
POST GRADUATE DIPLOMA

IN
CYBER LAW & CYBER FORENSICS

Dissertation Report
Titled
DATA PROTECTION ON CYBER SPACE –
ISSUES AND CONCERNS
Submitted By
GURU PRASAD B R
(ID No: CLCF/999/19)
Jan 2022

Distance Education Department


National Law School of India University
Nagarbhavi, Bengaluru – 560072

(Academic Year: 2019 – 2020)


Data Protection on Cyber Space – Issues and Concerns

ACKNOWLEDGEMENT

I, GURU PRASAD B R, student of Post Graduate Diploma in Cyber Law & Cyber Forensics,
would like to express my gratitude to the esteemed Law School of Global Status, National Law
School of India University, Bengaluru.

I would like to thank Dr. Nagarathna A, Associate Professor, National Law School of India
University (NLSIU), Bengaluru, for her guidance on my dissertation work entitled Data
Protection on Cyber Space – Issues and Concerns, in partial fulfilment of the course
requirement for the Post Graduate Diploma in Cyber Law and Cyber Forensics for the academic
year 2019 – 2020.

I would like to sincerely thank the faculty members and the staff of the Distance Education
Department (DED) and the library at NLSIU for providing me with all the support during this course.

Date: 09th Jan 2022


Place: Bengaluru


DECLARATION

I, GURU PRASAD B R, a student of National Law School of India University (NLSIU) pursuing the
Post Graduate Diploma in Cyber Law and Cyber Forensics (PGDCLCF) in the Distance Education
Department, hereby declare that this dissertation – “Data Protection on Cyber Space – Issues
and Concerns” – has been carried out entirely by me. I have utilised the information available
on the topic through books, research papers, case laws, newspaper articles and the internet.
After going through the material collected and the information gathered through the internet,
I have analysed them and arrived at my conclusions by applying my own academic and
professional experience and ideas, looking to the future of this important area of the IT
industry.

I further acknowledge that the authors of the relevant publications and other contributors own
the respective copyright on their published material.

I hereby declare that the work in producing this report is original and entirely by me, and that
I have not taken any assistance, direct or indirect, except for reviews, from anyone else. I also
confirm that I have neither borrowed nor copied from others’ work, nor have I presented this
partly or fully to any other institution / college / university. I have complied with all the
formalities prescribed in this regard.

Date: 09th Jan 2022


Place: Bengaluru


Table of Contents

Chapter   Description                                   Page
          Abbreviations / Acronyms                      5
          List of Statutes                              6
1         Digital Data and its uses                     7
2         Data Concerns – Privacy and Security          9
3         Data Issues – Statistics and Trends           14
4         Data Protection – Global Legislation          18
5         Data Protection – India Legislation           25
6         The Personal Data Protection Bill, 2019       28
7         eGovernance and Data Protection               33
8         Justice B N Sri Krishna Committee Report      41
9         Conclusion                                    45
          References                                    46


Abbreviations / Acronyms
NLSIU National Law School of India University

DED Distance Education Department

PGDCLCF Post Graduate Diploma in Cyber Law & Cyber Forensics

IT Information Technology

ITeS Information Technology Enabled Services

ICT Information and Communication Technology

UIDAI Unique Identification Authority of India

Vs / v Versus

Anr Another

Ors Others

IP Internet Protocol

GDPR General Data Protection Regulation

PDPB Personal Data Protection Bill

EU European Union

DPA Data Protection Authority

NSA National Security Agency

GB GigaByte


List of Statutes
Sl.No. Title
1 Information Technology Act, 2000

2 Indian Telegraph Act, 1885

3 The Aadhaar Act, 2016

4 The Official Secrets Act, 1923

5 24th Constitutional Amendment Act, 1971

6 The Personal Data Protection Bill, 2019

7 General Data Protection Regulation, 2016 (EU)


Chapter 1: Digital Data and its uses


Introduction

Companies collected data on their customers long before computers. According to one of the
co-founders of Starbucks, staff used to write down the order of every single person who came
into the store and add it to a filing system. That way, when the customer came back, they
could tell them what they had ordered the previous time and better cater to their needs on a
repeat purchase.

Systematic, computerised data collection began in the 1980s, when direct marketers wanted to
take their businesses to the next level with data-based personalization. With the arrival of the
consumer internet in the 1990s, companies’ data collection efforts began ramping up exponentially.

Since the beginning of the new millennium, the world has witnessed the emergence of
eGovernance, social media, smartphones, ecommerce and online education, along with huge
leaps in energy storage, artificial intelligence and medical science.

Data is the new oil of the 21st century. We are in a digital economy where data is more valuable
than ever. Data has always existed, but it has now taken center stage: it is more accessible
than ever, and the technology to harness it is finally available. Though we have been on this
road for a few decades, the technologies of the last few years have made it possible to exploit
data at scale, and the Data Age is here.

Data has become key to the smooth functioning of everything from government offices to local
companies; without it, progress would halt. The COVID-19 pandemic has shown how critical data
is, not only for business but for society at large. Many countries recognised the value of data
and leveraged it during the pandemic. With the traditional mainstays of economic life shut down
and employees working from home, data has been used innovatively to create entirely new
revenue streams.

Data is fundamentally transforming the way people do business, how they communicate and how
they make decisions. It is turning traditional business models on their head and bringing
previously unused resources to the marketplace.

Take, for example, Ola and Oyo: neither owns any taxis or hotels. Yet they have managed to tap
the taxi and hotel networks by connecting owners with customers with the help of data.

Data collection and storage have made jobs, business and other forms of work far easier. Some
of the sectors that rely on it most are government and the national economy, entertainment,
health care, finance and education.

Primary sources of data

There are three primary sources of data:

Social data comes from the likes, tweets and retweets, comments, video uploads and general
media that are uploaded and shared via the world’s favourite social media platforms. This kind of
data provides invaluable insight into consumer behavior and sentiment and can be enormously
influential in marketing analytics. The public web is another good source of social data, and tools
like Google Trends can be used to good effect to increase the volume of big data.

Machine data is information generated by industrial equipment, by sensors installed in
machinery, and by web logs that track user behavior. This type of data is expected to grow
exponentially as the Internet of Things (IoT) becomes ever more pervasive and expands around
the world. Sources such as medical devices, smart meters, road cameras, satellites, games and
the rapidly growing IoT will deliver data of high velocity, value, volume and variety in the very
near future.

Transactional data is generated from all the daily transactions that take place both online and
offline. Invoices, payment orders, storage records, delivery receipts – all are characterised as
transactional data. Yet raw data alone is almost meaningless, and most organizations struggle to
make sense of the data they generate and how it can be put to good use.


Chapter 2: Data Concerns – Privacy and Security

Privacy Concerns

Since the beginning of the digital era there has always been a section of digital users voicing
concerns about data privacy. Early concerns were raised against Lotus MarketPlace: Households
and against DoubleClick. Lotus MarketPlace: Households, a database covering some 120 million
US consumers, saw about 30,000 people opt out of it in 1990, roughly 0.01% of the total
population of the United States at the time.

Today, 69% of consumers are concerned about how personal data is collected in mobile apps,
according to the Internet Society and Consumers International. Even allowing that a survey
response and an opt-out rate measure different things, that is a huge jump compared to the
0.01% who opted out of the Lotus database.

