CYBER LEGAL DEVELOPMENTS IN INDIA IN 2020
BY
DR. PAVAN DUGGAL
ADVOCATE, SUPREME COURT OF INDIA
PRESIDENT, CYBERLAWS.NET
The year 2020 has been dominated by Covid-19. The year, which saw the beginning of the pandemic, also saw various developments in Cyberlaw in India. In this article, we examine some of the important Cyberlaw developments that took place in India in the year 2020.
Golden Age of Cybercrime in India
In India, in the year 2020, we saw the emergence of a golden age of cybercrimes, proliferating at an exceptional and unprecedented speed in India. Phishing became the most prevalent cybercrime in the Indian context in the year 2020. Further, identity theft and frauds were also not far beyond in terms of targeting innocent Indians into becoming victims of cybercrimes. Losses that Indians have been incurring as a result of increasing cybercrimes have been constantly growing.
The number of local threats in Q1 2020 in India (52,820,874) shows how frequently users are attacked by malware spread via removable USB drives, CDs and DVDs, and other “offline” methods.[1]
India also ranks 11th worldwide in the number of attacks caused by servers that were hosted in the country, which accounts of 2,299,682 incidents in Q1 2020 as compared to 854,782 incidents detected in Q4 2019,[2]
Last year, it was estimated that Rs 1.25 lakh crore were lost due to cyber crimes in India.[3]
Work From Home and related challenges
With the coming of Covid-19 and national lockdowns and with cybercriminals weaponizing fear and panic, more and more Indians became victims of cybercrime. The year 2020 also saw India announcing a national lockdown in little advance notice. As such, most of the Indian corporates were not prepared to deal with the Work From Home concept. The increasing demand by the time dictated that Indian corporates migrated quickly to Work From Home strategies.
After a lot of teething troubles, Indian companies started adjusting themselves into Work From Home paradigm. However, the Covid-19 period underlined that the Indian IT legal frameworks were not ready for Work From Home. There have been massive learnings from the Work From Home experience in 2020 which need to be duly incorporated under the existing Cyberlegal frameworks.
Increasing Cyber Security Attacks and Breaches
With more and more employees working from home, India saw cybersecurity attacks also substantially increasing, which were targeting devices used by employees while Working From Home.
India also saw massive cybersecurity breaches in 2020. Ransomware attacks kept on consolidating their preeminent position. More and more Indian companies became a victim of ransomware attacks on Cognizant[4], Haldiram[5], Honda[6], Dr. Reddy’s Laboratories[7], Lupin[8], and BigBasket[9].
The constantly increasing cybersecurity breaches in India were also accompanied by various attacks on the Critical Information Infrastructure of the country like Electricity Grids and related networks. Mumbai power outage is an example in this regard.[10]
Need for India to have a dedicated law on Cyber Security
The year 2020 was also important as number of attacks took place on Indian networks. These attacks were in sync with other attacks that have been targeted on computer networks of various countries. These cyber security attacks once again underlined the need for India to protect and preserve cybersecurity.
These cybersecurity attacks and breaches once again pointed out the urgent need for India to come up with dedicated law on cybersecurity. This becomes all the more apparent, since Indian Cyberlaw is not a cybersecurity law. The Prime Minister in his address from the ramparts of the Red Fort on the occasion of Independence Day 2020, highlighted that India is soon getting its robust cybersecurity policy.[11]
As India moves forward, it is imperative that India must supplement its cybersecurity strategy with appropriate dedicated law on cybersecurity. India needs to learn from the experiences of other countries like China, Singapore, Vietnam, and Australia and come up with dedicated cybersecurity legal frameworks so that we as a nation can go far beyond, merely providing lip service to cybersecurity.
