Data protection in India: An overview


  • Days after data analytics firm Cambridge Analytica (CA), a subsidiary of the U.K.-based SCL Group, was suspended by social media company Facebook for not deleting user data obtained from an app developer for the platform, the controversy reached Indian shores with both the BJP and the Congress trading charges of the other having used the firm’s services

Controversy in India:

  • Political parties in India, including the ruling BJP and the Congress, have accused each other of engaging the services of Cambridge Analytica, leading to questions over influencing elections “through questionable means.”
  • The government has sent a notice to U.K.-based Cambridge Analytica — accused of misusing data of 50 million Facebook users — asking it to disclose if data of Indian users was used, and to name the entities that used their services.
  • Union Law Minister Ravi Shankar Prasad also warned Facebook against the misuse of Indians’ data and any attempt to influence the electoral processes of this country.
  • The firm has been asked to reply by March 31.

What is Cambridge Analytica?

Cambridge Analytica (CA) is a UK-based data analytics firm, whose parent company is Strategic Communication Laboratories (SCL). It claims to build psychological profiles of voters to help its clients win elections

Accusation against CA

  • The company is accused of buying millions of Americans’ data from a researcher who told Facebook he was collecting it strictly for academic purposes
  • It then tapped that data to build psychographic profiles of users and their friends, which were utilized for targeted political ads in the UK’s Brexit referendum campaign, as well as by Trump’s team during the 2016 US election.
  • The crisis has renewed questions about Facebook’s ability to protect the privacy of its users while also exploiting their personal details to fuel its lucrative advertising business.
  • It has also deepened concerns about the social media network’s ability to avoid being exploited to spread propaganda and sway elections.
  • Authorities in both the U.S. and the U.K. are investigating both Facebook and Cambridge Analytica. Facebook shares have fallen and some users are contemplating deleting their accounts.

The Breach

  • Facebook allowed Aleksandr Kogan, a psychology professor at the University of Cambridge who owns a company called Global Science Research, to harvest data from users who downloaded his app (thisisyourdigitallife)
  • The app asked users to log in using their Facebook account. As part of the login process, it asked for access to users’ Facebook profiles, locations, what they liked on the service
  • The problem was that Facebook users who agreed to give their information to Kogan’s app also gave up permission to harvest data on all their Facebook friends as well
  • The breach occurred when Kogan then sold this data to Cambridge Analytica, which is against Facebook’s rules. Facebook says it has since changed the way it allows researchers to collect data from the platform as a result

How are social networking sites misused?

  • Loss of Privacy: One basic problem that can come with the use of social networking sites is the loss of individual privacy.
  • Sexual Predators: A very serious problem which is related to loss of privacy is sexual predation on social networking sites.
  • Cyberbullying: A cyberbully is someone who abuses another person through the internet or other technology. Social networking sites are often breeding grounds for such abuse.
  • Time Consumption: Another problem with social networking sites is that they can be very addicting and take up a lot of students’ time.
  • Identity theft: Social media networks facilitate identity theft and fraud.

Why is Data protection crucial?

The theft and sale of stolen data is happening across vast continents where physical boundaries pose no restriction or seem non-existent in this technological era. India being the largest host of outsourced data processing in the world could become the epicenter of cybercrimes this is mainly due the following reasons:

Growing Prominence

  • There is an unprecedented amount of personal data available with Government and Private Sector Players.
  • Digital India, Aadhaar and Demonetization drives have added to the already growing pool of personal data with various public and private players to pursue their activities

March of digitization

  • With rising cybercrime and data breaches, and absence of strong data protection regulatory framework ensuring consumer protection and right to recourse, individuals tend to resort to non-electronic means for transactions.
  • With the Digital India roll-out, push on digital payments, rising e-commerce penetration, and an unprecedented number of platforms and services transacting PII of individuals, a stronger data protection regime is a must to foster trust in the data ecosystem
  • Insufficient regulatory protection
  • The Information Technology (IT) Act 2008 Section 43A Reasonable Security Practices and Procedure rules are not a substitute for a data protection regime.

Share in global digital trade

  • Cross-border data flows are increasingly becoming a key determinant for claiming a country’s share in the global digital trade.

Laws dealing with data protection in India:

The Indian constitution has provided the law relating to privacy under the scope of Article 21. Its interpretation is found insufficient to provide adequate protection to the data. The laws dealing data protection in India are given below:

Information Technology Act ,2000:

  • The Information Technology Act 2000 is an Act of the Indian Parliament notified in 2000.
  • It is the primary law in India dealing with cybercrime and electronic commerce.
  • It is based on the United Nations Model law on Electronic Commerce 1996 recommended by the General Assembly of United Nations by a resolution.
  • The act aims to provide for the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means.
  • The act also deals with the use of Digital Signature to authenticate an electronic record.
  • A major amendment was made in 2008.

The Information Technology (Amendment) Act 2008:

  • The Information Technology (Amendment) Act, 2008 an act to amend the IT Act 2000 received the assent of the President on 5thFebruary 2009.
  • It introduced the Section 66A which penalized sending of “offensive messages”.
  • It also introduced the Section 69, which gave authorities the power of “interception or monitoring or decryption of any information through any computer resource”.
  • It also introduced for  Child porn, cyber terrorism and voyeurism.

The Personal Data Protection Bill:

  • In the year 2006, our legislature has also introduced a bill known as ‘The Personal Data Protection Bill’so as to provide protection to the personal information of the person.

The privacy (Protection) Bill, 2013

  • The Bill focuses on the protection of personal and sensitive personal data of persons.
  • There are specific provisions in the bill related to collection, storage, processing, transfer, security, confidentiality, and disclosure of sensitive personal data in the Bill.
  • The consent of the data provider is necessary.
  • The Supreme Court said the introduction of a “carefully structured”data protection regime and its contours were matters policy matters to be considered by the Centre.
  • The government has already indicated in the court that the committee would be framing a data protection Bill similar to the “technology-neutral”draft Privacy Bill submitted by an earlier expert committee led by former Delhi High Court Chief Justice A.P. Shah to the Planning Commission of India in 2012
  • Ministry of Electronics and Information Technologywould work with the panel and hand over all necessary information to it, after which the panel will start its discussions.

Concerns and challenges:

  • India’s inability to localize data protection centers. Its digital economy is governed by more private data protection policies.
  • Infrastructure in India for sufficient data collection and management is lacking.
  • Major players in India’s digital economy are not only based abroad, but also export data to other jurisdictions.

Way ahead:

  • India needs to have a legal framework that meets with the expectations, both legal and of a public nature, as prevail in the jurisdictions from which data is being shipped to India.
  • The law should ensure that the service providers providing a medium of exchange of data for personal reasons shall be bound not to disclose or use such information.
  • There is a need to have standards for maintenance of records with respect to processing of data, method of notification of data breach and standard operating procedure in case of such breaches.
  • If a person requires removal, alteration and correction of data, the same should be allowed.
  • Any contravention by entities (Government or Private) must be duly punished with imprisonment or hefty fines.
  • Mass surveillance and individual profiling without cause should be barred.
  • National interest should prevail over individual rights in narrowly defined exceptions where government can intervene.
  • Collection of data by governments and agencies, need to keep in mind that the Internet and the more virulent Darknet are being increasingly used these days by criminals for illegal trade, trafficking, and money laundering.


  • Given the rising internet penetration and growing emphasis on Digital India, it is imperative to protect the sanctity of data generated by citizens. A legislative framework to address the growing concerns around data protection and privacy is the need of present day.
Print Friendly and PDF