A big reason for the jump in privacy concerns is that consumers have become more aware of how
companies use their data. Previously they did not fully grasp how much of their personal data
companies were collecting.

With news stories breaking like the Cambridge Analytica scandal, or the 4,395 data breaches
that exposed over 832,000,000 records from 2017 to 2019 as reported by Statista, it is hard for
consumers to ignore the importance of protecting their data.

As the citizens of the world become netizens of a global village transcending political borders,
the threats to their data and privacy grow ever larger. The questions arise as to who owns the
data and whether individuals have rights over the data they generate.

Security Concerns

In 2021, attackers published the personal data of about 530 million Facebook users on a
low-level hacking forum. Facebook said in a blog post that the data had been scraped by
exploiting a vulnerability in an old feature of the platform that let users find each other by
searching for phone numbers. Scraping of this kind is not a break-in: it abuses a legitimate
lookup feature at scale, which is why rate limiting and anti-enumeration controls on such
lookups matter as much as access control does.


According to Cisco, IoT devices were forecast to generate 400 zettabytes of data a year by
2018. Other research suggests the quantity of data will grow nearly fivefold by 2025 and that a
single individual generates 1.7 megabytes of data per second.

Figure 1: Types of attacks in cyber world

Cyberattacks happen regularly, and they can happen to any type of business regardless of
size. More businesses today hold sensitive data, specifically personally identifiable information.
Whether it is someone’s financial data or their healthcare information, the organization needs
proper security controls and security tools in place to protect it.


Business data includes customer information, payment information, sensitive files, banking
details and so on. Customer data must be protected both from attacks that encrypt or destroy
it, such as ransomware, and from attacks that modify or corrupt it.

Losing this data to cybercriminals can have a huge impact on the customer and the business.
According to IBM’s “2019 Cost of a Data Breach Report”, the average total cost of a data breach
is $3.92 million. Healthcare is the most expensive industry for a data breach incident, at
$6.45 million per incident.

Figure 2: Data Breach by Country

Dark Net:
The "dark net", also known as the "dark web", is part of the larger "deep web", the portion of
the web that search engines do not index. The dark net itself is a set of overlay networks
running on the Internet (a set of interconnected networks) in which traffic is encrypted and
routed so that the identities and locations of the communicating parties are hidden.


It is accessed through special software, configurations or authorization and uses customized
communication protocols. It mainly takes two forms: peer-to-peer networks, or anonymized proxy
networks such as Tor (The Onion Router). Because of these specialized access methods, its sites
remain hidden from regular search-engine indexers and are not directly reachable with an
ordinary browser.

Unlike the surface web, connections in friend-to-friend darknets are made only between trusted
peers that are already part of the hidden network. Dark-net sites are also dynamic, moving
between servers continuously, so a link that leads somewhere at one time may lead to something
else, or to nothing, at another.

Due to its anonymous nature the dark net has become a venue for illicit activities: trading of
contraband such as drugs and arms, illegal file sharing, pornographic material, hacker services
and access to stolen financial and personal data, among other things. Rising numbers of
cybercrimes are often traced back to the dark net.

Law Enforcement Challenges

Anything beyond the regulatory control of governments is a potential threat to them, and the
dark net, by its anonymous nature, is beyond that control. It is used to bypass government
scrutiny of communication and is generally used by privacy-conscious individuals. However,
because it provides strong anonymity, it is also used for activities detrimental to state and
society such as terrorism and drug dealing.

The existence of the dark net and its associated technical infrastructure has contributed to the
popularity of cryptocurrencies such as Bitcoin, which lie beyond the regulation of the central
banks of nation states. Originally a niche medium of exchange for the technology community,
Bitcoin emerged in 2011 as the currency of choice for drug dealers conducting transactions on a
dark-web site known as the Silk Road. Over the following years, the combination of an encrypted
network hidden from most of the world and a transactional currency that is hard for law
enforcement officials to trace has evolved (Kumar & Rosenbach, 2019).

Law enforcement agencies face technical challenges in countering crime on the dark net, because
of the specialized techniques required and the many layers of anonymization they need to peel
back. Activities on the dark net violate many laws, and the privacy of individuals is one of the
main casualties. Crimes like child pornography, human trafficking, illegal drugs and money
laundering take on a new dimension on the dark net, requiring not only criminological knowledge
but also domain expertise in cyber forensics and cyber law.

The need of the hour is capacity building and innovation within law enforcement agencies to
tackle the new challenges posed by the technology. There are cases where authorities have
successfully cracked crimes on the dark net (India’s first ‘Dark Net’ narcotics operative
held, 2020). INTERPOL held its first Dark Net and Crypto-Currencies working group meeting in
2018. With more people getting online in India, there has to be a commensurate development of
expertise in dealing with misuse of cyberspace.


Chapter 3: Data Issues - Statistics and Trends


Cybersecurity issues are becoming a day-to-day struggle for businesses. Recent trends, the side
effects of a global pandemic and cybersecurity statistics reveal a huge increase in hacked
and breached data from sources that are increasingly common in the workplace, like mobile and
IoT devices.

Additionally, recent security research suggests that most companies have unprotected data and
poor cybersecurity practices in place, making them vulnerable to data loss.

Facts and Stats:

1. 95% of cybersecurity breaches are caused by human error. (Cybint)
2. The worldwide information security market is forecast to reach $170.4 billion in
2022. (Gartner)
3. 88% of organizations worldwide experienced spear phishing attempts in 2019.
(Proofpoint)
4. 68% of business leaders feel their cybersecurity risks are increasing. (Accenture)
5. On average, only 5% of companies’ folders are properly protected. (Varonis)
6. Data breaches exposed 36 billion records in the first half of 2020. (RiskBased)
7. 86% of breaches were financially motivated and 10% were motivated by espionage.
(Verizon)
8. 45% of breaches featured hacking, 17% involved malware and 22% involved
phishing. (Verizon)
9. Between January 1, 2005, and May 31, 2020, there have been 11,762 recorded
breaches. (ID Theft Resource Center)
10. The top malicious email attachment types are .doc and .dot which make up 37%, the
next highest is .exe at 19.5%. (Symantec)
11. An estimated 300 billion passwords are used by humans and machines worldwide.
(Cybersecurity Media)
12. The average cost of a data breach is $3.86 million as of 2020. (IBM)
13. The average time to identify a breach in 2020 was 207 days. (IBM)


