PROJECT REPORT

Submitted for the Degree of BCom Honours in Accounting & Finance from the
University of Calcutta.

TITLE OF THE PROJECT:

DATA PROTECTION ACT: NECESSITY OF THE HOUR.

SUBMITTED BY:
Name of the Candidate: Samriddhi Upadhyay
Registration No: 224-1211-0916-20
CU Roll No: 201224-11-0130
College Roll No: 0990
Shift: Morning
Name of the College: Seth Anandram Jaipuria College
Name of the Supervisor: Himangshu Bhattacharjee

MONTH AND YEAR OF SUBMISSION: JUNE, 2023

1
 SUPERVISOR’S CERTIFICATE

This is to certify that SAMRIDDHI UPADHYAY student of BCom Honours in

Accounting and Finance of Seth Anandram Jaipuria College under the University
of Calcutta has worked under my supervision and guidance for her project work
and prepared a project report with the title, “DATA PROTECTION ACT: NECESSITY
OF THE HOUR” which she is submitting and is her genuine and original work to
the best of my knowledge.

SIGNATURE:
Name of the Supervisor: Himangshu Bhattacharjee
Designation: Professor, S.A. Jaipuria College
Name of the College: Seth Anandram Jaipuria College

Date: June 27, 2023

Place: Kolkata

2
 STUDENT’S DECLARATION

I hereby declare that the project work titled “Data Protection: Necessity of the
Hour” submitted by me for the degree of BCom Honours in Accounting and
Finance under the University of Calcutta is my original work.
I also declare that no part of this project report has been incorporated from any
earlier work done by others or me. However, all the sources from where I have
collected parts of my data have been mentioned in the report.

SIGNATURE:
Name: Samriddhi Upadhyay
Address: Uttarayan Housing Estate,
Baranagar, Kolkata- 700108
CU Roll No: 201224-11-0130
CU Registration No: 224-1211-0916-20

Date: June 27, 2023

Place: Kolkata

3
 ACKNOWLEDGEMENT

I present to you my project report on, “Data Protection Act: Necessity of the
Hour”.
I would like to thank our respected Principal Sir, Dr. Asok Mukhopadhyay for
giving me this opportunity to work in this field.
I am very grateful to the Head of our Department Dr. Tarun Kanti Ghosh without
whom this project would not have been successful.
I am very thankful to my supervisor, Prof. Himangshu Bhattacharjee for his
constant support and guidance.
Finally, I want to acknowledge the support of my family and friends in completing
the research work for this report.

Samriddhi Upadhyay

4
 TABLE OF CONTENT

CHAPTER CONTENT PAGE NO

1. INTRODUCTION
1.1 Background of the study 6
1.2 Objective of the study 6
1.3 Need of a Data Protection
Act 7
1.4 Literature Review
7-8
1.5 Research Methodology
8-9
1.6 Limitation of the Study
9
1.7 Chapter Planning
9
2. BASIC CONCEPTUAL
FRAMEWORK 10-12

3. CASE STUDY: PRESENTATION OF

DATA ANALYSIS AND FINDINGS 13-29

4. CONCLUSION AND
RECOMMENDATIONS 30-31

BIBLIOGRAPHY 32

5
 CHAPTER 1

INTRODUCTION

1.1 BACKGROUND OF THE STUDY-

Protection safeguards sensitive data against loss, manipulation, and misuse. With
the emerging sharing of data (online as well as offline) a single legislation is the
dire need of the hour to avoid any kind of misuse of data. Right to Privacy was
guaranteed as a fundamental right under Art. 21 of the Constitution as a part of
the Right to Life and Personal Liberty. An aspect of privacy is ‘informational
privacy’, which has been acknowledged by the courts as well. The protection of
privacy is currently governed by the Information Technology Act, 2000 and Indian
Contract Act, 1872 both of which are not relevant in the present situation. In the
last decade the vast use of online and social media platforms has led to an
unavoidable sharing of a huge amount of personal data which is lying out there
unprotected. Hence, the only solution to this is a stringent Data Protection Act
which would not only but protect the data of the Indian citizens from being
misused but also, punish those who try to misuse it.

1.2 OBJECTIVES OF THE STUDY:

• To understand the necessity of a Data Protection Act in the country.
• To know about the number of cybercrimes.
• To understand why the current legislation is not enough.

