NEW DELHI: At 462.12 million, India has the second highest number of internet users in the world after China but lacks the legal framework to ensure data protection and privacy with current laws inadequate for the rapidly-evolving sector, say cyber security experts.
As data theft becomes the political buzzword pitching the ruling BJP against the opposition Congress, recent revelations on the issue have forced people to re-examine their everyday social media browsing habits, particularly on Facebook.
It started mid March with international media reports claiming that the profiles of 50 million Facebook users were harvested by UK-based analytics firm Cambridge Analytica (CA) to influence the US presidential election and the pro-Brexit campaign as well as polls in other countries.
The resulting storm engulfed India too, with former CA employee-turned-whistleblower Christopher Wylie claiming the firm extensively operated in the country and had served political parties, including the Congress and the Janata Dal (United).
Beyond the global impact of the biggest-ever data breaches and the social media behemoth Facebook, the scandal brought to the fore the shortcoming of India’s laws to deal with ever advancing issues of online privacy and data theft in the country, say experts.
“India has the second highest number of internet users globally. However India’s Information Technology Act, 2000 and its amendments — 2008 and 2011 — are not well suited to deal with social media and internet related cyber-crimes,” said Jaspreet Singh, partner, Cyber Security, Ernst & Young.
According to figures by Internet World Stats, a website featuring data on global internet usage, China had highest number of internet users at 738.5 million till December 31, 2017. India was second and the US third with 286.94 million users.
India does not have a dedicated law on data protection and privacy, said Singh.
“Consequently, the third party transfers and cross border movement of personal data, the entire sharing ecosystem, is not adequately dealt with under the Indian IT Act. If any organisation is disclosing the personal information to third parties in India for data profiling or other such marketing and business purposes, there is no effective legal solution that is available,” he added.
Supreme Court lawyer Pavan Duggal said it would be a mistake to expect the IT Act to be a holistic one-point legal framework for cyber security as it was enacted 10 years ago.
“… There have been dramatic advances in cyber security and also cyber security breaches, but the law has stood frozen in point of time in history,” the cyber law specialist told PTI.
Going by Indian law, the data breach episode, which has attracted a probe by regulators and governments in several countries and also triggered panic amongst millions of internet users, is at best “immoral or unethical” but not illegal.