Data Privacy Day 2024: What's India's Outlook For The Year?

As the global transition to the digital landscape gained momentum, the rise of data breaches became an imminent and widespread threat, taking many by surprise regarding the potential for malicious activities over a decade ago. Recognising the urgency to bridge this alarming gap, the Council of Europe initiated 'Data Privacy Day' on 28 January 2007. Since its inception, this day has evolved into an international event dedicated to heightening awareness and advocating for best practices in privacy and data protection.

In India, this year's celebration holds particular importance, especially in the wake of the Digital Personal Data Protection (DPDP) Act, which was enacted in August of the preceding year, 2023.

The DPDPA, 2023 is a legislation enacted by the Indian Parliament. Its purpose is to regulate the handling of digital personal data, ensuring individuals' right to safeguard their personal information while also allowing for lawful processing of such data and addressing related matters.

Regarding the DPDP Act, Balaji Rao, Area Vice President for India & SAARC at Commvault, said that this legislation represents a noteworthy stride in India's privacy-centric digital strategy, demonstrating the nation's commitment to aligning with international data protection standards.

“This Act has also triggered the establishment of a Data Protection Board to adhere to the bill compliance and address any grievance redressal. This highly anticipated reform serves as a guiding framework for both present and future Internet users," emphasised Rao.

Reuben Koh, Director, Security Strategy - Asia Pacific & Japan, Akamai Technologies shared, "Data protection is focused on three things, confidentiality, integrity and the availability of private data." 

He added that "DPDP represents a significant advancement and it is crucial to acknowledge its origins and the journey that led to this point."

Currently, India does not have a standalone law on data protection. Apart from DPDP, the use of personal data is regulated under the Information Technology (IT) Act of 2000.

Weighing on this, Sameer Dhanrajani, CEO at 3AI said, "The DPDP Act of India is comparable to the General Data Protection Regulation (GDPR) of the European Union. Recognising the distinctiveness of each country, the DPDP Act has been carefully customised to address India's specific needs and obstacles. Moreover, the Act expedites the process of resolving grievances by establishing clear deadlines for the Data Protection Boards and the Appellate Tribunals, instilling confidence in the prompt resolution of complaints."

2023 – The Year Of Major Ransomware Attacks

While 2023 gave DPDP to India, the year also witnessed a significant rise in global ransomware attacks, as per Check Point's recent report. Throughout 2023, 10 per cent of organisations worldwide were targeted by an attempted ransomware attack, a growth of 7 per cent from the previous year. This is the highest rate observed in recent years, requiring India to exercise greater caution in dealing with this issue.

Source: Check Point

Acknowledging the report, Priya Kanduri, Senior Vice President & CTO (IMSS) at Happiest Minds Technologies, stressed that India would face cybersecurity challenges in 2024 too, including data breaches, ransomware and phishing attacks. "These challenges could be addressed through the adoption of advanced AI techniques, that may minimise cyber-attacks in crucial areas such as cloud security, OT security, anti-phishing measures, data protection, and awareness."

In a similar vein, Ramprakash Ramamoorthy, Director of AI Research at Zoho Corp, remarked, "As the evolution of AI unfolds, businesses grapple with the challenge of innovating while safeguarding privacy. Organisations must commit to the responsible utilisation and advancement of AI, with a priority on privacy as the key to sustainable development."

India’s Biggest Personal Data Breach

Although business data breaches are frequently discussed, it is crucial to identify that personal data is also largely misused and requires attention. Unfortunately, it often takes a backseat as big tech companies profit greatly from their users' personal information. It's a common occurrence that users, upon searching for something online, find themselves inundated with advertisements or products related to their queries on social media feeds or pages. This phenomenon constitutes a form of data breach. While this might appear as a minor example, a significant data breach in India has recently sent shockwaves throughout the entire nation.

In October 2023, it was found that the sensitive personal data of 81.5 million Indian users had leaked and surfaced on the dark web. The stolen information comprised Aadhaar and passport details, names, phone numbers and temporary and permanent addresses, as per reports. The data reportedly came from the information collected by the Indian Council of Medical Research (ICMR) during COVID-19 testing.

In light of this issue, Vaibhav Tare, Chief Information Security Officer at Fulcrum Digital said, "The government is pressing on the adoption of the Data Empowerment and Protection Architecture (DEPA) to secure data transfers through Application Programming Interfaces (APIs)."

The consent managers of this platform will facilitate secure data sharing with third parties by generating approval artifacts that are digitally signed by users, ensuring transparency, he added.

Satya Machiraju, VP of IT & Information Security, Whatfix underscored that with the DPDP Act, India would look to safeguard the personal data of its users, but it is important to recognise that no regulation can provide absolute protection against the misuse of personal data. 

It is equally vital for organisations that handle such data to comprehend the significance of these regulations and establish policies and procedures to consistently adhere to them. The European Union regulators have been swift in penalising organisations that breach these privacy laws, highlighting the urgent requirement for data privacy officers in entities involved in the processing of personal data. India needs to adopt such measures, remarked Machiraju.

Weighing in on the issue, Raja Lakshmipathy, Vice President and Managing Director for Genesys India & SAARC region said, “In India's ever-evolving cybersecurity realm, the convergence of privacy is an essential entitlement. Although the DPDP implementation marks a significant step in filling legislative gaps, the pursuit of a comprehensive data protection framework remains ongoing.”