Cybersecurity Laws And Their Effectiveness In Protecting Data Privacy

Bhavana Kakad, Angels School of Law, Vashi

Introduction

In today’s age where information is growing and being shared, stored, and accessed online so cyber security is a major concern for everyone. The rapidly growing technologies have brought many opportunities, and innovation but also have exposed us to the vulnerable side that can be malicious. To address these challenges, these laws have important tools that help in protecting data, privacy, and sensitive and confidential information and lessen the threats. Cyber laws have wide regulations for safeguarding digital infrastructure and preventing cyber-related crimes. Hence, it has become foremost to address the complexities of digital security.

This would help us to understand how cyber laws are designed in a way, how they are implemented, and how they help safeguard our interests.

Cybersecurity in general means legal measures and regulations stated by the government to safeguard various aspects related to cybersecurity and data privacy. Cyber laws focus on protecting individuals, organizations, and government departments from cyber threats such as data breaches, hacking, cyber espionage, and other cybercrimes.

Key aspects of Cybersecurity laws:

Cybercrime-

Cyber activities such as hacking, malware distribution, identity theft, IPR theft, and unauthorized access to personal information are some cybercrimes. Penalties for these crimes can include fines and also imprisonment.

Data protection and data privacy-

This includes data minimization, obtaining consent for collection of data, limiting storage, and also measures to ensure data protection. This data can be collected by organizations or individuals.

Sector-specific regulations-

Some industries such as – health, and finance have additional regulation requirements for their sector to ensure that data is secured and not hampered.

Data breach-

In case of any breach by the organization, they must inform individuals as stated by many laws.

International data transfer-

During data transfer to cross borders, we should ensure that it is protected according to the standards and maintained even when dealing with different territory regimes.

Effectiveness of cybersecurity laws-

Education and awareness help individuals and organizations about their rights and responsibilities regarding data privacy.
Clear requirements and standards help organizations to make effective use of law and also understand their obligations, to implement necessary measures to protect data.
When there’s a strong enforcement mechanism, non-compliance helps organizations to impose penalties and take laws seriously.
With the rapid increase in cyber laws, threats the law addresses regular updates and adapts to new threats and improvised technologies which help in effective data protection over time.
It helps in comprehensive coverage which includes data breach protection, notifications, standards, and penalties for non-compliance of data protection.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation, also known as the GDPR, is an innovative data privacy regulation introduced by the European Union (EU). Since its execution in May 2018, the GDPR has restructured the way personal data is handled, processed, and safeguarded, within the EU but globally. Understanding the consequences of the GDPR is important for businesses operating within the EU and those processing the personal data of EU residents.

Key Features of the GDPR:

Increasing Individual Rights:

GDPR grants individuals comprehensive rights, such as the right to get access, rectify, remove, and restrict the processing of their data, who have great control over their information.

Data Breach Notification:

Organizations are required to promptly report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the incident, ensuring lucidity and obedience.

Accountability and Consent:

Organizations must see to it that compliance with the GDPR’s strict requirements and get explicit consideration from individuals before processing their data.

Data Protection Impact Assessments (DPIAs):

Managing DPIAs also helps organizations identify and even mitigate privacy risks associated with their data processing activities and foster responsible data practices.

Scores and liabilities of data fiduciary

A Data Fiduciary is an important part of the frame. They’re responsible for non-compliance with legal vittles, for failure to perform duties assigned to the data principles, etc. Their scores are covered under Chapter 2 of the DPDP Act and can be summarized as follows:

A Data Fiduciary may engage or appoint a Data Processor to reuse the particular data for offering goods and services to the Data Headliners. A Data Fiduciary is under obligation to ensure that the data is complete, accurate, and harmonious when it’s to be used to make a decision that affects data star or is bared to another data fiduciary. He must carry out his duties and liabilities, irrespective of agreement to the negative. He shall borrow applicable specialized and organizational measures to make sure that there’s effective observance of the vittles of this Act and its rules. He shall cover particular data in his possession or under his control, which also includes processing accepted by him or on his behalf by a data processor, by taking reasonable safeguards to help particular data breaches.

