Sem 6 - Project Report
Submitted for the Degree of BCom Honours in Accounting & Finance from the
University of Calcutta.
SUBMITTED BY:
Name of the Candidate: Samriddhi Upadhyay
Registration No: 224-1211-0916-20
CU Roll No: 201224-11-0130
College Roll No: 0990
Shift: Morning
Name of the College: Seth Anandram Jaipuria College
Name of the Supervisor: Himangshu Bhattacharjee
SUPERVISOR’S CERTIFICATE
SIGNATURE:
Name of the Supervisor: Himangshu Bhattacharjee
Designation: Professor, S.A. Jaipuria College
Name of the College: Seth Anandram Jaipuria College
Place: Kolkata
STUDENT’S DECLARATION
I hereby declare that the project work titled “Data Protection: Necessity of the
Hour” submitted by me for the degree of BCom Honours in Accounting and
Finance under the University of Calcutta is my original work.
I also declare that no part of this project report has been incorporated from any
earlier work done by others or me. However, all the sources from where I have
collected parts of my data have been mentioned in the report.
SIGNATURE:
Name: Samriddhi Upadhyay
Address: Uttarayan Housing Estate,
Baranagar, Kolkata- 700108
CU Roll No: 201224-11-0130
CU Registration No: 224-1211-0916-20
ACKNOWLEDGEMENT
I present to you my project report on, “Data Protection Act: Necessity of the
Hour”.
I would like to thank our respected Principal Sir, Dr. Asok Mukhopadhyay for
giving me this opportunity to work in this field.
I am very grateful to the Head of our Department Dr. Tarun Kanti Ghosh without
whom this project would not have been successful.
I am very thankful to my supervisor, Prof. Himangshu Bhattacharjee for his
constant support and guidance.
Finally, I want to acknowledge the support of my family and friends in completing
the research work for this report.
Samriddhi Upadhyay
TABLE OF CONTENTS
4. CONCLUSION AND RECOMMENDATIONS
BIBLIOGRAPHY
CHAPTER 1
INTRODUCTION
1.3 NEED OF A DATA PROTECTION ACT:
• India has seen huge technological advancements and is at par with other
countries, but it lacks definite and stringent laws which address all the
recent changes in the way our data is handled. Over the last two decades,
countries like the USA, China and many more have adopted new laws for
data protection. India currently lacks uniform legislation. The times require
India to adopt new laws so that it can walk hand in hand with other
countries.
• The current Information Technology Act, 2000 is moderately handling
India’s data protection issues, yet it is not very strict as it falls short in
implementing the provisions properly. Data Protection with strict
implementation is currently a requirement of India.
also require the protection of privacy, it highlighted the need to protect
online personal data from prying eyes.
• Digital Data Protection Bill (2022): The Union Government has released a
revised personal data protection bill, now called the Digital Personal Data
Protection Bill, 2022. The Bill has been introduced 3 months after the
withdrawal of the Personal Data Protection Bill, 2019. The Digital Personal
Data Protection Bill, 2022, is legislation that, on the one hand, outlines the
rights and duties of the citizen and, on the other hand, the obligations of the
data fiduciary to use collected data lawfully. As per an explanatory note
provided, the bill is based on seven principles around the data economy.
• PRIMARY DATA: Primary data is data which an investigator collects for the
first time for a particular purpose. Further, this data is 'pure' in the sense
that no statistical operations have been performed on it, and it is also
original.
• SECONDARY DATA: Secondary data (also known as second-party data)
refers to any dataset collected by any person other than the one using it.
Secondary data sources are extremely useful. They allow researchers and
data analysts to build large, high-quality databases that help solve business
problems.
In this project report I have used secondary data from newspaper journals,
certified information on the internet, editorials, etc.
1.7 CHAPTER PLANNING
Chapter 1: INTRODUCTION- In this chapter, the background of the topic, literature
review, objectives and need, and the methodology used have been discussed.
Chapter 2: CONCEPTUAL FRAMEWORK- Here we have discussed the concept of the
data protection act and its national and international scenario.
Chapter 3: DATA ANALYSIS AND FINDINGS- In this chapter I have tried to illustrate
all the data that I had collected with the help of graphical diagrams.
Chapter 4: CONCLUSION AND RECOMMENDATION- Here I have provided certain
recommendations after finishing my data analysis.