6
1.3 NEED OF A DATA PROTECTION ACT:

• India has seen huge technological advancements and is at par with other
countries, but it lags with definite and stringent laws which address all the
recent changes in the way our data is handled. Over the last two decades,
countries like the USA, China and many more have adopted new laws for
data protection. India currently lags uniform legislation. The times require
India to adopt new laws so that it can walk hand in hand with other
countries.
• The current Information Technology Act, 2000 is moderately handling
India’s data protection issues, yet it is not very strict as it falls short in
implementing the provisions properly. Data Protection with strict
implementation is currently a requirement of India.

• Online transactions also need to be addressed specifically, as it is currently

being regulated by RBI norms, which should be addressed by relevant laws,
which necessitates new laws on data protection in India even more.

• Since India is a nation-state, the data of the citizens is considered a

national asset. Depending on India’s security and geopolitical objectives,
this national asset may need to be protected and stored within national
borders. That would include not only the corporates, but also Non-
Governmental Organizations and governmental bodies

1.4 LITERATURE REVIEW:

• KS Puttaswamy judgement (2017): The Supreme Court of India has
established the right to privacy and data protection as a fundamental right
in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), also
called the “privacy judgement.” An aspect of the right to privacy known as
“informational privacy” has been acknowledged. The court also observed
that information about a person and the right to access that information

7
 also require the protection of privacy, it highlighted the need to protect
online personal data from prying eyes.

• Personal Data Protection Bill (2019): The Government of India had

introduced the Personal Data Protection Bill 2019 (PDP Bill) in the Lok
Sabha on 11 December 2019. "Bill" was referred for examination and
recommendations to a Joint Committee of both Houses of Parliament
(called JPC) on 12 December 2019. The government of India has withdrawn
the Personal Data Protection Bill from Parliament as it considers a
“comprehensive legal framework” to regulate the online space to boost
innovation in the country through a new bill.

• Digital Data Protection Bill (2022): The Union Government has released a
revised personal data protection bill, now called the Digital Personal Data
Protection Bill, 2022. The Bill has been introduced 3 months after the
withdrawal of the Personal Data Protection Bill, 2019. The Digital Personal
Data Protection Bill, of 2022, is legislation, on one hand, outlines the rights
and duties of the citizen and on the other hand, the obligations to use
collected data lawfully of the data fiduciary. As per an explanatory note
provided, the bill is made on seven principles around the data economy.

1.5 RESEARCH METHODOLOGY:

TYPE OF DATA:

• PRIMARY DATA: Primary data is one which an investigator collects for the
first time for a particular purpose. Further, this data is 'pure' in the sense
that there haven't been any statistical operations performed on them, plus
they are also original.

8
 • SECONDARY DATA: Secondary data (also known as second-party data)
refers to any dataset collected by any person other than the one using it.
Secondary data sources are extremely useful. They allow researchers and
data analysts to build large, high-quality databases that help solve business
problems.

In this project report I have used secondary data from newspaper journals,
certified information on the internet, editorials, etc.

1.6 LIMITATIONS OF THE STUDY:

• In some situations, secondary data might not be very reliable as it is
incomplete.
• It is difficult to find neutral data online as it is largely based on the opinion
of the publisher.
• Primary data could not be obtained due to the lack of knowledge about the
absence of a data protection act and its current scenario.

1.7CHAPTER PLANNING
Chapter 1: INTRODUCTION- In this chapter, the background of the topic, literature
review, objectives and need, methodology used have been discussed.
Chapter 2: CONCEPTUAL FRAMEWORK- Here we have discussed, the concept of
data protection act, its national and international scenario.
Chapter 3: DATA ANALYSIS AND FINDINGS- In this chapter I have tried to illustrate
all the data that I had collected with the help of graphical diagrams.
Chapter 4: CONCLUSION AND RECOMMENDATION- Here I have provided certain
recommendations after finishing my data analysis.

