By: Koupal Jain & Ankit Saurashtriya
Student, VI SEMESTER, B.A.LL.B (Hons.), Department of Law, Prestige
Institute of Management and Research, Indore (M.P.)
The Digital Personal Data Protection Bill, 2023 was introduced on 3 August 2023 and was
passed by the Lok Sabha on 9 August 2023. The Bill received the President's assent,
was published in the Official Gazette, and became law on 11 August
2023. Under the Act, "data" means a representation of information,
facts, concepts, opinions or instructions in a manner suitable for
communication, interpretation or processing by human beings or by automated
means. A recent news report stated that a pro-Palestinian hacker group hacked a company whose services are available to thousands of
students across Israel and leaked its data online, including names, contact
numbers, addresses and e-mail addresses.
The students' details were shared using the Telegram app. The Malaysian hacker group Dragonforce took the
information from the website of AcadeMe, which is one of the largest recruitment
networks across Israel for students and graduates seeking work. According to the Ministry of External Affairs, the estimated number of Indian students
studying in Israel is about 1,218.
DOES THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 MAKE THIRD PARTIES /
HACKER ORGANIZATIONS LIABLE?
Under the Digital Personal Data Protection Act, the provisions of the Act apply to
the processing of digital personal data within India. They also
apply to the processing of personal data outside the territory of India, if
such processing is in connection with any activity of offering goods and
services to data principals within the territory of India. Here,
personal data means any data about an individual who is identifiable by or in
relation to such data. Data fiduciary means any person who, alone or in
conjunction with other persons, determines the purpose and means of the
processing of personal data. Data principal means the individual to whom the
personal data relates. Illustration: A, a data principal, makes a purchase at B, a data
fiduciary. A voluntarily provides B her personal data and requests B to
acknowledge receipt of the payment made for the purchase by sending a message
to her mobile phone. Here B, a data fiduciary, may process the personal data of
A, a data principal, for the purpose of sending the receipt.
Here are some general obligations of a data fiduciary. A data fiduciary
shall, irrespective of any agreement to the contrary or failure to
carry out the duties provided under this Act, be responsible for complying with
the provisions of this Act and the rules made in respect of any processing
undertaken by it or on its behalf by a data processor. A data fiduciary must
make efforts to ensure the accuracy of data and also maintain or build
reasonable security safeguards to prevent a data breach. Here, personal data breach
means any unauthorized processing of data or disclosure, acquisition, sharing,
use, alteration, destruction or loss of personal data. It is the responsibility
of a data fiduciary to erase personal data as soon as the purpose has been
accomplished. Illustration: A, an individual, makes a purchase at B, a
pharmacy. She voluntarily provides B her personal data for the purpose of
payment. B may process the personal data of A for the purpose of sending the
receipt. Subsequently, A informs B that the payment has been made. B shall
then cease or erase the personal data of A.
According to a news report in the Times of India, hackers stole
the email addresses of more than 200 million Twitter users and posted them on
an online hacking forum such as the dark web. The dark web is a part of the Internet. The dark
web can be used to sell stolen personal information. The report says that hacker
forums and hacker organizations are selling data from scraped Twitter user profiles.
This includes private phone numbers and email addresses, usernames, age, screen
names and account creation dates. Here again the question arises: who is
responsible for this attack? No hacker organization has taken responsibility
for the data breach; the only information available is that a threat
actor named Staymad published the data on a hacking platform. This is one of the
major drawbacks of the Digital Personal Data Protection Act, 2023: it does
not regulate the risk of harm arising from the processing of personal data. Harm
includes identity theft, loss of reputation, financial loss, etc. The Act defines personal data as any data
about an individual who is identifiable by or in relation to such data. This
definition of personal data is very abstract as well as ambiguous, because
images, audio, video and other sensitive data can also come under the purview
of personal data.
Another big loophole is that the Act makes liable only the data fiduciary,
who is responsible for protecting the data, but not third parties such as
hacker organizations who wrongfully gain or misuse the personal data of data
principals.