Cyber security is an important area of concern in an increasingly digital world. As more and more people and businesses move online, the cyberspace has become an easy target for scammers. In this article, Tushar Srivastava outlines the importance of cyber security and the role of the General Data Protection Regulation (GDPR) in safeguarding internet users’ rights.
I. Cyber Security in the Digital Ecosystem
Personal data is the information that allows an individual to be identified. It may include the person’s name, location data, an online username, IP addresses, cookie identifiers, etc. Unauthorized and ignorant processing of personal data on the internet can cause great harm to the people and companies at large. There is a dire need to ensure data protection to them. Data protection is the procedure to safeguard important information from corruption, compromise or loss.
Any attempt to jeopardize cyber security is a malicious act that seeks to reform, damage, steal data or disrupt the digital identity of an individual, group or an organisation. It is basically an attempt by a cyber attacker to achieve access to restricted system data intentionally or by accident without authorization.
There are a number of possible threats including hacking, issues related to social engineering (phishing, vishing, pharming and smishing), different types of viruses, malware and so on. Cyber threats should be taken seriously for successful attempts can lead to severe damage to the user data, money extortion and malfunctioning of computers. Bigger attacks may even compromise national security.
The sources of these threats are ever-increasing, most of which are looking to malevolently obtain private data for benefit or exploitation. Even the best information security programs do not guarantee 100% protection of user data.
II. Cyber Security Law in India
Although there is no specific legislation in India, data protection is ensured through the enforcement of privacy rights as under the following act:
Information Technology Act, 2000 (ITA-2000):
The IT Act consisted of 94 sections segregated into 13 chapters originally. It is the primary law in our nation which deals with cyber crimes or threats and e-commerce. The act defines the crimes and prescribes the penalties for the same. It covers a number of offences for the user’s privacy protection including hacking, pornography, child porn, misrepresentation, publishing private images of others, cyber terrorism and so on.
Sec 2 of the Act defines various terms such as Access [Sec. 2(1) a], Cybercafe [Sec. 2(1)(na)], Cyber security [Sec. 2(1) (nb)] and others related to cyber laws. In the IT Act, the ‘cyber contraventions’ are penalised under Sec. 43(a)-(h), which attract civil prosecution. The offender may be fined up to the amount of one crore, whereas the ‘cyber offences’ are penalised under Sec. 63-74, which attract criminal proceeding. The cyber offender or the criminal can be punished with fine, confinement or both.
The aim of the IT Act was to provide legal recognition and awareness to the public of e-commerce and retribution of computer misuse. However, it had no provisions regarding the user’s privacy and data security. The act did address the offences but there was no remedy to take action. The IT (Amendment) Act, 2008 incorporated two important new sections into the IT Act, 2000, Sec. 43A and Sec. 72A, to provide cure to people who have or may suffer a loss of reputation or anything on account of their personal data which was not protected adequately.
The act may still not seem to be as stringent as the cyber laws in other nations, but it has attempted to make the organisations, handling sensitive information, function more efficiently and has set the pathway for a better future. It needs modification and can take suggestions and guidelines from other nations’ rules and regulations.
III. General Data Protection Regulation (GDPR)
The European Union had adopted the Data Protection Directive in the year 1995 in order to protect the privacy of EU citizens with regard to processing personal data. It was in the year 2012 that the European Commission submitted a draft proposal for data protection reform across the European Union with the vision to make Europe “fit and safe for the digital age”. Subsequent to four years of debate and preparation, the EC adopted GDPR in April 2016, and implemented it in May 2018, replacing its outdated Data Protection Directive, 1995. The GDPR requires all the countries of the EU to comply with its norms.
What exactly is GDPR?
The General Data Protection Regulation (GDPR) is basically a regulation to the core of Europe’s digital privacy legislation. It applies to all the organisations operating within the EU along with the organisations outside which offer goods or services to the customers or businesses in the EU. So it eventually means that every major corporation across the world needs a GDPR compliance strategy. The Brexit is not going to have any impact on the enforcement of GDPR and GDPR will continue to work for the benefit of the UK.
GDPR is said to be the strongest set of data protection rules in the world. It contains 99 articles divided into 11 chapters. It is expected to benefit companies by providing consistency in data protection activities and liabilities by enabling more integrated data protection policies. There are also a few special categories under GDPR that are given greater protection. Such categories include information related to racial origin, health information, genetic or biometric data, an individual’s sexual life and orientation and so on.
The Importance of GDPR
Personal data is of great significance under GDPR because the companies or individuals are either ‘controllers’ or ‘processors’ of it are covered by the law. Controllers, being the ultimate decision-makers, exercise overall control over the processing and management of personal data whereas, processors act only on the instructions of a pertinent controller.
GDPR has undoubtedly made the concerned individuals and organisations aware of data protection rules and their rights. It has shown results but the work needs to continue and a similar set of rules can be adopted by various other countries for better security of personal data and to ensure people with cyber security of user data on the web.
By: Tushar Srivastava
Student at Amity Law School, Noida