Data privacy in India is an act of treading a precarious rope, regulated by the government and internet fiduciaries alike. It disrupts the right to privacy, mediating the information of data subjects as consumerism. From the Aadhar data breach to the Pegasus leaks, even the state has exploited citizens data similar to private entities. Debmalya Biswas understands the risk attached to data on the internet. Debmalya explains through such instances of data breaches, enunciating how effective measures can bring about data protection on the internet.
Debmalya Biswas, a third-year law student from KIIT School of Law, Bhubaneswar.
India has the second-largest Internet population in the world. Although information and communications technologies (ICT’s) have incredibly upgraded our abilities to gather, store, measure, and convey data, it is an irony that these innovations limit our freedom and security.
In 2020, the internet penetration rate in the country was about 50 per cent. And while the platform has democratised, it still mimics the physicality of a public sphere. Thus, it’s prone to hate speech and harassment.
Now and then, some personal profiles on social media platforms, websites of small businesses, and data transmission get compromised. Subsequently, an individual may become a victim of harassment or might incur financial losses too.
The world has transformed into cloud computing. As a result, all our data, like emails, chat logs, banking details, etc., are accessible to private and government databases. When we consent these entities for using our data, ‘protection’ or ‘privacy’ on the internet is rendered ineffective.
Plus, different iterations of electronic voyeurism or malicious emails, ‘phishing’ further encroach security. Even though various technological measures reduce this risk, it is paramount to have a robust lawful set-up to protect and maintain electronic privacy.
Instances of Breaching Data Privacy in India
Data Breach can be intentional or unintentional. For example, an unintentional breach could occur when an entity working for an organisation accesses an unauthenticated site, downloads a compromised software program, interfaces with an unsecured Wi-Fi connection etc. These reasons and others could compromise the data of an organisation or person.
An intentional breach happens when a hacker hacks into a person or organisation’s framework to get into restrictive and individual data. During a breach, one’s details appear over the internet for nefarious users.
There have been several instances where the data got leaked from the databases of companies like Dominos, Upstox, Mobikwick, Facebook, Air India, and Big Basket. Additionally, sensitive information like CVV numbers from credit and debit cards, KYC details, AADHAR CARD details and passport information, and even customers’ locations were leaked on dark webs.
Easy accessibility to such sensitive data online can mean dismal for individuals. Moreover, such information penetration disregards the fundamental right to privacy of individuals.
Since there’s no law to provide preemptive protection, such breaks could hamper individual sanity. The same could leave consumers at the end of deceitful exercises, data fraud, blackmailing etc. Unfortunately, the same has been a norm in cases of breaches of data privacy in India.
Growing Risk Of Data Breach: Instance from Educational Institutes
The frequency of breaches and the extent of losses directly impact the protection of individuals and data privacy in India and elsewhere.
In the first half of 2017, training area information breaks multiplied in number. In addition, cyber-attacks penetrated education institutes. For instance, government-funded educational systems in Texas and Cape Cod were breached, uncovering the information of hundreds and thousands of understudies individually.
Similarly, in other instances, data from advanced education institutes got compromised. For example, the Stanford Graduate School of Business suffered a massive data breach, leaking 14 TB of information from monetary guide applications. Further, the Medical College of Wisconsin had also compromised patient information.
Educational institutions, big or small, face huge expenses because of such data breaches.
An investigation by IBM Security shows the typical expense of a data breach per record. Yet, it ordinarily comes to $200 per record (and has been much higher, with the four-year cost averaging $260). The actual expenses depend on the severity of such information break. And how long time and resources are needed to contain it. In contrast to different ventures, the training area occasionally encounters the hidden costs of losing clients after an information break.
Ukhrul Times and Nagaland Express broke the information on retailing data sets of Class 10 and 12 students from Bihar, Haryana, and Nagaland on the online business site Amazon. These information bases, decked with a cover picture, contained students’ names, parents’ names, private locations, schools’ names, telephone numbers and email addresses. All of which was available at Rs. 299.
Such information often thus serve as ‘commodities’ made accessible to private players for breach of privacy. Such violations disregard the students’ fundamental Right to Privacy. This is especially grave as minors do not have the lawful ability to give consent.