DURATION OF THE STUDY:

30 days (April 15- May 15)
9
 CHAPTER 2
BASIC CONCEPTUAL FRAMEWORK

NATIONAL SCENARIO
CURRENT LEGISLATION GOVERNING DATA PRIVACY:
On October 17, 2000, the Information Technology Act of 2000 was passed. It is
the main Indian legislation governing e-commerce and cybercrime issues. The
legislation was passed to uplift e-governance, provide legal backing for online
transactions, and fight cybercrime. The primary goal of the law is to facilitate legal
and reliable digital, computerized, and online operations and lessen or eliminate
cybercrimes. To broaden its scope, the present legislative framework for privacy
was outlined in the Information Technology Rules, 2011 (IT Rules, 2011) which
governs the “collecting, receiving, possessing, storing, dealing, handling, retaining,
using, transferring, disclosing sensitive personal data or information, security
practices and procedures for handling personal information”. However, this
provision is insufficient as it fails to address among other issues, the misuse of
data collected from children, breaches of data by corporations outside India and
the limited scope of the definition of sensitive data. Moreover, there is very little
or no punishment for the violators under the I.T. Act, 2000.
The age-old Indian Contract Act, 1872 is another act governing data protection in
India. Indian Contract Act is generally based on the common law principles and the
Contract Act provides space to the parties to a contract to have appropriate clauses
in the contract for protection of data like confidentiality clause, confidentiality etc.
It was formulated at a time when digitization was an alien concept to this world
and, now we are way ahead of that time but still stuck with that legislation.
The whole digital platform has grown by leaps and bounds in all aspects. The above
Rules though are a step towards having a specific law for data protection but are
not comprehensive enough. These Rules deal with only protected data as defined
in the Rules. There is no comprehensive legislation governing and regulating every
activity relating to data and have stringent provisions for protecting the data. At
10
the time when these were formulated it was a very revolutionary step towards data
protection, but laws need to be changed with time.

DEVELOPMENTS IN THE RECENT PAST IN THIS REGARD:

The Union government informed the Supreme Court on April 11, 2023, that a new
law, namely the Digital Personal Data Protection Bill 2022, to enforce individual
privacy in online space is “ready”. “The new Bill will be tabled in the Monsoon
Session of the Parliament in July,” Attorney-General R. Venkataramani, appearing
for the Union, informed a Constitution Bench led by Justice KM Joseph. The new
Bill, if passed by the Parliament, would replace the current Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, which was notified in 2011.

The purpose of the 2022 Bill is to “provide for the processing of digital personal
data in a manner that recognizes both the right of individuals to protect their
personal data and the need to process personal data for lawful purposes”. The Bill
separately defines data fiduciary as persons who determined the purpose and
means of processing of personal data; data principal as the individual to whom
the personal data related to; data processor as any person who processes
personal data on behalf of a data fiduciary.

It offers a relatively soft stand on data localization requirements and permits data
transfer to select global destinations which is likely to foster country-to-country
trade agreements. The bill recognizes the data principal's right to postmortem
privacy (Withdraw Consent) which was missing from the PDP Bill, 2019 but had
been recommended by the Joint Parliamentary Committee (JPC).

11
INTERNATIONAL SCENARIO:

DATA PROTECTION LAWS IN OTHER NATIONS:

• EUROPEAN UNION MODEL: The General Data Protection Regulation focuses

on a comprehensive data protection law for processing of personal data. In
the EU, the right to privacy is enshrined as a fundamental right that seeks
to protect an individual’s dignity and her right over the data she generates.

• US MODEL: There is no comprehensive set of privacy rights or principles in

the US that, like the EU’s GDPR, addresses the use, collection, and
disclosure of data. Instead, there is limited sector-specific regulation. The
approach towards data protection is different for the public and private
sectors.

• CHINA MODEL: New Chinese laws on data privacy and security issued over
the last 12 months include the Personal Information Protection Law (PIPL),
which came into effect in November 2021. It gives Chinese data principals
new rights as it seeks to prevent the misuse of personal data.

12
 CHAPTER 3
CASE STUDY: SECONDARY DATA ANALYSIS

In this section we will look at the reason behind the dire need of a data protection
act, which is increase in the number of cybercrimes being reported, hacking of
devices, etc. There has been much damage due to these crimes, for which there is
hardly any act under which the culprits can be punished.
Let’s have a look at a diagrammatic analysis of the increase in cybercrimes and
other aspects of it.
I have used secondary data in this section to arrive at the given conclusion due to
time crunch and, lack of knowledge regarding our data protection policies. On
talking to my peers regarding this subject it was found that they have very little
knowledge in this regard. Collecting data from such population would amount to
opinion based on half or incorrect knowledge which would lead to a rather biased
conclusion.