NATIONAL SCENARIO
CURRENT LEGISLATION GOVERNING DATA PRIVACY:
On October 17, 2000, the Information Technology Act of 2000 was passed. It is
the main Indian legislation governing e-commerce and cybercrime issues. The
legislation was passed to uplift e-governance, provide legal backing for online
transactions, and fight cybercrime. The primary goal of the law is to facilitate legal
and reliable digital, computerized, and online operations and lessen or eliminate
cybercrimes. To broaden its scope, the present legislative framework for privacy
was outlined in the Information Technology Rules, 2011 (IT Rules, 2011) which
governs the “collecting, receiving, possessing, storing, dealing, handling, retaining,
using, transferring, disclosing sensitive personal data or information, security
practices and procedures for handling personal information”. However, this
provision is insufficient as it fails to address, among other issues, the misuse of
data collected from children, breaches of data by corporations outside India and
the limited scope of the definition of sensitive data. Moreover, there is very little
or no punishment for the violators under the I.T. Act, 2000.
The age-old Indian Contract Act, 1872 is another act governing data protection in
India. The Indian Contract Act is generally based on common law principles, and it
gives the parties to a contract room to include appropriate clauses in the contract
for the protection of data, such as a confidentiality clause.
It was formulated at a time when digitization was an alien concept to this world,
and now we are way ahead of that time but still stuck with that legislation.
The whole digital platform has grown by leaps and bounds in all aspects. The above
Rules, though a step towards having a specific law for data protection, are
not comprehensive enough. These Rules deal with only protected data as defined
in the Rules. There is no comprehensive legislation governing and regulating every
activity relating to data, with stringent provisions for protecting the data. At
the time when these were formulated it was a very revolutionary step towards data
protection, but laws need to be changed with time.
The Union government informed the Supreme Court on April 11, 2023, that a new
law, namely the Digital Personal Data Protection Bill 2022, to enforce individual
privacy in online space is “ready”. “The new Bill will be tabled in the Monsoon
Session of the Parliament in July,” Attorney-General R. Venkataramani, appearing
for the Union, informed a Constitution Bench led by Justice KM Joseph. The new
Bill, if passed by the Parliament, would replace the current Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, which were notified in 2011.
The purpose of the 2022 Bill is to “provide for the processing of digital personal
data in a manner that recognizes both the right of individuals to protect their
personal data and the need to process personal data for lawful purposes”. The Bill
separately defines data fiduciary as persons who determine the purpose and
means of processing of personal data; data principal as the individual to whom
the personal data relates; and data processor as any person who processes
personal data on behalf of a data fiduciary.
It offers a relatively soft stand on data localization requirements and permits data
transfer to select global destinations which is likely to foster country-to-country
trade agreements. The bill recognizes the data principal's right to postmortem
privacy (Withdraw Consent) which was missing from the PDP Bill, 2019 but had
been recommended by the Joint Parliamentary Committee (JPC).
INTERNATIONAL SCENARIO:
• CHINA MODEL: New Chinese laws on data privacy and security issued over
the last 12 months include the Personal Information Protection Law (PIPL),
which came into effect in November 2021. It gives Chinese data principals
new rights as it seeks to prevent the misuse of personal data.
CHAPTER 3
CASE STUDY: SECONDARY DATA ANALYSIS
In this section we will look at the reason behind the dire need for a data protection
act, which is the increase in the number of cybercrimes being reported, hacking of
devices, etc. There has been much damage due to these crimes, for which there is
hardly any act under which the culprits can be punished.
Let’s have a look at a diagrammatic analysis of the increase in cybercrimes and
other aspects of it.
I have used secondary data in this section to arrive at the given conclusion due to
a time crunch and a lack of knowledge regarding our data protection policies. On
talking to my peers regarding this subject it was found that they have very little
knowledge in this regard. Collecting data from such a population would amount to
opinion based on half or incorrect knowledge, which would lead to a rather biased
conclusion.
INCREASE IN THE NUMBER OF CYBERCRIMES OVER THE PAST FIVE YEARS:
What is cybercrime? Cybercrime is a broad term that is used to define criminal
activity in which computers or computer networks are a tool, a target, or a place of
criminal activity, and includes everything from electronic cracking to
denial-of-service attacks.
