Indian Data Protection Act: An Upsurge or Downsurge to Data Security

The past years have brought a fear of security breaches to the industrial sector as well as to individuals. This has led to amplified data protection rules at the country level as well as the industry level. Senate Bill 30, brought in by States in January 2020, makes the possession of malware a malfeasance punishable by up to 10 years in prison and an upfront fine of $10,000. Europe set up its rule in 2016 with the General Data Protection Regulation, introducing strong guarantees of transparency, security, and privacy.

On the other hand, the world’s largest democratic country recently introduced potential threats to data security. India, being the source of upcoming capable engineers, has drawn the attention of the cyber world by bringing in updates to the Indian Data Protection Act of 2019.

India’s Minister of Electronics and Information Technology introduced an updated draft of the Personal Data Protection Bill in the Lok Sabha, India’s lower house of Parliament. The bill is now with the Joint Select Committee (composed of members from both the lower and upper houses of Parliament), and the committee's report is proposed to be announced before the 2020 Budget session of Parliament.

The updated bill retains the core structure of the previous draft version, which is close to the GDPR model. There are many controversial changes in this version, including data localization requirements and provisions carrying criminal penalties. The bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to anonymous data, and specific requirements for social media.

  • Data localization and data transfer restrictions.
    • Earlier, personal data could be transferred out of India only where data fiduciaries had put additional mechanisms in place, where the individual's consent was granted, or where the government found the receiving country to provide adequate protection. Critical personal data generally were not permitted to be transferred out of India, maintaining the security of citizens.
    • The current amendment applies no localization or data transfer restriction to personal data that is not considered “sensitive” or “crucial”. Such personal data can be stored on any system outside India without any restrictions or security laws being applied to it. Sensitive personal data may also be transferred outside India, but will also be stored in India. The “sensitive” category of data includes financial data. Critical data will not be transferred out of India and will have strict data access.
  • Identity verification for Social Media
    • The bill would require social media intermediaries to enable users who register for their services from India, or use their services from India, to voluntarily verify their accounts using the government-suggested method. Verified accounts will have an identification mark.
    • A social media intermediary is defined as an intermediary that primarily enables online interaction between two or more users and allows them to create, upload, disseminate, access, or modify information using its services. Internet service providers, search engines, encyclopedias, email, storage services, and certain e-commerce platforms have been excluded for now.
  • Anonymous Data
    • The new amendment in the bill would allow the Data Protection Bill to establish standards of anonymity through which data could be rendered “no longer personal data”. The government has brought this in to indirectly support the e-commerce sector in India.
  • Relaxation for Criminals
    • The bill also eliminates most forms of criminal liability, except where a person intentionally re-identifies personal data, which has been prohibited by the data fiduciary or data processor, without any consent. A violation can lead to imprisonment of 3 years. In the case of an organizational crime, the guilty individual will suffer the penalty.

Analyzed Impacts on the System

The above amendments have brought a wave of turbulence to data security, as such rules will lead to increased data breaches and lighter penalties for cybercrime. If personal data is not secure and can be accessed by any individual within or outside India, the data can easily be hacked and used in any malicious form. Also, with relaxed criminal charges, the government is giving hackers a big chance to breach security without any fear.

Taking an optimistic approach, however, this also allows organizations and individuals to harden their data security and use various methods to test for breaches of their data at regular intervals.


