💥Join UPSC 2027,2028 Mentorship (July Batch) + XFactor Notes & Microthemes PDF

Subject: Data Protection

  • Data security has assumed significant importance in the digitized world due to rising cyber crimes. The Justice B. N. Srikrishna Committee Report addresses issues related to data security. What, in your view, are the strengths and weakness sof the Report relating to protection of personal data in cyber space?

    The Justice B.N. Srikrishna Committee’s 2018 report – “A Free and Fair Digital Economy” – was India’s foundational attempt to translate the privacy jurisprudence of Puttaswamy (2017) into statutory architecture.

    The Rising Scale of Cybercrime in India

    Cybercrime cases rose from 10.29 lakh in 2022 to 28.15 lakh in 2025 (MHA, I4C).

    Indians lost approximately

    Cybercrime complaints have grown by over 623% between 2021 and 2024 on the NCRP portal.

    77% of fraud losses stem from investment scams; digital arrests (9%) and sextortion (4%) are the fastest-growing categories (I4C, 2025).

    I4C has frozen 24.67 lakh mule accounts and blocked 9.42 lakh SIM cards linked to cyber fraud

    Key Recommendations of the Srikrishna Committee Report

    Citizen reframed as data principal; entity as data fiduciary with trust obligations.

    Enshrined principles of consent, purpose limitation, data minimisation, and storage limitation.

    Heightened protection for sensitive personal data – health, biometric, financial, religious, genetic

    Created an independent Data Protection Authority (DPA) with adjudicatory powers.

    Mandated data localisation for critical and sensitive personal data within India.

    Recognised new-age rights – confirmation, correction, portability, right to be forgotten.

    Special safeguards for children’s data, including parental consent and a ban on profiling.

    Cross-border transfer permitted only via adequacy mechanisms or contractual safeguards.

    Strengths of the Report

    Constitutional anchoring in Puttaswamy – privacy treated as a fundamental right, not a regulatory courtesy.

    Fiduciary framing imposes a trust-based duty on data handlers, drawing from common law traditions.

    GDPR-aligned principles of purpose limitation and accountability bring India to global standards.

    Independent regulator (DPA) institutionalises enforcement beyond executive discretion.

    Empowerment of citizens through actionable rights – correction, portability, erasure.

    Sectoral sensitivity through layered protection for health, financial, biometric, and children’s data.

    Digital sovereignty advanced through data localisation provisions for critical data.

    Balanced approach – does not stifle innovation; permits research, journalism, and reasonable business processing.

    Weaknesses of the Report

    Broad State exemptions – surveillance under Section 35 permits processing in the interest of national security, public order, etc., without prior judicial oversight.

    Weak independence of the DPA – appointment process dominated by the executive raises capture concerns.

    Ambiguity on “critical” personal data – left to executive notification, creating regulatory uncertainty.

    Data localisation costs disproportionately affect MSMEs, startups, and global service providers.

    No clear remedy framework for data breaches – compensation provisions remain vague and non-deterrent.

    Inadequate provisions on non-personal data – a critical gap addressed only later by the Kris Gopalakrishnan Committee.

    No special framework for emerging threats – AI profiling, deepfakes, biometric coercion are underaddressed.

    Limited attention to journalistic and whistleblower data, raising press-freedom concerns.

    Way Forward

    Operationalise the Digital Personal Data Protection Act, 2023, with timely framing of subordinate rules.

    Establish the Data Protection Board of India (DPBI) as a genuinely independent authority, on the lines of TRAI or SEBI.

    Bring State surveillance under judicial pre-authorisation, in line with the Puttaswamy proportionality test.

    Strengthen CERT-In, I4C, and NCIIPC capacities with sustained funding and inter-agency coordination.

    Mandate algorithmic transparency and AI-impact assessments for high-risk processing.

    Operationalise the Cyber Fraud Mitigation Centre (CFMC) to scale real-time fraud interception.

    Launch a national digital literacy mission focusing on Tier-2/3 cities, senior citizens, and first-time users.

    Promote international cooperation through Budapest Convention engagement and bilateral data-sharing protocols.

    “Data is the new oil.” Thus, protection of personal data is no longer a technological concern but a constitutional one.

    2019 – What is CyberDome Project? Explain how it can be useful in controlling internet crimes in India.

    (10)

    The CyberDome Project is a high-tech PPP initiative of Kerala Police, established as a “Centre of Excellence” to combat emerging cyber threats through collaborative research and development.