India is the second largest online market in the world with over 650 million internet
users in the country. Cyber-crime cases have witnessed a steady spike since 2018.
India witnessed 2,08,456 incidents in 2018; 3,94,499 incidents in 2019; 11,58,208
cases in 2020; 14,02,809 cases in 2021; and 2,12,485 incidents in the first two
months of 2022. The above figures show that cyber-crimes increased almost seven
times in three years between 2018 and 2021, and more sharply during the
pandemic.
In the above bar graph, we can see that there has been a steady rise in the
number of cyber-crimes in the past five years. Already, in the first two months of
2022 more than 2,00,000 cases were reported which shows what must have been
the situation by the end of the year.
STATES WHICH REPORTED THE HIGHEST NUMBER OF CYBER-CRIME CASES:
In the given bar graph, Telangana tops the list as per the data of National Crime
Records Bureau. The reason behind this could be Telangana being a digital hub
which makes it more vulnerable.
Cases of fraud causing are the highest in the given statistics; unemployment,
especially after the pandemic, can be a major reason behind such a scenario.
INCREASING INSTANCES OF CYBERCRIME AGAINST WOMEN:
Women and children were the most vulnerable parts of society during the
pandemic, making them easy targets for cybercriminals, whereas men and
adults were victims of several cybercrime scams. Women were exposed to these
crimes during the pandemic, in particular housewives and those who use social
media. The conviction rate or percentage of case disposal by courts for
cybercrime against women is lower than the conviction rate of cybercrime cases.
Though the percentage is still lower, it rose threefold between 2019 and 2021.
That means the conviction rate went up from 10.8 percent in 2019 to 35.2
percent in 2021.
It can be seen here how the crime rate against women has increased
between 2019 and 2021, a major reason behind which could be the pandemic,
which has increased the online presence of women.
According to the report, the primary motive for these cyberattacks was not
limited to financial gains; rather, they were used as a means of expressing support
or opposition for a certain political, religious, or even economic goal. While most
attacks were essentially on the same old theme, focused on compromised data
and access, there were also a few attacks conducted to help highlight the various
flaws in the country’s security posture and help improve it.
Let us understand a few common cybercrime terms:
• Hacktivism: Hacktivism occurs when political or social activists use
computer technology to make a statement supporting one of their causes.
• Data Breach: A data breach is any security incident in which unauthorized
parties gain access to sensitive data or confidential information, including
personal data (Social Security numbers, bank account numbers, healthcare
data) or corporate data (customer data records, intellectual property,
financial information).
• Compromised PII: A PII breach is a loss of control, compromise,
unauthorized disclosure, unauthorized acquisition, unauthorized access, or
any similar term referring to situations where persons other than
authorized users and for an other than authorized purpose have access or
potential access to personally identifiable information.
• Phishing: A technique for attempting to acquire sensitive data, such as bank
account numbers, through a fraudulent solicitation in email or on a web
site, in which the perpetrator masquerades as a legitimate business or
reputable person.
• SQL Injection: SQL injection is a code injection technique that might destroy
your database. SQL injection is one of the most common web hacking
techniques. SQL injection is the placement of malicious code in SQL
statements, via web page input.
These are the most commonly used techniques by which cybercrimes are
committed against individuals or institutions.
It was in July 2021 that the speculation regarding the use of Pegasus spyware to
track Indian personal devices came to light. During this time, it was revealed that
the powerful Israeli spyware designed by Israeli cybersecurity company NSO Group
was suspected to have been used to target mobile devices of people in India and
some other countries. According to leaked information, a total of 300 numbers used
by Indian citizens, including a constitutional authority, several journalists,
businesspersons, civil society leaders, two ministers in the central government,
and around three leaders from the opposition, may have been tracked by the
spyware.
A report sent to the National Security Council Secretariat (NSCS) and other security
agencies by a department under the Ministry of Electronics and Information
Technology has said that the maximum number of cyber-attacks on official Indian
websites are from China, US and Russia. It has also flagged the possibility of
“malicious actors from Pakistan using German and Canadian cyberspace for
intruding into Indian cyberspace and carrying out malicious activities”.