14. And the average lifecycle of a breach was 280 days from identification to
containment. (IBM)
15. Personal data was involved in 58% of breaches in 2020. (Verizon)
16. Security breaches have increased by 11% since 2018 and 67% since 2014.
(Accenture)
17. 64% of Americans have never checked to see if they were affected by a data breach.
(Varonis)
18. 56% of Americans don’t know what steps to take in the event of a data breach.
(Varonis)
19. The average ransomware payment rose 33% in 2020 over 2019, to $111,605. (Fintech
News)
20. In 2018, an average of 10,573 malicious mobile apps were blocked per day.
(Symantec)
21. 94% of malware is delivered by email. (CSO Online)
22. The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
23. 48% of malicious email attachments are office files. (Symantec)
24. Ransomware detections have been more dominant in countries with higher numbers
of internet-connected populations, and the U.S. ranks highest with 18.2% of all
ransomware attacks. (Symantec)
25. Most malicious domains, about 60%, are associated with spam campaigns. (Cisco)
26. About 20% of malicious domains are very new and used around one week after they
are registered. (Cisco)
27. After declining in 2019, phishing increased in 2020 to account for 1 in every 4,200
emails. (Symantec)
28. 65% of groups used spear-phishing as the primary infection vector. (Symantec)
29. 1 in 13 web requests lead to malware. (Symantec)
30. Phishing attacks account for more than 80% of reported security incidents. (CSO
Online)
31. $17,700 is lost every minute due to a phishing attack. (CSO Online)
32. By 2023, the total number of DDoS attacks worldwide will be 15.4 million. (Cisco)
33. Attacks on IoT devices tripled in the first half of 2019. (CSO Online)


34. Malicious PowerShell scripts blocked in 2018 on the endpoint increased 1,000%.
(Symantec)
35. The Mirai-distributed DDoS worm was the third most common IoT threat in 2018. 
(Symantec)
36. 30% of data breaches involve internal actors. (Verizon)
37. IoT devices experience an average of 5,200 attacks per month. (Symantec)
38. 90% of remote code execution attacks are associated with cryptomining. (Purplesec)
39. 69% of organizations don’t believe the threats they’re seeing can be blocked by their
anti-virus software.(Ponemon Institute’s Cost of Data Breach Study)
40. 1 in 36 mobile devices have high- risk apps installed. (Symantec)
41. WannaCry ransomware attack cost the National Health Service (NHS) over $100
million. (Datto)
42. The healthcare industry lost an estimated $25 billion to ransomware attacks in 2019.
(SafeAtLast)
43. More than 93% of healthcare organizations experienced a data breach in the past
three years. (Herjavec Group)
44. Worldwide cybercrime costs will hit $6 trillion annually by 2021. (Cybersecurity
Ventures)
45. Ransomware damage costs will rise to $20 billion by 2021 and a business will fall
victim to a ransomware attack every 11 seconds at that time. (Cybersecurity
Ventures)
46. Damage related to cybercrime is projected to hit $10.5 trillion annually by 2025.
(Cybersecurity Ventures)
47. More than 70 percent of security executives believe that their budgets for fiscal year
2021 will shrink. (Mckinsey)
48. Since the pandemic began, the FBI reported a 300% increase in reported cybercrimes.
(IMC Grupo)
49. 27% of COVID-19 cyberattacks target banks or healthcare organizations and
COVID-19 is credited for a 238% rise in cyberattacks on banks in 2020. (Fintech
News)
50. Confirmed data breaches in the healthcare industry increased by 58% in 2020.
(Verizon)


51. 33,000 unemployment applicants were exposed to a data security breach from the
Pandemic Unemployment Assistance program in May. (NBC)
52. Americans lost more than $97.39 million to COVID-19 and stimulus check scams.
(Atlasvpn)
53. In April 2020, Google blocked 18 million daily malware and phishing emails related
to Coronavirus. (Google)
54. 52% of legal and compliance leaders are concerned about third-party cyber risks due
to remote work since COVID-19. (Gartner)
55. Remote work has increased the average cost of a data breach by $137,000. (IBM)
56. 47% of employees cited distraction as the reason for falling for a phishing scam while
working from home. (Tessian)
57. 81% of cybersecurity professionals have reported their job function changed during
the pandemic. (ISC)
58. Half a million Zoom user accounts were compromised and sold on a dark web forum
in April 2020. (CPO Magazine)
59. Cloud-based cyber-attacks rose 630% between January and April 2020. (Fintech
News)
60. Remote workers have caused a security breach in 20% of organizations.
(Malwarebytes)


Chapter 4: Data Protection – Global Legislation

Today, more than 120 countries have enacted some form of privacy law for data protection to
ensure that citizens and their data receive more rigorous protections and controls. It is clear
that such laws will continue to evolve and develop to ensure personal data protection across all
use cases and situations, including those that have yet to present themselves.

In 2018 the General Data Protection Regulation (GDPR), adopted in 2016 and applicable from
25 May 2018, broke ground as the most forward-thinking and extensive legal provision for the
protection of personal data and its ongoing security. It applies to any organization, wherever
located, that processes the personal data of people in the EU, and it set the standard that has
shaped the trends dominating this sector today.

Some of the countries that currently have privacy laws for data protection:

Europe – The GDPR was less a localized layer of security and compliance than an international
privacy law for data protection that impacted any organization processing the personal data of
people in the EU. Today, with enforcement of security and data protection controls, the future
of data protection is defined by stricter regulations, bigger fines and more reputational damage
if compliance is ignored. After several companies ignored the GDPR and some were hit by
extensive fines, organizations sat up and paid attention. The enforcement of the GDPR, and the
hefty fines and reputational damage that came with it, means that organizations face a
challenging time: they have to be compliant, and they need the right support to achieve it.

USA – While the country has no comprehensive privacy law at the federal level, some federal
legislation protects data in particular sectors. With power devolved to the states, several US
states have created their own data-related laws. California’s legislation is considered among
the most forward-thinking, with the California Consumer Privacy Act (CCPA) providing robust
privacy rights and consumer protection. The law allows residents of the state to establish
precisely how their personal data is being collected and what it is being used for. Other states
with bills in place, or in the process of being passed, include Alabama, Connecticut, Florida,
New York, Washington, Illinois, Texas and Virginia.

Brazil – has the General Data Protection Law (Lei Geral de Proteção de Dados, LGPD), which
supports and supplements the more than 40 data-privacy-related laws implemented over the
years. It irons out the conflicts between those laws, clearly defines the concepts of personal
data and public data, sets out clear liabilities and applies to all sectors of the country. It
also requires companies to appoint Data Protection Officers, keep rigorous security protocols in
place and upgrade security measures to ensure comprehensive compliance. The LGPD came into
effect on 18 September 2020 and creates a legal framework for the use of personal data of
individuals in Brazil regardless of where the data processor is located. Its administrative
sanctions, however, became enforceable only from August 2021, making 2021 the testing ground
for how the Autoridade Nacional de Proteção de Dados (ANPD) enforces the LGPD.

South Africa – has implemented the Protection of Personal Information Act (POPIA), with
equally stringent and rigorous personal data protection controls. The Act was signed into law
in 2013, commenced on 1 July 2020 and became fully enforceable on 1 July 2021 after a one-year
grace period. The privacy protections outlined in POPIA are of as rigorous a standard as those
in the GDPR.

Bahrain – has a Personal Data Protection Law, among the first of its kind in the Middle East,
that gives individuals rights over how their data is collected, processed and stored.

The Philippines – has the Data Privacy Act of 2012, which has many of the components that
defined the EU Data Protection Directive and ensures the protection of personal information held
by organizations.

Canada – implemented the Personal Information Protection and Electronic Documents Act
(PIPEDA), which is aligned with EU data protection law. The Act is built around ten fair
information principles and offers consumers significant protection for their personal
information. The Digital Charter Implementation Act (DCIA) was introduced by the Canadian
Minister of Innovation, Science and Industry on 17 November 2020. If passed, it will replace
PIPEDA’s privacy provisions and introduce several interesting changes to privacy legislation in
the country, including a private right of action and fines that could exceed those of the GDPR.
It was set to be reviewed in 2021.