When there’s any data breach, the Data Fiduciary is under a duty to give suggestions regarding it to the Board and Data Star in the manner and form specified under the DPDP Act. The Data Fiduciary shall abolish particular data when the Data Star withdraws concurrence or when it’s reasonable to assume that the purpose specified is no longer being served, whichever is before, and make the Data Processor abolish particular data made available by the Data Fiduciary. The exception is when retention of data is needed under the law. For, illustration A decides to close her savings with a bank.

The bank is needed by law to maintain the record of A’s identity for a term of ten times beyond the end of the account. It’s admissible to retain the data. The data Fiduciary shall publish the business contact information of the data protection officer or any person who’s suitable to answer on behalf of the data fiduciary any questions raised by the data star regarding the processing of particular data. Data Fiduciary shall also establish a medium for revenging grievances of the Data Principles. There are also some fresh scores for the Significant Data Fiduciary given under Section 10 of the DPDP Act. The significant Data Fiduciaries are notified by the central government based on assessments of factors similar to Volume and perceptivity of particular data reused pitfalls to the data top Implicit impact on the sovereignty and integrity of India Risk to electoral republic Security of the state Public order.

The fresh scores of a significant Data Fiduciary include the following. He shall appoint a Data Protection Officer who Shall represent the Significant Data Fiduciary under the vittles of the DPDP Act. He should be grounded in India. He should be an individual responsible to the Board of Directors or analogous governing body of Significant Data Fiduciary. He should be the point of contact for the grievance redressal medium under the vittles of this Act. He shall appoint an independent data adjudicator to carry out the data inspection and shall estimate the compliance of Significant Data Fiduciary with the Act.

Important case laws:

M.P. Sharma. Satish Chandra( 1954)

It’s one of the first cases in India that dealt with the right to sequestration in India. An eight-judge bench of the loftiest court of the land sat down to decide upon the constitutionality of the hunt and seizure of vittles of the Code of Criminal Procedure. The Court then didn’t honor any right to sequestration and held that the hunt and seizures weren’t, in fact, violative of the right to sequestration.o provision in the Indian Constitution that deals with the right to sequestration, it can’t be violated as well.

Kharak Singhv. State of UP( 1962)

Another case where the Apex Court decided about sequestration rights. The Court examined the wide powers of police surveillance and its overarching powers about sequestration. Then, the Court for the first time, was faced with issues about the right to sequestration as a part of Composition 21. The court didn’t explicitly honor any right to sequestration, but J. Subba Rao stated in his dissent that the right to sequestration is essential in our Constitution. This notorious dissent helped initiate the growth of the right to sequestration.

Gobindv. State of MP( 1975)

This is the decision where the Supreme Court was again faced with an analogous question of the right to sequestration. The data of the case were similar in that it dealt with police surveillance by domiciliary visits. The Supreme Court recognized the significance of the right to sequestration but said that it should give way to a larger state interest. It states that the right to sequestration has its own set of restrictions, similar to public order, morality, public security, etc.

In the decision of Maneka Gandhi. Union of India( 1978)

The Hon’ble Court, speaking through a bench of seven judges, said that the term ‘ particular liberty ’ includes a variety of rights within its dimension. The rights so recognized must fulfill the triadic test, that is, they must define a procedure, and that procedure must follow the test of abecedarian rights under Composition 19 and also repel the tests of Composition 14.

Major Breaches of Information Privacy

Pegasus spyware

It was created by the NSO( N stands for Niv, S stands for Shalev and O stands for Omri, the authors) group of Israel, it’s known for its products of zero-click surveillance and faced numerous suits due to those products. Apps like Whatsapp, and Facebook use end-to-end encryption by which they can’t be traced or tracked. But, the product made by the NSO group called Pegasus, surpasses the encryption hedge just by making a call to their number and it can cancel the call after it is done, it also allows the stoner to read the translated dispatches and calls.

Joker Malware

Joker Malware is malware that’s created to steal private information like credit card and disbenefit card data. Joker malware quietly enters a device when a stoner installs an operation infected by the malware, this malware is dangerous and has infected over 200 operations on the Google Play Store. Google took away and deleted the apps that were exposing the druggies ’ data to malware.

Emotet Botnet

Emotet is a type of malware, also known to be the king of malware, as a type of botnet that enters into a computer system when a stoner opens the link transferred by the bushwhacker via dispatch which looks licit. A botnet is a group of infected systems that attack a specific computer or a garçon by transferring more commands than it can handle.