One cannot ascertain whether the country named in the report is the one at fault,
as countries often use the cyber space of another country because they might not
have up-to-date technology for carrying out such high-level attacks. But on the
face of it we can see that our neighbors contribute to many attacks on our cyber
space and security systems.
sophisticated attacks than other organized sectors. While customers carry out
online transactions based on trust, not all e-retailers have the means or tech
knowledge to make their businesses foolproof against cyberthreats.
With the significant rise in the use of digital systems over the years, there has been
a rapid increase in cyber frauds around the world. Cyber criminals have grown
much more sophisticated, making it more complicated for organizations to defend
themselves against cyber threats. Seeing how Indians have started doing online
banking transactions more now, the number of online banking frauds in India has
increased substantially. According to the RBI’s annual report, bank frauds of
₹100,000 and above have more than doubled in value to ₹1.85 lakh crores in FY20
as compared to ₹71,500 crores in FY19. Also, the number of such cases has
increased by 28% in the same period. According to a report by Hindustan Times,
India has lost a total of ₹615.39 crores in more than 1.17 lakh cases of online
banking frauds from April 2009 to September 2019. The occurrence of these frauds
is spread over a decade. But the banking industry is witnessing a significant rise in
the number of online banking frauds.
Such an increase in crimes in the e-banking sector is quite alarming as the elderly
and even the youngsters are sometimes susceptible to such frauds and thus lose a
large amount of money.
Healthcare saw the maximum number of attacks among all sectors in India, with
an organization in India being attacked 1,866 times per week on average in 2022.
The top three most attacked industries in India were healthcare, followed by
education, research and government, and the military. A reason behind this could
be the political agenda of the countries and also breaking the security network
of our country. In this way, they can gain an upper hand on our data and use it
against us when needed.
Here we can see that the healthcare sector has been the most attacked by
hackers followed by the education sector. Hence, we need to be quick in
formulating the rules as we have put a huge amount of data at risk out there.
The losses due to cybercrimes globally on an average amount to 2.5% of the GDP.
India’s dream of developing a 5 trillion-dollar economy faces a significant threat
from the losses that could result from large scale cybercrimes. The Indian
government has been aware of these threats for the past two decades, and the
Central Government has been working to make the cyber space a safe, secure and
reliable platform. It is feared that if these cybercrimes continue to grow at this
rate, then Indian citizens, with the fear of getting scammed, might reduce or
stop online transactions, due to which the dream of making India a digital hub
would all be in vain.
In a span of a year the revenue loss has increased to Rs. 63.40 crore from Rs.
58.65 crore.
But the point of concern is: where do all the data and money stolen by the
cyber criminals go?
Various studies and research have found that the cyber criminals sell
this data to other countries (for various geopolitical motives). Countries like
Russia, which have various rivals, buy this data, whereas countries like North
Korea, which have many sanctions imposed on them and so cannot carry out
any trading activities with other countries, resort to such crime and sell the data
to other countries. 1/3rd of North Korea's missile program is funded by the data
sold to other countries. This is very dangerous for the country as such crime might
attack the biggest organizations of our country, and sensitive, confidential
information might be compromised.
Recently, it was found that some sensitive data was compromised to Pakistani
agents by a senior official from the Defence Research and Development Organization
(DRDO). With DRDO being one of India’s largest defence weapons producers, such
information being compromised to Pakistani intelligence can make us pay a huge
cost in the future. Organizations like ISRO and AIIMS, and then our nuclear power
plants, have been attacked, which is very dangerous for our country as these are
the most protected sectors. For their geopolitical motives other countries will
always try to get into our cyber space and get such sensitive information. We need
to level up to protect our data.
Cyber criminals are paid a huge sum of money for such operations and most of
the time they remain unidentified, which leads to the recurring nature of such
incidents. Thus, we need to upgrade our security systems so that these criminals
cannot get into our cyber space.
Cybercrimes under the Information Technology Act, 2000 range from hacking to
cyber terrorism. In this Act only cyber terrorism is punishable with life
imprisonment; the rest are punishable with imprisonment of three
years, while some others are punishable with imprisonment of seven years. India
needs to amend its cyber laws in a stricter manner, because owing to India’s
cyber laws there is a growth of scammers, phishing, money laundering, etc. Citing
data from the national cybercrime reporting portal, the Union government says that
since 1 January 2020, 1.6 million cybercrime incidents have been reported,
and more than 32,000 first information reports (FIRs) have been registered.