Data Protection
The year 2020 saw developments in India to further strengthen the proposed data protection legislation. The Parliament of India had already sent the Personal Data Protection Bill, 2019 for deliberations of the Joint Parliamentary Committee. This year saw the Joint Parliamentary Committee doing various deliberations on different aspects of the Personal Data Protection Bill, 2019. Various representatives of different companies were called to answer the queries of the Committee. The Committee’s deliberations still continue. The Committee’s recommendations are important as the Personal Data Protection Bill, 2019 is India’s foray in the area of data protection. It is imperative that India must do all that it takes to have in place, a strong and efficient data protection legal regime.
Increasing Fake News and Related Challenges
The year 2020 also saw a massive increase in fake news in India. The Covid-19 was the singular most significant element, contributing to growing fake news in India. Cyber criminals started using Covid-19 as the basis for further dissemination of fake news. Though, the Government of India issued an advisory to intermediaries to implement appropriate mechanisms to prevent the dissemination of fake news, clearly, that was not enough to prevent the massive dissemination of fake news in India.
In March 2020, the Union Home Secretary, Government of India wrote a letter to all Chief Secretaries and Administrators of States/Union Territories to encourage them to take steps to stop fake news.[12]
A massive increase of fake news in India has further highlighted the need for India to have dedicated legal frameworks on fake news. India as a nation does not have a dedicated law on fake news. Having a dedicated law on fake news is of urgent necessity in order to regulate the further dissemination of fake news.
Aarogya Setu and connected challenges
We have also seen other developments in India that impact Cyberlaw. One of the most significant developments in this regard has been the advent and adoption of the AarogyaSetu app. AarogyaSetu app is India’s Covid-19 contact tracing app, which demonstrates immense challenges. The said app was seen as a hurried response to deal with Covid-19 challenges. However, it also raised various cyber legal issues inasmuch as the said app could not demonstrate through its legal terms as to how it complies with the parameters of Indian Cyberlaw.
AarogyaSetu app raised immense privacy related ramifications as it is still not clear as to how humungous volumes of health data captured by the AarogyaSetu app is being dealt with, processed or handled. The nebulous terms of the AarogyaSetu app enables data of this app to be accessed by various governmental agencies. With fears that the AarogyaSetu app is violating personal privacy and data privacy, the app generated immense controversy. The intention of the Government to make it mandatory, resulted in massive hue and cry on social media and consequently, the Government decided to make the use of the said app voluntary, not mandatory.
AarogyaSetu app experiment shows that India requires strong privacy laws. We are also likely to see more privacy litigations in the coming times. Given the launch and use of AarogyaSetu app, the absence of dedicated privacy law in India effectively negated some of the benefits that were conferred by the judgment of the Hon’ble Supreme Court of India in the case of Justice Puttaswamy v/s Union of India. In the said landmark judgment, the right to privacy was declared as a fundamental right and an integral part of the right to life under Article 21 of the Constitution of India.
Increasing Importance of Cyber Sovereignty
The importance of cyber sovereignty as a concept assumed far greater proportion in the year 2020 as the Government increasingly relied upon the significance of protecting its cyber sovereign interests. Numerous developments took place in the year 2020, which highlighted the need for India to protect and preserve its cybersecurity ecosystem.
Growing Cyber Legal Realization
The year 2020 was also the year where more and more Indians jumped on the digital bandwagon. With national lockdown and subsequent restrictions in India, the digital medium became the defacto mode of communication. With increasing activities being done on the electronic ecosystem, the importance of Cyberlaw in India increased massively. People slowly started realizing that all of their acts done in the digital and mobile ecosystem, are already covered under the Indian Cyberlaw. There is also growing realization amongst stakeholders and users that all activities done using computers, computer systems, computer networks, computer resources, and communication devices in India, are covered under the Indian Cyberlaw.
The aforesaid were some of the key developments that took place in the year 2020. The year 2020 was a very eventful year. The said year itself contributed in its own manner in the further growth of Cyberlaw in the Indian Sub-Continent. These developments were indeed significant as a lot of countries are following the manner, how Cyberlaw jurisprudence in India is evolving. There were lot of lessons learnt by these developments concerning the Cyberlaw developments in India.
