‘Imminent need to strike a balance between digital innovation and right to privacy’

Interview: G.V. Anand Bhushan, partner, Shardul Amarchand Mangaldas

cyber-security Representational Image | Pixabay

India is the third most cyber-attacked country in the world, according to national cyber security co-ordinator Rajesh Pant. One report says phishing attacks have gone up by more than 600 per cent since Covid-spawned WFH culture saw many networks getting compromised. Hackers have also been on an overdrive, targeting sectors like MSMEs and even healthcare systems. India's Cyber Emergency Response Team, or CERT, has been repeatedly issuing warnings and advisory on the increased threat of hacking, phishing, spamming and scanning of ICT systems

On the other hand, online privacy has been a topic much discussed with seemingly no solution in sight. In the onslaught of big data and even bigger tech giants, is the individual's own privacy a lost cause? The uproar over the Data Protection Bill, which had to be sent to a select committee right after it was tabled in Parliament last year, and the grave misgivings many have voiced about it in its present form, is only a case in point.

With technology taking over so much of our lives, it remains a cause for concern when the laws dealing with it remain woefully inadequate. Currently, laws in India do not mandate data breach notifications to data subjects. There is so much that the 20-year-old IT Act can do in this rapidly transforming world we live in. THE WEEK caught up with cyber law expert G.V. Anand Bhushan, partner at the law firm Shardul Amarchand Mangaldas, to get a better perspective. Excerpts from an exclusive interview:

What are the existing laws related to cyber protection and how do they fall short?

At present, the IT Act, along with the rules framed thereunder, is the only legislation that primarily deals with cybersecurity and protection in India. Apart from the IT Act, sectoral regulators such as the RBI and TRAI have also issued regulations and guidelines to ensure cyber security by the entities regulated by them.

We need to bear in mind that the IT Act is not an all-encompassing legal framework in this age of ‘Industry 4.0’. Though the IT Act has gone through multiple amendments, it has not been able to keep pace with the burgeoning growth in the technological sector, and there is a growing void in the existing legislation that needs to be looked at immediately.

India does not have a dedicated law on data protection and data privacy yet. With an increase in data breach incidents, there is an urgent need to introduce a data protection framework for a country that thrives on the IT sector.

With the implementation of new legislation such as the Consumer Protection (E-Commerce) Rules, 2020, and the much-awaited data protection law, India will soon boast of a robust cybersecurity regulatory framework.

Cyber attacks have been happening even before the pandemic. How exactly has its nature changed in the last few months, and why is it more pressing now?

The nature of cyberattacks has changed.

Several recent studies reveal that there has been a 4300 per cent increase in coronavirus-themed spam. Besides, there have been several publicised ransomware attacks where the operations of a company have been crippled by hackers who deny access to computer systems or data until a ransom amount is paid. It is pressing now because there is an unprecedented increase in the number of cyberattacks daily. This is exacerbated by the fact that more and more employees are working remotely by the day, thereby magnifying the security risks for businesses and end-users.

Are Indian businesses particularly vulnerable under the present scenario? Why so?

Currently, the tense situation with China and Pakistan, along with the COVID-19 pandemic, has made Indian businesses a massive target for hackers. From war rooms to boardrooms, everything is being targeted by hackers. As per a PWC study conducted in July 2020, cyberattacks on Indian companies had doubled between January and March. The study further revealed that many Indian companies had witnessed a 100 per cent increase in cyberattacks in March alone.

Remote work infrastructure is being highly targeted, along with identity theft. While this trend is being witnessed globally, Indian companies, especially MSMEs and startups, are at a disadvantage because many of these organisations look at cybersecurity as an afterthought and usually have a sluggish response towards cybersecurity and protection. They do not apportion funds to bolster their security infrastructure and do not consider cybersecurity as a priority area and remain highly vulnerable in the face of attacks. Thus, when the pandemic hit the country, and as employees began working from home, these organisations faced high-security risks and became a target for cyberattacks.

However, companies have started realising the importance of having an adequate cybersecurity infrastructure and are now developing protocols to ensure a robust internal cybersecurity and data handling framework.

With fintech and use of mobile phones rising exponentially, what do you see are the lacunae in the present regulations we have?

Regulations (in this area) vary from stringent to merely disclosure-based regulation and supervision, depending on the risk implications.