United Kingdom – the EU GDPR applied in the UK until the end of the Brexit transition period on
31 December 2020. From 1 January 2021 the Data Protection Act 2018, as amended by the Data
Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019
(DPPEC), retains the GDPR’s requirements in UK law as a holistic, UK-specific data protection
regime that applies within the UK and is known as the UK GDPR.

Other countries with Data Protection Laws:

Country        Law                                                                     Year
Bahrain        Personal Data Protection Law                                            2019
Israel         Data Security Regulations                                               2017
Qatar          Law No. 13                                                              2016
Turkey         Law on Protection of Personal Data No. 6698                             2016
Kenya          Data Protection Act                                                     2019
Mauritius      Data Protection Act                                                     2017
Nigeria        Data Protection Regulation                                              2019
South Africa   Protection of Personal Information (POPI) Act                           2020
Uganda         Data Protection and Privacy Act, 2019                                   2019
Japan          Act on the Protection of Personal Information (APPI)                    2020
New Zealand    Privacy Act                                                             2020
South Korea    Personal Information Protection Act (PIPA)                              2011, revised in 2020
Argentina      Personal Data Protection Act No 25,326, constitutional protections       2001
Brazil         General Data Protection Law (LGPD)                                      2020
Uruguay        Act on the Protection of Personal Data and Habeas Data Action           2008
Canada         Personal Information Protection and Electronic Documents Act (PIPEDA)   2000

General Data Protection Regulation (GDPR)


The European Union (EU) came up with a comprehensive data protection framework in the form
of the General Data Protection Regulation (GDPR). The GDPR is among the toughest privacy and
security laws in the world. At its heart is the personal data of individuals.

Scope of GDPR

With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when
more people are entrusting their personal data to cloud services and breaches are a daily
occurrence.

The official GDPR text comprises 11 chapters with a total of 99 articles. They cover aspects
such as material and territorial scope, the principles governing processing, the rights of data
subjects, the obligations of controllers and processors of personal data, transfers of data
between countries and to international organizations, remedies and penalties in case of
violations, and the regulatory and supervisory framework, among other relevant aspects.

When an organization processes the personal data of people in the EU, or offers goods or
services to such people, the GDPR applies even if the organization is not in the EU. For
example, an Indian software company based in Bengaluru providing web solutions may be subject
to the provisions of the GDPR if it tracks and analyzes EU visitors to its website.

The fines for violating the GDPR are very high. There are two tiers of penalties, which max out
at €20 million or 4% of global annual turnover (whichever is higher), and data subjects also
have the right to seek compensation for damages.

The GDPR applies in the member states of the European Union (EU) and the European Economic
Area (EEA). It also governs transfers of personal data outside that jurisdiction, requiring
foreign entities to adhere to the GDPR when they handle data relating to individuals in the EU
and EEA.


Principles of GDPR

Article 5 of the GDPR sets out the seven key principles that must guide how data controllers
and processors handle personal data. The seven principles are:
1. Lawfulness, fairness, and transparency: Data controllers must ensure that personal data
is processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Purpose limitation: This principle mandates that data is collected for specified, explicit
and legitimate purposes and not further processed in a manner that is incompatible with
those purposes; further processing for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes shall not be considered to be
incompatible with the initial purposes.
3. Accuracy: It must be ensured that the data collected is accurate and, where necessary,
kept up to date; every reasonable step must be taken to ensure that personal data that are
inaccurate, having regard to the purposes for which they are processed, are erased or
rectified without delay.
4. Storage limitation: Personal data must be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data
are processed; personal data may be stored for longer periods insofar as the personal data
will be processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes subject to implementation of the
appropriate technical and organizational measures required by the GDPR in order to
safeguard the rights and freedoms of individuals.
5. Data minimization: This requires that organizations shouldn't collect more personal data
than they need from their users. They should identify the minimum amount of personal
data required to fulfill the purpose and only that much information is to be held by them.
6. Security of data: Data processors and controllers must ensure that personal data is
protected against unauthorized or unlawful processing, as well as against accidental loss,
destruction or damage.

7. Accountability: Organizations dealing with personal data are responsible and accountable
for ensuring that all the guidelines set out in GDPR are followed. To ensure this they need to
build their capacity by getting trained in the GDPR framework and its essential technical
requirements.

Legal Implications of GDPR

With the entry into force of GDPR, all stakeholders must ensure that they abide by the
regulation. Failure to do so attracts the hefty penalties provided for under the regulation. It
creates a legal obligation on all entities having access to the personal data of members of the EU
and EEA to follow the principles mentioned above. They are required to take the necessary
steps to make themselves capable of abiding by the regulation.

Even entities located outside the EU are affected by GDPR. The whole point of the GDPR is to
protect data belonging to EU citizens and residents. The law therefore applies to organizations
that handle such data whether or not they are EU-based, which is known as its
“extra-territorial effect” (GDPR.EU, 2018).

Benefits of International Privacy Regulation

Data protection ultimately focuses on protecting data and information from both internal and
external threats. It mitigates the risks of fraud, compromise and corruption, and protects the
individual.

As the amount of data being created and stored continues to increase exponentially, stronger
data protection has become critical and indispensable.

This has driven international data protection laws, and offers the following benefits:
 Valuable data is protected from leaks, loss and theft
 Companies can increase confidence from public, investors and customers
 Brand value is inherent and implicit in a robust policy and framework
 Good governance improves a company’s competitive advantage


 Improvements in automation, digitization and innovation due to business process
transformation
 Increased trust and credibility across multiple markets and customers
 Deeper understanding of the data, its value, and the benefits it offers
 Improved data management and control, resulting in improved innovation and
transformation

Chapter 5: Data Protection – India Legislation


The Constitution of India did not contain an explicit provision protecting the right to privacy
among the fundamental rights, as it was not a pressing concern when the Constitution was framed.
The IT Act 2000 helps to address the issue of data protection: Sections 43A and 72A of the
Information Technology Act, 2000, together with the rules made under them, deal with the right
to compensation for improper disclosure of personal information. The Aadhaar Act also has some
provisions restricting the sharing of residents' sensitive personal data.

In the landmark Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors. case in
2017, a nine-judge constitutional bench of the Supreme Court unanimously held, with conclusive,
unambiguous and emphatic determination, that the right to privacy is part of the fundamental
rights and can be traced to Articles 14, 19 and 21 of the Constitution of India.

The government formed a high-level committee under the chairmanship of Justice B N Sri
Krishna (Retd) with a mandate to evolve guiding principles for data protection in India and come
up with a draft data protection bill. The committee submitted its report along with the draft bill.
In the light of the committee's recommendations, the government came up with a data
protection bill which has been introduced in Parliament. This bill envisages a comprehensive
model for data protection in India.

The Government of India is working closely on cyber security issues; many initiatives, such as
CERT-In, NCIIPC, website and application audits, a crisis management plan, regular training and
the PDP Bill, are in place and ready to tackle security issues.

