In this article the author provides an analytical framework for understanding
the importance of the Digital Personal Data Protection Act and the reasons for
imposing restrictions and providing guidelines on the collection and processing
of data. The key terms are Data Fiduciary, Data Principal and Data Location. The
article explains the necessity of implementing the protection bill to stop and
prevent potential offenders from carrying out cyber scams such as phishing,
encryption of data, etc.
This article also examines the status of personal data protection in other
countries. It also discusses the possible misuse of the rights conferred on the
central government. Several criticisms of this Act are also set out in this
article. The article also covers the landmark judgements from which the topic of
privacy begins. Various suggestions are included in the conclusion which would
help in increasing the accuracy of the implementation of this Act.
Introduction
The Digital Personal Data Protection Act 2023 sets out the framework for the
protection of personal data gathered by different organizations. The DPDP bill
describes certain obligations of the Data Fiduciary and the Data Principal which
they must perform in order to protect personal data from the intervention of
any malware in secured devices and servers. Taking the consent of the person to
whom the data belongs shall be the topmost priority. The Data Principal and the
Data Fiduciary are the key terms used in this article.
Data Principal refers to the person to whom the data belongs, and Data Fiduciary
refers to the person who processes the personal data and provides services by
performing a certain chain of activities. This came into the picture after 2017,
when the Right to Privacy was recognised as a Fundamental Right under Article 21
in the case of Justice K.S. Puttaswamy v. Union of India and other landmark
judgements.
Historical Background
The journey of the protection of personal data commenced after the judgement on
the Right to Privacy in the case mentioned below. The case was filed before a
three-judge bench of the Supreme Court on the ground that the scheme of the
Aadhaar identification Act 2016 violated the Right to Privacy. The Right to
Privacy was deemed to be a fundamental right in the case of Justice K.S.
Puttaswamy v. Union of India[1] (2017) under Article 21, the right to life and
personal liberty, of the Indian Constitution.
This case concerns the Aadhaar Act 2016, against which the writ was filed as a
challenge to the government's proposed requirement that individuals hold an
Aadhaar card (a uniform biometric identity card) in order to receive government
services and benefits. The 2017 judgement on the Right to Privacy overruled the
judgements passed in M.P. Sharma v. Satish Chandra[2] (1954) and in Kharak Singh
v. State of U.P.[3] (1964), decided by a six-judge bench, which had been passed
in both Houses of Parliament and also assented to by the Honourable President.
From 2017, work on the protection of digital personal data commenced and an
expert committee was formed under the Ministry of Electronics and Information
Technology, and by 2019 the PDP bill (Protection of Data Privacy bill) was
introduced in Parliament. The PDP bill, also known as the Protection of Data
Privacy bill 2019, was opposed in Parliament, and the Joint Parliamentary
Committee (Srikrishna Panel) also recommended withdrawing the bill, as there
were 81 amendments and 12 recommendations which amounted to a very comprehensive
and intensive legal framework to be amended. Here are some recommendations that
the Joint Parliamentary Committee made in order to amend the bill:
- The committee recommended also including non-personal data within the ambit of the data privacy bill, as it is very difficult to distinguish between personal and non-personal data.
- The Data Fiduciary, after becoming aware of any breach of data, should report it to the data protection authority within 72 hours of such awareness.
- The bill exempts certain agencies of the central government from the obligations specified in the bill in the interest of the sovereignty and integrity of India, friendly relations with foreign states, public order, or to prevent the occurrence of any cognizable offence relating to any of the above. The exemption made must be just, fair and reasonable and in accordance with the procedure established by law.
- The committee also recommended changing the composition of the selection committee for the appointment of the Chairman, Secretary and other positions in the DPB. The Attorney General of India, an independent expert in data protection and a trained person from the IITs should be included.
- Various data analysts and managers of different organizations dissented from the concept of Data Localization, which mandates that the Data Fiduciary keep a copy of the Data Principals' data secured within a physical device.
One of the main reasons for the withdrawal of the bill was that more powers lay
in the hands of the central government, which could lead to a monopoly over the
whole statute. Start-ups also dissented from the application of the bill as it
involved a heavy regulatory compliance burden.
On 18 November 2022 a new draft, DPDPB 2021, was introduced and put out for
public consultation; the request for disclosure of the submissions made by the
public was denied, and the bill was rejected once again. Therefore, at the
fourth attempt, a new piece of legislation, the Digital Personal Data Protection
Bill 2023, was introduced in the Monsoon Session of Parliament, was passed with
the assent of the President on 11th August 2023, and came to be known as the
DPDP Act 2023[4].
Digital Personal Data Protection Status in other countries
The increase of social and economic activity on online platforms leads to the
necessity of adopting more stringent rules and legislation. In Asia and Africa,
61% and 57% of countries respectively have adopted personal data protection
legislation.
The General Data Protection Regulation (GDPR) is the most robust privacy and
security law in the world. Although it was developed and adopted by the
European Union (EU), it imposes obligations on any organization that seeks out
or obtains data about individuals residing in the EU.
