Act and post-Act periods, the project continues to violate the right to
privacy by requiring individuals to part with demographic as well as biometric
information to private enrolling agencies.
3. By enabling private entities to use the Aadhaar authentication platform, the citizen’s right
to informational privacy is violated inasmuch as the citizen is compelled to ‘report’
his/her actions to the State.
4. Even where a person is availing of a subsidy, benefit or service from the State, mandatory
authentication through the Aadhaar platform (without an option to the citizen to use an
alternative mode of identification) violates the right to informational privacy.
5. With Aadhaar being made compulsory for holding a bank account, operating a cell
phone, having a valid PAN, holding mutual funds, securing admission to school, taking a
board examination, etc. the citizen has no option but to obtain Aadhaar. Compelling the
citizen to part with biometric information violates individual autonomy and dignity.
6. In a digital society an individual has the right to protect himself by controlling the
dissemination of personal information, including biometric information. Compelling an
individual to establish his identity by planting her biometric at multiple points of service
violates privacy involving the person.
7. The seeding of Aadhaar in distinct databases enables the content of information about an
individual that is stored in different silos to be aggregated. This enables the State to build
complete profiles of individuals violating privacy through the convergence of data.
Since its inception the Aadhaar has faced several legal hurdles. They include the implicit and
subtle mandatory nature of imposition, lack of legislation till 2016 during its existence, privacy
debate surrounding the use of personal data among other things.
The nine-judge constitutional bench held privacy to be a fundamental right. Accordingly, the
government and UIDAI now have to ensure that the privacy of individuals who have enrolled for
Aadhaar is not violated. At the same time the Supreme Court has upheld the constitutional validity
of Aadhaar and clarified areas in which it cannot be made mandatory. In doing so the emphasis
was on resorting to the original intent of the program: to plug leakages in subsidy schemes and to
have better targeting of welfare benefits (Editorial, Aadhaar survives, 2018).
The Court sought to limit the scheme to aspects directly related to welfare benefits, subsidies and
money spent from the Consolidated Fund of India. Thus all those circulars and notifications
which made Aadhaar mandatory to be linked with mobile and bank accounts have been declared
unconstitutional. Section 57 of the Aadhaar Act, 2016, has been struck down to the extent that it
authorized body corporates and individuals to use the Aadhaar number to establish someone’s
identity without the consent of the individual possessing Aadhaar (Editorial, Aadhaar survives,
2018).
The mandate of the committee was to identify key data protection issues and recommend
methods for addressing them. Additionally, it was tasked with coming up with a draft data protection
bill. The committee gave its recommendations in the form of a report titled “A Free and Fair Digital
Economy – Protecting Privacy, Empowering Indians”.
Context
India has been passing through a crucial stage in the digital front. There are about 500 million
users connected online as of 2019 (IAMAI, 2020). Government has provided impetus to internet
penetration and growth in size through sustained campaign on Digital India.
At the same time awareness about legal rights of the users who generate data and the associated
privacy aspects was forthcoming. In 2017 the Supreme Court pronounced a landmark verdict
which recognized privacy as a fundamental right under Article 21 of the Indian
constitution. Globally too, the adoption of the General Data Protection Regulation (GDPR) by the
European Union (EU) provided insights into principles governing data protection for policy
makers in India. Scandals like Cambridge Analytica and rising cyber incidents surrounding
personal data made it clear that India should soon adopt personal data protection regulation to
protect the citizens and ensure their liberty is upheld. It is in the above context that the government
formed a ten-member high-level committee under Justice (Retd) B N Sri Krishna to identify data
protection issues and come up with a draft bill on data protection for India.
Key Highlights
The following are the key recommendations of Justice B N Sri Krishna committee on Data
Protection.
1. The individual who produces the data is called the Data Principal.
2. A data fiduciary is an entity or individual who decides the means and purpose of
processing personal data. Such processing will be subject to certain purpose, collection
and storage limitations.
3. The law will have jurisdiction over the processing of personal data if such data has been
used, shared, disclosed, collected or otherwise processed in India.
4. It will cover personal data used by companies incorporated under Indian law, irrespective
of data being processed in India or not.
5. The law will cover processing of personal data by both public and private entities.
6. The data protection law will set up a Data Protection Authority (DPA) which will be an
independent regulatory body responsible for the enforcement and effective
implementation of the law. The Central Government shall establish an appellate tribunal
or grant powers to an existing appellate tribunal to hear and dispose of any appeal against
an order of the DPA.
7. Sensitive personal data will include Passwords, Financial Data, Health Data, Official
Identifier, Sex Life, Sexual Orientation, Biometric and Genetic Data, Data that reveals
Transgender Status, Intersex Status, Caste, Tribe, Religious or Political Beliefs or
Affiliations of an Individual. However, the DPA will be given the residuary power to
notify further categories as per law.
8. Consent will be a lawful basis for processing of personal data. However, the law will
adopt a modified consent framework which will apply a product liability regime to
consent thereby making the data fiduciary liable for harms caused to the Data Principal.
9. The state can process data without consent of the user on ground of public welfare, law
and order, emergency situations where the individual is incapable of providing consent,
employment, and reasonable purpose.
10. Cross border data transfers of personal data, other than critical personal data, will be
through model contract clauses containing key obligations with the transferor being liable
for harms caused to the principal due to any violations committed by the transferee.
