FUTURE OF CYBERSECURITY AND DATA PRIVACY IN INDIA

Written By: Aditi Sharma & Sudhanshu Upadhyay[1]

ABSTRACT

In today’s digital era, digitalization is used as a tool to help fight the global pandemic and, at the very same time, provides a support system for our government. The availability of the Internet has also helped a great deal to sustain essential services during this pandemic period. But the general concern that arises is: how prudent is this digitalized world? How can internet users be assured of their data privacy? Under the existing legal regime in India, the Information Technology Act, 2000, there is no difference between cybersecurity and data privacy, but in my view cybersecurity and data privacy are two major individual issues that need to be addressed separately. Cybersecurity law in India is not limited to the Information Technology Act. Various other laws contain provisions related to cybersecurity. For example, the IPC, 1860 contains penal provisions for crimes committed using cyberspace, such as defamation, criminal intimidation and cheating. The Companies (Management and Administration) Rules, 2014, framed under the Companies Act, 2013, make it mandatory for companies to ensure that electronic records and security systems are secured from unauthorized access and tampering. Many other laws also contain provisions related to cybersecurity. But merely framing laws related to cybersecurity does not ensure cybersecurity. For instance, the sectors that are highly vulnerable to cyberattacks are financial sectors, e-commerce sites, digital payment gateways, health care and BFSI. Some very critical cybersecurity issues in India are digital data threats, supply chain interconnection, hacking and phishing. A separate court or tribunal can be set up for these sectors, as they are the most vulnerable to cyberattacks; ensuring speedy trials in all these sectors will also help to increase the Ease of Doing Business in the nation.
An accountable national cybersecurity apparatus must be given clear mandates and empowered appropriately. It must be able to supervise and control policies across India, including policies regulated by an independent regulator.

India fails in the privacy safeguard domain. A study of privacy regulations across countries puts India amongst the worst countries when it comes to protecting its citizens, clearly citing a paucity of stringent laws and policy. Britain-based Comparitech surveyed privacy protection and the state of surveillance in 47 countries. Countries were rated on a score from 1 to 5. India scored 2.4, among the third-worst for data privacy in the global surveillance index.

This article emphasizes cybersecurity and data privacy, which are a concern for democratic countries like India, as privacy is an element of the fundamental rights guaranteed by the Constitution and upheld by the judiciary in many landmark cases. But the current infrastructure to ensure privacy is neither sufficient nor adequate and needs rectification. The recent controversy regarding the Aarogya Setu app has added fuel to the fire, and there are many apprehensions with reference to the app.

EVOLUTION OF CYBER SECURITY AND DATA PRIVACY IN INDIA

The history of data privacy in India arguably starts with the Aadhaar case, in which the Hon’ble Supreme Court upheld some provisions related to Aadhaar and struck down others that were concerned with the privacy of the general public. The terms data privacy and cybersecurity are often intermixed in India, but in my view cybersecurity and data privacy are two individual issues that need to be addressed individually. Under the existing statutory regime, there is no separate statute governing matters related to data privacy. Privacy and data-related matters are governed by the IT Act and its “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”. The Government of India recently presented the Personal Data Protection Bill 2019 in Parliament, and the bill is currently pending before the joint committee. Although the PDP Bill has not been enacted as of now, the proposed bill can be considered a separate statute governing matters related to data privacy. The Personal Data Protection Bill 2019 imposes limitations on the collection and processing of personal data. Apart from the IT Act 2000, the Indian Constitution also safeguards the right to life and personal liberty under Article 21, and Article 21 has been interpreted to mean that the right to privacy is a fundamental right. In the judgment of [2], it was upheld that the right to privacy is a fundamental right, but subject to certain restrictions on the basis of compelling public interest. Data protection is important because various data of individuals are online, and an individual’s data should not be collected or processed without that individual’s consent. In the 21st century, data is termed the new oil.
To understand this statement, we need to admit that there was a time when oil was the most remunerative commodity and essential for the growth and development of a nation’s economy, so almost every country was running after oil. But in the present era data is equivalent to oil and close to replacing it as the most valuable commodity of the 21st century. This is obvious from the fact that 5 of the most valuable companies in the world, namely Facebook, Microsoft, Google, Amazon and Apple, are from the data sector. The collection and processing of data can also be called the fourth industrial revolution, as the Data Processing & Hosting Services market in the US is $164.8 bn.