13
INCREASE IN THE NUMBER OF CYBERCRIMES SINCE THE PAST FIVE YEARS:
What is cybercrime? Cybercrime is a broad term that is used to define criminal
activity in which computers or computer networks are a tool, a target, or a place of
criminal activity and include everything from electronic wracking to denial-of-
service attacks.
India is the second largest online market in the world with over 650 million internet
users in the country. Cyber-crime cases have witnessed a steady spike since 2018.
India witnessed 2,08,456 incidents in 2018; 3,94,499 incidents in 2019; 11,58,208
cases in 2020; 14,02,809 cases in 2021; and 2,12,485 incidents in the first two
months of 2022. The above figures show that cyber-crimes increased almost seven
times in three years between 2018 and 2021, and more sharply during the
pandemic.

In the above bar graph, we can see that there has been a steady rise in the
number of cyber-crimes in the past five years. Already, in the first two months of
2022 more than 2,00,000 cases were reported which shows what must have been
the situation by the end of the year.

14
STATES WHICH REPORTED THE HIGHEST NUMBER OF CYBER-CRIME CASES:

India reported 52,974 incidents of cyber-crimes in 2021, an increase of nearly six

percent from the year before. Telangana topped the chart among states,
accounting for more than 19 percent, National Crime Records Bureau (NCRB) data
shows. The reason behind this can be that more people are coming out and
reporting such incidents.

Source: National Crime Records Bureau

15
In the given bar graph, Telangana tops the list as per the data of National Crime
Records Bureau. The reason behind this could be Telangana being a digital hub
which makes it more vulnerable.

MAIN MOTIVES BEHIND CYBERCRIME:

SOURCE: NATIONAL CRIME RECORDS BUREAU

Cases of fraud causing are the highest in the given statistics; unemployment,
especially after the pandemic, can be a major reason behind such a scenario.

16
INCREASING INSTANCES OF CYBERCRIME AGAINST WOMEN:

Women and children were the most vulnerable parts of society during the
pandemic, making them simple targets for cybercriminals whereas men and
adults were victims of several cybercrime scams. Women were exposed to these
crimes during the pandemic, in particular housewives and those who use social
media. The conviction rate or percentage of case disposal by courts for
cybercrime against women is lower than the conviction rate of cybercrime cases.
Though the percentage is still lower, it jumped up thrice between 2019 and 2021.
That means the conviction rate went up from 10.8 percent in 2019 to 35.2
percent in 2021.

17
It can be seen here that how the crime rate against women have increased
between 2019 and 2021, a major reason behind which could be the pandemic
which has increased the online presence of women.

CYBERATTACKS ON INDIAN GOVERNMENT:

IT Minister Ashwini Vaishnav said that around 50 government websites have been
hacked and compromised. India witnessed 13.91 Lakh cyber security incidents in
2022, Minister of State for Electronics and Information and Technology Rajeev
Chandrasekhar informed the Parliament on Friday (February 10).
The numbers still do not give an entire picture of cyberattacks on the country as
these statistics only include information reported to and tracked by the Indian
Computer Emergency Response Team (CERT-In).
The year 2022 saw one of the biggest cyberattacks in India where the country’s
premier institution, All India Institute of Medical Sciences (AIIMS) was hit by a
ransomware attack.
Let us look at the type of cybercrimes committed against the Indian government
agencies:

18
According to the report, the primary motive for these cyberattacks were not
limited to financial gains; rather, they were used as a means of expressing support
or opposition for a certain political, religious, or even economic goal. While most
attacks were essentially on the same old theme, focused on compromised data
and access, there were also a few attacks conducted to help highlight the various
flaws in the country’s security posture and help improve it.
Let us understand about a few common cybercrime terms:
• Hacktivism: Hacktivism occurs when political or social activists use
computer technology to make a statement supporting one of their causes.
• Data Breach: A data breach is any security incident in which unauthorized -
parties gain access to sensitive data or confidential information, including
personal data (Social Security numbers, bank account numbers, healthcare
data) or corporate data (customer data records, intellectual property,
financial information).
• Compromised PII: A PII breach is a loss of control, compromise,
unauthorized disclosure, unauthorized acquisition, unauthorized access, or
any similar term referring to situations where persons other than
authorized users and for an other than authorized purpose have access or
potential access to personally identifiable information.
• Phishing: A technique for attempting to acquire sensitive data, such as bank
account numbers, through a fraudulent solicitation in email or on a web

19
 site, in which the perpetrator masquerades as a legitimate business or
reputable person.
• SQL Injection: SQL injection is a code injection technique that might destroy
your database. SQL injection is one of the most common web hacking
techniques. SQL injection is the placement of malicious code in SQL
statements, via web page input.

