
Data Protection

1) The document outlines key aspects of the Personal Data Protection Bill, 2019 introduced in India to regulate the processing of personal data. 2) It establishes a Data Protection Authority and outlines obligations for entities that process personal data including limitations on data collection and storage. 3) Individuals whose data is collected are granted certain rights regarding their personal data and there are exemptions provided under the bill.

Uploaded by

Maahir Kohli

Valid Sources

1. Government Reports (Each ministry publishes its own reports including External Affairs Ministry)

2. PTI, PIB

3. Government Websites

4. Government run News channels i.e., RSTV, LSTV, DD News

5. Standing Committee Reports/ Commission Reports

6. RTI Proofs

7. Parliamentary Standing Committee reports

8. Questions and Answers of the parliament


Introduction
Data is any collection of information stored in a form that computers can easily read
(011010101010 format). It usually refers to information about our social media
messages and posts, online habits, online transactions, medical records, other personal details
etc. Companies, governments, and political parties find this data valuable because they can
use it to find the most convincing ways to advertise or shape our opinions online. For
example, in the Facebook–Cambridge Analytica data scandal of 2018, personal data from
millions of people's Facebook profiles was used without their consent for political advertising
purposes.

Data Protection
Data protection is the process of protecting personal data; it aims to strike a balance
between individual privacy rights and the use of data for myriad purposes.
Several countries have dedicated laws for data protection, like Japan’s Act on Protection of
Personal Information. The European Union has also adopted the General Data Protection Regulation
2018. India does not have any dedicated legal framework for data protection.

Presently, some acts cover data protection in general.

● Sec 43A of Information Technology Act 2000 protects user data from misuse, but it is applicable only to corporate entities and not to government agencies. Also, the rules are restricted to sensitive personal data only — medical history, biometric information among other things.

● Other acts like Consumer Protection Act 2015, Copyrights Act 1957 among others also attempt to protect personal information.

● In 2018, a draft version of the bill was prepared by a committee headed by retired Justice B N Srikrishna.

● Recently, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha by the Minister of Electronics and Information Technology.

Need of Data protection

● Invasion of privacy: India has around 40 crore internet users and 25 crore social media users who spend significant time online. Extremely personal aspects can be shared with different stakeholders without someone’s consent. Without effective data protection there could be increased surveillance, profiling of individuals etc. For e.g., recently, 121 Indian citizens’ WhatsApp accounts were hacked by an Israeli software called Pegasus.

● The Supreme Court in the K.S. Puttaswamy case has declared that the Right to Privacy is a Fundamental right. Hence protecting individual privacy is a constitutional duty of the state.

● Economic losses: According to the Cost of a Data Breach report, the per capita cost per lost or stolen record reached Rs 5,019 in 2018, which represents an increase of 9.76 per cent from the prior year. Moreover, data is considered the new oil of the 21st century. Without any proper data regulations or data localisation norms, we are virtually giving away this asset to foreign companies. Generally, applications often use pre-ticked boxes on consent while asking users regarding the acceptance of the terms and conditions.

● Increasing sophistication of cyber-crimes: India is witnessing a significant change in the nature of cybercrimes; it is now extremely organised and collaborative. Moreover, the volume of data on the internet is expanding exponentially, and the spread of new technologies like artificial intelligence, internet of things and big data poses a threat of abuse and misuse of data.

Personal Data Protection Bill, 2019


It seeks to provide for protection of personal data of individuals, and establishes a Data
Protection Authority for the same. Its specific provisions are:
• Personal data (data that can identify an individual): The bill talks about various types of
personal data, such as:

▪ Sensitive personal data (related to finances, health, official identifiers, sex life, sexual orientation, biometric, genetics, transgender status, intersex status, caste or tribe, religious or political belief or affiliation)

▪ Critical personal data (military or national security data; the government can define it from time to time)

▪ General personal data: other than sensitive and critical personal data.

• Applicability: The Bill governs the processing of personal data by:

▪ Government

▪ companies incorporated in India

▪ foreign companies dealing with personal data of individuals in India

• Obligations of data fiduciary (an entity or individual who collects and decides the means
and purpose of processing personal data): processing will be subject to certain purpose,
collection and storage limitations. For instance:

▪ Personal data can be processed only for specific, clear and lawful purpose.