There is also a similarity between oil and data: both commodities are useless in their raw form, and both need to be processed for optimum utilization. We must admit that data is a serious concern nowadays, and India, being a developing nation with 564.5 million internet users, needs a proper policy and infrastructure ensuring the privacy and security of personal data as guaranteed by the Constitution of India. India ranks 3rd in the world in terms of the highest number of internet users, after the USA and China; the figure grew 6-fold between 2012 and 2017, with a compound annual growth rate of 44%. India also secures a place among the top 10 spam-sending countries in the world, alongside the USA. India was ranked among the top 5 countries to be affected by cybercrime, according to a report by the online security firm Symantec Corp.

INTRODUCTION

Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyber threats. The practice is used by individuals and enterprises to protect against unauthorized access to data centers and other computerized systems.

Data privacy relates to how a piece of information or data should be handled according to its relative importance. In the digital age, we typically apply the concept of data privacy to critical personal information, also known as personally identifiable information (PII) and personal health information (PHI). This can include social security, health and medical records, financial data, and bank account and credit card details. Privacy is no longer a “personal issue” but has emerged as a global issue. The impact is not just on cybersecurity but also on how companies take business decisions, leverage information and deal with data. Issues this complex require a multifaceted and holistic approach with the involvement of business, legal, technology and IT security leadership.

THE INFORMATION TECHNOLOGY ACT (2000) (IT ACT) AND THE INFORMATION TECHNOLOGY (AMENDMENT) ACT 2008

Provisions for the protection of electronic data are contained in the IT Act. The IT Act penalizes ‘cyber contraventions’ (section 43(a)-(h)), which attract civil prosecution, and ‘cyber offenses’ (sections 63–74), which attract criminal action.

The IT Act was passed with the objective of assuring legal recognition for e-commerce and sanctions for computer misuse. At that time, it had no express provisions regarding data security. A contravention of data security would result in the prosecution of the individual who hacked into the system, under sections 43 and 66 of the IT Act, but the Act did not provide other remedies, for instance taking action against the organization holding the data. Accordingly, the IT (Amendment) Act was passed, which among other things added two new sections to the IT Act, section 43A and section 72A, to give a judicial remedy to persons who have suffered or are likely to suffer a loss on account of their personal data not being adequately protected.

The IT Act does not provide any definition of personal data. Data protection comprises the technical framework of security measures designed to ensure that data are handled in such a fashion that they are secure from unforeseen, unintended, unwanted or malevolent use. On civil liability and data protection, the IT Act, 2000 provides for civil liability in cases of computer database theft, computer trespass, unauthorized digital copying, etc. Section 43 provides penalties for a wide range of cyber contraventions. A few major amendments made by the IT (Amendment) Act 2008 have a significant impact on data privacy and cybersecurity.

Section 43A (compensation for failure to protect data) states that if a body corporate processing, dealing with or handling any sensitive data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, the body corporate becomes liable to pay damages as compensation to the affected person. In the case of [3], it was said that arguments under Section 43A of the IT Act were advanced but were not properly dealt with and are not reflected in the order, but that this should not be permitted to deprive the complainant of adequate compensation granted by the impugned.

India does not have specific data protection legislation other than the IT Act, which may give the authority to collect and monitor the data and other data. Section 72 provides a penalty for breach of confidentiality and privacy, covering any person securing access to any electronic record, book, register, correspondence, information, document or other material, or any other person. Section 72A also deals with privacy and covers disclosure of information in breach of lawful contract.

PERSONAL DATA PROTECTION BILL 2019

The Personal Data Protection Bill, 2019 was introduced in the winter session of Parliament and has been referred to a joint parliamentary committee. The bill aims to place certain obligations on organizations processing personal data and gives rights to individuals whose personal data is processed; it also aims to establish a Data Protection Authority for this purpose. Following the judgment of the Supreme Court in 2017 which declared privacy a fundamental right, the government set out to introduce a data protection law in India. The usage of the personal data or information of citizens is currently regulated by the Information Technology Act, 2000. The limitation of the IT Act is that it applies only to companies and not to the government. The 2019 Data Protection Bill applies to all entities processing personal data, both government and companies incorporated in India. Further, the bill also extends to foreign companies which deal with the personal data of individuals in India, to prevent data misuse and to ensure overall compliance with the bill. The bill establishes a Data Protection Authority to supervise the above-mentioned tasks.