The major cyber security initiatives of the Government of India to maintain cyber security,
mitigate risks and tackle cyber threats are as follows:

1. Indian Computer Emergency Response Team (CERT-In)

CERT-In is the national nodal agency for emergency response to cyber security breaches, attacks
and other cyber security-related incidents. Departments and organizations must inform CERT-In
immediately in case of any cyber security attack or any other cyber security issue. CERT-In also
issues cyber security advisories and guidelines to tackle risks and threats. In September 2019
CERT-In issued an alert about the Necurs malware as well as an advisory on a fake income tax
calculator.

2. National Critical Information Infrastructure Protection Centre (NCIIPC)

NCIIPC was founded in 2014 with the main aims of defending critical information infrastructure
and minimizing risks and vulnerabilities. The NCIIPC organization was created under Section 70A
of the IT Act 2000.

3. Guidelines for Organizations' CISOs

In the wake of recent cyber-attacks, the Ministry of Electronics and Information Technology
(MeitY) has issued guidelines for organizations' chief information security officers (CISOs)
to make sure they are following cyber security best practices.

4. Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre)

To scan for, detect and clean botnet malware infections, the Government of India, under MeitY,
launched the Cyber Swachhta Kendra initiative to maintain cyber security and a safe cyber
environment. It covers both mobile and computer devices and provides tools such as M-Kavach,
AppSamvid, USB Pratirodh and botnet cleaning tools.

5. Regular Audit of Government Websites

To make sure that no malicious files or hidden viruses have been injected into website or
application files, MeitY has directed that the entire website be audited before it is uploaded to
the main server, and that it be audited again at regular intervals thereafter. The Government of
India's initiative to audit departmental websites on a regular basis will mitigate cyber security
disturbances. Many cyber security firms have been empanelled with the Government of India to
carry out these website and application audits.

6. Crisis Management Plan

To counter cyber-attacks and mitigate cyber risk, the Government of India has formulated a
Crisis Management Plan. Ministries and Central and State departments will implement crisis
management plans in critical sectors.

7. Regular Training Programs

Technology is changing daily, and cyber criminals too are upgrading their attack methods with
advanced technologies. Cyber security administrators need to stay updated on the latest
advancements and security trends, so it is essential to upgrade skills and knowledge regularly.
The Government of India has announced regular training programs for CISOs and network and
system administrators to deal with advanced cyber security threats.

8. Personal Data Protection Bill

The draft Personal Data Protection Bill, 2019 proposes that personal data be stored within India
only; it cannot be processed abroad without the approval of the Data Protection Authority, and
critical data cannot go abroad at all.
The Personal Data Protection Bill, 2019 proposes heavy penalties for violations: INR 5 crores
for a minor violation and INR 15 crores for a serious violation, and organization executives can
also face a jail term.

Chapter 6: Personal Data Protection Bill, 2019


The Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of
Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The
Bill seeks to provide for protection of personal data of individuals, and establishes a Data
Protection Authority for the same. 

Applicability: The Bill governs the processing of personal data by: (i) government, (ii)
companies incorporated in India, and (iii) foreign companies dealing with personal data of
individuals in India. Personal data is data which pertains to characteristics, traits or attributes of
identity, which can be used to identify an individual.  The Bill categorises certain personal data
as sensitive personal data.  This includes financial data, biometric data, caste, religious or
political beliefs, or any other category of data specified by the government, in consultation with
the Authority and the concerned sectoral regulator.

Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means
and purpose of processing personal data. Such processing will be subject to certain purpose,
collection and storage limitations.  For instance, personal data can be processed only for specific,
clear and lawful purpose.  Additionally, all data fiduciaries must undertake certain transparency
and accountability measures such as: (i) implementing security safeguards (such as data
encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to
address complaints of individuals.  They must also institute mechanisms for age verification and
parental consent when processing sensitive personal data of children.

Rights of the individual: The Bill sets out certain rights of the individual (or data principal).
These include the right to: (i) obtain confirmation from the fiduciary on whether their personal
data has been processed, (ii) seek correction of inaccurate, incomplete, or out-of-date personal
data, (iii) have personal data transferred to any other data fiduciary in certain circumstances, and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary
or consent is withdrawn.

Grounds for processing personal data: The Bill allows processing of data by fiduciaries only if
consent is provided by the individual. However, in certain circumstances, personal data can be
processed without consent. These include: (i) if required by the State for providing benefits to
the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.

Social media intermediaries: The Bill defines these to include intermediaries which enable
online interaction between users and allow for sharing of information. All such intermediaries
which have users above a notified threshold, and whose actions can impact electoral democracy
or public order, have certain obligations, which include providing a voluntary user verification
mechanism for users in India.

Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take
steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure
compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’
expertise in the field of data protection and information technology.  Orders of the Authority can
be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to the Supreme Court.

Transfer of data outside India: Sensitive personal data may be transferred outside India for
processing if explicitly consented to by the individual, and subject to certain additional
conditions. However, such sensitive personal data should continue to be stored in India.  Certain
personal data notified as critical personal data by the government can only be processed in India. 

Exemptions: The central government can exempt any of its agencies from the provisions of the
Act: (i) in interest of security of state, public order, sovereignty and integrity of India and
friendly relations with foreign states, and (ii) for preventing incitement to commission of any
cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of
personal data is also exempted from provisions of the Bill for certain other purposes such as: (i)
prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii)
journalistic purposes.  However, such processing must be for a specific, clear and lawful
purpose, with certain security safeguards.

Offences: Offences under the Bill include: (i) processing or transferring personal data in
violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the
fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of
five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.
Re-identification and processing of de-identified personal data without consent is punishable
with imprisonment of up to three years, or fine, or both.

Sharing of non-personal data with government: The central government may direct data
fiduciaries to provide it with any: (i) non-personal data and (ii) anonymised personal data (where
it is not possible to identify data principal) for better targeting of services.

Amendments to other laws: The Bill amends the Information Technology Act, 2000 to delete
the provisions related to compensation payable by companies for failure to protect personal data.

Issues with the PDP Bill, 2019

Although the government's stated objective in introducing the Bill is to protect the privacy and
personal data of citizens, the changes introduced in the Bill deviate widely from the committee's
draft, leading to criticism by none other than Justice (Retd) B N Sri Krishna himself.

The committee had recommended narrow, watertight exemptions for the State and its agencies,
allowing exemption from the data protection law only in limited circumstances. However, in its
current form the Bill gives the Government wide powers to dilute any of these provisions for its
agencies. This is completely contrary to the committee's recommendation, which sought to bring
in a law for the oversight of intelligence-gathering activities, the means by which
non-consensual processing of data takes place. A similar recommendation was made by the task
force on intelligence reforms formed by the Institute for Defence Studies and Analyses (IDSA).
However, the Bill disappoints in this respect. On this point Justice (Retd) B N Sri Krishna
commented that the Bill in its current form will lead to an “Orwellian State and Big Brother
looking at you”. Another concern with the Bill is the formation of the Data Protection Authority
(DPA) recommended by the committee. The Bill seeks to establish the DPA with a Chairperson
and a maximum of six whole-time members, all of whom are to be selected by a panel filled with
Government nominees. This completely disregards the fact that Government agencies are also
regulated under the Act, and thereby the independent and neutral character of the adjudicating
authority is lost.

If the Bill is enacted in this form, the gains from the Supreme Court's landmark judgment in the
K S Puttaswamy case will be rendered meaningless, and it will be a lost opportunity to have a
robust framework that safeguards privacy.

