Data protection in India: Are the present cyber-security laws enough?


Author: Stuti Narayan

  1. Introduction

With a population of over 1.3 billion people, India has witnessed an unprecedented surge in internet usage and digital transactions. While this digital revolution has brought numerous benefits, it has also raised concerns about the protection of personal information. To counter evolving cyber threats and mitigate risks, India has enacted comprehensive cyber-security laws and regulations that prioritize the protection of personal information. These laws aim to strike a delicate balance between encouraging technological advancement and safeguarding individuals’ privacy rights, thereby establishing a secure and trusted digital environment.

  2. Evolution of Cybersecurity Laws in India

The evolution of cybersecurity laws in India has been a dynamic process, driven by the growing recognition of the importance of protecting personal information and combating cyber threats. Over the years, the Indian government has introduced several legislative measures and frameworks to address the challenges posed by the digital landscape. The key milestones in the development of cybersecurity laws in India, along with some relevant case law, are set out below:

  1. Information Technology Act, 2000 (IT Act):[1] The IT Act serves as the foundation for cybersecurity laws in India. It was enacted to give legal recognition to electronic transactions and to establish measures for cybersecurity and data protection. Section 43A, introduced into the IT Act in 2008, mandates compensation for individuals affected by the negligence of entities handling sensitive personal data in implementing reasonable security practices. In Shreya Singhal v. Union of India,[2] the Supreme Court struck down Section 66A of the IT Act, which prescribed punishment for offensive online content, holding it unconstitutional and a violation of the right to free speech.
  2. Information Technology (Amendment) Act, 2008:[3] This amendment expanded the scope of the IT Act to cover emerging cyber threats and introduced several provisions to enhance data protection, including the establishment of a cyber appellate tribunal and stricter penalties for cyber offences; these are analysed further in this article.
  3. Personal Data Protection Bill, 2019 (PDPB): The PDPB aimed to provide a comprehensive framework for the protection of personal data. It emphasized individual consent, data localization, and the establishment of a Data Protection Authority to regulate data processing activities. The landmark judgement of the Supreme Court of India that played a vital role in the drafting of this bill was Justice K.S. Puttaswamy v. Union of India,[4] in which the Supreme Court recognized the right to privacy as a fundamental right under the Indian Constitution, laying the foundation for robust data protection legislation.
  4. IT Rules, 2021: The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 were published on February 25, 2021, by the Ministry of Electronics and Information Technology, replacing the Information Technology (Intermediaries Guidelines) Rules, 2011. According to a government press statement, the goal is to ensure that ordinary users of digital platforms can demand accountability when their rights are violated and seek recourse for their grievances.[5]

The Rules, among other things, employ user numbers to differentiate between social media intermediaries and significant social media intermediaries and set a far harsher burden on large social media intermediaries in terms of protecting personal data.[6]

However, several amendments to the Personal Data Protection Bill, 2019 were recommended, and the bill was hence withdrawn in 2022.

  5. Draft Digital Personal Data Protection Bill, 2022: After implementing the amendments suggested by the Joint Parliamentary Committee to the Personal Data Protection Bill, 2019, this draft was presented by the Ministry of Electronics and Information Technology. The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India. As per this draft bill, personal data may be processed only for a lawful purpose, and data fiduciaries will be obligated to maintain the accuracy of data, keep it secure and delete it once such purpose has been met. This bill is analysed in further sections of this article, dealing with the enforcement mechanism as well as the loopholes.
  3. Legal Framework for Personal Information Protection

In India, there is at present no dedicated legislation that addresses data protection. India’s data protection law is made up of a number of separate laws and acts. The Information Technology Act and the Contract Act of 1872 both contain provisions that currently govern data protection. Section 43 of the IT Act imposes a substantial fine of up to one crore rupees to deter illegal access to computer devices. Section 65 applies to computer source code: anyone who knowingly and intentionally conceals, destroys or alters it, or causes another person to do so, may be punished with imprisonment or a fine of up to two lakh rupees. Section 66 provides protection against hacking. Section 72 addresses breaches of privacy and confidentiality.

The Information Technology Act of 2000 deals with matters including financial compensation, criminal penalties for illegally disclosing and using private information, and violations of agreements relating to personal data. The internal use of personal information by the organisations that gather it is not constrained by the Information Technology Act of 2000. The RTI Act of 2005, which only covers access rights, is ineffective for this purpose. Indian rules provide limited protection for the use of sensitive information or personal data outside of the credit reporting industry. The Information Technology Act currently recognises only “compensation” for actual losses, not “damages” per se. Damages may be punitive, in contrast to compensation, which is a rehabilitative measure.