The bill gives individuals certain rights to protect their personal data. The bill defines personal data as any piece of information from which inferences can be drawn to identify a person. Individuals can get confirmation from data entities on whether their personal data has been processed, seek correction of inaccurate or incomplete personal data, and have personal data transferred to any other data fiduciary under certain conditions. Individuals can also prevent access to personal data if it is no longer necessary for the data entity to hold on to it. There are various provisions in the bill, and it is not aimed at completely controlling data transfer; instead it categorizes data into Sensitive Personal Data and Critical Personal Data, and envisages that critical personal data is kept and stored within the country, so that the people whose data it is can exercise better control over whether they want to share the data for a long or a short period and whether they want to withdraw their consent. Otherwise, the data flow is absolute: for commercial purposes data can flow across borders as it does today. But it was necessary to impose some legitimate restrictions on data flow, as the Supreme Court has recognized the right to privacy as a fundamental right under Article 21 of the Constitution in K.S. Puttaswamy v. Union of India, so control of the flow to a certain extent is important; otherwise the local law enforcement agencies in India find it impossible to enforce the laws of India and the Constitution of India.

Under the bill, personal data can be processed only for a specific, clear and lawful purpose with proper consent. Further, the bill allows personal data collection only with the consent of the individual, with some exceptions including events such as medical emergencies, legal proceedings, or instances where the state needs to provide benefits to individuals. Further, the government could exempt any agency from provisions of the bill in the interest of national security, public order and sovereignty.

For successful implementation of this bill, a few things will be required. The first is an effective regulating authority as prescribed in the Act. Secondly, companies must have an Indian office as prescribed in the IT intermediary rules, and a grievance mechanism will also be required so that individual as well as collective users can have their grievances redressed. Also, for effective implementation of the bill, one more thing can be done: the Consumer Protection Act has a provision for class action suits, and for data violations of that type the provision should be incorporated in the new bill so that users can, collectively or individually, sue or claim compensation against the entities processing the data.

The Supreme Court in one of its judgments recognized that “Life must mean something more than mere animal existence, including the faculties of thinking and feeling.”[4] It can be ascertained from this judgment how important a role dignity plays in assuring a life, and so that privacy is an integral part of dignity, as has also been recognized by the apex court in the landmark judgment of K.S. Puttaswamy.

Types of cybersecurity threats

  • Malware – a form of malicious software, with variants including viruses, ransomware, spyware, trojans and worms. It consists of code developed by attackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network.
  • Social engineering – this type of threat relies on human interaction, tricking users through deception. It is used to deceive and manipulate victims in order to obtain information or gain access to their computers.
  • Spear phishing – phishing is a method of social engineering used to trick people into divulging sensitive or confidential information, often via email.
  • Denial-of-service (DoS) attack – blocking access to websites by shutting down a machine or network, making it inaccessible to its intended users.
  • Router security – Border Gateway Protocol (BGP) hijacking

In most cybercrimes, whether identity theft, economic fraud or data breach, the chances of the offender eventually getting caught are very low. The reason is that cybercrimes generally have an international dimension; attacks such as WannaCry and NotPetya are examples. Hence cybercrime becomes a less risky and more profitable business, and cybercriminals are further motivated to attack.

In these situations, technological solutions alone are not enough to tackle the problem of cybersecurity. A holistic approach is required to tackle cyber threats effectively and efficiently and to ensure cybersecurity. If the cybersecurity policy of the nation deals only with the technological aspects of reducing cyberattacks and the threat of cyberattacks, then the very object of effective and efficient cybersecurity will not be achieved.

The holistic approach should consist of three major aspects.

