ABSTRACT
In today’s digital world, the protection of an individual’s digital personal data is of paramount importance. Various factors have contributed to this situation. The increasing digital population is one of the major reasons for this, as the availability of an individual’s personal data in the digital arena is increasing day by day. These data are provided expressly or impliedly. The presence of data in the digital world makes an individual vulnerable to various forms of cybercrime, which include financial fraud through impersonation, digital arrest, and misuse of sensitive personal data. It has become very crucial to safeguard an individual’s personal data through legal and statutory frameworks. The Information Technology Act, 2000 (IT Act 2000) is marked as the country’s first step towards providing legal recognition for electronic transactions and electronic governance. This legislation facilitated e-commerce growth and addressed cybercrimes, but the need for a more structured enactment was growing due to the dynamic nature of technology. The Digital Personal Data Protection Act 2023 and Digital Personal Data Protection Rules 2025 are a few landmark legislations that are drafted to safeguard an individual’s personal data. Both the legislation is made with the intention to safeguard an individual’s personal data, and detailed provisions have been laid in this matter addressing the relevant concerns. In today’s world, there is an extraordinary technological advancement that has resulted in digital development and has brought a sense of ease in our lives; at the very same time, it has been exploited by many individuals who lack the sense of ethical responsibility and has caused a serious violation of individual’s right to privacy. The right to privacy is recognized as a fundamental right through the 2017 landmark judgment of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors .
KEYWORDS
Personal Data, Cybercrime, Digital Personal Data Protection Act, Privacy, E-governance, Data Protection, Ethical Responsibility.
INTRODUCTION
In today’s digital era, data has become the most valuable asset. To understand more about the need for the protection of personal data, we must be aware of certain important terminologies and their meaning. Important terminologies include: (a) Digital personal data refers to any personal data that is present in the digital form. (b) Data privacy refers to the ability of an individual to know how his data is collected, stored, or used. The concept of privacy was discussed in various cases, but it was not expressly recognized in the Indian constitution. Relying on the 2017 landmark judgment of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors famously known as the right to privacy judgment, which expressly recognized the right to privacy as a fundamental right under the ambit of Article 21, which deals with the right to life, and personal liberty. India felt the pressing need to enact legislation to accommodate the growing technological advancement and to safeguard the privacy of an individual. This led to the enactment of the Digital Personal Data Protection Act 2023, followed by the Digital Personal Data Protection Rules 2025, which deals with the nuances as to, how to enforce the Digital Personal Data Protection Act 2023. The Data privacy laws in India have had a significant development after the introduction of the Digital Personal Data Protection Act, 2023. The Digital Personal Data Protection Act 2023 tries to strike a balance between personal data protection and technological development in the digital world.
RESEARCH METHODOLOGY
In this legal research on the need for the protection of personal data, the descriptive research methodology has been employed to thoroughly examine and describe the relevant legal principles, case laws, statutes, and legal doctrines. The descriptive method aims to provide an indepth understanding of a specific legal issue by systematically analyzing existing laws, precedents, and interpretations. The Descriptive research methodology plays a pivotal role in legal research, offering several key benefits that enhance the understanding and analysis of the present legal issues in hand. To ensure a complete and detailed approach, this research has relied on various relevant legislation as primary sources as the DPDP Act 2023 and DPDP Rules 2025 are the important ones referred here. The descriptive approach is suitable for this study as it helps in giving an in-depth understanding of the current legal scenario and its implications for personal data protection. By employing a descriptive method, this research aims to elucidate the critical need for structured personal data protection measures to combat the different types of crimes that could take place in the digital platform. Research methodology is one of the crucial aspects of research work it helps in better understanding.
LITERATURE REVIEW
The rapid growth in technology has posed the need for a legislation to protect personal data.
There is a legislation governing the activities happening in the digital space in India that is the Information Technology Act 2000 but it does not particularly deal with certain aspects of the digital arena like the protection of digital personal data. The introduction of the Digital Personal
Data Protection (DPDP) Act, of 2023, marks a major step towards personal data governance in India. This legislation is designed to provide individuals with effective control over their personal data. The principles incorporated in the Digital Personal Data Protection Act 2023 is also aligning with the global standards set forth by the General Data Protection Regulation (GDPR). the GDPR is a stringent law governing the protection of personal data. it was passed by the European Union in 2016 but came into force on May 15, 2018. The Digital Personal Data Protection Rules 2025 are also notified to the citizens to help in the enforcement of the Digital Personal Data Protection Act 2023. All these enactments are referred in this research paper.