Important areas where PDPB (Personal Data Protection Bill) differs from GDPR

In terms of Territorial scope: The PDPB’s scope of application is potentially broader than that of
the GDPR, as an entity may fall within scope merely by processing personal data in India (e.g.,
even through the use of a processor in India). However, this broad scope of application may be
narrowed should the government exercise its authority to exempt such processing activities.

With respect to lawfulness of processing, the PDPB places greater emphasis on the role of
consent; however, consent under the PDPB is more closely linked to transparency than GDPR’s
concept of consent, which emphasizes specific and meaningful control.

The PDPB’s storage limitation provisions are also more specific than those under GDPR:
1. Unlike GDPR, which permits retaining the data in a form that no longer identifies an
individual, the PDPB requires deletion.
2. The PDPB also requires data fiduciaries conduct periodic reviews of whether personal
data must be retained.
The PDPB distinguishes between two separate rights — one for erasure and one for restricting
the disclosure of personal data (i.e., the right to be forgotten). Unlike the GDPR, the PDPB
places responsibility for determining the scope of application of the right to be forgotten on
adjudicating officers appointed by the DPA (Data Protection Authority), rather than the
controller. By requiring adjudicating officers to consider a number of contextual factors and to
balance various interests, it is likely that the PDPB right to be forgotten will be interpreted more
narrowly than the corresponding GDPR right.


The PDPB’s privacy-by-design requirements appear to be aimed in particular at the development
of policies and documentation, whereas the GDPR accords controllers greater flexibility in
how they implement the requirement.

Data localization requirements: “Critical personal data” must be processed in India, except under
emergency circumstances or where the government has approved the transfer, taking into account
India’s security and strategic interests. The government is granted broad discretion to define
“critical personal data”, but the concept appears to be related to national security. Sensitive
personal data must be stored in India, but a copy of such data may be transferred outside of
India in accordance with the data transfer requirements. Localization requirements represent a
significant area of divergence between the PDPB and GDPR.

Application to public authorities: The PDPB generally applies to public agencies as well as
private parties. However, the Central Government has broad authority to exempt any government
agency from any or all provisions in the interest of sovereignty, security, public order,
integrity of the state and friendly relations with foreign states, or for preventing incitement
of cognizable offences against the foregoing.

The PDPB thus grants the government broad authority to exempt itself and its agencies from any
or all requirements. The purposes for which a government agency may be exempted include
preventing “incitement” of offences against the state, which could conflict with the rights of
association and free expression.

Why GDPR is Relevant to India

 The GDPR is being adopted at a time when the Supreme Court (SC) has recognized the concept of
informational privacy and noted that legislation should be enacted to ensure enforceability
against non-state actors (private entities).
 By this there are indications that future data protection legislation in India will share
several commonalities with the GDPR.
 From this perspective, GDPR compliance may be considered an opportunity for Indian
companies to achieve early compliance with potential Indian Data Privacy legislation.


Chapter 7: eGovernance and Data Protection

E-Governance refers to the application of Information and Communication Technologies (ICT) to
the procedures and functions of government with the objective of enhancing transparency,
efficiency, and citizen participation.

Users of eGovernance make use of services online without stepping out of their homes,
minimizing the long queues at public sector offices and thereby saving transportation costs
and time through an alternative, efficient and effective mode of service delivery.

eGovernance is the outgrowth of efforts made by governments to improve relations with their
citizens. With its inherent openness and transparency, given the standards of the Internet,
eGovernance brings governments closer to their citizens. Consequently, eGovernance has a wider
social dimension, as it promises a broader and more representative democracy. In a knowledge
economy, competitive advantage depends on the ability to adapt to a changing environment
through the continuous generation and use of new knowledge.

E-Governance delivers government services and information to government agencies, businesses
and citizens. There are four prominent classes of services provided by e-Government: Government
to Business (G2B), Government to Citizen (G2C), Government to Employee (G2E) and Government to
Government (G2G).

The greater part of eGovernance activities is focused on citizens, either directly or
indirectly, which is one of the interlinkages. All the networks and the logically possible
interlinked eGovernance activities are given below.


Figure 3: e-Governance Classification

The diagram above gives a layered approach to integrating eGovernance services and advancing
them through legitimate transformation. As shown above, the transformation involves four
networks and six outcomes arising from these four networks. The main objective is to achieve
eGovernance with sustainable development in each of these outcomes.

Government online services are generating enormous data


Figure 4: e-Transactions from 01/09/22 – 09/01/2022

Reference: https://etaal.gov.in/etaal2/auth/centralchart.aspx

While data can be put to beneficial use, the unregulated and arbitrary use of data, especially
personal data, has raised concerns regarding the privacy and autonomy of the individual. This was
also the subject matter of the landmark judgement of the Supreme Court, which recognized the
right to privacy as a fundamental right.

Aadhaar
It is described as a ‘Unique Identity’, and the authority which enrolls a person and at whose
behest the Aadhaar card is issued is known as the Unique Identification Authority of India. It has
become a symbol of the digital economy and has opened up multiple avenues for the common man.


With the objective of providing targeted delivery of services, especially under the Public
Distribution System (PDS), preventing leakages and reducing wastage, the central government
launched Aadhaar in 2009 by establishing the Unique Identification Authority of India (UIDAI). An
Aadhaar number is a 12-digit random number issued by the UIDAI (“Authority”) to residents of India
after they satisfy the verification process laid down by the Authority. Any individual,
irrespective of age and gender, who is a resident of India may voluntarily enroll to obtain an
Aadhaar number (UIDAI, 2016).

There has been much debate surrounding the objectives of Aadhaar, the mode of using it, the
privacy concerns that the project entails, and the manner in which it was given statutory backing
by passing the legislation as a money bill, thereby skipping scrutiny by the Rajya Sabha (Council
of States; Upper House), as well as the court cases and Public Interest Litigations (PILs)
involving it.

Scope of Aadhaar

Under Section 7 of the original Act, Aadhaar authentication can be used to establish the identity
of an individual for the grant of ‘Subsidies, Benefits and Services’ whose expenditure is incurred
from the Consolidated Fund of India (CFI).

Initially Aadhaar started as a pilot project for Direct Benefit Transfer (DBT) to beneficiary
accounts under PDS. Later its scope was expanded to include many more services such as
MNREGA wages, scholarships, pensions, e-KYC documents, etc. Today Aadhaar-enabled direct
benefit transfer is implemented in over 400 schemes by both the Central and the State governments.
Other uses include biometric attendance systems in government offices since 2014, the linking of
Provident Fund accounts to Aadhaar, and the linking of the Permanent Account Number (PAN) issued
by the Income Tax Department to Aadhaar for tax purposes. Aadhaar is becoming the de facto
identity document in India, although enrolment is proposed and proclaimed to be voluntary on the
part of citizens.


Figure 5: Aadhaar Authentication Trend - 2021

Aadhaar Consent and Privacy

Aadhaar is technically a voluntary, consent-based unique identity system. An individual who enrolls
for Aadhaar willingly provides biometric and demographic information to the UIDAI, so there is an
element of consent involved in enrolling for an Aadhaar number.