Hopefully, the Government and other stakeholders would learn from these developments and come up with appropriate holistic approaches to deal with various challenges thrown up by Indian cyberspace.
The author Dr. Pavan Duggal, Advocate, Supreme Court of India, is an internationally renowned expert authority on Cyberlaw and Cybersecurity law. He has been acknowledged as one of the top four Cyber lawyers in the world. He is also the Chairman of International Commission on Cybersecurity Law. You can reach him at pavan@pavanduggal.com. More about Dr.Pavan Duggal is available at www.pavanduggal.com.
[1] ET CISO (2020). 37% increase in cyberattacks in India in Q1 2020: Report. [online] ETCISO.in. Available at: https://ciso.economictimes.indiatimes.com/news/37-increase-in-cyberattacks-in-india-in-q1-2020-report/75962696#:~:text=37%25%20increase%20in%20cyberattacks%20in%20India%20in%20Q1%202020%3A%20Report,-India%20has%20seen&text=The%20data%20also%20shows%20that,position%20globally%20in%20Q4%202019. [Accessed 30 Dec. 2020].
[2] Supra Note 1
[3] PTI (2020). Cyber crimes in India caused Rs 1.25 lakh cr loss last year: Official. [online] The Economic Times. Available at: https://economictimes.indiatimes.com/tech/tech-bytes/cyber-crimes-in-india-caused-rs-1-25-lakh-cr-loss-last-year-official/articleshow/78773214.cms [Accessed 30 Dec. 2020].
[4]AnandiChandrashekhar (2020). Cognizant hit by “Maze” ransomware attack. [online] The Economic Times. Available at: https://economictimes.indiatimes.com/tech/internet/cognizant-hit-by-maze-ransomware-attack/articleshow/75228505.cms?from=mdr [Accessed on 18 Nov. 2020 at 19:14 IST].
[5] PTI (2020). Haldiram’s crucial data stolen; hackers demand ₹7.50 lakh to release information. [online] mint. Available at: https://www.livemint.com/companies/news/haldiram-s-crucial-data-stolen-hackers-demand-rs-7-50-lakh-to-release-information-11602893857224.html [Accessed on 18 Nov. 2020 at 19:16 IST].
[6] Tidy, J. (2020). Honda’s global operations hit by cyber-attack. [online] BBC News. Available at: https://www.bbc.com/news/technology-52982427 [Accessed on 18 Nov. 2020 at 19:18 IST].
[7]PrabhaRaghavan (2020). Dr Reddy’s isolates data centre services after cyber attack. [online] The Indian Express. Available at: https://indianexpress.com/article/business/companies/dr-reddys-isolates-data-centre-services-after-cyber-attack-6846787/ [Accessed on 18 Nov. 2020 at 19:20 IST].
[8]BusinessToday.In (2020). Lupin hit by cyberattack; threat increases for pharma firms amid PANDEMIC. [online] Businesstoday.in. Available at: https://www.businesstoday.in/sectors/pharma/lupin-hit-by-cyberattack-threat-increases-for-pharma-firms-amid-pandemic/story/421348.html [Accessed on 18 Nov. 2020 at 19:22 IST].
[9] Today, I. (2020). AnkitaChakravarti. [online] India Today. Available at: https://www.indiatoday.in/technology/features/story/bigbasket-confirms-data-breach-of-2-crore-bb-users-here-is-what-we-know-so-far-1739342-2020-11-09 [Accessed on 18 Nov. 2020 at 19:24 IST].
[10]https://www.indiatoday.in/india/story/mumbai-power-outage-malware-attack-1742538-2020-11-20
[11]https://theprint.in/india/india-to-get-new-robust-cyber-security-policy-soon-says-pm-modi/482356/
[12]https://www.mha.gov.in/sites/default/files/PR_DOletterstoChiefSecretariesAdministratorsandAdvisersonSupremeCourtOrderon_31032020.pdf (Accessed on 18th December, 2020 at 10.30 am)