Changes in Cybersecurity Laws in India and Their Implementation

Introduction

The major framework governing cyber security law in India is the Information Technology Act of 2000 (hereinafter referred to as the IT Act). However, over the years the IT Act has faced many criticisms and has failed to provide adequate measures for changing and complex technologies. In K.S. Puttaswamy (Retd.) & Ors v. Union of India[i], the landmark judgment for the development of privacy and data protection laws in India, the Supreme Court held that privacy is a fundamental right under Article 21 of the Indian Constitution. The judgment gave way to a robust framework of privacy laws in India, and it was a heads-up for organizations to prepare along the lines of the changing framework.[ii]

In recent years, multiple bills were passed and withdrawn by the Indian Government to give a legislative framework to data protection and privacy laws in the country. The law on data protection is the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the DPDP Act), which was given the assent of the President on 11th August 2023 and gazetted.[iii] It has been formulated with careful consideration. Various Bills on data protection have been made available to the public: one in 2018[iv]; the 2019 Bill[v], which was withdrawn; and a new 2022 Bill[vi], which was passed and differed from the earlier versions. The gazetted DPDP Act was based on the 2022 Bill, but certain new provisions were also introduced.[vii]

Before a strong foundation was laid for data protection law, amendments were made to the IT Act and certain Rules were enacted, such as the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The Rules increase the level of personal information protection; chiefly, the Rules would “provide guidelines to enhance the protection of sensitive personal information, a narrower subset of personal data/information.” The broad ambit of the IT Act has given leeway for the Rules to be developed, but these Rules only protect personal and sensitive data that are electronically collected. These Rules do not apply to philanthropic and Government enterprises, again limiting their applicability.

Because of the archaic nature of the cyber laws, several recent changes have been made:

1)    Jan Vishwas (Amendment of Provisions) Act, 2023

It was passed by the Rajya Sabha on August 2, 2023, and will come into force by 31st November, 2023. The sections that have been amended are 33, 44, 67C, 68, 69B, 70B, 72, and 72A. Under section 69B, intermediaries not providing the government with technical assistance now face imprisonment for 1 year with a maximum fine of 1 crore; earlier, the fine amount was undefined and the imprisonment term was three years. Similarly, for the other sections listed above, the imprisonment term has either been reduced or removed completely, and the fine amount has been increased. The intent behind reducing jail terms is that the legislators do not want to associate cybercrimes with a criminal in the literal sense who has committed other grave offenses like murder, sexual violence, etc. Hence, they have decided to increase the penalty almost by 3 times the amount in certain provisions.

However, the amendment is not a foolproof way to curb cybercrimes, and the amendment of section 70B of the IT Act has drawn criticism. Here, the penalty was increased to Rs. 1 crore, which is a hundred times the previous amount of Rs. 1 lakh, and the amended section also provides for imprisonment of up to 1 year. Hence, it is neither a case of decriminalization nor a case of rational monetary penalty.[viii]

2)    DPDP Act

Before the DPDP Act was passed, India did not have a legal framework for protecting data, and personal data protection was governed by the IT Act. The 2023 Bill, which was later enacted, called for the processing of “personal data within India which was collected from online or it was collected offline and then later it was digitized”.[ix] It can also apply when data is processed outside India, in cases where services and goods are offered within India.

Notifying the DPDP Act

Even after the enactment of the Bill, because of its nature, it will tend to affect the main economic sectors and technology, as it lays down multiple rules relating to the “collection, processing, and storage of data”.[x] Section 1(2) of the DPDP Act states that the Act shall “come into force on such date as the Central Government may, by notification in the Official Gazette, appoint and different dates may be appointed for different provisions of this Act and any reference in any such provision to the commencement of this Act shall be construed as a reference to the coming into force of that provision.”[xi] The Central Government has not notified the DPDP Act to date; it was mentioned that since the Act covers various areas and is very comprehensive, it will require extensive consultation by the public. The Rules of the DPDP Act are still pending publication, and the DPDP Act cannot function without its Rules, as the majority of its provisions refer to them.[xii]

An article by The Economic Times published on 9th August, 2023 mentioned that the Government would implement the DPDP Act in another 10 months; however, there has not been any recent update yet. Work has nevertheless started to ensure that the data collected is in accordance with the DPDP Act and that the quantum of data is in accordance with the requirement.[xiii]

Implementation of the DPDP Act

To successfully implement the DPDP Act, a Data Protection Board needs to be set up, which has not been done yet. Once set up, the Board will act in accordance with Sections 27 & 28 of the DPDP Act and will have the authority to exercise its powers in case of a breach of personal data. For the time being, companies are given a compliance period until the Data Protection Board is set up, as the DPDP Act still serves as ‘regulatory guidance’ until the notification implementing it is gazetted. Companies can ensure that:

(1) data privacy is built and assessed in their organization;
(2) their current compliance status is evaluated;
(3) they come up with a phase-wise action plan covering technology, governance, processes and people;
(4) a privacy section is established within them with definite roles, and a DPO is appointed;
(5) consent mechanisms are designed and the types of consent defined;
(6) a response is developed in case of a data breach;
(7) different tech solutions are instituted;
(8) Data Principal rights are instituted;
(9) privacy and security training is carried out, along with awareness programs for contractors and employees who will handle personal information; and
(10) a draft is prepared of the standard procedures detailing how to handle personal data.[xiv]

