Reader's Poll

Which of the following technologies/concepts are likely to witness significant traction this year?
Any data to show


Tele Data

Mobile Subscribers Yearwise comparision

Safety Net: Need for a stringent legal framework to protect data privacy

June 01, 2018
E-mail Print PDF

India’s attempts to transform into a digital economy have brought data privacy and security issues into the limelight. The increasing instances of cyberattacks and ransomware attacks being reported today are proof of the fragile cybersecurity framework in the country. Globally, some countries/regions do have stringent privacy laws in place (such as the European Union’s General Data Protection Regulation [GDPR]), India does not have any specific regulation in its legal framework to ensure data protection and cybersecurity. Industry experts comment on the government’s preparedness to tackle issues concerning data privacy and security, and the lessons that can be learnt from other countries...(From left - Pavan Duggal, Chairman, International Commission on Cyber Security Law and President, Cyberlaws.net; Samir Shah, Partner, Cybersecurity, EY; Rakshit Tandon, Director, Council of Information Security)

What are your views on the ongoing instances of data breaches by social media platforms like Facebook?

Pavan Duggal

Today, we are seeing a flood of cases pertaining to data breaches by social media firms. However, the recent case of Facebook and Cambridge Analytica is the only one that has come into the limelight.  There are thousands of such instances that take place but are not reported. Given the massive cybersecurity breaches that are happening, it is  clear that social media has indeed become very unsafe. People need to be aware of the intrinsic nature of the social media phenomenon. Most of the time, users are completely unaware of the legal ramifications while signing up on social media platforms. They do not usually read the terms and conditions, and invariably mortgage their entire personal rights in this regard. Consequently, users end up giving a lot of permissions to social media companies that have no connection with the proposed platform but prejudicially impact the data and privacy of individuals. This is happening because there is a fertile ecosystem that allows this kind of data breaches to take place. In the Indian context, there has been a massive increase in the adoption of internet services. However, this has not been accompanied by an appropriate legal framework to strengthen the legalities concerning the social media ecosystem to protect and preserve the rights of online consumers.

Samir Shah

All of us are aware of such unauthorised use of data and it continues with every additional interaction with such social media platforms as well as communication and web service providers. A deterrent in the form of a stringent privacy law like the GDPR is absent in many geographies around the world. The future of safe online interaction and usage depends heavily on user awareness and a stringent legal framework.

Rakhsit Tandon

In this era of digitisation and explosion of smartphones and apps, there are increasing instances of data mining by apps at different levels. As such, there is an urgent need to define laws and frameworks for the protection and designated use of information. What happened with Facebook can or must be happening with other companies as well. Users need protection, as do the companies offering these platforms. Third-party apps seek users’ permission to access their personal information at the time of installation, but what exactly they do with that information is known neither to the user nor to the platform.

What are your views regarding the government’s preparedness to tackle issues concerning data privacy and security?

Pavan Duggal

Currently, the government’s preparedness to tackle issues such as data privacy and security show that there is a huge gap between expectation and reality. As per  information available in the public domain, it is clear that India does not so far have a data protection law, a privacy law or cybersecurity law. The only law that we have is the Indian Information Technology Act, 2000, which is a mother legislation aimed at everything digital, and primarily focuses on and promotes e-commerce and electronic governance in the country. However, the government is cognisant of the issues and the need to take appropriate steps. It has already announced that it will be amending the Information Technology Act, 2000. Further, it has appointed the Justice B.N. Srikrishna Committee to make recommendations for a new data protection laws. With the Supreme Court upholding the right to privacy as a fundamental right under the constitution, the onus is on the government to come up with new, dedicated privacy legislation that addresses issues concerning not only personal privacy but also data privacy. Currently, it appears that data privacy and cybersecurity are not important priorities. Yet, for political governance, it is time to sensitise all lawmakers to make cybersecurity and privacy important focal factors on the basis of which governance can be done in a country like India.

