The Reserve Bank of India (RBI), in a recent notice, asked banks to scrutinize their database and reissue customers’ credit and debit cards that were affected by a leak which put more than a million card details of Indian banks on sale on the dark web. This is alarming for a billion-strong nation where the number of active web users is growing every day.
India is one step closer to enacting a law on data protection following the recommendations by the Sri Krishna Committee on Data Privacy and Management. This is a much-needed development considering the pace at which internet penetration is growing in the country. The Personal Data Protection Bill, 2019, was introduced in the Lok Sabha in the Parliament recently and will now go to a Joint Parliamentary Panel for closer scrutiny.
Data is the new commodity, and the data trails left by our online activities are much sought after by businesses because they can be monetized. The same data, when misused, can be equally destructive; hence individuals, organizations and governments are united in their call for safeguarding personal data and privacy. Despite the unanimity, cyber-attacks, data leaks and frauds continue to be a staple of the news cycle. There is an immediate need for a robust data security framework, not only in the form of a law but also through a focus on training the teams that manage data and IT security.
The Information Technology Act 2000/2008, as the current legal framework for the Indian technology sector, has some serious shortcomings with respect to data privacy. For instance, the IT Act provides for data collection and usage standards, but misses out on setting a framework for data storage techniques, user consent and data processing standards. The Personal Data Protection Bill, 2018, contains several recommendations that will address these shortcomings, besides defining jurisdictional limits, establishing an independent data protection law enforcement authority and imposing heavy penalties for breaking this law.
The bill’s highlight is “to inform and take consent” for usage of personal data. Each user has to be informed about the nature of the personal data being collected and the purpose for which it will be used. It also has provisions to appoint a data protection officer, who will need to be notified about every data breach. Non-adherence will result in heavy penalties of up to ₹15 crore, or 4% of global turnover, which is more stringent than the Global Data Protection Regulation, the European law. The bill, once passed into law, will surely have far-reaching ramifications.
The fight for data privacy needs to be multidimensional to be effective. Along with strong legislation, the technological and human aspects of data safety need to be addressed. Ensuring data safety and security is a highly technical job, calling for investments in the latest hardware and software to thwart cyber criminals. Humans are often the weak link in the fight for data privacy and security.
With new legislation in the offing, the fight for data privacy and security will have a much bigger impact if increasing awareness among individuals and organizations translates to increasing adoption of available safety measures and the latest technologies. The fight, however, cannot be a one-off event and needs to be conducted on an ongoing basis. As cyber criminals invent new tactics, and more users join the online bandwagon, the multipronged approach in the fight for data safety and privacy must continue.
Sanjay Kaushik is managing director of Netrika Consulting.