The regulation has been in effect since May 25, 2018. Those who violate the
GDPR's privacy and security requirements are liable to fines of up to tens of
millions of euros. Since the GDPR came into effect, every organization has a
duty to follow its rules strictly and without fail. Below are some of the
rights conferred by this regulation on the individuals to whom it applies:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
According to estimates, cybercrime affected 53.35 million US individuals in the
first half of 2022. The US was the nation most frequently targeted by
cyberattacks between July 2020 and June 2021, accounting for about 46% of all
attacks worldwide. The California Consumer Privacy Act[5] (CCPA), which offers
strong consumer protection and privacy rights, is one of the state's most
progressive pieces of legislation. Just 50% of US organisations have cyber
insurance with full cover.
A further 28% have cyber insurance with exclusions or exceptions in the policy,
meaning they may not be covered for certain attacks or under certain
circumstances. The CCPA helps people find out how and for what purpose their
data is gathered and used. Alabama, Connecticut, Florida, New York, Washington,
Illinois, Texas and Virginia are among other states with bills in place or in
the process of being passed.
The GDPR[6] was applicable in the UK only until 31st July 2021, after which a
new act came into the picture, the Data Protection Act 2018, which came into
force in July. As technology advanced in social and economic activities, and in
order to give wider protection to privacy, the United Kingdom formulated a new
law, the Data Protection, Privacy and Electronic Communications Regulation Act
2019, which amended the above Act and gave it a holistic character that
distinguishes it from the GDPR.
Germany protects the personal data of individuals by following the regulations
set out in the EU GDPR. According to 2022 research, 72.6% of German
organizations had experienced at least one successful cyberattack in the 12
months prior to the survey. In 2022, 5.19% of spam originated from Germany.
South Africa has the POPI Act[7], which commenced on 1st July 2020. This Act was
formulated in 2013, but it took 7 years for it to be fully enforced as a well
defined act.
The Privacy Act 1988[8] is the piece of legislation in Australia that governs
the protection of the personal data of individuals. Australia experienced an 81%
surge in cyberattacks between July 2021 and June 2022. The continued prevalence
of cybercrime in the nation is highlighted by the fact that network traffic
increased by only 38% during the same period. In 2022, attacks against websites
that handle money increased by more than 200%.
Applicability of the Bill
- It applies where the personal data is collected:
  - in digital form or through online submission;
  - recorded offline but digitised subsequently;
  - by an organization outside the territory of India whose chain of activities is linked to providing goods and services to Data Principals in the territory of India.
- It is not applicable to a person:
  - who is under an obligation to publish the data publicly under any force of law;
  - who is using the personal information for personal or domestic purposes.
Position Of Protection Of Personal Data In India
Before 2017, negotiations on framing regulations for protecting personal data
were going on but were not very efficient or effective. In the late 1980s and
1990s, after the LPG policy was implemented, competition started developing in
India as multinational corporations entered the country, but technology had not
developed to the point where the idea of protecting digital personal data was
seen as significant. India, which has become digitalised over a period of time,
has somewhat lagged in legislation. Though the IT Act 2000[9] and the SDPI rules
help protect some part of personal data, a greater degree of precision was
required to protect personal data; therefore the Digital Personal Data
Protection Bill was brought into the picture and efforts were made towards its
formulation from 2017. The IT Act only talks about securing the data of the Data
Principal but does not explain the obligations, liabilities and rights of the
different parties mentioned in this Act.
Phishing is one of the most common cyber scams and leads to the leakage of
personal information through a single wrong click. According to the website[10],
the number of cybercrimes reported in 2018 was 208,456. In 2022 the figure
reached 212,485 in the first two months, more than the whole of 2018. There was
a vast rise in cybercrime figures, from 394,499 in 2019 to 1,158,208 in 2020 and
1,402,809 in 2021. Between Q1 and Q2 of 2022, cybercrime across India rose by
15.3%. Additionally, 26,121 websites were hacked in 2020. Out of 78% of the
cyber scams, 80% were scams in which personal data was encrypted. With the
increasing digitisation of various sectors, including critical infrastructure,
it becomes essential to have legislation in place to safeguard sensitive data
from potential offenders.
Necessity of Digital Personal Data Protection bill
Bringing in a data protection bill is necessary to address the growing concerns
surrounding personal data protection in today's digital world. Such legislation
provides a legal framework for the collection, use and storage of personal
data, ensuring that individuals' rights and privacy are protected. Below are
some of the requirements that this bill provides for both the Data Principal
and the Data Fiduciary:
- Regulations for Handling personal Data: A data protection bill would establish clear guidelines and standards for organizations handling personal data. It would require companies to implement robust security measures to prevent data breaches and unauthorized access. By holding organizations accountable for the protection of personal data, the bill would help prevent incidents of identity theft, financial fraud, and other forms of cybercrime.