Personal data determined to be critical will be subject to the requirement to process only
in India (There will be a prohibition against cross border transfer for such data).
Penalties will be imposed for violating the data protection regulations.
11. Adopting Data Protection Framework should entail corresponding amendments in the
allied legislations such as Aadhaar Act, 2016; RTI Act.
12. Data localization: Personal data needs to be stored on servers located within India and
transfers outside the country will need to be subject to safeguards. Critical personal data,
however, will only be processed in India.
13. The Committee on Data Privacy has made specific mention of the need for separate and
more stringent norms for protecting the Data of Children, recommending that companies
be barred from certain types of data processing such as behavioral monitoring, tracking,
targeted advertising and any other type of processing which is not in the best interest of
the Child.
The Committee has borrowed from the major Data Protection Frameworks globally. The
recommendations have been strongly influenced by the General Data Protection Regulation (GDPR)
of the European Union. By making consent a key anchor for data protection, the committee has
made the individual the focal factor of data protection in the digital economy. Accordingly, it calls the
Data Generator the Data Principal instead of Data Subject as in the case of GDPR.
By covering both the public and private data fiduciaries under single law it follows the
comprehensive model of data protection framework. The committee has recognized that though
security of the state is a ground for partial exemption from the data protection law, it must come
with certain safeguards to prevent the abuse. Thus, it places accountability as and when
exemptions are sought. The committee also provides Right to Confirmation, Access, Correction,
Data Portability and Right to be Forgotten etc. These are individual centric rights that emphasize
privacy.
The committee recommended amendments to the Aadhaar Act, 2016 and the Right to Information Act, 2005.
However, it has not provided the details of amendments to a few crucial legislations having a bearing,
such as the Telegraph Act, 1885; Information Technology Act, 2000; Official Secrets Act, 1923
etc.
Handle children’s data with care, says committee. It is widely accepted that processing of
personal data of children ought to be subject to greater protection than regular processing of data.
Safeguarding the best interests of the child should be the guiding principle for statutory
regulation on protecting data of children.
Parental consent in processing the data of a child: The committee noted that this approach, of
placing the onus of properly processing the data of a child on the company, is preferable to the
existing regulatory approach which is based solely on a system of parental consent.
Sri Krishna Committee has recommended in the report that the Central Government should
expeditiously bring in a law for the oversight of intelligence gathering activities.
It further added that to strike a balance between freedom of expression and right to informational
privacy, the data protection law would need to signal what the term ‘Journalistic Purposes’
signifies and how ethical standards for such activities would need to be set.
It recommended that the penalty may extend up to ₹5 crore or 2% of the data misuser’s total
worldwide turnover of the preceding financial year, whichever is higher in situations where the
company fails to take “Prompt and Appropriate Action” in response to a Data Security Breach.
In situations where the norms on personal data, sensitive personal data, and the personal data on
children are violated, the report has recommended a penalty of ₹15 crore or 4% of the total
worldwide turnover of the preceding financial year of the company.
Overall, the committee has done a satisfactory job on the mandate assigned. The key values and
principles enunciated by it must become part of legislation that goes into the Data Protection
Framework for India.
Chapter 9: Conclusion
Consumers are becoming increasingly aware – and increasingly uncomfortable – about data
collection in their day-to-day lives. In fact, chances are you’re one of those consumers on your
day off, with a survey finding that 97 percent of consumers are somewhat or very concerned
about protecting their personal data.
With the lowering costs of smartphones and data packages, and technology being driven by regional
languages on the internet, it is only to be expected that more people will become netizens in this
global village. In this context the landmark judgement by the Supreme Court of India in the Justice
(Retd) K S Puttaswamy case declaring privacy a fundamental right is a watershed moment.
The various reports such as GDPR, B N Sri Krishna committee recommendations and
experiences across world offer valuable insights to evolve a robust and comprehensive
framework for personal data protection in India. The rising challenges of elections getting
influenced through online platforms, data harvesting by illegal means, the ever-expanding scope of
Aadhaar and its alleged link to surveillance, and the dark net, among others, provide a strong impetus for
having a tough legal framework on data protection.
The draft Personal Data Protection Bill, 2019 introduced in the parliament has several issues that
need to be addressed. The provisions must be harmonized and reconciled by keeping the
innocent individual at the center of the debate. The valuable recommendations of the Justice B N Sri
Krishna committee should be taken into account instead of the bill becoming a state-centric
framework. Although many people are conscious about their data, there is also a concern about the
lack of awareness of the legal rights and remedies of individuals. It is in this context that digital
literacy becomes important along with a strong law on data protection.
References
https://itbrief.com.au/story/data-in-the-21st-century-harness-the-power-of-a-new-age
https://www.information-age.com/data-revolution-gold-rush-21st-century-2-123460039/
https://www.ie.edu/building-resilience/knowledge/data-economy-oil-21st-century/
https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=c2b2a5f487e8
https://www.imperva.com/learn/data-security/data-security/
https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative
https://www.varonis.com/blog/cybersecurity-statistics
https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/magazine/beyond-gdpr-data-protection-around-world
https://www.cxovoice.com/cyber-security-initiatives-by-government-of-india-to-combat-cyber-threats/
https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws
https://prsindia.org/billtrack/the-personal-data-protection-bill-201
https://easychair.org/publications/preprint/22Vn 9