INCREASING THREAT IN THE DIGITAL LANDSCAPE
Cyber threats and cybercrimes are highly dynamic in nature and are multifaceted. The cybercriminals are exploiting the technological advancement and employing it against the public. These are serious issues that require immediate attention from the government to create a wellstructured legislation.
- Identity theft
Identity theft is the most common type of cybercrime that occurs when an individual uses another person’s sensitive personal data without their permission for their own benefit.
This refers to the unlawful and unauthorized use of another individual’s personal data. Sensitive data like bank details, credit card numbers, addresses, or driving licenses could be breached. Identity fraudsters try to use another person’s data for their own personal gain it is usually for financial gain. They use the data to transfer money or open a new bank account and the liability for all the damages caused by the identity fraudster completely falls on the victim. The reason for the increasing identity theft is the increase in the value of this information in present times these are the digital assets. There are various methods through which one can commit these offences such as through Data breaches, browsing on an unsecured website, malicious software, etc.
- Ransomware
This refers to a type of cybercrime wherein the hacker encrypts the data, and files of the victim’s computer and demands ransom from the victim to gain access to those files. On the fulfillment of the demand only, the cyber attackers will give the decrypt key for the encrypted files. This hacking poses a serious threat to all the personal data of an individual on the computer.
- Digital arrest
Cybercrime by virtue of being dynamic in nature has resulted in a novel type of offence where the victim is intimidated by impersonating as a government official to extort money from them. The crime is executed in such a nature that, most individuals fall victim to it. They intimidate the victims stating that they are involved in an unlawful activity and would pressure them to pay the money. They demand the money under the guise of clearing the victim’s name from the said unlawful activity. This is becoming one of the major types of cybercrime these days. One must be vigilant to escape such traps.
- Gender-based violence
Women are subjected to such gruesome offences not just physically but also through electronic mediums. Sensitive personal data including data like names, and pictures are used to degrade the reputation and these acts cause serious mental agony to the victim. Morphing the pictures, and using the data to harass the victim are a clear violation of individuals’ privacy and bodily integrity. Though irrespective of gender every individual could be subjected to these acts additional stress is laid on women and children as they are the vulnerable sections of our society.
These are very few of the major types of data breaches and cybercrimes that will affect the personal data of an individual. An in-depth understanding of the serious nature of these crimes poses the pressing need to enact a law that will govern all the development that takes place at the interface of law and technology.
CASE STUDY
1. Wannacry ransomware attack 2017
This was a global ransomware attack affecting more than 150 countries including India. This was the first of its kind to be executed in such a large digital landscape. The ransomware spread through the use of Microsoft computers. A hefty Ransom amount was demanded by the attackers, who asked the victims to pay the money to them in Bitcoins by encrypting the data of the victims. Within a few hours of the attack, the malicious software was temporarily neutralized but by then a lot of computers had been encrypted and were in an unusable state. This is one such major incident of ransomware attack to have taken place.
OVERVIEW OF THE DPDP ACT 2023 AND RULES 2025
This marks a significant milestone in enacting a legal framework for the protection of personal data in the country. Before The Digital Personal Data Protection Act 2023, India did not possess a detailed and structured law that governs the privacy of an individual in the digital platform with reference to one’s personal data. The Digital Personal Data Protection Act 2023 contains IX Chapters and I Schedule. The Digital Personal Data Protection Act 2023 is designed to protect the personal data of an individual. It lays down a detailed mechanism as to how digital personal data must be processed, in a manner that protects the rights of the individual to whom the data belongs.
The Digital Personal Data Protection Act 2023 was structured and framed by amending the Digital Personal Data Protection Bill 2022. It was the predecessor of the former.
Section 3 of this enactment states the applicability of this act, wherein it states that the provisions of this act shall extend to the processing of personal data within India. It lays down two important ingredients: that the data collected should be in the digital form or it could be converted into digital form later. Section 3(c) states certain exception clauses that this shall not apply to those data that are processed for personal or domestic use or the personal data was made available by the data principals themselves or by any person authorized to do so by them. It has extra-territorial applicability also, this enactment can even be applied to territories outside India where the data is processed, is for providing service in India.
There are certain obligations that a data fiduciary owes to the data principal: all the personal data of the data principal must be processed only in accordance with the law. All the processes must be done only with the consent of the data principal and be used for legitimate purposes alone. In case of a data breach, the data fiduciary must immediately inform the Data Protection Board of India. Here great importance has been given to the concept of consent, consent must be free, specific, informed, unconditional, and unambiguous. It also mentions that the data principal must have the option to view the consent and notice under this enactment in English or any other languages that are recognized under the 8th schedule of the Indian constitution.