Such break-in mechanisms leave most students powerless against making them the casualties of fake exercises, fraud, blackmail, and their contact subtleties being shared on obscene sites.
Effective Measures to Protect Data Privacy in India
When we use a third-party application like Google Analytics to gather information on our user base, we allow Google Analytics to collect that data to promote google ads. Given how essential protecting data is, it’s only a shame that Google samples and controls data sets without complying with comprehensive and consumer-centred privacy guidelines.
The legal obligation of Data fiduciaries (i.e. companies like DOMINOS and MOBIKWIK) is to ensure that their customers’ data are in safe custody.
In Justice (Retd.) KS Puttaswamy v. Union of India, the Supreme Court recognised ‘informational self-determination’ as an aspect of our right to privacy. ‘Informational self-determination’ as a terminology requires that individuals be aware of how their information is being used or shared.
The IT Act makes ‘body corporates‘ liable for the losses arising from negligent handling of sensitive personal data. Unfortunately, however, there is no legal obligation for such companies to report a breach, except a moral responsibility towards their users for mere goodwill.
The IT Act provides reparations for negligent handling of sensitive data, but due to improper investigation, the cause of the data breach remains unknown to the victims.
By law, it is unlawful to sell/leak data of an individual or a student in India. Section 43A of the Information Technology (Amendment) Act, 2008, considers foundations responsible for neglecting to carry out ‘sensible security practices and methodology’ to ensure the sensitivity, information of students or individuals.
Section 67B of the IT Act (2008) endeavours to shield the security of kids under 18 years by making another upgraded punishment for hoodlums who target kids.
The recently delivered Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, an extension of Draft Intermediary Due-Diligence Guidelines, 2011, prohibits ‘intermediaries (internet or telecom services) to store and update communicate data’, ‘informing the user about such use’ and retaining the user information for ‘180 days after cancellation or withdrawal of registration’.
A mediator with such information needs to act spontaneously, working with clients to eliminate admittance to such data. As otherwise, the same could infringe on the privacy of the subject.
The KS Puttaswamy judgment reaffirmed that classified information is under threat and has become a significant worry. Under Indian law, according to the IT Act, a few remedies exist against the information preparing substance for a data breach.
WM Morrison Supermarkets PLC v. Various Claimants, a recent judgment delivered by the United Kingdom Supreme Court, sets that vicarious liability will not make a difference in instances of a data breach.
Interestingly, there’s no clarity on how managers can be expected to take responsibility for breaching workers’ data privacy in India. The Indian courts, working with the proposed Data Protection Act, are likely to reference the UK Supreme Court.
A website called ‘Have I Been Pwned’ helps determine if any emails have been compromised in a data breach after entering the email ID and phone number linked with any social media or other websites.
The website will reveal how many times an email ID or phone number got leaked. After knowing that the data have been leaked, one should immediately change all the passwords of that account. In case of any registered bank details, one should notify the bank as early as possible and change all pins and passwords. Should activate two-factor authentication (TFA or 2FA) is available on all critical applications and services.
Can we really trust the apps or the website we have been using on our phones, PCs, or Laptops for several years?
When it comes to data privacy, smartphone apps are difficult to trust. Unfortunately, there is no way to inform at face value if an app monitors you, even while you say forestall. No safety is fool-proof.
There are various ways to detect and remove the data from the apps and websites initially saved there. In addition, privacy settings have been boosted in Android 12 and iOS 14. This privacy will restrict the apps from storing data and tracking the user.
A ‘privacy nutrition level’ is now available in iOS 14, initially showing the user what kind of data an app can collect, store or track before its installation.
According to experts, data privacy to some extent lies in the hands of users, use of strong passwords in online banking apps or websites, while using any public internet service, enable VPN so that the actual location of the device becomes untraceable. In addition, users should be careful while granting permissions to unnecessary apps, websites and refrain from giving access to the contact details and location of the device.
Finally, security updates dedicated to the authorised user interfaces, operating systems, and applications in all devices will go a long way in protecting users from a data breach.
 The IT Act, 2000, Sec. 43(A), (INDIA).
 Justice KS Puttaswamy v. Union of India (CIVIL) NO 494 OF 2012, (INDIA).
 WM Morrison Supermarket PLC v. Various Claimants (2020) UKSC 12, (CANADA).