This framework has been found to be insufficient for ensuring the protection of personal data. A Committee of Experts on Data Protection, headed by Justice B. N. Srikrishna, was established by the national government in 2017 to look into matters pertaining to data protection in the nation. In July 2018, the Committee submitted its report. The Personal Data Protection Bill, 2019 was presented in the Lok Sabha in December 2019 based on the Committee’s recommendations. The bill was referred to a Joint Parliamentary Committee, which delivered its report in December 2021. The Bill was withdrawn from Parliament in August 2022. The Draft Digital Personal Data Protection Bill, 2022 was released by the Ministry of Electronics and Information Technology in November 2022 for public comment.[7] The Bill gives people specific rights, including the right to obtain information, request correction or erasure, and file a complaint. As per the bill, for specific reasons, such as state security, public order, and the prevention of crimes, the central government may exempt government agencies from the Bill’s restrictions. Further, the Data Protection Board of India will be established by the national government to decide cases of non-compliance with the Bill’s requirements.

  4. Data Protection Authorities and Regulatory Bodies

Under Section 70B of the IT (Amendment) Act 2008, the government established CERT-In, the “Indian Computer Emergency Response Team,” according to the Ministry of Electronics and Information Technology’s website. CERT-In is the national nodal organisation that responds to computer security incidents as they occur. The functions of the agency include the collection, analysis and dissemination of information on cybersecurity incidents, and forecasts and alerts of cybersecurity incidents, among others.[8] The Ministry of Electronics and Information Technology established the Cyber Regulations Appellate Tribunal (CRAT) in October 2006 in accordance with Section 48(1) of the IT Act 2000. The tribunal was renamed the Cyber Appellate Tribunal (CAT) by the IT (Amendment) Act of 2008. Under the IT Act, any person aggrieved by an order of the Controller of Certifying Authorities or of an adjudicating officer under the Act may file an appeal with the CAT. According to Section 49 of the IT Act 2000, the central government appoints the chairperson of the CAT by notification.[9]

Digital Swachhta Kendra (2017) provides a portal that users can use to scan for and remove malware from their machines. The Cyber Surakshit Bharat initiative was created by the Ministry of Electronics and Information Technology to raise awareness of cybercrime and to build the capacity of Chief Information Security Officers (CISOs) and front-line IT staff across all government organisations to implement security measures.

  5. Challenges and Loopholes in the Framework

While the Draft Digital Personal Data Protection Bill, 2022 was a necessary step for cybersecurity, there are several key issues that have to be addressed. For instance, there are concerns regarding breach of the fundamental right to privacy enshrined under Article 21 of the Indian Constitution, as the bill exempts data processing on grounds such as national security, which might lead the state to misuse the power given. In a similar regard, the Supreme Court has mandated various safeguards, including: (i) establishing necessity, (ii) purpose limitation and (iii) storage limitation.[10] However, several Indians recently figured in the target list of the Pegasus spyware, which is generally used by governments.

Moreover, the bill does not grant individuals the right to data portability (which allows data principals to obtain their data from a data fiduciary and transfer it for their own use) or the right to be forgotten (which refers to the right of individuals to limit the disclosure of their personal data on the internet). The Srikrishna Committee recommended that both of these rights be protected, so the concerns regarding them must be addressed.

  6. Conclusion

India is the largest democracy in the world and, along with acquiring the title of the fastest-growing economy in the world, it has also evolved into a data-centric economy thanks to significant advancements in the fields of data and technology. The IT Act of 2000 and other laws are simply insufficient to control the country’s data flow, and as a result they do not offer a meaningful level of protection. The country’s data protection system is still in its infancy, but given the significance of data in the modern world, India needs a new and improved regulatory framework. While the government has recently claimed that the law is ready, what remains unaddressed is the list of key concerns around the Draft Digital Data Protection Bill, 2022. The requirements for Indian laws can be established by contrasting them with those of sophisticated economies, such as the European Union’s GDPR. India is currently one of the remaining large economies in the world without a standalone, contemporary, and comprehensive personal data protection law, as the IT Act is more than 20 years old and out of date. Given India’s ambition to establish an international reputation as a digital economy with a strong data services sector, the administration must act quickly to put in place a framework that is equivalent to its overseas counterparts.

[1] Information Technology Act, 2000 (Act No. 21 of 2000).

[2] AIR 2015 SC 1523.

[3] Information Technology (Amendment) Act, 2008 (Act No. 9 of 2009).

[4] (2017) 10 SCC 641.

[5] Aditi Subramanium & Sanuj Das, The Privacy, Data Protection and Cybersecurity Law Review: India, The Law Reviews, available at: (last visited on May 17, 2023).


[7] PRS Legislative Research, available at <> (last visited on May 18, 2023).

[8] Supra note 3.


[10] PUCL v. Union of India, AIR 1997 SC 568.