Currently, the most significant lacunae in the fintech sector is the lack of a uniform data privacy regulation, which standardises the requirements of data classification, data localisation, etc.

The government should take up the modernisation and standardisation of land records in the country on a war footing, with a set deadline. This should be backed by regulations that enable the use of distributed ledger technology in the maintenance of land records. This will vastly boost the fintech sector, allowing people to avail loans easily using their lands as collaterals, and without much of a hassle. Also, financial sector regulators must enable the use of technology by financial sector service providers to make compliance with regulations easier and automated for regulated entities.

Also, technology is rapidly changing. Doesn't that pose the risk of any law being enacted becoming redundant pretty soon (like we saw soon enough with the IT Act, 2000). What, in your opinion, could be the way out?

We live in a digital age, and as a country, we are experiencing exponential growth in the technological sector. It is only natural to expect rapid technological advancements, which will eventually lead to the existing laws becoming redundant at some point in time. That being the case, while the government continually needs to keep pace with such technological advancements from a legal and regulatory perspective, one possible solution is to have an umbrella framework concerning data protection and cybersecurity. This is because, irrespective of the kind of technological advancements that we embrace, certain aspects such as cybersecurity and data protection will always continue to hold critical importance. Thus, having an overarching framework for data protection and cybersecurity will be beneficial since the government will then only have to introduce amendments and updates if required.

However, in other cases where there are new technological innovations, there is no other alternative but to keep updating existing legislation and introducing new statuettes as and when we experience such innovations. For instance, no one would have thought about using chatbots for business transactions 20 years back. Today, most organisations deploy the use of chatbots, and countries all over the world are looking at various ways to regulate artificial intelligence on the whole.

There is already controversy surrounding the Data Protection Bill. From your standpoint, is this bill not sufficient to deal with the present scenario?

At the moment, India does not have a comprehensive data protection framework. The IT Act and the SPDI Rules offer minimal protection concerning one's personal information. As countries all over the world are strengthening their data protection laws, and as India moves towards becoming a trillion-dollar digital economy, it is critical to implement an overarching data protection framework that adequately protects one's personal information.

The Data Protection Bill, 2019, offers a plethora of rights to ensure the protection of one's data. The rights provided under the bill are on par with the rights provided under the GDPR, and the GDPR is considered to be the most comprehensive data protection framework, as on date. Apart from giving rights concerning one's data such as the right of access, right of erasure, right of correction, right of data operability, etc, the bill also has specific provisions on the transfer of data, including data localisation requirements and restrictions on cross-border transfer of data, thereby ensuring holistic protection of one's personal information.

While the bill fares well with respect to individual rights vis-a-vis private companies, it fails with respect to protecting individual rights vis-a-vis the state. The blanket exemption granted to governmental bodies by which they can process any personal data without obtaining consent is the issue which needs to be analysed further. Thus, the bill is progressive as far as you exclude the sections providing broad exemptions from obtaining consents and it does strike a balance between safeguarding the right to privacy and fostering digital innovation simultaneously.

Data and privacy are much talked about, yet would you say ensuring cyber privacy is a lost case in today's scenario. Legislatively, what can be done?

It is often said that internet privacy is a lost cause, and one can never be guaranteed absolute privacy in this digital age. A survey held by Black Hat USA recently revealed that only 26 per cent of the respondents (who were cybersecurity and privacy professionals) believed that individuals would be able to protect their online identity and privacy in the future.

However, we ought to bear in mind that the dependency on technological advancements is only going to increase in the future. (So) there is an imminent need to strike a balance between digital innovation and the right to privacy.

Legislatively, we need to fast track the enactment of the Data Protection Act and set up a strong and effective Data Protection Authority. This regulatory framework will provide for appropriate consents to collect and process data, and also prescribe fines and penalties for non-compliance. Since the bill already provides for high fines (Rs 5 crore or 2 per cent of worldwide turnover), it is expected to usher in a strong compliance culture and ensure the protection of one's privacy. However, let us not forget that data protection is a shared responsibility. While States can implement a robust data protection mechanism, it ultimately trickles down to every individual to adopt necessary cybersecurity measures to ensure the protection of his/her data at all times.

📣 The Week is now on Telegram. Click here to join our channel (@TheWeekmagazine) and stay updated with the latest headlines