    Rising Internet Crimes in India

    Cybersecurity incidents rose from 10.29 lakh in 2022 to 22.68 lakh in 2024 (120% increase in two years)

    Massive Financial Toll- over as per NCRP.

    Significant rise in AI-driven phishing and “Digital Arrest” scams

    Enforcement agencies have blocked over 9.42 lakh SIM cards and 2.63 lakh IMEIs linked to fraudulent activities by early 2025.

    Over 86% of households are now connected to the internet – High vulnerability

    13.7% of global incidents target India (Cyfirma report)

    Importance of CyberDome in Controlling Internet Crimes

    Shift from “reactive investigation” approach to “proactive defense” model

    Public-Private Collaboration bridges the talent gap by involving over 2,500 volunteers, including ethical hackers and IT experts

    Real-Time Threat Intelligence using AI and machine learning. In 2024, it successfully thwarted a major DDoS attack on an Indian financial institution.

    Combatting Online Exploitation through initiatives like “Hac’KP 2025” and the “KID GLOVE” program (international recognition from INTERPOL)

    In September 2024, it launched a Security Operation Centre (SOC) to monitor police networks and prevent sensitive data breaches.

    Specialized Cyber-Wings- It operates niche units like the “Ransomware School” and a Malware Analysis Lab, creating Standard Operating Procedures (SOPs).

    Academic Synergy- Collaborations with institutions like NIT Calicut (2024 MoU)

    Financial Fraud Mitigation detected vulnerabilities in 4 out of 10 banking apps tested (CAG report)

    Officers and volunteers act as “Online Police Patrols,” monitoring social media for extremist propaganda, radicalization efforts, and the spread of fake news.

    The CyberDome Project has transformed the Kerala Police into a tech-forward force, achieving a 25% increase in case resolution between 2022 and 2024.

  • Describe the context and salient features of the Digital Personal Data Protection Act, 2023

    The DPDP Act, 2023 aims to transform India from a “privacy-neutral” state to a “privacy-centric” digital democracy. It provides the legal backbone for India’s $1 trillion digital economy aspirations.

    Context of the Act

    Committee Recommendations (Justice B.N. Srikrishna Committee) emphasizing “Data Sovereignty” and the “Fiduciary” relationship.

    Digital economy- With over 900 million internet users, the rapid expansion of digital payments (UPI) and digital public infrastructure (Aadhar, CoWIN) required robust safeguards.

    Inadequacy of IT Act, 2000- The previous framework (Section 43A) was narrow, outdated, and lacked the “teeth” to penalize global tech giants for data breaches.

    To remain a global outsourcing hub, India needed a law compatible with Global Norms. Eg- EU’s GDPR.

    Data Breaches highlighted the vulnerability of citizens’ personal data. Eg- CoWIN data leak

    The rise of AI-driven behavioral profiling and “dark patterns” in e-commerce necessitated “Purpose Limitation.”

    Data has become the “new oil” in modern warfare, with data localization as a vital component of national security.

    Salient Features of the Act

    The Act is built on the philosophy of “Rightful Processing”

    Tripartite Stakeholder Model- Identifies the Data Principal (individual), Data Fiduciary (entity deciding data use), and Data Processor (entity handling data).

    Consent-First Approach- Processing is only lawful with “free, specific, informed, unconditional, and unambiguous” consent via a clear notice.

    Rights of Data Principals- Grants the right to Access (summary of data), Correction, Erasure, and Nomination (bequeathing digital data after death).

    Significant Data Fiduciaries (SDFs)- Entities handling high-volume or sensitive data (e.g., Social Media) must appoint a Data Protection Officer (DPO) and conduct annual audits.

    Protection of Minors- Mandates verifiable parental consent for children (under 18) and strictly prohibits tracking or targeted advertising directed at them.

    Data Protection Board of India (DPBI)- A digital-first regulatory body empowered to investigate breaches and impose fines.

    Negative List for Cross-Border Flow- Permits data transfer to most countries unless specifically restricted by a government “Blocklist.”

    Stringent Financial Penalties- Forgoes criminal jail terms in favor of massive civil penalties-up to for failure to prevent a data breach.

    Challenges That Remain

    Surveillance concerns- Section 17 allows the state to bypass most provisions for “security of the state” and “public order”.

    Diligence vs. Innovation- high cost of implementing “Privacy by Design” and maintaining audit trails for MSMEs and startups.

    One-size-fits-all approach- Unlike GDPR, the Indian law does not distinguish between general data and “Sensitive” data.

    The Act is a right step toward Digital Sovereignty. It must move beyond mere legal text to create a “Privacy Culture” for meaningful exercise of digital autonomy.