- Transparency and Bias: A data protection bill would address the issue of discrimination and abuse arising from the collection and analysis of personal data. It would require organizations to ensure that their data analysis processes are fair, unbiased, and transparent. This would help prevent discriminatory practices based on inaccurate or biased data, protecting individuals from unfair treatment.
- Autonomy Status: A data protection bill would uphold individuals' right to privacy and autonomy over their own information. It would ensure that individuals have control over how their data is collected, used, and shared. This would enable individuals to make informed choices about the use of their personal data and prevent unauthorized access or misuse.
- Trust: A data protection bill would play a crucial role in restoring trust in digital services. With clear regulations in place, individuals would feel more confident in sharing their personal information online, knowing that it is being handled responsibly and securely. This increased trust would encourage greater participation in digital activities, fostering economic growth and innovation.
- Sovereignty and Integrity: A data protection bill would contribute to national security efforts. By establishing safeguards for the handling of personal data, it would help prevent malicious actors from exploiting personal information for espionage, terrorism, or political manipulation. This would protect both individuals and the nation as a whole from potential harm.
Criticism Regarding Digital Personal Data Protection Act
- Many start-ups nowadays face difficulties in marketing, as they are not
able to introduce their products into the market in an effective and efficient
manner. If a start-up breaches any obligation under the law, or fails to inform
the Data Principal to whom the data belongs, a fine or hefty penalty of up to
Rs 200 crore may be imposed, which could destabilise the start-up and even
force it to shut down.
- The Right to Information Act is another loophole in the Digital Personal
Data Protection bill, as that right gives a person the power and authority to
obtain a particular piece of information.
- The central government is the enforcer of the law. If the Data Fiduciary is
in partnership with the central government, the ruling party may favour the
Data Fiduciary and may suppress cases against it. The central government's
power to appoint the Data Protection Board could influence the Board, and the
appointments of the chairperson and members of the Data Protection Board may
become biased[11].
- There is a provision in this Act which allows the central government to
bypass the norms requiring citizens' consent[12]. Any instrumentality of the
state is exempted from obtaining consent where adverse consequences would
follow. These adverse consequences are:
  - National security
  - Relations with foreign states
  - Governments
  - Maintenance of public order
Some Important Cyber Attacks
JBS Ransomware Attack 2021:
- JBS is the biggest meat-processing business in the world. Cybercriminals used ransomware to infiltrate the JBS network on May 30th, 2021, causing disruptions at plants in the USA, Canada and Australia.
- All of JBS's beef processing facilities in the USA were temporarily shut down.
- The US Department of Agriculture was temporarily unable to publish wholesale prices for beef and pork as a result, which also drew attention to supply chain vulnerabilities in the meat processing industry.
Uber Hack Attack 2022:
- Uber's AWS cloud account and corporate Slack account were compromised on September 16, 2022.
- The attacker most likely bought an Uber corporate password from a contractor whose login information had been leaked after malware was installed on their personal laptop.
- The attacker gained access to the account as soon as the contractor approved the login request, and then escalated the attack.
- Uber identified the compromised accounts and either disabled them or reset their passwords. To stop any further code changes, it also locked down the codebase and reset access to internal tools.
Nvidia Cyber Attack 2022:
- Nvidia, a major microchip manufacturer, experienced a data breach on February 23 that resulted in source code reaching the hands of offenders.
- Rather than deploying ransomware, which was not found in the breach, the criminal group demanded that Nvidia make its drivers open source.
- In response, Nvidia reset the passwords of every employee to secure its systems and avoid handing over further access to the cybercriminals.
Conclusion
The Digital Personal Data Protection bill is important for maintaining the
privacy of the Data Principal's data, but these restrictions may not be
absolute and should not be rigid in nature. I think that the power of
appointment of the Data Protection Board should not remain in the hands of the
Central Government, as it may show bias. The Judiciary would be the best
authority to head the appointment of the Board.
This bill will help to restore trust in digital services, uphold individuals'
right to privacy and autonomy over their own information, and contribute to
national security efforts. Enacting a data protection bill is crucial to
creating a safer and more secure digital environment for all. The legislation
establishes clear guidelines and standards for organizations handling personal
data, ensuring robust security measures are in place to prevent data breaches
and unauthorized access.
End-Notes:
- [1] AIR 2017 SCC 4161
- [2] 1954 AIR 300
- [3] 1963 AIR 1295
- [4] The Digital Personal Data Protection Act, 2023 (Act 22 of 2023)
- [5] The California Consumer Privacy Act, 2018
- [6] General Data Protection Regulation, 2016
- [7] Protection of Personal Information Act, 2020
- [8] The Privacy Act, 1988
- [9] The Information Technology Act, 2000 (Act 21 of 2000), s. 43(a)
- [10] aag-it.com
- [11] The Digital Personal Data Protection Act, 2023 (Act 22 of 2023), s. 19
- [12] The Digital Personal Data Protection Act, 2023 (Act 22 of 2023), s. 35
Award Winning Article Is Written By: Mr.Shivam Bansal