These are the most commonly used techniques against by which cybercrimes are
committed against individuals or institutions.

CYBERATTACKS BY OTHER COUNTRIES:

In the recent past, foreign countries have been attacking the cyber network of
India. Not just for monetary reasons, but also for political reasons. Let us look at a
few attacks:

As per a report prepared by US-based cybersecurity company Recorded Future,

Chinese hackers targeted seven Indian centers in Ladakh responsible for carrying
out electrical dispatch and grid control near a border area disputed by the two
nuclear neighbors in the month of April this year. The Chinese hackers primarily
used the trojan Shadow Pad, which is believed to have been developed by
contractors for China's Ministry of State Security, leading to the conclusion that
this was a state-sponsored hacking effort, according to the report.

20
 It was in July 2021, that the speculation regarding the use of Pegasus spyware to
track Indian personal devices came to light. It was in July 2021, that the speculation
regarding the use of Pegasus spyware to track Indian personal devices came to
light. During this time, it was revealed that the powerful Israeli spyware designed
by Israeli cybersecurity company NSO Group, is suspected to be used to target
mobile devices of people in India and some other countries. According to leaked
information, a total of 300 numbers used by Indian citizens, including a
constitutional authority, several journalists, businesspersons, civil society leaders,
two ministers in the central government, and around three leaders from the
opposition, may have been tracked by the spyware.
A report sent to the National Security Council Secretariat (NSCS) and other security
agencies by a department under the Ministry of Electronics and Information
Technology has said that the maximum number of cyber-attacks on official Indian
websites are from China, US and Russia. It has also flagged the possibility of
“malicious actors from Pakistan using German and Canadian cyberspace for
intruding into Indian cyberspace and carrying out malicious activities”.

SOURCE: THE INDIAN EXPRESS

21
One cannot ascertain if the country as per the report is the one at fault as many
times countries use the cyber space of another country as they might not have up
to date technology for carrying out such high-level attacks. But on the face of it
we can see that our neighbors contribute to many attacks on our cyber space and
security systems.

IMPACT OF CYBERCRIMES ON E-COMMERCE AND E-BANKING SECTOR:

According to a recent analysis by Inc42, the ecommerce market is set to cross the
$400 Bn mark by 2030 — growing at a compound annual growth rate (CAGR) of
18.9% between 2022 to 2030 — while D2C, the most prominent sub-segment in
this market, will have an estimated value of $302 Bn. These are ambitious
estimates, but they also underline how tempted cybercriminals will be to take
control of such a massive market. Brands, too, must understand the extent of the
risk and the need for implementing a robust system to reduce customer churn
triggered by data breaches.
Hackers/cybercriminals tend to target retail ecommerce companies for two
reasons. First, PoS (point of sale) attacks give them quick access to the most
sensitive personal and financial data. Second, be it POS intrusion, website attack
or database hacks, e-retail companies and their customers are more vulnerable to

22
sophisticated attacks than other organized sectors. While customers carry out
online transactions based on trust, not all e-retailers have the means or tech
knowledge to make their businesses foolproof against cyberthreats

With the significant rise in the use of digital systems over the years, there has been
a rapid increase in cyber frauds around the world. Cyber criminals have grown
much more sophisticated, making it more complicated for organizations to defend
themselves against cyber threats. Seeing how Indians have started doing online
banking transactions more now, the number of online banking frauds in India has
increased substantially. According to the RBI’s annual report, bank frauds of
₹100,000 and above have more than doubled in value to ₹1.85 lakh crores in FY20
as compared to ₹71,500 crores in FY19. Also, the number of such cases has
increased by 28% in the same period. According to a report by Hindustan Times,
India has lost a total of ₹615.39 crores in more than 1.17 lakh cases of online
banking frauds from April 2009 to September 2019. The occurrence of these frauds
is spread over a decade. But the banking industry is witnessing a significant rise in
the number of online banking frauds.

Such increase in crimes in the e-banking sector is quite alarming as the elderly and
even the youngsters sometimes get susceptible to such frauds and thus, lose a
large amount of money.

