Personal Data And Data Theft
Over a single day, we visit multiple websites online. We are all familiar with
the notification that appears as we browse through a website and promises to
enhance our browsing experience.
Often, little thought is given to such notifications, and these tiny hindrances on
the screen are bypassed by clicking the 'I agree' option. However, did you know
that you just left traces of your data behind? The next time we enter that
website, it will remember details about us like our zip code, browsing history,
email ID, etc. We may also find similar products in our advertisement space.
Personal data is arguably the most important digital resource in modern times
and is hence called the 'oil of modern times'. Personal data can be categorized
into sensitive data and more sensitive data. Sensitive data include details like
name, phone number, email address, etc., while more sensitive data can include
your passwords, sexual orientation, financial details, biometric details, etc.
When both kinds of data are combined, they form a clear picture of us. Our values,
interests, and personal interests form our identity. Companies generally store
our data in their systems. This makes us vulnerable to targeted advertisements, as
our interests, choices, and preferences are known to a third party.
Social media apps and search engines might not explicitly charge us anything for
their services but oblige us to reciprocally share our data with them. With our
preferences known, we are exposed to advertisements according to our interests.
After all, advertisement is the primary source of revenue for these entities.
When we hand over our data to a third party, we expect them to protect our data
and handle it responsibly. Unfortunately, there have been many instances of data
theft that have surfaced on the news. Data theft is the act of stealing
information stored in computers, mobile phones, or other electronic devices with
the intent to obtain confidential information of the device operator and hence
infringe upon that individual's privacy.
Infamous cases of data theft may
include the Cambridge Analytica scandal by Facebook, MasterCard, Marriott, Air
India, and the more recent Pegasus spyware. Data theft is a sheer violation of
our privacy and can also lead to identity theft. Hackers can use passwords,
credit card details, and other credentials to cause huge financial losses.
Extremely personal photos or conversations could also be leaked on the internet
to cause social harassment. In addition to this, stalkers can track you down in
real life after obtaining information about you!
Legislation regarding data protection is important because it provides guidance
and best practice rules regarding the use of personal data for organizations and
governments to follow. Firstly, the laws regulate the processing of personal
data. Secondly, they protect the rights of the data subject. Thirdly, the laws
establish authority to monitor any breach in the regulations, thus making the
data fiduciary liable.
In India, privacy has been recognized as a fundamental right under Article 21 in
K.S. Puttaswamy vs Union of India. The Supreme Court has held that information of
a person and the right to access the information of the person also fall under
the ambit of the right to privacy. Until recently, India did not have specific
legislation enacted primarily for data protection. India's regulatory mechanism
for data protection and privacy is the Information Technology Act, 2000, and its
corresponding Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Personal Data Protection Bill, 2019 is under the scrutiny of the Joint Committee
of Parliament (JCP), and after receiving a nod for its fifth extension, the
committee is scheduled to present its report before the parliament in the first
week of the winter session. If enacted, this will be India's first law on data
protection and will repeal Section 43A of the IT Act.
Personal Data Protection Bill, 2019
In 2017, a committee was set up by the Ministry of Electronics and Information
Technology to study issues relating to data protection. The committee was headed
by retired Supreme Court judge, Justice B.N. Srikrishna. The committee submitted
the draft Personal Data Protection Bill in 2018.
This bill was further deliberated on, and after receiving the nod of the cabinet
ministry, it was tabled on the 11th of November 2019. The bill was passed by voice vote.
Subsequently, a Joint Committee of Parliament, chaired by Meenakshi Lekhi, was
set up to scrutinize the bill.
The Personal Data Protection Bill is landmark legislation that regulates how
companies and organizations use data in India. The bill proposes the formation
of the Data Protection Authority (DPA), which will regulate how users' data is
used by companies and social media organizations within India and outside the
The key feature of the bill is that it makes the prior consent of the
individual a necessity. The bill also limits the purpose for which the data is
collected and ensures that only necessary data for providing the said service is
collected. In addition, the bill includes data localization requirements and
makes the appointment of a data protection officer in the organization an
The bill has also proposed the concept of 'data fiduciary' or 'data processor',
which is equivalent to a processor or controller in the European Union's General
Data Protection Regulation. The Bill's application is not only limited to people
in India but also applies to people outside India who provide goods and services
within the Indian territory.
Under this Bill, companies in regulated sectors, such as financial sectors or
telecom sectors are subjected to the obligation of confidentiality under
sectoral laws which require them to use the data collected from clients only in
the prescribed manner, or in the manner agreed upon with the client.
The organization is required to have a robust data security system to safeguard
the client's data so collected by preventing unauthorized access to sensitive
and confidential data, malicious cyber-attack, and accidental loss of
The bill has raised concern among social media firms, ministers, and experts who
held that the bill had too many loopholes to be effective and beneficial for the
companies and users.
The first to raise a red flag about the bill was Justice B.N. Srikrishna himself.
He held that the bill might lead to an 'Orwellian State' and used the term
while describing his disapproval towards the exemption clause of the
bill which removes the safeguard for government agencies. It is important to
note that threats to privacy can originate from both, state actors and non-state
This clause is problematic because the government is given access to
'critical' or 'sensitive' personal data under the pretext of national security.
Critics highlight the possibility of widespread misuse of this clause. Justice
B.N. Srikrishna held that exemptions granted under the bill should be watertight
and should be made available for limited circumstances.
Another controversial clause of the bill is the establishment of the Data
Protection Authority (DPA) that will be led by a chairman and six committee
members. The DPA will be charged with managing data collected from the Aadhaar
program. In this committee, all the members will be appointed by the Central
The committee will include civil servants, Cabinet ministers, and
other state actors. This raises questions about the independence of the
committee and the likelihood of bias. The government's discretion in appointing
and removing high-level officials is a cause of fear among stakeholders. Unlike
similar committees of the Reserve Bank of India or the Securities and Exchange Board
of India, the board will not have an independent member of the judiciary to
ensure that the decision made is not prejudicial to any stakeholder.
Although one can argue that the Personal Data Protection Bill is too little,
too late, it is a sine qua non because of the expanding cyber scenario.
The Personal Data Protection Bill seeks to regulate one's data online and can be
called India's baby step towards protecting an individual's privacy on the
The bill may be lacking in its features when compared to the European
Union's General Data Protection Regulation, which has included the right to be
forgotten among other rights, yet we are hopeful that the bill shall duly be
amended to adapt to the demands of the internet users in the country.