The recent interaction of the newly reappointed Union IT Minister with journalists has sparked significant interest within the IT Industry and among privacy enthusiasts. Ashwini Vaishnaw announced on June 15 that the MEITY will soon release the rules under the Digital Personal Data Protection (DPDP) Act, a development of immense significance for India's cybersecurity landscape.[1]'s Acts. It holds immense significance for the country, especially with the increasing number of internet users.
Of 2023 for public consultation. The rules hold immense significance for a country like India, with 751.5 million internet users at the commencement of 2024[2].
With the continuous surge in internet usage across India, the volume of personal data shared online is also on the rise. This occurs either voluntarily, such as an individual providing personal information to a social media platform to access its services, or involuntarily, as a consequence of falling victim to a cybercrime incident or data breach.
The much-awaited rules are set to establish guidelines for safeguarding personal data and providing details to enforce the DPDP Act. The rules are fundamental in the face of a continuous rise in data breach activity. According to Flashpoint's 2024 Global Threat Intelligence Report, there was a significant surge in data breaches in 2023 across the world, with 6,077 publicly reported cases - marking a 34.5% increase compared to 2022.[3].
Currently, India ranks 5th in the global tally of accounts compromised since the onset of this year.[4].India was on the fifth slot in the list of ‘most breached countries’ with the number of leaked accounts crossing 5 million in 2023[5]. India was ranked 3rd in the same list in the year 2021[6]As the government budget for cybersecurity projects increased, India's rank on the list of the most breached countries decreased.
However, the decline in India’s ranking cannot be solely credited to an increase in government budgets for cyber security projects but various other factors, such as the increasing cyber security market in the country and increasing awareness among organizations, leading to larger investments and expenditures towards protection and encryption.
In the 2024 interim budget, the government has almost doubled the allocation for cybersecurity projects from INR 400 crore in 2023-2024 to INR 759 crore in 2024-2025[7].Organizations in India are expected to increase their spending in 2024 on all segments concerning information security and risk management.[8].
With the highest-ever government budget for cyber security projects and other positive factors, such as the release of rules under the DPDP Act, the year 2024 will be a litmus test for the Indian Cyber Security landscape.
Nevertheless, the situation in India presents a complex scenario where the privacy paradox has profound implications. This paradox delineates the gap between individuals' professed privacy concerns and their online behaviour. The “privacy paradox” is “where people say that they value privacy highly, yet in their behaviour relinquish their data for very little in exchange or fail to use measures to protect their privacy."[9]The Indian population requires a heightened awareness of data privacy and its importance, similar to the educational initiatives undertaken against cyber-financial frauds.
Various stakeholders have raised apprehensions regarding multiple facets of the DPDP Act, including the proposed structure and composition of the data protection board, the broad exemptions granted to the government, and the provisions for protecting children's rights as stipulated in the Act.
The alleged widespread surveillance powers that the Act may enable and situations where personal data may be processed without user consent on grounds known as ‘legitimate uses’ as provided by Section 7[10] Of the Act. Section 7 contains instances where DPDP obligations are entirely waived, such as “in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognizable offence relating to any of these”[11].
The landscape of cybercrime is swiftly evolving with the technological advancement of various AI tools, thus unprecedentedly escalating risks for individuals, institutions, businesses, and governments. Consequently, stakeholders eagerly await the publication of the draft regulations for public feedback.
By: Deependra K. Kushwaha
Law Student, NLIU Bhopal
[1] The Digital Personal Data Protection Act, 2023, Act No. 22, is a pivotal legislation in the Indian Parliament
[2]Digital 2024: India [https://datareportal.com/reports/digital-2024-india]. Accessed June 16, 2024.
[3] Flashpoint, Global Threat Intelligence Report (2024).
[4]Surfshark. (2024, April 15). Data breach monitoring. Retrieved from https://surfshark.com/research/data-breach-monitoring
[5]The Hindu. "India Ranks Amongst the Top Five Most-Breached Countries in 2023, Finds Analysis," The Hindu, June 18, 2024, https://www.thehindu.com/sci-tech/technology/internet/india-ranks-amongst-the-top-five-most-breached-countries-in-2023-finds-analysis/article67888062.ece.
[6]Surfshark. (2021, December). Data breach statistics by country: Recap of 2021. Retrieved fromhttps://surfshark.com/blog/data-breach-statistics-by-country-in-2021
[7]Moneycontrol, "Govt Nearly Doubles Allocation for Cybersecurity Projects in Budget 2024," Moneycontrol.com, June 18, 2024, https://www.moneycontrol.com/news/business/budget/govt-nearly-doubles-allocation-for-cybersecurity-projects-in-budget-2024-12170711.html.
[8]Shangliao Sun, Information security and risk management spending in India in 2023, with an estimate for 2024, by segment, Statista (accessed June 14, 2024)
[9]Solove, Daniel J. "The Myth of the Privacy Paradox." 89 Geo. Wash. L. Rev. 1 (2021).
[10]DPDP Act § 7, No. 22, Acts of India Parliament (2023).
[11] Ibid.
Comments
Post a Comment