SECTORS MOST AFFECTED BY CYBER THREATS:

23
Healthcare saw the maximum number of attacks among all sectors in India, with
an organization in India being attacked 1,866 times per week on average in 2022.
The top three most attacked industries in India were healthcare, followed by
education, research and government, and the military. A reason behind this could
be the political agenda of the countries and to also breaking the security network
of our country. In this way, they can gain an upper hand on our data and use it
against us when needed.

Let us look at a visual representation of the most attacked sectors.

SOURCE: CHECK POINT RESEARCH

Here we can see that the healthcare sector has been the most attacked by
hackers followed by the education sector. Hence, we need to be quick in
formulating the rules as we have put aa huge amount of data at risk out there.

LOSS SUFFERED DUE TO CYBERATTACKS:

24
The losses due to cybercrimes globally on an average amount to 2.5% of the GDP.
India’s dream of developing a 5 trillion-dollar economy faces a significant threat
from the losses that could result from large scale cybercrimes. The Indian
government is aware of these threats from the past two decades and, the Central
Government has been working to make the cyber space a safe, secure and
reliable platform. It is feared that if these cybercrimes continue to grow at this
rate, then the Indian citizens with the fear of getting scammed might reduce or
stop online transactions due to which the dream of making India a digital hub
would all go in vain.

SOURCE: THE ECONOMIC TIMES

In a span of a year the revenue loss has increased to Rs. 63.40 crore from Rs.
58.65 crore.
But the point of concern is that where does all the data and money stolen by the
cyber criminals go?
In various studies and researches it has been found that the cyber criminals sell
those data to other countries (for various geopolitical motives). Countries like
Russia who have various rivals buy these data whereas countries like North Korea
who have many sanctions imposed on them due to which they cannot carry out
any trading activities with other countries resort to such crime and sell the data to
other countries. 1/3rd of North Korea's missile program is funded by the data sold
to other countries. This is very dangerous for the country as such crime might
attack the biggest organizations of our country and sensitive, confidential
information might be compromised.
Recently, it was found that some sensitive data was compromised to Pakistani
agents by a senior official from Defence Research and Development Organization
(DRDO). DRDO being India’s one of the largest defence weapons producer such
information being compromised to Pakistani intelligence can make us pay a huge
cost in the future. Organizations like ISRO, AIIMS then our nuclear power plants

25
have been attacked which is very dangerous for our country as these are the most
protected sectors. For their geopolitical motives other countries will always try to
get into our cyber space and get such sensitive information. We need to level up
to protect our data.
Cyber criminals are paid a huge sum of money for such operations and most of
the times they remain unidentified which leads to the recurring nature of such
incidents. Thus, we need to upgrade our security systems so that these criminals
cannot get into our cyber space.

CRIME REPORTED VS ACTUAL CONVICTION RATE:

Cybercrimes under Information Technology Act, 2000 which are from hacking to
cyber terrorism. In this Act only Cyber Terrorism is punishable with life
imprisonment, and the rest of them are punishable with imprisonment of three
years while some others are punishable with imprisonment of seven years. India
needs to amend their cyber laws more in a strict manner, because of India’s
cyberlaws there is a growth of scammers, phishing, money laundering, etc. Citing
data from the national cybercrime reporting portal, the Union government says
since 1 January 2020, 1.6mn (million) cybercrime incidents have been reported,
and more than 32,000 first information reports (FIRs) have been registered.
However, conviction rates in these cases remain very low, at less than 1%, while

26
the conviction rate of persons arrested is less than 3%.

SOURCE: THE PRINT (2017-2021)

According to the five-year data — spanning 2017 to 2021 — shared by the union
home ministry, in 2017, out of chargesheets filed in 5,180 cases across all states
and Union Territories (UTs), only 152 ended in convictions. In 2018, of 7,000 cases
in which chargesheets were filed, there were convictions in only over 490. In 2019,
chargesheets were filed in 9,000 cases of which 360 ended in convictions and in
2020, there were nearly 1,109 convictions in 14,087 cases where chargesheets
were filed. In 2021, the numbers shrunk to 490 convictions in more than 18,000
cases for which chargesheets were filed. The data indicates that despite cases and
chargesheets being registered, the number of cybercrime convictions has not
shown visible improvements.