▪ They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.

▪ Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:

⮚ implementing security safeguards (such as data encryption and preventing misuse of data)

⮚ instituting grievance redressal mechanisms to address complaints of individuals.

• Rights of the data principal (the individual whose data is being collected and processed):
These include the right to:

▪ obtain confirmation from the fiduciary on whether their personal data has been processed

▪ seek correction of inaccurate, incomplete, or out-of-date personal data

▪ have personal data transferred to any other data fiduciary in certain circumstances

▪ restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.

It also provides a limited right to be forgotten.
• Grounds for processing personal data: The Bill allows processing of data by fiduciaries only
if consent is provided by the individual. However, in certain circumstances, personal data can
be processed without consent. These include:

▪ if required by the State for providing benefits to the individual

▪ legal proceedings

▪ to respond to a medical emergency

• Social media intermediaries: platforms with a larger number of users and the potential to
impact electoral democracy or public order have certain obligations, which include providing
a voluntary user verification mechanism for users in India. According to official sources,
while the process can be voluntary for users and can be completely designed by the company,
it will decrease the anonymity of users and “prevent trolling”.
• Data Protection Authority: The Bill sets up a Data Protection Authority which may:

▪ take steps to protect interests of individuals

▪ prevent misuse of personal data

▪ ensure compliance with the Bill.

• Transfer of data outside India:

▪ Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India.

▪ Critical personal data can only be processed in India.

▪ Personal data other than sensitive and critical personal data don’t have such localisation mandates.
• Exemptions:
The central government can exempt any of its agencies from the provisions of the Act:
✓ in interest of security of state, public order, sovereignty and integrity of India and friendly
relations with foreign states
✓ for preventing incitement to commission of any cognisable offence (i.e. arrest without
warrant) relating to the above matters.
Processing of personal data is also exempted from provisions of the Bill for certain other
purposes such as:
✓ prevention, investigation, or prosecution of any offence
✓ personal, domestic
✓ journalistic purposes
• Sharing of non-personal data with government: The central government may direct data
fiduciaries to provide it with any:

▪ non-personal data

▪ anonymised personal data (where it is not possible to identify data principal) for better targeting of services.
• Amendments to other laws: The Bill amends the Information Technology Act, 2000 to
delete the provisions related to compensation payable by companies for failure to protect
personal data.
• Offences: Offences under the Bill include:

▪ processing or transferring personal data in violation of the Bill

▪ failure to conduct a data audit

▪ re-identification and processing of de-identified personal data without consent.

Criticism of the bill


• A report from the IT Ministry’s Artificial Intelligence (AI) Committee tasked with
recommending policy frameworks on “cyber security, safety, legal and ethical issues”,
contradicts foundational aspects of the Bill, such as:
▪ India should maintain free flow of data: The report states that India has been one of the biggest beneficiaries of the global data flows being the world’s largest sourcing destination for the ITBPM (Business Process Management) services. Limitations on the free and open flow of data can seriously hinder the ability of an economy to remain competitive in the modern globalised world.

▪ Focus should be placed on implementation and enforcement instead of over-regulation. Legislation alone is not enough unless supported by an adequate implementation ecosystem including an effective grievance redressal system and user awareness.

▪ Sectoral entities are more appropriate regulators than an overarching authority.

• It is also contended that security and government access are not achieved by mere
localisation. Even if the data is stored in the country, the encryption keys may still be out of
reach of national agencies.
• There are three significant departures in the current bill from the draft Bill prepared by the
Justice B N Srikrishna committee in 2018.

▪ Data Protection Authority’s composition is dominated by the government, in contrast with the diverse and independent composition as suggested in the committee’s draft.

▪ There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency. This could amount to surveillance.

▪ There is an attempt to control social media by reserving a right of access without consent of non-personal data or anonymized data.


