The Personal Data Protection Bill, 2023, now awaits President Droupadi Murmu’s signature. With this legislation, the Centre hopes to bolster cybersecurity measures and safeguard personal data.
In a bid to address persistent cybersecurity challenges, India has taken a significant step forward with the Digital Personal Data Protection Bill, 2023, being passed by both houses of parliament. As data breaches continue to plague organisations and individuals across the globe, the central government’s approach hopes to bolster cybersecurity measures and safeguard personal data.
Surfshark’s recent global study reveals a glimmer of hope for India’s cybersecurity landscape. For the second consecutive quarter, data breaches in India have shown a downward trend. However, despite this positive trajectory, India still ranks among the top countries grappling with data breaches at a global scale.
According to Surfshark, a cybersecurity company, India is the seventh most breached country in the second quarter of 2023 with approximately 1.35 million leaked accounts. Previously, India ranked sixth with 2.4 million in the first quarter of 2023. It should also be noted that the breach rate is 44 percent lower in Q2 than in Q1.
Recognising the need for comprehensive legislation to fortify cybersecurity practices, the Digital Personal Data Protection Bill was passed in Lok Sabha on August 7 despite some concerns raised by the opposition – centralisation of power, data protection board’s independence, data localisation and cross-border data transfer. Later in the afternoon, on Wednesday, Rajya Sabha also passed the critical bill.
However, the bill, which now awaits President Droupadi Murmu’s signature to become law, encompasses a range of provisions specifically aimed at mitigating cybersecurity risks. These include:
- Robust technical measures: The bill mandates organisations to implement stringent technical and organisational safeguards to shield personal data from cyber threats. This includes measures like encryption, access controls and well-defined security incident response plans.
- Informed consent: Organisations will be prohibited from processing personal data without explicit consent from individuals unless justified by legitimate reasons. This provision ensures that personal data is not collected or utilised without the knowledge and agreement of individuals.
- Rapid breach notifications: The bill requires organisations to promptly notify individuals within 72 hours of discovering a data breach. This proactive approach empowers individuals to take necessary precautions in the event of a breach, minimising potential harm.
- Data protection board: A central data protection board, which will be established by the government, will oversee the enforcement and execution of the bill’s provisions. This regulatory body possesses the authority to investigate and penalise entities found in violation of the law.
- High penalties: The bill imposes severe fines, ranging from Rs 50 crore to Rs 250 crore, for those found in violation of its terms. The substantial penalties can help prevent cybersecurity risks and may serve as a deterrent to organisations tempted to violate the law. Organisations will be more likely to comply with the law if they know that they could face significant financial penalties.
Experts said that by restricting organisations from covertly collecting personal data and enhancing transparency and accountability, the bill creates a more resilient defence against cyber threats. By enforcing stringent technical measures, prioritising informed consent and facilitating rapid breach notifications, the bill holds the potential to curtail cyber threats.
Experts also believe that while challenges persist, this legislative initiative offers a glimmer of hope in the ongoing battle to safeguard personal data in an increasingly interconnected world.