Protecting Your Digital Identity: Navigating Cybersecurity, Data Privacy, and Laws in India

Data privacy has a lot to do with the rights of the end users, the consumers that are using services like Facebook, Twitter or any other products...

1. What is the purpose of the data you provide to these companies? The collection.
2. How is this data being processed by these firms?
3. What are they doing with this data when I am not even being charged for these services?
4. Are they selling it to 3rd party for ads?

A scenario where data privacy is at work →

A social media site collects demographic info like user age, gender, location etc… now does the company share it with 3rd party companies to show you “relevant ads”. If so are you made aware of it? Are the stakeholders' values converging or diverging?

Data protection, on the other hand, is more about how the data is concealed from the people to which it doesn’t belong. How is the unauthorized not being granted access to the data that belongs to Joe?

1. The laws of a region ensure the robustness of data.
2. The level of transparency of a firm towards the customers in case of mishaps like breaches, and other cybercrimes at individual levels.
3. It has more to do with the CIA triad

A scenario where data protection is at work →

Your medical records are with the hospital, if your lucky they are using updated tech and strong access controls, or they could be using OS versions with vulnerabilities and easy targets for hackers.

There is a bridge connecting both privacy and data protection held strong by typically these hangers that drive the practice of data protection and privacy drivers:

1) Regulations: The stronger the better

The laws of a region define how much the users' data is private. It empowers the user to an extent where he can request the removal/deletion of his data, how is it shared and processed and data disclosure.

The laws also guide the firms as to how strong their tech is in ensuring that the data is not tampered with and stays protected. Again, mentioning the CIA triad here is necessary.

Strong laws and regulations allow the client-company trust process to go easy and consistent, even in case of mishaps.

2) Third-party vendors

If your payroll system is managed by third-party vendors, there is a high chance you might start getting spam messages in your mail / SMS inbox due to sharing of personal demographic information. Many firms outsource whole departments like security to third-party vendors and it is very common practice, therefore there's not much the end user can do. The company needs to take it seriously. They must see that these 3rd party vendors align with the best contracts laid out on the basis of robust regulations and frameworks. And strict action should be taken when they take things for granted.

3) Ethics

Good ethics say ‘the owner should be having 100% control over their information’. Ethics are a major driver for the best practices and it totally is obvious that even ONE unethical event by the most reputed company would result in the whole building crashing down their capital devaluation etc.

4) Consumer data types

The company gets images, videos, and texts and on top of your gender, age, location etc… all these data are just a basis for classification to segregate content that better suits you for your personality traits, (I believe they are the best tools to trick your consciousness). What links do you click on what products do you view but not purchase?

Famous cyber mishaps in India

1. Air India Cyber Breach (April 2021)
2. Covid-19 test results (January 2021)
3. Police Exam Applicants’ Data (February 2021)
4. Domino’s (April 2021)
5. Unacademy Data Breach (2020)
6. SBI Data Breach (January 2019)

Indian laws/regulations related to data privacy & data protection.

Keeping kids first, India has been treating kids’ online data the same way as adult data.

The DPDP Bill provides for the formation of a regulatory body termed the ‘Data Protection Board of India’. The Bill mentions that the primary function of the Board is to determine non-compliance with the provisions of this Act and impose penalties under the provisions of this Act (yet to become an act). Further, it proposes that data collectors “shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children”.

The US has the Children’s Online Privacy Protection Act (COPA), which prohibits processing data of children below the age of 13, the EU’s General Data Protection Regulation (GDPR) has varied norms for a consent between the ages of 13 and 16, depending on the age group adopted by each Comparing the laws in place in US & Europe, Indian ecosystem has a really Long Way To Travel.

Read more commentaries on DPDP at:

Deep Dive: How the data protection bill enables govt surveillance and misuse of personal data

Data Protection Bill legitimises surveillance, govt has no intent of reforms: stakeholders #NAMA

• Information Technology (IT) Act 2000:
  This act lays down the legal framework for electronic commerce, digital signatures, and data protection. It defines sensitive personal data and provides punishment for unauthorized access or disclosure.
• The Personal Data Protection Bill, 2019:
  This bill was introduced to regulate the collection, storage, and processing of personal data by private entities and lays down rules for data protection, cross-border data transfers, and data breaches.

Privacy Week Series: Analyzing cross-border data transfer mechanisms

Read more at (references used):

Where in the world is your child's data safe? 50 countries ranked on their child data protection…

New Data Bill to retain age of minors as those below 18

Biggest Cyber Breaches in India