✓ Data is a person’s individual fundamental right and that is being abridged without
following the strict constitutional parameters.
• The draft Bill prepared by the Justice B N Srikrishna committee called for a copy or mirror
of all personal data to be stored in the country. This recommendation was severely criticised
by foreign technology companies that store most of Indians’ data abroad and even some
domestic start-ups. So, on a positive side, the approved Bill removes this stipulation by
requiring individual consent for data transfer abroad.
However, similar to the draft, the Bill still requires sensitive personal data to be stored only in
India. It can be processed abroad only under certain conditions including approval of a Data
Protection Agency (DPA). Moreover, critical personal data must be stored and processed in
India.
• From Market perspective:

▪ Mandates of the Bill like Data localisation, data fiduciary responsibility, steep fines etc. are likely to have repercussions for industries across the board - from retail to aviation, manufacturing to automobiles, and even a local grocer if he stores one’s details in a digital format.

▪ Technology giants like Facebook and Google are concerned with a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit. Opponents say protectionism may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.

▪ Another contentious part of the bill is government’s access to non-personal data. A business entity may have non-personal data such as financial data, business strategy data, future projections data, etc., that is not personal but necessary from the company’s point of view. Any business entity would not be comfortable in sharing all such data with the government.

What are the Concerns regarding Privacy in India?

● Having no privacy is like having a perpetual warrant in your name. If you feel you are
under constant surveillance you will never enjoy freedom and liberty which are your
fundamental rights.

● Unregulated access to data can lead to the suppression of dissent and censorship.
Journalists, Human Rights Activists etc. can be put under an invisible prison of
surveillance.

● People who are leading a lifestyle which is deemed a taboo by a certain section of the
society might be vilified or targeted. For example, homosexuals.
● Surveillance by Police also causes a concentration of power and puts civil liberties at
serious risk.

● Law enforcement officials across the world are also accused of unauthorized data
collection, data mining to predict travel plans etc. to put citizen’s reputation at risk.

● Private details like travel details, shopping history, financial details etc. are used to
create online granular profiles which are then sometimes used to spread specifically
crafted fake news. This has increased the potency of fake news in the country.

● The GDPR (General Data Protection Regulation) rules framed by the EU have become a
model for the world when it comes to privacy. Right to be forgotten is also in effect in
the EU.

● SC in previous judgements has also asserted the need for a right to reputation.
Society must be mature enough to understand that privacy is crucial in order to
preserve reputations.

Centre's Surveillance Projects

Centralized Monitoring System:

The government has set up a Centralized Monitoring System (CMS) for lawful
interception and monitoring of mobile phones, landlines and internet traffic through
mobile networks.

Network Traffic Analysis:

NETRA (or Network Traffic Analysis) is one such effort being taken by the Indian
Government to filter suspicious keywords from messages in the network.

National Intelligence Grid:

First conceptualized in 2009, NATGRID (National intelligence Grid) seeks to become the
one-stop destination for security and intelligence agencies to access databases related to
immigration entry and exit, banking and telephone details of a suspect on a “secured
platform”.

Information Technology Rules, 2021

The Government of India had framed the Information Technology (Guidelines for
Intermediaries and Digital Media Ethics Code) Rules, 2021, in February this year. These
rules require the social media intermediaries/ platforms to adhere to a vastly tighter set of
rules within three months, which ended on May 25.

Till now almost all major social media intermediaries have not adhered to all the
requirements.

But non-compliance can only make things worse, especially in a situation in which the
relationship between some platforms such as Twitter and the Government seems to have
broken down.

Background

2018:
The Supreme Court (SC) had observed that the Government of India may frame
necessary guidelines to eliminate child pornography, rape and gangrape imageries, videos
and sites in content hosting platforms and other applications.

2020:
An Ad-hoc committee of the Rajya Sabha laid its report after studying the alarming issue
of pornography on social media and its effect on children and society as a whole and
recommended for enabling identification of the first originator of such contents.

The government brought video streaming over-the-top (OTT) platforms under the ambit
of the Ministry of Information and Broadcasting.

New Guidelines for Social Media Intermediaries

The new rules classify social media intermediaries into two categories:
1. Social media intermediaries
2. Significant social media intermediaries

The above classification is based on the user size and once it has been defined through the
notification of the Government, it would act as the threshold between the two. This is
because there are additional compliance measures for significant social media
intermediaries given the large number of users and the volume of content they process.

Due diligence to be followed by intermediaries

According to the new rules, in case due diligence is not followed by the intermediary, the
safe harbor provisions would not apply to them.