According to the draft Administrative Rules, the Government is likely to allow clinics, healthcare workers, mental health establishments, and medical institutes to use non-personal as well as personal data available to the public for any medical research. This will also be allowed for educational institutes for research and technical and scientific education, or higher education in general. Businesses might feel threatened by cutting-edge technology, as data protection laws and their implementation are still uncertain.[xv]

3)    Digital India Bill

A whole new area of cyber security law is still under consideration: the Digital India Bill of 2023, which is said to replace the IT Act. It could be a solution to modern crime, e.g., cybercrimes, deepfakes, online safety, the downside of AI, and data protection. The main aim is to foster entrepreneurship and global innovation. The Bill has not been enacted yet and is predicted to be enacted by the coming government. The Indian Minister of State for Electronics and Information Technology mentioned that only a guideline of the Bill has been prepared. He also pointed out that India will regulate its markets in tandem with the US regulations and will regulate the rights of citizens in line with Europe’s regulations. Hence, India would opt for a hybrid approach, as AI cannot just be regulated by the markets. In the coming months, the Digital India Bill will be brought under public consideration. India wants to protect the important uses of AI in real life, e.g., agriculture, healthcare, and translation.[xvi]

Conclusion

India has come a long way from not having any law for data protection to the enactment of the DPDP Act. However, implementation needs to be postponed, as the government notification gazetting it has not been passed. The government understands that the country might not be completely ready to adopt such strict measures; hence, the period until implementation will be for establishments to start complying with the DPDP Act and to undertake measures to sensitize their employees and themselves. There is an understanding that the current IT Act is archaic and that, despite its rules and amendments, it is not foolproof protection for cyber security and data protection. With the acceptance of the DPDP Act, the IT laws will also be replaced by the Digital India Act in the future.

[i] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors, (2017) 10 SCC 1.

[ii] Mani, Evolution of Data Protection Law in India, IR Global, (Accessed March 13, 2024), https://irglobal.com/article/evolution-of-data-protection-law-in-india/.

[iii] The Digital Personal Data Protection Act, (No. 22 of 2023), 11th August, 2023.

[iv] The Personal Data Protection Bill, 2018.

[v] The Personal Data Protection Bill, No. 373 of 2019, 2019.

[vi] The Digital Personal Data Protection Bill, 2022.

[vii] Burman, Understanding India’s New Data Protection Law, Carnegie India, (Accessed March 13, 2024), https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624.

[viii] Agrawal, Amendments to IT Act decriminalize offenses, increase penalties, Hindustan Times, (Accessed March 13, 2024), https://www.hindustantimes.com/india-news/amendments-to-it-act-decriminalise-offences-increase-penalties-101701517892813.html.

[ix] The Digital Personal Data Protection Bill, 2023, PRS India, (Accessed March 13, 2024), https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.

[x] (Aryan, Agarwal), Govt may not have enough time to notify DPDP rules, The Economic Times, (Accessed March 13, 2024), https://economictimes.indiatimes.com/tech/technology/govt-may-not-have-enough-time-to-notify-dpdp-rules/articleshow/107438113.cms?from=mdr.

[xi] The Digital Personal Data Protection Act, (No. 22 of 2023), 11th August, 2023.

[xii] (Aryan, Agarwal), Govt may not have enough time to notify DPDP rules, The Economic Times, (Accessed March 13, 2024), https://economictimes.indiatimes.com/tech/technology/govt-may-not-have-enough-time-to-notify-dpdp-rules/articleshow/107438113.cms?from=mdr.

[xiii] Govt expects to implement new data protection law within 10 months, The Economic Times, (Accessed March 13, 2024), https://economictimes.indiatimes.com/tech/technology/govt-expects-to-implement-new-data-protection-law-within-10-months/articleshow/102582200.cms?from=mdr.

[xiv] Narla, 5 steps to prepare for India’s Digital Personal Data Protection Act, IAPP, (Accessed March 13, 2024), https://iapp.org/news/a/5-steps-to-prepare-for-indias-digital-personal-data-protection-act/.

[xv] (Aryan, Agarwal), Govt may not have enough time to notify DPDP rules, The Economic Times, (Accessed March 13, 2024), https://economictimes.indiatimes.com/tech/technology/govt-may-not-have-enough-time-to-notify-dpdp-rules/articleshow/107438113.cms?from=mdr.

[xvi] Aulakh, Digital India Bill will be taken up by next govt: Rajeev Chandrasekhar, Mint, (Accessed March 13, 2024), https://www.livemint.com/news/india/digital-india-bill-will-be-taken-up-by-next-govt-rajeev-chandrasekhar-11701277740402.html.

Saloni Tekriwal

Saloni Tekriwal is a recent graduate of BA LLB (Hons) from Jindal Global Law School, having completed her degree in 2023. Her academic background includes a specialization in Intellectual Property Rights, with a focus on courses such as “Comparative Celebrity Laws,” “IP Strategies in Business,” “Legality of OTT Platforms,” and “Understanding Facets of Media Laws in India.” She has also audited courses on GDPR and data protection.
Saloni’s professional experience lies in Media and Entertainment law, where she has been involved in negotiating Artist agreements, Assignment and licensing agreements, and various aspects of Copyright law. She has conducted research on fair use policies, explored Instagram’s content guidelines, and provided insights on trademark assessments to aid clients in their decision-making processes regarding opposition filings. Additionally, she has drafted oppositions and gained practical experience in handling complex queries regarding the Digital Personal Data Protection Act of 2023, exploring areas of unnecessary disclosures, loopholes, and implementation strategies.
