Data means raw facts and figures, a small word for big concept. Data encompasses of every single bit of information, which could pertain to just about anything including information on you, such as where you live, what you do, where do you keep your money, your likes, dislikes almost everything is data. Data is both a boon and bane depending on who controls it, after all knowledge is power. Even big Companies and businesses generate a lot of data with regards to their financials, products, clients etc. Hence in the light of the importance attached to data, it is pertinent that it is protected. 

Nowadays data is mostly stored electronically on data drives and other data storage devices. Data in the wrong hands could be disastrous and leave a person or business vulnerable. A lot of this data is generated through a network of computers, leaving data vulnerable to cyber-attacks or misuse, further wrong use of data is also an eminent threat for the person furnishing it.

Why does data protection matter?

With a populace of over a billion, there are around 500 million dynamic web clients and India's online market is second just to China.

Collecting the information of individuals along with their behavior has become a profitable business plan. However, it is also a matter of grave concern as it can lead to revelation of private information of an individual. Organizations, governments, and political parties use this information to advertise the information to your, based on your interests and likes.

Also, until now, there are no laws on the use of individual data and thwarting its maltreatment, despite the fact that the Supreme Court kept up the privilege to protection as a central right back legitimately in 2017.

Data Protection law India

To prevent the misuse of data and to protect data from leaking, the governments throughout the world have enacted data protection legislations. In India there is no specific legislation dealing with data protection yet, however currently data is protected and governed under the Information Technology Act of 2000 (the Act) and its allied rules.

 Under the Act, data means the representation of information, knowledge, facts, concepts or instructions which are prepared or have been prepared in a formalized manner, and are intended to be processed or have been processed in a computer system or computer network.  Chapter V of the Act deals with data protection, particularly section 16 which necessitates the requirement of following security procedures and practices for the protection of electronic records (which includes data) especially by intermediaries (persons collecting, using or storing the data and or providing services using the data). Pursuant to section 16 of the Act the ministry of electronics and information, issued the following rules for the protection of data:

1. Information Technology Rules, 2011:

Intermediary Guidelines: These rules place obligations on intermediaries regarding the data dealt with by them. It requires that every intermediary publish rules, regulations, privacy policy and user agreements on their platform whether it be a website or an application.  These rules lay down an obligation on the intermediary on the handling of data they receive from their users and to make disclosures about how the data would be handled and if it would be transferred to a third party. The rules further place prohibition on the type of data which the intermediary may deal with.

Reasonable security practices and procedures and sensitive personal data or information

These rules deal with protection and collection of sensitive information and data such as biometrics, financial information, medical records, sexual orientation etc. The rules place an obligation on the intermediary to protect sensitive data they collect, prevent its leakage and further develop and make available to its user a privacy policy depicting how the such information is handled.

2. Information Technology Rules, 2009:

Procedures and Safeguards for Interception, Monitoring or Decryption of Information: These rules allow the government to appoint certain agencies to monitor, intercept and decrypt data that is dealt with on internet, thereby allowing the government to prevent any cyber-crimes.

Procedure and Safeguards for Blocking for Access of Information by Public: These rules allow the government to appoint certain officers who may issue directions to intermediaries to block access to information that is available to the public as in the case of banning of websites or certain content on it.

Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information: These rules allows the government to appoint agencies which can monitor traffic data (that is any data to identify any person, computer system or network or location including communications origin, destination, route, time, data, size, duration or type of underlying service) for the purpose of preventing cyber-attacks, identifying viruses investigation of security practices of intermediaries.

However, networks, websites, platforms, applications etc in India are not only subject to Indian legislations but where the such networks, websites, applications platforms etc also operate in any part of the European Union they are to follow the General Data Protection Regulation (GDPR) issued by the European Union Commission. The GDPR lays down the principles for processing of personal data collected by any person and necessitates the consent of application, network, website or platform users including minors where any data is being collected including through the use of cookies.

DATA protection bill

Keeping in mind the need for a specific legislation for data protection, pursuant to a direction to the Government by the Supreme Court in the famous aadhar judgment, the government set up a committee of experts under the chairmanship of Retd. Justice B.N. Saikrishna, which drafted the Personal Data Protection Bill, 2018 (the bill).

The bill categorizes data into three heading:

Sensitive data:

All the data which is related to financial data, passwords, health data, official identifier, sexual orientation, religious or caste data, biometric data and genetic data is sensitive data. It can only be processed outside India with the explicit consent of the user.

Critical data 

Critical data, once in a while will be characterized by the government and can only be stored and must handled in India.

General data: 

Data that is not sensitive nor critical is general data and has no limitation to where it can be stored or managed.

The highlights of the bill are:

1. In terms of applicability following the practice similar to the GDPR the bill has extended the applicability of the Act to platform, websites, online services, networks located outside India but providing services or operating in India.
2. The bill lays down the obligations of data fiduciary in regards to the dealing and handling of data provided by a user, especially with the collection of data, and seeking confirmation and consent of the user.
3. The bill lays down the rights of persons furnishing data to any data fiduciary, including rights to modify wrong data and the right to have the data forgotten.
4. The bill provides for a copy of data being collected by data fiduciaries located outside to be made available at data servers or centers located in India.
5. The bill also provides for the establishment of data protection regulator, the Data Protection Authority.

The government pursuant to its initiative of e-governance under its digital India programme has been actively taking steps towards improving the regulatory aspect of e-governance in India, realizing the importance of data protection it has taken steps to protect and safeguard data, one of the first steps being the data protection bill, the bill certainly is a welcome change as data protection is no longer a plethora of law scattered around, but streamlined and made articulate.

Article 19(1)(a) of the Constitution of India grants every citizen the right to express himself, this includes through a network on a computer, and such a right must be protected in every way possible. Such expressions need to be in the control of the citizen making it, the new data protection bill aims to do away with the autonomy networks, websites, applications etc. work in and provide a say to the provider of data.  

Conclusion

As the COVID-19 lockdown is expected to continue in India, the digital payments sector is seeing a growth, as more people are currently buying online. During the first two weeks of the lockdown, digital payments constituted a whopping 72.5% of the total 2.2 billion transactions in India. This will increase instances of data piracy as scammers will find new ways to con people

According to ZoomInZ0D, a Mumbai-based "ethical hacker," the scammers can mine information from various sources.

"The real name of the user can be identified from email IDs. A legitimate-looking fake WhatsApp message asking for phone numbers, email IDs or even addresses can do the trick. Information can also be mined from Google forms," warned ZoomINZ0D.