However, time and again privacy concerns have been raised over the manner in which personal data
under Aadhaar is processed. The main privacy concerns are as follows.
1. Identity theft: Biometric information is not secret information. There is a possibility of
the data being illegally harvested, leading to biometric and identity fraud.
2. Data processing and identification without consent: Possible unauthorized use of the
Aadhaar database to identify people illegally without the consent of Aadhaar holders.
3. Correlation of identities across domains: The National Social Registry plans to create a
360-degree profile of citizens using Aadhaar. This is a mass surveillance project without the
individual's consent to the use of his or her personal data.
4. Aadhaar does not record the purpose of authentication.


The PIL filed in the Supreme Court by the retired Karnataka High Court judge K S Puttaswamy
against the Aadhaar project led to a landmark judgment declaring privacy to be a fundamental
right in India under Article 21 of the constitution.

The State, while giving effect to the right to food, right to shelter, etc., envisaged under
Article 21, cannot encroach upon the right to privacy of beneficiaries, nor can the former be
given precedence over the latter.

The nine-judge bench judgment gave a unanimous answer to the Reference, with conclusive,
unambiguous and emphatic determination that the right to privacy is a part of the fundamental
rights which can be traced to Articles 14, 19 and 21 of the Constitution of India.

Data Breach and Misuse

There have been several instances where Aadhaar has come under scrutiny for improper use and
data breaches. A few of them are given below.
1. In 2019 Aadhaar details of about 7.82 crore Indians from the states of Andhra Pradesh and
Telangana were found in the database of the private firm IT Grids (Report, 2019). According to
the same source, about 30 First Information Reports (FIRs) have been lodged by UIDAI
since the enactment of the Aadhaar Act in 2016.
2. Aadhaar data was directed to be given to law enforcement agencies to solve crimes
without consent. The Supreme Court restricted sharing of the database with the Central Bureau
of Investigation (CBI) in a criminal case (Report, Stop Aadhaar data use to probe crime:
UIDAI to SC, 2014).
3. The largest public sector bank, State Bank of India (SBI), alleged that the Aadhaar platform
was misused to generate unauthorized Aadhaar cards (Arora & Kumar, 2019).
4. As per data reported by Public Sector Banks (PSBs), there have been incidents of money
being fraudulently withdrawn from bank accounts using the customers’ Aadhaar number
in a few banks, Shiv Pratap Shukla, the minister of state for finance, told the Rajya Sabha
in a written reply on February 6, 2018.
5. About 100 GB of personal data of Indians, which along with other details included
Aadhaar information, was up for sale on the dark web (100 GB of Indians’ data up for sale on
dark web, 2020).

The fundamental right to privacy is breached by the Aadhaar project and the Aadhaar Act in
numerous ways. Following are the illustrations given by the petitioners:


1. Between 2009-10 and July 2016 the project violated the right to privacy with respect to
personal demographic as well as biometric information collected, stored and shared as
there was no law authorizing these actions.
2. During both the pre-Act and post-Act periods, the project continues to violate the right to
privacy by requiring individuals to part with demographic as well as biometric
information to private enrolling agencies.
3. By enabling private entities to use the Aadhaar authentication platform, the citizen’s right
to informational privacy is violated inasmuch as the citizen is compelled to ‘report’
his/her actions to the State.
4. Even where a person is availing of a subsidy, benefit or service from the State, mandatory
authentication through the Aadhaar platform (without an option to the citizen to use an
alternative mode of identification) violates the right to informational privacy.
5. With Aadhaar being made compulsory for holding a bank account, operating a cell
phone, having a valid PAN, holding mutual funds, securing admission to school, taking a
board examination, etc. the citizen has no option but to obtain Aadhaar. Compelling the
citizen to part with biometric information violates individual autonomy and dignity.
6. In a digital society an individual has the right to protect himself or herself by controlling
the dissemination of personal information, including biometric information. Compelling an
individual to establish his or her identity by presenting biometrics at multiple points of service
violates the privacy of the person.
7. The seeding of Aadhaar in distinct databases enables the content of information about an
individual that is stored in different silos to be aggregated. This enables the State to build
complete profiles of individuals violating privacy through the convergence of data.

Court Judgements and Aadhaar

Since its inception, Aadhaar has faced several legal hurdles. They include the implicit and
subtle mandatory nature of its imposition, the lack of legislation until 2016 during its existence,
and the privacy debate surrounding the use of personal data, among other things.

The nine-judge constitutional bench held privacy to be a fundamental right. Accordingly, the
government and UIDAI now have to ensure that the privacy of individuals who have enrolled for
Aadhaar is not violated. At the same time, the Supreme Court has upheld the constitutional
validity of Aadhaar and clarified the areas in which it cannot be made mandatory. In doing so the
emphasis was on returning to the original intent of the program: to plug leakages in subsidy
schemes and to achieve better targeting of welfare benefits (Editorial, Aadhaar survives, 2018).


The Court sought to limit the scheme to aspects directly related to welfare benefits, subsidies and
money spent from the Consolidated Fund of India. Thus all those circulars and notifications
which made Aadhaar mandatory to be linked with mobile and bank accounts have been declared
unconstitutional. Section 57 of the Aadhaar Act, 2016, has been struck down to the extent that it
authorized body corporates and individuals to use the Aadhaar number to establish someone’s
identity without the consent of the individual possessing Aadhaar (Editorial, Aadhaar survives,
2018).

Chapter 8: Justice B N Sri Krishna Committee Report


Introduction

The right to privacy is a fundamental right which necessitates protection of personal data as an
essential facet of informational privacy, says the draft Personal Data Protection Bill, 2018. India
is in the process of legislating a data protection framework that is intended to be comprehensive
and holistic in scope. There is currently no specific legislation that covers all aspects of data
protection and privacy. The government formed a high-level committee under the chairmanship
of retired Supreme Court Judge B N Sri Krishna in July 2017.

The mandate of the committee was to identify key data protection issues and recommend
methods for addressing them. Additionally, it was tasked with coming up with a draft data protection
bill. The committee gave its recommendations in the form of a report titled “A Free and Fair Digital
Economy – Protecting Privacy, Empowering Indians”.

Context

India has been passing through a crucial stage on the digital front. There were about 500 million
users connected online as of 2019 (IAMAI, 2020). The Government has given impetus to internet
penetration and growth through its sustained Digital India campaign.

At the same time, awareness of the legal rights of the users who generate data, and of the associated
privacy aspects, was also emerging. In 2017 the Supreme Court pronounced a landmark verdict
which recognized privacy as a fundamental right under Article 21 of the Indian
Constitution. Globally too, the adoption of the General Data Protection Regulation (GDPR) by the
European Union (EU) provided insights into the principles governing data protection for policy
makers in India. Scandals like Cambridge Analytica and rising cyber incidents involving
personal data made it clear that India should soon adopt personal data protection regulation to
protect its citizens and ensure their liberty is upheld. It is in this context that the government
formed a ten-member high-level committee under Justice (Retd) B N Sri Krishna to identify data
protection issues and come up with a draft bill on data protection for India.