“Lack of adequate resources in cyber forensics”, the “trans-border nature of

attacks” and cyber criminals using more advanced technology to evade detection
have led to this situation, believe experts & police agencies.

The landscape of policing and justice delivery is changing fast. Apparently, the
traditional system cannot cope with the diverse demands and specific needs to

27
mete out punishment to digital offenders. The time has arrived to design a separate
cyber-criminal justice ecosystem, parallel to the existing one.

INFERENCE DRAWN FROM THE ABOVE DATA ANALYSIS:

• In the past few years' cybercrimes have increased many folds due to the
increased online presence especially in the states which are considered
digital hubs of the country.
• Attacks on Indian government websites have increased to steal huge amount
of data of the individuals, and to pose a security threat to the country.
• In this situation many women have become victims of cybercrime many
times and have not reported it due to fear of being shamed.
28
 • Other countries have also been trying to get into our cyberspace for several
political and security reasons.
• The attackers have targeted the most important sectors of our economy to
steal a large amount of important information.
• The rate of conviction is very low in case of cybercrimes, as there is no
mention about most of the crimes in the act governing cybercrimes so, there
is an increase in the number of crimes being reported but not in the
conviction rate.

Hence, this necessitates a proper Data Protection Act which would govern all the
types of cybercrimes.
One needs to be alert as well from their part to not fall into any trap laid by the
cyber-criminals.

CHAPTER 4
CONCLUSION AND RECOMMENDATIONS

The year 2021 marked a turning point for the nation regarding privacy and data
protection. There were many legislative and executive measures requirements in
response to the urgent need for comprehensive data protection laws. It is
undeniable that India has a long way to go before determining what will work

29
best for a nation such as ours, particularly where data privacy is not well
recognized. However, India has tried and continues to make several attempts to
give these laws and regulations legislative authority. However, it is significant to
inform individuals about data privacy, rights, and framework and bring about
relevant provisions for the governance of the same.

Although our lawmakers have come up with a Data Protection Bill which will soon
be passed as an Act, the discussion should not end here. It still has many
loopholes to it. It needs constant evolution as technology keeps changing every
day and we will come across new issues every day. It is a remarkable step towards
protecting the data of our country and its citizens, but this should not be left here.
Hence, the lawmakers need to fill all the loopholes so that the data of our citizens
cannot be attacked and stolen and always keep improving and updating the law
with respect to the technology.

RECOMMENDATIONS TO BE CONSIDERED FOR NEW DATA PROTECTION ACT:

• Technology agnosticism - The law must be technology agnostic. It must be
flexible to consider changing technologies and standards of compliance.

• Informed consent - Consent is an expression of human autonomy. For such

an expression to be genuine, it must be informed and meaningful. The law
must ensure that consent meets the criteria.

30
 • Data minimization - Data that is processed ought to be minimal and
necessary for the purposes for which such data is sought and other
compatible purposes beneficial for the data subject.

• Controller accountability - The data controller shall be held accountable for

any processing of data, whether by itself or entities with whom it may have
shared the data for processing.

• Structured enforcement - Enforcement of the data protection framework

must be by a high-powered statutory authority with sufficient capacity. This
must coexist with appropriately decentralized enforcement mechanisms.

BIBLIOGRAPHY:

The information in the above project report has been collected from the following
sources.
REFERENCE JOURNALS:
• Data Protection Laws in India- Ip Leaders

31
 • Rethinking India’s Cyber Defence- Drishti IAS

REFERENCE NEWSPAPERS:
• The Hindu
• Zee News
• The Times of India

REFERENCE WEBSITES:
• https://blog.ipleaders.in/data-protection-laws-in-india-2/
• https://www.drishtiias.com/daily-updates/daily-news-analysis/digital-
personal-data-protection-bill-2022
• https://zeenews.india.com/technology/two-months-of-2022-saw-more-
cyber-crimes-than-entire-2018-why-e-fraud-is-a-ticking-time-bomb-
2458733.html
• https://indianexpress.com/article/india/35-of-cyber-attacks-on-indian-
sites-from-china-official-report/
• https://theprint.in/tech/if-cybercrime-were-a-country-its-economy-would-
be-bigger-than-indias-says-us-firms-report/545038/
• https://timesofindia.indiatimes.com/city/thiruvananthapuram/conviction-
rate-abysmally-poor-in-cyber-crimes/articleshow/91674428.cms

32