Published on 05 Feb 2025
Data protection
Data protection involves safeguarding crucial data to prevent loss, compromise, or corruption. In the current era, the significance of data protection has risen dramatically due to the substantial increase in data collection and storage.
Need to protect data
Surge in data collection: Data is the new oil, and it is collected by government and private organizations for delivering services. Collecting huge quantities of data also creates a need to have a mechanism to protect them.
Example: As per UIDAI, 99% of Indian adults have Aadhaar, which creates a liability upon the government to protect the collected data.
Nature of data being stored: The data includes highly personal information like financial details, health records etc., which are prone to misuse.
Example: Cyber-attack on servers of AIIMS threatened the health security of Indians.
Increase in cybercrimes: The shift towards the digital era has led to increased cybercrimes, which include cases of misuse and breach of data.
Example: Since 2001, the online crime victim count has increased by 16 times worldwide. (Surfshark)
Financial loss associated with data breach: Stolen data has been used for fraudulent transactions and blackmail, causing huge financial losses.
Example: In 2022, the hourly financial loss due to cybercrime was $1.2 million worldwide.
Personal Data Protection Bill
India did not have standalone legislation on data protection; provisions of the IT Act, 2000 were used to regulate data. In 2017, the Central government constituted the B. N. Srikrishna committee to examine the issues related to data protection, and based on its recommendation the Personal Data Protection Bill 2019 was introduced in the Lok Sabha. A refined form of the bill was passed by the Parliament to enact the Digital Personal Data Protection Act, 2023.
Features of the Digital Personal Data Protection Act, 2023
Applicability: The bill is applicable to data collected and processed within India and also to data processed outside India if it is for offering services in India. It does not apply to personal data processed for any personal purpose.
Consent: Data can be collected only with the consent of the individual, and this consent may be withdrawn at any point of time. Consent will not be required for legitimate uses like provision of benefits or services by the government, medical emergency etc.
Right of data principal: The one who gives the data has the right to obtain information about the processing, seek correction and call for erasure of the data. He/she also has the right to effective grievance redressal.
Obligation of data fiduciary: The entity which collects and processes data must make a security mechanism to prevent data breach and ensure accuracy and completeness of data. They must erase personal data as soon as the purpose has been met.
Significant data fiduciary: The Central government may notify a significant data fiduciary based on the volume and sensitivity of data processed, risk to the data principal, impact on sovereignty, integrity and security of the nation etc.
Exemptions: The Central government may exempt certain activities in the interest of state security and public order. The rights of the data principal and the obligations of the data fiduciary shall not apply in cases such as certain notified agencies, the performance of judicial functions, the prevention and investigation of offences, certain research, and startups or other notified categories of data fiduciaries.
Data transfer: Allows personal data transfer outside India, except to countries restricted by the central government.
Data Protection Board of India: Established by the central government for monitoring compliance and imposing penalties. It can direct fiduciaries to take necessary measures in the event of a data breach.
Appeal: Telecom Dispute Settlement and Appellate Tribunal is the appellate body.
Penalty: 200 crore for non-fulfilment of obligations for children and 250 crore for failure to take security measures to prevent data breaches.
Issues associated with the legislation
Prone to misuse by state: Exemptions for the state may lead to data collection and retention, which could be used for political motives. This violates the fundamental right to privacy of citizens.
Denial of certain rights: The bill does not grant the right to data portability and the right to be forgotten to the data principal.
Transfer of data: There is no adequate mechanism to ensure the data security standards in the country where the data is being transferred.
Independence of Data Protection Board: A 2-year term with scope for reappointment may affect the independent functioning of the institution.
Hinders functioning of RTI Act: The personal data of government functionaries is protected, making it difficult to share with the applicant.
No compensation: The IT Act, 2000 mandates that corporates compensate for any negligence while handling sensitive data. Such a provision is missing in the present bill.
Though the legislation has bridged the much-needed gap associated with data security, provisions should also be incorporated to ensure that the government does not misuse its power to stifle opposition. A proper compensation mechanism and provisions to ensure the independence of the Data Protection Board are the need of the hour. Also, the legislation should by no means hinder the functioning of another landmark legislation, the RTI Act, 2005.