Mandatory grievance redressal mechanism

Intermediaries shall appoint a Grievance Officer to deal with complaints and share the
name and contact details of such officers. This officer should acknowledge the complaint
received within 24 hours and resolve the issue within 15 days.

Ensuring online safety and dignity of users

o Intermediaries should remove or disable, within 24 hours of the complaint received, content that displays partial or full nudity, sexual act, morphed images, etc.

o Complaints of such nature can be filed either by individuals or any person on behalf of the individuals.

Additional due diligence for significant social media intermediaries

● They have to appoint a Chief Compliance Officer, a Nodal Contact Person and a
Resident Grievance Officer, and all these officers should be Indian residents.

● They should publish a monthly compliance report detailing the complaints received

Unlawful information removal

An intermediary, upon receiving actual knowledge in the form of an order by a court or
being notified by the appropriate govt. or its agencies through authorized officer, should not
host or publish any information which is prohibited under any law in relation to the interest
of the sovereignty and integrity of India, public order, friendly relations with foreign
countries, etc.

New Guidelines for OTT Platforms, News Publishers

Over-the-top (OTT) Platforms

● The new rules call OTT platforms ‘publishers of online curated content’.

● They would have to self-classify the content into five categories based on age.

o U (Universal)

o U/A 7+

o U/A 13+

o U/A 16+

o A (Adult)

● OTT platforms would be required to provide parental lock systems for content
classified U/A 13+ or higher, and have age verification mechanism for content
classified as ‘Adult’.

● The rating for the content should be prominently displayed before the programme
starts so that users can make informed decisions based on suitability. Along with
the rating, the content’s description should also be provided with a viewer
discretion message if applicable.

News Publishers

● Publishers of news on digital media should observe Norms of Journalistic Conduct
of the Press Council of India and the Programme Code under the Cable Television
Networks Regulation Act 1995 in order to provide a level playing field between the
offline (Print, TV) and digital media.

Positives of The Rules

The Rules must be credited for they mandate duties such as:

▪ Removal of non-consensual intimate pictures within 24 hours,

▪ Publication of compliance reports to increase transparency,

▪ Setting up a dispute resolution mechanism for content removal,

▪ Adding a label to information for users to know whether content is advertised, owned, sponsored or exclusively controlled.

Issues With the Rules

▪ Rules Ultra-vires to the IT Act

▪ Undermining Free Speech:

▪ Counterproductive in Absence of Data Privacy Law

▪ Depriving of Fair Recourse

Pegasus Spyware

Recently, it has been reported that Pegasus, the malicious software, has allegedly been used
to secretly monitor and spy on an extensive host of public figures in India.

It is designed to gain access to devices, without the knowledge of users, and gather
personal information and relay it back to whoever it is that is using the software to spy.

o Pegasus has been developed by the Israeli firm NSO Group that was set up in
2010.

o The earliest version of Pegasus discovered, which was captured by researchers
in 2016, infected phones through what is called spear-phishing – text
messages or emails that trick a target into clicking on a malicious link.

o Since then, however, NSO’s attack capabilities have become more advanced.
Pegasus infections can be achieved through so-called “zero-click” attacks,
which do not require any interaction from the phone’s owner in order to
succeed.

These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an
operating system that the mobile phone’s manufacturer does not yet know about and so
has not been able to fix.

Targets:

● Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm.

● Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.

● In 2019, WhatsApp filed a lawsuit in a US court against Israel's NSO Group, alleging that the firm was incorporating cyber-attacks on the application by infecting mobile devices with malicious software.

Conclusion

The need for a statute that protects the privacy of individuals is made urgent by
the absence of any monitoring system that safeguards the private and
personal information of individuals. There is also a need for a uniform law that is
compatible with international privacy laws, because the flow of data has now become
transnational due to globalization. For instance, India is set to become the global centre for setting
up and operating call centers. The BPO sector in India is on the rise. In such a case, a large
amount of data has already been collected, and if such operations remain unregulated, the
situation for the Indian customers could deteriorate as they are not protected by any privacy
law which guards their interests.

New IT Rules:

https://mib.gov.in/sites/default/files/IT%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20English.pdf

Data Protection Bill:

https://prsindia.org/billtrack/the-personal-data-protection-bill-2019

IT Act:

https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