  • Building the best infrastructure possible to detect and defend against cyberattacks
  • Mass-level state-funded cyber awareness campaigns
  • Legal reforms in the subject matter of cybercrime and cybersecurity

Building the best infrastructure possible to detect and defend against cyberattacks is one of the major elements in tackling crimes related to cybersecurity: the more up to date and effective the infrastructure, the easier it will be for the authorities to trace back the origin of such attacks and act accordingly. Investment in cybersecurity is an urgent need of the hour, as we can observe by comparing the budget of the IT sector with the budget of national security, and in today’s era of artificial intelligence a secure cybersecurity infrastructure is essential for the survival and growth of a nation. Cybersecurity infrastructure is also essential from India’s point of view because the US and China are racing ahead of India in AI research, AI entrepreneurship and government investment in AI. But the question that eventually arises is: can we have 100% assurance that a robust cybersecurity infrastructure is impenetrable? The answer is a big NO.

No matter how sturdy the immune system, individuals will fall sick at some point, and in order to get treated they have to be taken to hospitals, just as in the current COVID-19 pandemic.

A mass-level state-funded cyber awareness campaign is also a crucial element in tackling cybercrime in a particular nation or worldwide, as various research studies show that almost 90% of cyberattacks happen due to some type of human error or behavior. Humans are considered the weakest link in the cybersecurity chain, and this problem needs to be tackled, especially in a country like India, with mass-level cyber awareness campaigns. Cyber awareness should become a part of society and should be taught from an early age. Governments and policymakers also need to acknowledge that focusing only on the technological aspect of preventing cybercrime is not enough. The human element also requires attention. We recognize that many difficulties will arise while framing policies for the human element of cybersecurity; at the same time, focusing only on the technological aspect will not serve the purpose of cybersecurity. The human element of cybersecurity is also crucial for nations like India, as the literacy rate according to the 2011 census is 64.8% and half of the country’s population is from rural areas where there is minimal or no awareness regarding cybersecurity.

Legal Reforms in Subject Matter of Cybersecurity and Cybercrime:

It is observed that cybercrime is more profitable and less risky in comparison to traditional crime. One of the motivating factors for cybercriminals is that in many nations the cybersecurity laws are not yet codified. Also, if you steal someone’s property there is a general penal provision under which you will end up in prison, but if you steal someone’s personal data you will barely even get noticed. Legal reforms in the subject matter of cybersecurity and cybercrime are an urgent need of the hour, especially in a country like India where the right to privacy has been recognized as a fundamental right. It is now the job of policymakers to bring in legal reforms in the field of cybersecurity so that the fundamental right guaranteed by the Constitution is not violated and, if it is violated, a remedy is available in the statutory provisions; penal provisions for offenders should also be determined by the policymakers. There are also various difficulties in framing legislation related to cybercrime: the identity of the person remains anonymous, and cybercrimes have no boundaries and can be committed internationally from any part of the world, so the question of jurisdiction also arises. So various challenges exist before actual reform can take place in the field of cybersecurity. Recently the Kerala High Court in its judgment recognized the need to train the state police to tackle increasing cybercrime. The court was of the view that “It is High time for the state local police to bring out a good practice guide for digital evidence if they intend to tackle cyber-crime head-on.”[5] Also, at times judicial precedents have been set by the courts in various fields of cybercrime.
In one of its judgments, the Delhi High Court recognized phishing as a form of internet fraud. The court stated that “Even though there is no specific legislation in India to penalize Phishing, Phishing can be termed as a misrepresentation made in the course of trade leading to confusion as to the source of origin.”[6]

CONCLUSION

This article seeks to provide a basic understanding of the importance of cybersecurity and data privacy and how much impact they have on our lives. The very purpose of cybersecurity will be achieved only if the government and organizations acknowledge that the technical aspect alone is not enough to control cyberattacks and that other factors are also responsible; unless coordinated focus is given to all the other factors involved, the very object of cybersecurity will not be achieved.


REFERENCES:

[1] Amity University

[2] Kharak Singh v. The State of U.P. & Others, 1963 AIR 1295.

[3] Standard Chartered Bank v. Ramesh Tathod, Cyber Appeal No. 10 of 2015.

[4] Francis Coralie v. Administrator, Union Territory of Delhi, (1981) 1 SCC 608.

[5] Vijesh v. State of Kerala, Bail Appl. No. 7022 of 2018.

[6] National Association of Software and Service Companies v. Ajay Sood & Ors, (2005) DLT 596.