Samir Shah

The Information Technology Act, 2000, with subsequent amendments in 2008 and related rules pronounced in 2011, provides a basic legal framework for the protection of privacy, but it is not comprehensive enough to enforce all basic rights of data subjects. In late 2017, a nine-member bench of the Supreme Court issued a historic ruling, with potentially widespread consequences, decreeing that the right the privacy is a part of the fundamental rights to life and liberty enshrined in the country’s constitution. A subsequent white paper released by the Justice B.N. Srikrishna Committee also provides reasonable indication of an Indian equivalent of the European Union GDPR.

Rakhsit Tandon

The government has taken cognisance of the issues concerning data privacy and security and the draft of a data privacy act and law was recently published on the Ministry of Electronics and Information Technology’s website for suggestions. Things are now in motion, but we need to be fast, proactive and visionary. Drafting a law by just taking into consideration mobile apps and Facebook will not help; we need to look at accommodating technologies such as internet of things (IoT) and artificial intelligence (AI).

How will the advent of 5G, IoT, AI, etc. impact the data protection, privacy and cybersecurity landscape in India?

Pavan Duggal

The advent of 5G, IoT, AI, etc. is going to have a distinct impact on the data protection, privacy and cybersecurity landscape in India. IoT today represents the worst nightmare for lawmakers in terms of cybersecurity and privacy protection. The world still does not have a unanimous viewpoint on protecting privacy and cybersecurity in IoT. Further, at a time when different devices are being connected to the internet, it is very difficult to protect personal privacy as well as data privacy of individuals.

Samir Shah

All new-age technologies like 5G, IoT and AI leverage users’ personal data and information for providing intuitive and personalised service offerings. Stringent data privacy and cybersecurity practices are a prerequisite for the mass adoption and spread of such service offerings. These technologies collect, store, share and process large volumes of sensitive data, including personally identifiable information. Hence, embedding a culture of awareness and accountability would go a long way in balancing technological advancements and protecting privacy.

Rakhsit Tandon

4G has already given a big boost to India’s internet user base, standing at about 600 million users currently. Therefore, 5G will obviously create a greater impact. However, we should be ready with appropriate policies to handle the challenges that will come along with the adoption of AI and IoT. For example, today with AI bots, mobile handsets function according to user needs and location. They can intelligently pick up users’ mail (regarding meetings, flights, etc.) from their inbox and place them as alerts on their calendar. Would we consider this a violation of the user’s privacy, wherein a bot reads the mail and sets a calendar alert? Therefore, new threats will come in with the increased adoption of AI and IoT.

What policy and regulatory measures need to be taken? What lessons can be learnt from the global experience?

Pavan Duggal

First, India needs to have a dedicated law on privacy, which deals with both data privacy and personal privacy. This law needs to take off from where the Supreme Court’s landmark judgement of Justice K.S. Puttaswamy vs Union of India left.  It needs to build on the salient foundations that have been provided by the said judgement, which implicitly recognises privacy as a fundamental right. In addition, the rights, duties and obligations of various stakeholders in the context of protecting privacy in the digital ecosystem need to be well defined. The role of intermediaries is very important in the context of protecting and preserving personal and data privacy.

The lessons that can be learnt from the global market is that today’s is a data economy.  Data is the new oil and hence the data of Indians is extremely important. India is the second most populated country and the biggest democracy in the world. Having access to the data of such a large population presents a very fertile business prospect for various companies. A key lesson that the government needs to learn from global markets is that India should not adopt a cut-and-paste approach. We need to look at Europe’s GDPR. We also need to look at how different countries have started coming up with distinctive legislations on cybersecurity.

Samir Shah

We need to have proper regulatory measures in place with the rights of data subjects as the central theme. Moreover, they should provide specifications on the establishment of a data protection authority, data audit, registration of data collectors, enacting provisions for protecting children’s personal data, defining penalties and compensation in the case of a data breach. All effective data privacy and security legal frameworks in the world have a common success factor in the form of an active and empowered regulator.

Rakhsit Tandon

We should learn from global markets their policies, actions and impact. However, we should also consider our own constraints and limitations before framing the laws in India.

 Your cart is empty



Monday morning