Indian Science: Scientists, Institutions, Robotics, Nanotechnology, Quantum Computing, Government Policies, Digital India, Cyber Security & Data Privacy

Paper II · Unit 2 · Section 8 of 13

Cyber Security and Data Privacy

7.1 Legal Framework

Information Technology Act, 2000

India's foundational cyber law, enacted to provide legal recognition for electronic transactions. Key provisions:

  • Section 43: Compensation for unauthorised access, damage, or downloading of data
  • Section 65: Tampering with computer source code (3 years imprisonment/Rs 2 lakh fine)
  • Section 66: Computer related offences (3 years imprisonment/Rs 5 lakh fine)
  • Section 66A: Offensive online messages — STRUCK DOWN by Supreme Court in Shreya Singhal v. Union of India (2015) for being unconstitutionally vague and violating free speech
  • Section 66C: Identity theft (3 years/Rs 1 lakh)
  • Section 66D: Cheating by impersonation via computer (3 years/Rs 1 lakh)
  • Section 66E: Violation of privacy (3 years/Rs 2 lakh)
  • Section 66F: Cyber terrorism (up to life imprisonment)
  • Section 67: Obscene material online; Section 67A: Sexually explicit material
  • Section 69: Power to intercept, monitor, and decrypt information
  • Section 70: Protected system; Section 70B: CERT-In as national nodal agency

IT (Amendment) Act, 2008: Added provisions for cyber terrorism, data protection, and electronic evidence; introduced Section 66A (later struck down) and Section 66F.

National Cyber Security Policy 2013

India's first dedicated cybersecurity policy. Key objectives:

  • Create a secure cyber ecosystem
  • Develop 500,000 cyber security professionals by 2018
  • Establish National Critical Information Infrastructure Protection Centre (NCIIPC) under NTRO
  • Create 24×7 cyber incident response capability
  • Develop indigenous security products and services

Note: The policy is being revised — a new National Cybersecurity Strategy is under preparation (2023–24) as the 2013 policy is outdated.

CERT-In (Computer Emergency Response Team India)

  • Established under Section 70B of the IT Act, 2000
  • Mandated to collect, analyse, and disseminate information on cyber incidents
  • Issues advisories, alerts, and guidelines on cybersecurity vulnerabilities
  • April 2022 Directives (controversial): Mandatory reporting of cyber incidents within 6 hours (vs. 72 hours under EU GDPR); mandatory log retention for 180 days; VPN providers must maintain user logs for 5 years; mandatory KYC for cloud services.

NCIIPC (National Critical Information Infrastructure Protection Centre)

  • Designated as National Nodal Agency for protection of Critical Information Infrastructure (CII)
  • Operates under NTRO (National Technical Research Organisation), PMO
  • CII sectors: Power, Banking, Telecom, Transport, Government, Healthcare

Cyber Surakshit Bharat Initiative

  • Launched January 2018 by MeitY, in partnership with NASSCOM and DSCI
  • Objective: Spread awareness on cybercrime and build capacity of Chief Information Security Officers (CISOs) and IT staff in government
  • Organized 112+ workshops for 12,000+ government officials

7.2 Digital Personal Data Protection (DPDP) Act, 2023

India's first comprehensive data privacy law was enacted in August 2023, after more than 6 years of drafting (the Justice B.N. Srikrishna Committee submitted its report and draft bill in 2018; various subsequent drafts followed).

Key Definitions

  • Personal Data: Any data about an identifiable individual
  • Data Principal: The individual to whom the personal data relates (data subject)
  • Data Fiduciary: Entity that determines purpose and means of processing (data controller)
  • Significant Data Fiduciary (SDF): Large-scale data processors notified by the government based on data volume, sensitivity, and national security implications

Rights of Data Principals

  1. Right to access information about data processing
  2. Right to correction and erasure of personal data
  3. Right to grievance redressal
  4. Right to nominate another person in case of death/incapacity

Obligations of Data Fiduciaries

  1. Collect data only for specific, clear, and lawful purposes (Purpose Limitation)
  2. Collect only data necessary for stated purpose (Data Minimisation)
  3. Ensure accuracy of data
  4. Store data only as long as necessary (Storage Limitation)
  5. Implement security safeguards
  6. Notify Data Protection Board and affected users of breaches

Data Protection Board of India

  • Adjudicatory body for resolving complaints and imposing penalties
  • Maximum penalty: Rs 250 crore for a single breach; Rs 500 crore for systemic failures (originally; specific amounts are notified by rules)

Cross-Border Data Transfer

  • Personal data can be transferred to countries notified by the Central Government as having adequate data protection (whitelisted countries)
  • No blanket data localisation requirement (unlike the draft PDP Bill 2019)

Exemptions

  • Processing for national security and public order
  • Research, archiving, and statistical purposes
  • Children's data — requires verifiable parental consent; no behavioural targeting of children

Comparison with EU GDPR

Unlike the GDPR, the DPDP Act does not have an extraterritorial provision for non-Indian controllers, has lower maximum penalties, and lacks a separate supervisory authority with full independence (the Data Protection Board's independence has been questioned).

7.3 Emerging Cyber Threats in India

  • Ransomware: AIIMS Delhi cyberattack (November 2022) — servers brought down for 5 days, potentially exposing patient data of 3–4 crore patients; suspected China-linked APT (Advanced Persistent Threat) group.
  • State-sponsored attacks: CERT-In reported 13.91 lakh cybersecurity incidents in 2022, a 40% increase over 2021.
  • Social engineering/Vishing: UPI and banking fraud via phone-based identity theft costing Rs 1,750 crore annually (RBI estimates 2023).
  • Deepfakes: AI-generated synthetic media increasingly used for fraud and political disinformation. MeitY issued an advisory on deepfakes in November 2023 following a celebrity deepfakes controversy.