The method in which consent is taken for the usage of data belonging to children and persons with disability is also mentioned, though it has some practical difficulties with regard to the verification of the guardian if he or she is the actual lawful guardian of the child or person with disability.
The data fiduciary has the right that is, cross-border transfer of personal data that is they have the right to transfer the data to one or more countries, except to those as mentioned by the central government.
It also contains numerous rights for the data principal, it is their data that will be processed by the data fiduciary. Right to know what type of data is collected, right to alter or delete the data, right to access their personal data, and more.
The Data Protection Board of India is the first regulatory body with regard to personal data protection. Chapter V deals with the formation of a Data Protection Board in India which is a body corporate that deals with the regulation of the act. It consists of a chairperson and other members whose tenure is for two years and who are eligible for re-appointment.
Penalties, a comprehensive chapter is present to address the non-compliance of the requirement mentioned under this enactment while processing the personal data of an individual. Monetary penalties have been laid down for the breaches.
The Indian government has taken steps to achieve compliance with the Digital Personal Data Protection Act 2023 by drafting the Digital Personal Data Protection Rules 2025. To give more clarity relating to the process of enforcing it.
Key aspects clarified under the Draft Rules are the role of the consent manager it specifically mentions about deletion of digital data by three data fiduciaries, including the e-commerce entities, social media intermediaries, and online gaming intermediaries, and also mentions that information regarding the same must be conveyed to the data principal 48 hours prior to the removal. The Digital Personal Data Protection Rules 2025 has tried to shed some clarity on the Digital Personal Data Protection Act 2023 but still, there are various provisions that require some more clarity. The Digital Personal Data Protection rules were given to the public and were asked to submit their recommendation. We hope that the rules be refined and India shall have a more structured legislation with regard to personal data protection in the electronic platform.
ALIGNMENT WITH INTERNATIONAL STANDARDS
The Digital Personal Data Protection Act 2023 Act and the subsequent drafting of the Digital Personal Data Protection Rules 2025 are drafted with an aim to meet the international standard in the aspect of data protection. Various countries have enactments to regulate and safeguard the data but one such important enactment in this regard is the General Data Protection Regulation which was passed by the European Union in 2016 but came into force on May 15, 2018. The Digital Personal Data Protection Act 2023 follows a very similar principle as mentioned in the General Data Protection Regulation.
SUGGESTIONS
Backing up of data
Due to the unprecedented times in the digital world, backing up the data could help individuals and organizations to protect and safeguard themselves from such malware attacks. This ensures that even during such attacks the data will be secured. Backing up of data contributes to the overall protection of personal information in our increasingly digitized world. It helps us to have access to our data. Backing up of data is a crucial practice in protecting the personal data of an individual and that of the organization from any kind of malware attack.
Public awareness
Awareness is very important in the aspect of cybercrimes as it involves a lot of technological facets, a layman will find it very difficult to understand the in-depth consequences of such activities taking place. Imparting knowledge to the people is very important in reducing their vulnerability to these types of cybercrimes. The government must take initiatives to create awareness among the public on these pressing matters of importance. This emerges as a vital strategy to protect individuals from these types of crimes and helps them to safeguard their data.
The awareness creates a sense of responsibility and vigilance among the public.
Browsing in unsecured websites
In today’s digital world, one must be very cautious while browsing the internet. It is advised that one must refrain from browsing in unsecured websites and clicking on phishing emails or links and be aware of the phishing techniques that are used by the hackers. Do not entertain such unwanted phishing links. By clicking such links an individual paves the way for the hacker to access one’s personal data. Be very mindful when you enter sensitive credentials in the electronic platform and check that the website is secured by check one can avoid being a victim of cybercrime and protect their personal data.
CONCLUSION
A detailed reflection of the multi-faceted nature of cybercrimes and their dynamic nature is a clear piece of evidence that the need for regulating and protecting personal data is vital in the digital era. The DPDP act consists of provisions that regulate it to some extent but this does not mean that the DPDP act is immune from criticism because of certain drawbacks it contains certain areas that require additional attention. The DPDP rules which have taken the recommendation from the public. Only on the release of the redefined legislation we will state whether all the shortcomings have been reduced or not. However, the initiative taken to protect personal data is a great step forward towards the protection of digital personal data. Only after the enforcement of these laws will show the true efficacy of these enactments. it is vital to recognize that data protection is not a static law. The landscape of technology and cyber threats are ever developing. Therefore, any regulation must remain flexible and adaptable, evolving to handle emerging risks and trends in cyberspace.
Afya Arsheen. A
B.S.Abdur Rahman Crescent Institute Of Science And Technology.