However, conviction rates in these cases remain very low, at less than 1%, while
the conviction rate of persons arrested is less than 3%.
According to the five-year data — spanning 2017 to 2021 — shared by the union
home ministry, in 2017, out of chargesheets filed in 5,180 cases across all states
and Union Territories (UTs), only 152 ended in convictions. In 2018, of 7,000 cases
in which chargesheets were filed, there were convictions in only over 490. In 2019,
chargesheets were filed in 9,000 cases of which 360 ended in convictions and in
2020, there were nearly 1,109 convictions in 14,087 cases where chargesheets
were filed. In 2021, the numbers shrank to 490 convictions in more than 18,000
cases for which chargesheets were filed. The data indicates that despite cases and
chargesheets being registered, the number of cybercrime convictions has not
shown visible improvements.
The landscape of policing and justice delivery is changing fast. Apparently, the
traditional system cannot cope with the diverse demands and specific needs to
mete out punishment to digital offenders. The time has arrived to design a separate
cyber-criminal justice ecosystem, parallel to the existing one.
• In the past few years, cybercrimes have increased manyfold due to the
increased online presence, especially in the states which are considered
digital hubs of the country.
• Attacks on Indian government websites have increased to steal a huge amount
of data of the individuals, and to pose a security threat to the country.
• In this situation many women have become victims of cybercrime many
times and have not reported it due to fear of being shamed.
• Other countries have also been trying to get into our cyberspace for several
political and security reasons.
• The attackers have targeted the most important sectors of our economy to
steal a large amount of important information.
• The rate of conviction is very low in case of cybercrimes, as there is no
mention about most of the crimes in the act governing cybercrimes so, there
is an increase in the number of crimes being reported but not in the
conviction rate.
Hence, this necessitates a proper Data Protection Act which would govern all the
types of cybercrimes.
One also needs to be alert on one's own part so as not to fall into any trap laid
by the cyber-criminals.
CHAPTER 4
CONCLUSION AND RECOMMENDATIONS
The year 2021 marked a turning point for the nation regarding privacy and data
protection. There were many legislative and executive measures required in
response to the urgent need for comprehensive data protection laws. It is
undeniable that India has a long way to go before determining what will work
best for a nation such as ours, particularly where data privacy is not well
recognized. However, India has tried and continues to make several attempts to
give these laws and regulations legislative authority. However, it is significant to
inform individuals about data privacy, rights, and framework and bring about
relevant provisions for the governance of the same.
Although our lawmakers have come up with a Data Protection Bill which will soon
be passed as an Act, the discussion should not end here. It still has many
loopholes to it. It needs constant evolution as technology keeps changing every
day and we will come across new issues every day. It is a remarkable step towards
protecting the data of our country and its citizens, but this should not be left here.
Hence, the lawmakers need to fill all the loopholes so that the data of our citizens
cannot be attacked and stolen and always keep improving and updating the law
with respect to the technology.
• Data minimization - Data that is processed ought to be minimal and
necessary for the purposes for which such data is sought and other
compatible purposes beneficial for the data subject.
BIBLIOGRAPHY:
The information in the above project report has been collected from the following
sources.
REFERENCE JOURNALS:
• Data Protection Laws in India- Ip Leaders
• Rethinking India’s Cyber Defence- Drishti IAS
REFERENCE NEWSPAPERS:
• The Hindu
• Zee News
• The Times of India
REFERENCE WEBSITES:
• https://blog.ipleaders.in/data-protection-laws-in-india-2/
• https://www.drishtiias.com/daily-updates/daily-news-analysis/digital-personal-data-protection-bill-2022
• https://zeenews.india.com/technology/two-months-of-2022-saw-more-cyber-crimes-than-entire-2018-why-e-fraud-is-a-ticking-time-bomb-2458733.html
• https://indianexpress.com/article/india/35-of-cyber-attacks-on-indian-sites-from-china-official-report/
• https://theprint.in/tech/if-cybercrime-were-a-country-its-economy-would-be-bigger-than-indias-says-us-firms-report/545038/
• https://timesofindia.indiatimes.com/city/thiruvananthapuram/conviction-rate-abysmally-poor-in-cyber-crimes/articleshow/91674428.cms