Key Highlights

The following are the key recommendations of Justice B N Sri Krishna committee on Data
Protection.
1. The individual who produces the data is called the Data Principal.
2. A data fiduciary is an entity or individual who decides the means and purpose of
processing personal data. Such processing will be subject to certain purpose, collection
and storage limitations.
3. The law will have jurisdiction over the processing of personal data if such data has been
used, shared, disclosed, collected or otherwise processed in India.
4. It will cover personal data used by companies incorporated under Indian law, irrespective
of data being processed in India or not.
5. The law will cover processing of personal data by both public and private entities.
6. The data protection law will set up a Data Protection Authority (DPA) which will be an
independent regulatory body responsible for the enforcement and effective
implementation of the law. The Central Government shall establish an appellate tribunal
or grant powers to an existing appellate tribunal to hear and dispose of any appeal against
an order of the DPA.
7. Sensitive personal data will include Passwords, Financial Data, Health Data, Official
Identifier, Sex Life, Sexual Orientation, Biometric and Genetic Data, Data that reveals
Transgender Status, Intersex Status, Caste, Tribe, Religious or Political Beliefs or
Affiliations of an Individual. However, the DPA will be given the residuary power to
notify further categories as per law.
8. Consent will be a lawful basis for processing of personal data. However, the law will
adopt a modified consent framework which will apply a product liability regime to
consent thereby making the data fiduciary liable for harms caused to the Data Principal.
9. The state can process data without the consent of the user on grounds of public welfare, law
and order, emergency situations where the individual is incapable of providing consent,
employment, and reasonable purpose.
10. Cross border data transfers of personal data, other than critical personal data, will be
through model contract clauses containing key obligations with the transferor being liable
for harms caused to the principal due to any violations committed by the transferee.
Personal data determined to be critical will be subject to the requirement to process only
in India (There will be a prohibition against cross border transfer for such data).
Penalties will be imposed for violating the data protection regulations.
11. Adopting the data protection framework should entail corresponding amendments to
allied legislation such as the Aadhaar Act, 2016 and the RTI Act.
12. Data localization: Personal data needs to be stored on servers located within India and
transfers outside the country will need to be subject to safeguards. Critical personal data,
however, will only be processed in India.
13. The Committee on Data Privacy has made specific mention of the need for separate and
more stringent norms for protecting the Data of Children, recommending that companies
be barred from certain types of data processing such as behavioral monitoring, tracking,
targeted advertising and any other type of processing which is not in the best interest of
the Child.

Analysis of The Recommendations

The Committee has borrowed from the major data protection frameworks globally. The
recommendations have been strongly influenced by the General Data Protection Regulation (GDPR)
of the European Union. By making consent a key anchor for data protection, the committee has
made the individual the focal point of data protection in the digital economy. Accordingly, it calls the
data generator the Data Principal instead of the Data Subject, as in the GDPR.

By covering both public and private data fiduciaries under a single law it follows the
comprehensive model of data protection framework. The committee has recognized that though
security of the state is a ground for partial exemption from the data protection law, it must come
with certain safeguards to prevent abuse. Thus, it places accountability on those seeking
exemptions as and when they are sought. The committee also provides a Right to Confirmation, Access, Correction,
Data Portability and Right to be Forgotten, among others. These are individual-centric rights that emphasize
privacy.

The committee recommended amendments to the Aadhaar Act, 2016 and the Right to Information Act, 2005.
However, it has not provided details of amendments to a few crucial legislations that have a bearing on
data protection, such as the Telegraph Act, 1885; the Information Technology Act, 2000; and the Official Secrets Act, 1923.

Handle children’s data with care, says the committee. It is widely accepted that processing of
the personal data of children ought to be subject to greater protection than the regular processing of data.
Safeguarding the best interests of the child should be the guiding principle for statutory
regulation on protecting the data of children.

The committee recommends that the Data Protection Authority will have the power to designate
websites or online services that process large volumes of personal data of children as “Guardian
Data Fiduciaries”.

Parental consent in processing the data of a child: The committee noted that this approach, of
placing the onus of properly processing the data of a child on the company, is preferable to the
existing regulatory approach which is based solely on a system of parental consent.

The Sri Krishna Committee has recommended in the report that the Central Government should
expeditiously bring in a law for the oversight of intelligence-gathering activities.

It further added that to strike a balance between freedom of expression and right to informational
privacy, the data protection law would need to signal what the term ‘Journalistic Purposes’
signifies and how ethical standards for such activities would need to be set.

Regarding data misuse, the committee recommended a penalty of either a certain percentage of
the total worldwide turnover of the data misuser or a fixed amount set by the law.

It recommended that the penalty may extend up to ₹5 crore or 2% of the data misuser’s total
worldwide turnover of the preceding financial year, whichever is higher, in situations where the
company fails to take “Prompt and Appropriate Action” in response to a data security breach.

In situations where the norms on personal data, sensitive personal data, and the personal data on
children are violated, the report has recommended a penalty of ₹15 crore or 4% of the total
worldwide turnover of the preceding financial year of the company.

Overall, the committee has done a satisfactory job on the mandate assigned. The key values and
principles enunciated by it must become part of legislation that goes into the Data Protection
Framework for India.

Chapter 9: Conclusion

India is the second-fastest digital adopter among 17 of the most digital economies globally, and
such rapid digitization requires forward-looking measures to boost cybersecurity.

Consumers are becoming increasingly aware – and increasingly uncomfortable – about data
collection in their day-to-day lives. Chances are that you are one of those consumers: a survey
found that 97 percent of consumers are somewhat or very concerned about protecting their
personal data.

With the falling cost of smartphones and data packages, and internet technology increasingly
driven by regional languages, more people can be expected to become netizens in this
global village. In this context the landmark judgement of the Supreme Court of India in the Justice
(Retd) K S Puttaswamy case, declaring privacy a fundamental right, is a watershed moment.

Instruments such as the GDPR, the B N Sri Krishna committee recommendations and
experiences across the world offer valuable insights for evolving a robust and comprehensive
framework for personal data protection in India. The rising challenges of elections being
influenced through online platforms, data harvesting by illegal means, the ever-expanding scope of
Aadhaar and its alleged link to surveillance, and the dark net, among others, provide a strong impetus for
having a tough legal framework on data protection.

The draft Personal Data Protection Bill, 2019 introduced in Parliament has several issues that
need to be addressed. The provisions must be harmonized and reconciled by keeping the
innocent individual at the centre of the debate. The valuable suggestions of the Justice B N Sri Krishna
committee should be taken into account instead of the framework becoming state-centric.
Although many people are conscious about their data, there is also concern about the
lack of awareness of the legal rights and remedies available to individuals. It is in this context that digital
literacy becomes important, along with a strong law on data protection.

References
https://itbrief.com.au/story/data-in-the-21st-century-harness-the-power-of-a-new-age

https://www.information-age.com/data-revolution-gold-rush-21st-century-2-123460039/

https://www.ie.edu/building-resilience/knowledge/data-economy-oil-21st-century/

https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=c2b2a5f487e8

https://www.imperva.com/learn/data-security/data-security/

https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative

https://www.varonis.com/blog/cybersecurity-statistics

https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/magazine/beyond-gdpr-data-protection-around-world

https://www.cxovoice.com/cyber-security-initiatives-by-government-of-india-to-combat-cyber-threats/

https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws

https://prsindia.org/billtrack/the-personal-data-protection-bill-2019

https://easychair.org/publications/preprint/22Vn