Would India’s New Data Protection Bill Bolster Cybersecurity?
Amidst the drive for cybersecurity, worries emerge over potential ‘Total Surveillance’ agenda hidden within New Data Protection Bill
August 11, 2023
The Digital Personal Data Protection Bill, 2022, which is to be tabled before the Parliament in the monsoon session, if passed, would replace the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Central to the proposed legislation is the reinforcement of individual digital privacy and security safeguards.
The formulation of this bill is anticipated to consolidate authority over digital data pertaining to individuals and/or entities, with the overarching objective of fortifying digital data security and cybersecurity measures. The Digital Personal Data Protection Bill, 2022, would be a huge step forward in adapting to the digitalisation of the world around us by providing a more detailed and comprehensive understanding of it in place of the already existing Information Technology Act, 2000 and IT Rules of 2011.
According to cybersecurity firm CloudSEK, India was the second-largest target for cyberattacks behind the United States in 2021 and 2022, with 500 attacks last year. Earlier in March, the Ministry of Electronics and Information Technology (MeitY) filed a report to the Lok Sabha detailing 47 incidents of data leak and 142 incidents of data breach during the last five calendar years. Union minister Rajeev Chandrasekhar presented these statistics in answer to a query from Congress MP Pradyut Bordoloi, who inquired about known leaks and breaches of user data during the last five years. The minister also submitted that there were 10 data leaks related to government organisations in 2020, five in 2021 and seven in 2022.
From January 2021 to November 30, 2022, the National Cyber Crime Reporting Portal received 884,863 complaints in the category of online financial fraud. Cybercrimes against children increased from 1,102 in 2020 to 1,376 in 2021. According to a report by the virtual private network (VPN) service provider NordVPN, which is based in Panama, at least 12% of all unique user data discovered in cybercrime marketplaces belonged to Indians, making it the most common. These are just some of the collated statistics on cybercrimes and data breaches in India that reflect the concerns of today’s fast-paced digital world.
The current legislations governing digital data and cyberspace are inadequate and ineffective in combating these issues, as they are outdated in comparison to the ever-evolving cyberspace. This is evident in the lack of provisions covering the said issues in the IT Act, 2000, IT Rules, 2011, and the Indian Penal Code, 1860 with respect to cybercrimes. The IT Act, 2000 is unprepared to deal with new, sophisticated kinds of cybercrime like doxxing, cyberstalking, and online trolling, among others, and lacks rules on user rights, trust, and safety. Considering these drawbacks, in November of 2022, the parliament proposed to implement the Digital Personal Data Protection Bill, 2022 and the Digital India Act, 2023, which will work in tandem to fill in the gaps of the prevalent legislations by being at par with the developments of the digital and cyber world. It is also expected to be able to adapt to future developments in these spheres while keeping in mind the principles that ought to be upheld. The Ministry of Electronics and Information Technology (MeitY) is formulating and implementing this legal framework as a part of the Digital India initiative, and given that half of India’s population is online, it is high time these bills were passed after going through the recommended drafting and consultative process.
In today’s interconnected world, maintaining the security and dependability of personal information and data is fundamentally dependent on both data privacy and cybersecurity.
The goal of India’s proposed data protection bill is to control how personal digital data, whether obtained online or offline and then converted to digital form, is processed. The bill will be applicable to all data processing tasks carried out in India, including those that involve creating person profiles or promoting products and services there. To protect data privacy, personal information can only be handled for legal purposes with the explicit consent of the person, or “data principal.” Individuals are given specific rights under this legislation, including the opportunity to view information, ask for changes and deletions, and file complaints. The phrase “deemed consent” may also be used in situations like emergency medical care, disaster management, and other situations when consent may be deemed to have already been given.
Additionally, the bill places obligations on “data fiduciaries,” which are organisations in charge of processing personal data either on their own or jointly with others. Data accuracy must be upheld, security must be maintained, and data must be disposed of after serving its purpose. The government plans to create the Data Protection Board of India to monitor and address violations of the bill’s requirements. The proposed data protection bill aims to safeguard digital personal data, give people control over their information, and establish specific rules for data processing in India.
According to the bill, businesses must take “reasonable cybersecurity measures” to protect client data; failing to do so will result in severe penalties. But according to a recent PwC survey, only 9% of Chief Information Security Officers (CISOs) in India are certain they can fully comply with the disclosure obligations. This lack of confidence manifests as authorities put more pressure on businesses to notify them as soon as they become aware of any cyber problems. This makes it difficult for the businesses, since they lose the privilege of “continuous consent” with the passing of this bill. Companies that acquire the consent of the customer initially and rely on it to implement future changes in their services, without needing consent for every subsequent update in the terms and conditions, will no longer be allowed to do so with the passing of this bill. This changes the dynamics of how apps, firms, etc., conduct their business and could prove a hindrance to companies interested in participating in the Indian market, even though these provisions follow the standards set by the EU General Data Protection Regulation (GDPR).
Although international bodies and governments across the world have created strict regulations regarding data and its processing, and expect apps and corporations to abide by them to conduct business in their respective territories, most of these companies are complying with these regulations, owing to the realisation of the importance of data privacy and cybersecurity and the severe repercussions of not doing so.
Given that this bill deals with the personal data of individuals being handled by firms, organisations, and the Central government, it gives rise to certain ethical considerations that need to be examined carefully. Even with legislation that imposes strict regulation, it will fall flat on its face if the government is not able to ensure accountability at every level, as it will end up being seen as an avenue for misuse through corruption, coercion, and other forms of activity to gain an illegal upper hand over an individual or a corporation.
There are also concerns that this bill could be misused to try to achieve the ulterior motive of creating a state of ‘total surveillance’ to curb the democratic spirit of the nation. Even though the bill does clearly mention the situations in which there would be “deemed consent” and where they could interfere to gather and use personal data, the scope granted is too broad. It offers excessive discretion to the government and other national bodies and their officers to operate. Therefore, the scope needs to be narrowed and the particular situations need to be mentioned explicitly in the bill itself rather than being left to discretion in the guise of adaptability.
Having said that, the Digital Personal Data Protection Bill, 2022 carries with it a bright prospect of ensuring an individual’s privacy and safety online, as it is the need of the hour with the increasing cybercrimes, data breaches, and the respective reputational, emotional, social, and monetary damages that have been incurred by individuals and firms. The benefits of the bill outweigh the criticisms and challenges put forward, and the respective bodies need to examine the latter to improve the bill before it is passed and implemented. The bill addresses data protection challenges and can enhance trust in digital services by giving individuals control over their data by tightening the operation of acquiring and providing consent. The bill, at least on paper, seems to have the capacity to protect and responsibly influence India’s digital future.
[Amiy Gaur is a student of Jindal Global Law School (JGLS) and an intern at Jindal Institute of Behavioural Sciences (JIBS)]