Privacy Concerns in Cyberspace
Data Collection and Surveillance
Tracking online activities
Every action on the internet — from search queries to page visits — generates digital footprints. Websites, mobile apps, and browser extensions track users using tools like:
- Cookies: Store user preferences, behavior, and login details
- Web beacons and pixel tags: Monitor whether emails or web content were viewed
- IP tracking and device fingerprinting: Collect information about device configurations and locations
This invisible profiling is often done without explicit user consent and is used for targeted advertising, content personalization, and predictive analytics.
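The web beacon mechanism listed above can be checked for from the recipient's side. The following is an added example, not part of the original page: it scans an HTML email body for images that are invisible to the reader yet still fetched when the message is opened. The sample email, the hostnames and the names find_beacons and BeaconFinder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not real traffic): one visible logo, two beacons.
SAMPLE_EMAIL = """<html><body>
<img src="https://shop.example/logo.png" width="200" height="60" alt="Shop">
<p>Your order has shipped.</p>
<img src="https://t.tracker.example/o.gif?uid=8841" width="1" height="1">
<img src="https://shop.example/px?e=a1b2" style="display: none">
</body></html>"""


class BeaconFinder(HTMLParser):
    """Collects <img> tags that the reader cannot see but the mail client still loads."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party  # domain the recipient expects mail from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        host = url.hostname or ""
        style = a.get("style", "").lower().replace(" ", "")
        dims = [a.get(d, "").lower().replace("px", "") for d in ("width", "height")]
        reasons = []
        if all(d in ("0", "1") for d in dims):
            reasons.append("1x1 or zero size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if not reasons:
            return  # a visible image is not treated as a beacon here
        if url.query:
            reasons.append("carries query identifiers")
        if host != self.first_party and not host.endswith("." + self.first_party):
            reasons.append("third-party host")
        self.findings.append({"host": host, "src": a.get("src", ""), "reasons": reasons})


def find_beacons(html, first_party):
    """Return one finding per invisible image, with the reasons it was flagged."""
    finder = BeaconFinder(first_party)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_EMAIL, "shop.example"):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Blocking remote image loading in the mail client prevents these requests from being made at all, which is why the check only needs to look at image tags.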
Government surveillance
State surveillance can involve large-scale monitoring of citizens' internet activities in the name of national security or public order. This includes:
- Central Monitoring System (CMS): India’s lawful interception system for phone and internet surveillance
- NATGRID (National Intelligence Grid): Aggregates data from government and private databases for surveillance purposes
- Absence of comprehensive surveillance law: Surveillance is governed by Section 69 of the IT Act, 2000 and the Indian Telegraph Act, 1885, which provide broad powers to the government
Corporate data mining
Big Tech companies often collect and analyze vast quantities of user data — including demographics, preferences, voice commands, and location — for commercial gain. Issues include:
- Informed consent vs forced consent: Users have no choice but to accept long, complicated privacy policies
- Third-party data sharing: Personal data is shared with advertisers and data brokers
- Algorithmic profiling: Leads to digital discrimination and filter bubbles
This highlights the urgent need for robust data protection legislation and user-centric privacy policies.
Identity Theft and Online Fraud
Nature and Methods
Identity theft refers to the unauthorized use of someone’s personal information (such as Aadhaar number, PAN, credit card details, or passwords) to impersonate them online. It can result in financial loss, reputational harm, or criminal liabilities for the victim.
Common Techniques:
- Phishing: Fraudulent emails or websites trick users into revealing sensitive data
- SIM swapping: Mobile numbers are duplicated to intercept OTPs
- Credential stuffing: Using leaked passwords to access accounts across platforms
- Fake websites/apps: Mimic trusted platforms to deceive users
Legal Remedies
- Section 66C of the IT Act: Punishes identity theft with up to 3 years' imprisonment and a fine of up to ₹1 lakh
- Section 66D: Deals with cheating by personation through communication devices
- IPC Sections 419–420: Provide additional criminal liability for impersonation and fraud
Precautionary Measures
- Use strong passwords and change them regularly
- Enable two-factor authentication (2FA)
- Avoid clicking on suspicious links or attachments
- Use verified payment gateways and secure networks
Balancing privacy with security
The Legal and Ethical Dilemma
The core challenge in cyberspace governance lies in finding a balance between individual privacy and national/institutional security.
Key Debates:
- Right to Privacy: Recognized as a fundamental right under Article 21 (Justice K.S. Puttaswamy v. Union of India, 2017)
- Government Surveillance Powers: Legal but must be reasonable, proportionate, and necessary
- Encryption: Protects privacy but limits law enforcement's access to data
Need for Data Protection Law
To achieve this balance, India has enacted the Digital Personal Data Protection Act, 2023, which aims to:
- Define boundaries of data processing
- Ensure legitimate use by the State and businesses
- Safeguard against misuse of surveillance powers
Conclusion
Privacy and security are not opposing concepts but complementary. A well-defined legal framework, transparent oversight, and technological safeguards are essential for building trustworthy digital ecosystems.
Legal Protection of Privacy Online
Constitutional Right to Privacy (Article 21)
Judicial pronouncements (Justice K.S. Puttaswamy Case)
The Right to Privacy was declared a Fundamental Right under Article 21 of the Indian Constitution by a 9-judge Bench of the Supreme Court in the landmark case:
Justice K.S. Puttaswamy (Retd.) vs Union of India, 2017
Key Highlights of the Judgment:
- Privacy is intrinsic to the right to life and personal liberty under Article 21.
- Right to privacy includes informational privacy, bodily integrity, and autonomy.
- State interference in privacy must satisfy the tests of legality, necessity, proportionality, and procedural safeguards.
- Laid the groundwork for data protection legislation in India.
Impact: This judgment has influenced the framing of the Digital Personal Data Protection Act, 2023 and led to the scrutiny of government surveillance laws.
Information Technology Act, 2000
Section 72: Breach of Confidentiality and Privacy
This section penalizes any person who, having secured access to any electronic record, book, register, correspondence, or information through powers conferred under the Act, discloses it without consent to any other person.
- Punishment: Imprisonment up to 2 years or fine up to ₹1 lakh or both
- Applies to intermediaries, employees, or any authorized personnel handling user data
Section 43A: Compensation for failure to protect data
This section imposes civil liability on a body corporate for negligent handling of sensitive personal data.
Key Elements:
- Body corporate includes companies, firms, and sole proprietorships engaged in commercial activities
- If failure to implement "reasonable security practices" results in a wrongful gain/loss, the victim is entitled to compensation
- Details of what constitutes "reasonable security" are prescribed under the SPDI Rules, 2011 (Sensitive Personal Data and Information Rules)
Example: A digital wallet company that stores customer card details without encryption may be liable under Section 43A if that data is breached.
Digital Personal Data Protection Act, 2023
Overview and Objectives
The Digital Personal Data Protection Act, 2023 is a comprehensive law enacted to protect individuals' personal data in the digital ecosystem and to regulate the processing of such data.
Key Definitions:
- Data Principal: The individual whose data is being collected
- Data Fiduciary: The entity (company/organization) determining the purpose and means of processing
Salient Provisions
- Consent-based processing: Personal data can only be processed with the free, informed, specific, and unambiguous consent of the data principal
- Rights of individuals: Right to access, correction, erasure, and grievance redressal
- Duties of data fiduciaries: Implement security safeguards, notify breaches, and maintain transparency
- Establishment of the Data Protection Board of India: A quasi-judicial authority to oversee compliance and redress grievances
Penalties
- Failure to protect personal data: up to ₹250 crore
- Failure to notify breaches: up to ₹150 crore
Conclusion: This law, combined with constitutional protections and the IT Act, forms a robust framework to uphold digital privacy and data sovereignty in India.