UNIT –IV
Data Protection and Cyber security Laws
General Data Protection Regulation (GDPR) - its impact on Fin Tech - CCPA, DPAs-
Powers and functions of CCPA & DPA - Cyber security regulations in India – Indian
Cyber Security regulation bodies.
GDPR:
The General Data Protection Regulation (GDPR) is a comprehensive data
protection law in the European Union that came into effect on May 25, 2018. It
aims to enhance individuals' control over their personal data and unify data
protection laws across Europe.
The GDPR 2016 has eleven chapters, concerning general provisions, principles,
rights of the data subject, duties of data controllers or processors, transfers of personal
data to third-party countries, supervisory authorities, cooperation among member states,
remedies, liability or penalties for breach of rights, provisions related to specific
processing situations, and miscellaneous final provisions. Recital 4 proclaims that
“processing of personal data should be designed to serve mankind.”
History of the GDPR:
The right to privacy is part of the 1950 European Convention on Human Rights, which
states, “Everyone has the right to respect for his private and family life, his home and his
correspondence.” From this basis, the European Union has sought to ensure the protection
of this right through legislation.
The EU passed the Data Protection Directive in 1995 to set minimum privacy standards.
Meanwhile, the Internet rapidly expanded—first banner ad (1994), online banking (2000),
and Facebook public launch (2006).
By 2011, concerns deepened when a Google user sued over email scanning. That same
year, EU regulators called for stronger protections. This led to efforts to update the 1995
directive into modern data privacy laws.
The GDPR entered into force in 2016 after passing European Parliament, and as
of May 25, 2018, all organizations were required to be compliant.
Scope, penalties, and key definitions:
First, if you process the personal data of EU citizens or residents, or you offer goods or
services to such people, then the GDPR applies to you even if you’re not in the EU. We
talk more about this in another article.
Second, the fines for violating the GDPR are very high. There are two tiers of penalties,
which max out at €20 million or 4% of global revenue (whichever is higher), plus data
subjects have the right to seek compensation for damages. We also talk more about
GDPR fines.
The GDPR defines an array of legal terms at length. Below are some of the most
important ones that we refer to in this article:
Personal data — Personal data is any information that relates to an individual who can
be directly or indirectly identified. Names and email addresses are obviously personal
data. Location information, ethnicity, gender, biometric data, religious beliefs, web
cookies, and political opinions can also be personal data. Pseudonymous data can also fall
under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The
examples cited in the text include collecting, recording, organizing, structuring, storing,
using, erasing… so basically anything.
Data subject — The person whose data is processed. These are your customers or site
visitors.
Data controller — The person who decides why and how personal data will be
processed. If you’re an owner or employee in your organization who handles data, this is
you.
Data processor — A third party that processes personal data on behalf of a data
controller. The GDPR has special rules for these individuals and organizations. These
could include cloud servers, like Google Drive, Proton Drive, or Microsoft OneDrive, or
email service providers, like Proton Mail.
Pseudonymisation — Pseudonymisation is a required process for stored data that
transforms personal data in such a way that the resulting data cannot be attributed to a
specific data subject without the use of additional information (as an alternative to the
other option of complete data anonymisation).[30] An example is encryption, which
renders the original data unintelligible in a process that cannot be reversed without access
to the correct decryption key. The GDPR requires the additional information (such as
the decryption key) to be kept separately from the pseudonymised data.
Data protection principles
If you process data, you have to do so according to seven protection and accountability
principles outlined in Article 5.1-2:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and
transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified
explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely
necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as
necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure
appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR
compliance with all of these principles.
Data protection by design and by default:
From now on, everything you do in your organization must, “by design and by default,”
consider data protection. Practically speaking, this means you must consider the data
protection principles in the design of any new product or activity. The GDPR covers this
principle in Article 25.
Suppose, for example, you’re launching a new app for your company. You have to think
about what personal data the app could possibly collect from users, then consider ways to
minimize the amount of data and how you will secure it with the latest technology.
Consent:
There are strict new rules about what constitutes consent from a data subject to process
their information.
Consent must be “freely given, specific, informed and unambiguous.”
Requests for consent must be “clearly distinguishable from the other matters” and
presented in “clear and plain language.”
Data subjects can withdraw previously given consent whenever they want, and
you have to honor their decision. You can’t simply change the legal basis of the
processing to one of the other justifications.
Children under 13 can only give consent with permission from their parent.
You need to keep documentary evidence of consent.
Data Protection Officers
Contrary to popular belief, not every data controller or processor needs to appoint
a Data Protection Officer (DPO). There are three conditions under which you are required
to appoint a DPO:
You are a public authority other than a court acting in a judicial capacity.
Your core activities require you to monitor people systematically and regularly on
a large scale. (e.g. You’re Google.)
Your core activities are large-scale processing of special categories of data listed
under Article 9 of the GDPR or data relating to criminal convictions and offenses
mentioned in Article 10. (e.g. You’re a medical office.)
You could also choose to designate a DPO even if you aren’t required to. There
are benefits to having someone in this role. Their basic tasks involve
understanding the GDPR and how it applies to the organization, advising people
in the organization about their responsibilities, conducting data protection
trainings, conducting audits and monitoring GDPR compliance, and serving as a
liaison with regulators.
People’s privacy rights:
You are a data controller and/or a data processor. But as a person who uses the Internet,
you’re also a data subject. The GDPR recognizes a litany of new privacy rights for data
subjects, which aim to give individuals more control over the data they loan to
organizations. As an organization, it’s important to understand these rights to ensure you
are GDPR compliant.
Below is a rundown of data subjects’ privacy rights:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
FYI:
Businesses collect personal data and they have often sold that information—
sometimes without the consent of their consumers. But laws have been put into place in
parts of the world to help protect individuals. Rules under the General Data Protection
Regulation went into effect in the European Union in 2018. Under the law, companies
must protect consumer data and inform them how their information is used. It has a broad
reach, extending beyond the borders of the EU.
Implications for the FinTech sector under each of the 7 key
GDPR areas
1. Customer’s Consent
The GDPR’s strict requirements for explicit and informed consent significantly reshape
how FinTech companies engage with customers and collect data.
FinTech firms often collect data through mobile apps, online platforms, APIs, and
embedded finance tools. With GDPR, the scope of what constitutes “personal data” is
broad — covering everything from names and contact info to IP addresses, geolocation,
and behavioral data (which many FinTechs rely on for credit scoring, fraud detection, or
marketing).
This regulation creates pressure on FinTechs to:
Redesign user journeys to ensure clarity and transparency around consent
collection.
Reassess data-driven business models, such as profiling and automated decision-
making, which may now require separate consent.
Retroactively address historic data collected under looser regulations—consent
that was once considered valid may now be non-compliant.
For firms offering AI-based financial services or real-time analytics, this could mean a
significant compliance burden or the need to alter how algorithms process and use
personal data.
2. Biometric Data in Financial Transactions
Biometric data—such as facial recognition, fingerprints, voice, or iris scans—is
increasingly used by FinTech apps for authentication, onboarding (eKYC), and fraud
prevention. Under GDPR, this data is considered “special category” data, which
requires a higher level of protection and explicit consent.
For FinTech firms:
This raises compliance complexity when integrating biometric-based login or ID
verification, especially with third-party biometric service providers.
Any failure or breach involving biometric data could lead to severe
reputational damage, since biometric identifiers are irreplaceable (unlike
passwords).
Since biometrics are used as proof of identity, GDPR enforces rigorous risk
assessments (DPIAs), forcing FinTechs to justify the necessity and
proportionality of using such data.
As a result, even as biometrics offer seamless user experience and strong security,
FinTechs must carefully balance innovation and compliance, particularly when
operating in multiple jurisdictions.
3. Right to Be Forgotten (Data Erasure)
GDPR’s "Right to be Forgotten" places a legal obligation on FinTech firms to erase
personal data upon user request, unless retention is justified under another law.
This has profound implications for:
Data storage architecture: FinTechs must ensure data can be isolated and
removed across multiple systems, backups, and platforms.
Legacy systems: Older systems may not be equipped to comply with erasure
requests, requiring costly overhauls.
Regulatory conflicts: FinTechs often need to retain certain data for regulatory
compliance (e.g., Anti-Money Laundering laws require records be kept for 5–10
years). Determining when GDPR overrides or defers to sector-specific laws
requires legal interpretation on a case-by-case basis.
Furthermore, FinTechs using profiling or automated decision-making (e.g., algorithmic
lending) may be forced to remove not just data but also inferences derived from it,
affecting the integrity of credit models or user risk scores.
4. Communicating a Security Breach
FinTech firms are custodians of highly sensitive financial data, making them prime
targets for cyberattacks and data breaches. GDPR requires that breaches affecting
personal data be reported to data protection authorities within 72 hours and to affected
individuals "without undue delay".
For FinTechs, this introduces several implications:
Operational strain: The 72-hour deadline leaves little time to investigate, assess
risk, and communicate the breach.
Market impact: Public disclosure of breaches can shake investor and consumer
confidence, especially for startups or scale-ups.
Legal exposure: If a FinTech fails to notify on time or cannot demonstrate
accountability, it faces heavy fines and potential litigation.
Cross-border complexity: Many FinTechs operate across the EU or globally, so
breach notification may involve multiple jurisdictions and supervisory authorities,
complicating response protocols.
This regulation elevates cybersecurity and incident response from a technical issue to a
strategic and legal priority.
5. Supplier Management (Third Parties and Data Processors)
The FinTech sector is heavily reliant on outsourced services and cloud infrastructure
— from KYC providers and payment processors to AI analytics platforms and CRM
systems.
GDPR’s provisions on data processors mean:
FinTechs cannot shift accountability to vendors. Ultimate responsibility lies with
the data controller — i.e., the FinTech firm itself.
Any weak link in the data processing chain (e.g., a non-compliant subcontractor)
could lead to regulatory penalties for the FinTech.
FinTechs working with non-EU entities (especially US-based cloud services or
AI providers) must ensure cross-border data transfers comply with GDPR (e.g.,
through Standard Contractual Clauses, adequacy decisions, or Binding Corporate
Rules).
This greatly increases the compliance due diligence burden for FinTechs, especially
smaller firms scaling rapidly and integrating many vendors.
6. Pseudonymisation
Pseudonymisation, under GDPR, refers to processing personal data in a way that it can
no longer be attributed to a specific individual without additional information.
This presents both challenges and opportunities for FinTechs:
Pseudonymisation can reduce compliance risks, as it allows more flexible
processing of data while still maintaining a degree of individual protection.
It enables FinTechs to perform analytics, AI modeling, or behavioral
segmentation without needing to rely on fully identifiable data — which is useful
in developing products or fraud models.
However, because pseudonymised data is still personal data, it must be protected
under GDPR, and if improperly managed (e.g., re-identification is easy), it offers
no legal benefit.
For FinTechs aiming to leverage large-scale data for innovation, pseudonymisation
becomes a critical tool for achieving a privacy-conscious data strategy.
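The pseudonymisation the notes describe (additional information held separately, re-identification only with that information, and no legal benefit if re-identification is easy) is shown below as an added example. It is not code from these notes or from any regulation text; the PseudonymVault class, its methods and the customer records are constructed for illustration. Direct identifiers are replaced by keyed tokens, the key and the token mapping live in a separate vault, a single subject's erasure is done by dropping the vault entry while the analytics row stays usable, and a re-identification check shows why an unkeyed hash of a predictable identifier does not count as pseudonymisation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records (not real customers): direct identifiers plus
# the attributes a fraud or analytics team actually needs.
CUSTOMERS = [
    {"customer_id": "C100234", "email": "asha@example.com", "spend_eur": 410.0, "country": "DE"},
    {"customer_id": "C100235", "email": "ben@example.com", "spend_eur": 95.5, "country": "FR"},
    {"customer_id": "C100236", "email": "chen@example.com", "spend_eur": 1280.0, "country": "NL"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


@dataclass
class PseudonymVault:
    """The 'additional information' of GDPR Art. 4(5): a secret key plus the
    token -> identifier mapping. It is kept apart from the pseudonymised
    dataset (here a separate object; in production a separate service with
    its own access control and audit log), which is the separation the
    notes say GDPR requires. Class name and layout are hypothetical."""
    key: bytes
    mapping: dict = field(default_factory=dict)

    def tokenize(self, value):
        # Keyed hash (HMAC-SHA256, truncated to 64 bits for readability).
        # Without the key a token cannot be recomputed from a guessed
        # identifier, so a leaked dataset stays pseudonymous.
        token = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.mapping[token] = value
        return token

    def reidentify(self, token):
        """Reverse a token, e.g. to answer a subject access request."""
        return self.mapping.get(token)

    def erase(self, token):
        """Erasure for one subject: dropping the vault entry leaves the
        analytics row in place but no longer attributable to anyone."""
        self.mapping.pop(token, None)


def pseudonymise(records, vault):
    """Replace direct identifiers with a vault token; keep the rest."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = vault.tokenize(rec["customer_id"])
        out.append(row)
    return out


def naive_pseudonym(value):
    """Unkeyed SHA-256 of the identifier: a common but weak substitute."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def reidentification_check(token, candidates, tokenizer):
    """The check the notes call for ('if re-identification is easy, it
    offers no legal benefit'): with no secret at all, can the token be
    linked back to one of a plausible set of identifiers? Returns the
    matching identifier, or None if the scheme holds up."""
    for candidate in candidates:
        if tokenizer(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymVault(key=secrets.token_bytes(32))
    dataset = pseudonymise(CUSTOMERS, vault)
    print(dataset[0])                       # no email, no customer_id
    tok = dataset[0]["subject_token"]
    print(vault.reidentify(tok))            # C100234, only via the vault
    vault.erase(tok)
    print(vault.reidentify(tok))            # None after erasure

    # Customer numbers are sequential, so the candidate set is tiny.
    candidates = [f"C{n}" for n in range(100000, 101000)]
    print(reidentification_check(naive_pseudonym("C100235"), candidates, naive_pseudonym))
    print(reidentification_check(dataset[1]["subject_token"], candidates,
                                 PseudonymVault(key=secrets.token_bytes(32)).tokenize))
```

The last two calls are the point of the example: the unkeyed hash of a sequential customer number is linked back in under a thousand guesses, while the keyed token is not, because the key never leaves the vault. Whether the vault mapping must also survive (for access requests) or be dropped (for erasure) is a per-subject decision, which is why it is a separate store rather than a column in the dataset.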
7. Sanctions and Penalties
GDPR introduces unprecedented levels of fines:
Up to €20 million or 4% of annual global turnover for serious breaches (e.g.,
unlawful data processing, insufficient consent, security failures).
Up to €10 million or 2% of turnover for lesser infractions (e.g., poor record-
keeping, delayed breach reporting).
For FinTechs — especially startups and mid-sized firms — these fines can be
existentially threatening, even before considering:
Regulatory investigations
Investor concerns
Customer attrition and reputational fallout
Additionally:
Compliance violations can trigger class action lawsuits or data subject
complaints, leading to long-term litigation and legal costs.
Regulatory scrutiny is especially high for FinTechs due to the sensitive and high-
value nature of financial data.
Ultimately, the GDPR transforms data protection from an operational concern to a
board-level issue, requiring senior management involvement and long-term risk
management.
California Consumer Privacy Act (CCPA) – In-Depth
Overview
1. Legislative Origins & Context
Background & Socio-Political Context:
Enacted in 2020, the CCPA represents a landmark California state law created in
response to growing concerns about consumer privacy in the digital era. Within
the evolving data economy, where personal data is often described as the "new
gold," corporate entities increasingly mine vast amounts of personal information
for marketing and business intelligence purposes. Against this backdrop, the
CCPA embodies a consumer-driven movement to restore individual agency over
personal data, giving California residents enforceable rights and legal recourse,
including private rights of action in case of data breaches.
The law’s creation marks a forceful push to bolster cybersecurity and privacy
protections at a time when personal data exploitation and breaches have become
systemic issues.
Scope & Applicability:
The CCPA applies to any for-profit business operating in California that
collects personal information from California residents and meets certain
thresholds (annual revenues over $25 million, handling data of over 50,000
consumers or households, or deriving 50% or more of revenue from selling
personal data).
Its extraterritorial reach compels even companies outside California to
comply if they process data related to California consumers.
2. Key Legal Provisions & Definitions Relevant to FinTech
Definition of Personal Information (PI):
The CCPA adopts a notably broad definition of PI, including not only traditional
identifiers like name, address, email, and Social Security number, but also digital
identifiers such as IP addresses, device IDs, browsing history, and geolocation
data. This comprehensive scope extends to include data collected via cookies—
both first-party (which self-delete) and persistent third-party cookies—
acknowledging their capacity to serve as unique identifiers and privacy risks. The
law even protects data linked indirectly to a consumer or their household,
encompassing complex data analytics and profiling that generate inferences or
composite consumer views.
Consumer Rights Under the CCPA:
The law grants California residents several key rights that directly impact how
FinTech startups handle consumer data:
o Right to Know: Consumers can request disclosure of all personal data
collected, its sources, purposes, and categories of third parties with whom
the data is shared.
o Right to Delete: Consumers may request deletion of personal data, subject
to certain exceptions including regulatory compliance obligations inherent
to financial institutions (e.g., anti-money laundering, fraud prevention).
o Right to Opt-Out: Consumers can opt out of the “sale” of their personal
information. The CCPA’s expansive interpretation of “sale” can include
sharing data with third-party service providers, creating operational
challenges for FinTechs that rely on extensive data-sharing ecosystems
and API-based models.
o Right to Non-Discrimination: Exercising privacy rights cannot result in
service denial, price increases, or other penalties.
Business Obligations:
Businesses must provide clear, timely privacy notices at or before data collection,
maintain secure data storage, and establish accessible processes to manage
consumer requests promptly. For minors under 16, opt-in consent is mandatory
prior to selling their personal data.
3. Operational Implications for FinTech Startups
Consumer-Centric Mindset Shift:
Compliance starts with recognizing consumer privacy as a fundamental right
rather than a regulatory hurdle. FinTech startups must reorient their data
governance with transparency, accountability, and security as foundational
principles.
Data Inventory & Management:
Effective compliance requires thorough identification and cataloging of all
consumer data held—both externally collected customer data and internally
generated employee or applicant data. Data minimization practices limit PI
collection to what is strictly necessary, balancing business needs against privacy
risks.
Consumer Communication & Consent:
Clear “notice at collection” disclosures must be provided upfront, describing data
uses and rights. Opt-out and deletion mechanisms should be straightforward and
reliable. These are especially critical in onboarding and Know Your Customer
(KYC) procedures, which inherently involve collecting sensitive personal data.
Handling Data Sales & Sharing:
The broad CCPA definition of “sale” means that even data sharing with third-
party service providers may trigger opt-out obligations. This ambiguity requires
FinTech companies to carefully draft contracts and implement technical controls
ensuring third parties comply with CCPA standards.
Security & Breach Remediation:
While the CCPA itself does not impose explicit breach notification timelines, the
California Data Breach Notification Law complements it, mandating swift
consumer alerts in case of unauthorized data access. The CCPA also grants a 30-
day cure period for companies to address violations, potentially avoiding penalties
if timely remediation occurs.
Innovations & Emerging Technologies:
The CCPA is evolving alongside technology. The California Privacy Protection
Agency (CPPA) recently emphasized attention to data generated by connected
vehicles (CVs) and IoT devices, recognizing these “computers on wheels” as
potent sources of personal data that implicate both driver and bystander privacy.
This development underscores the need for FinTech startups engaged in emerging
mobility or IoT sectors to anticipate future regulatory focus.
4. Regulatory Grey Areas & Challenges
Defining “Sale” of Data:
Interpretative uncertainty about what constitutes a “sale” can complicate
compliance, especially for FinTech platforms utilizing data-sharing partnerships
or monetizing user data indirectly.
Household-Level Data:
Protection extends to data tied to entire households, which complicates consent
and deletion processes for shared accounts or devices.
Overlap with Federal Financial Privacy Laws:
The CCPA interacts with sector-specific federal laws such as the Gramm-Leach-
Bliley Act (GLBA), raising questions about which privacy regime takes
precedence and how conflicting requirements can be reconciled.
Third-Party Risk Management:
Both CCPA and GDPR require transparency about third-party data sharing, but
ensuring third-party compliance remains a complex operational challenge.
5. CCPA in Relation to GDPR
While both laws seek to empower individuals regarding their personal data and
impose rigorous transparency and access rights, CCPA uniquely emphasizes
restrictions on the sale of personal data—a concept not explicitly regulated under
the GDPR.
GDPR mandates a lawful basis for data processing, often requiring explicit
consent, whereas the CCPA allows opt-out post-collection for sales but does not
require opt-in consent for all processing.
CCPA enforcement focuses on California residents and businesses, while GDPR
applies broadly across the EU and globally to entities processing EU data.
Both laws grant strong enforcement powers to regulators, but the CCPA
introduces a private right of action for consumers in cases of certain data breaches,
creating additional litigation risks.
6. Enforcement & Penalties
California Privacy Protection Agency (CPPA):
Established to enforce the CCPA with robust authority, including issuing
regulations, conducting audits, and investigating complaints.
Penalties:
o Up to $2,500 per unintentional violation and $7,500 for intentional
violations.
o Penalties are calculated per affected consumer; thus, large data breaches
affecting thousands can result in massive fines.
o However, a 30-day cure period allows companies to remedy violations and
potentially avoid fines, incentivizing prompt corrective actions.
7. Continuous Compliance & Future Outlook
Ongoing Adaptation:
Given rapid technological evolution and expanding use cases (e.g., IoT, connected
vehicles), maintaining compliance requires ongoing monitoring of CCPA updates
and CPPA guidance.
Industry-Specific Challenges:
FinTech startups must carefully align privacy protections with regulatory
mandates related to financial data, balancing innovation with legal compliance.
Consumer Trust as a Competitive Advantage:
Transparent, respectful data practices foster customer trust, which is increasingly
recognized as essential for FinTech growth and sustainability.
Data Processing Agreements
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a legally binding contract between a
data controller and a data processor. It outlines how personal data will be
handled, protected, and processed on behalf of the controller.
This contract ensures clarity of roles and responsibilities related to personal data
management and compliance with data protection laws.
DPAs are essential when a company uses external services such as Customer
Relationship Management (CRM) platforms, Customer Data Platforms (CDP),
analytics tools, or any other service that processes personal data on the company’s
behalf.
The obligation to have a DPA is mandated by GDPR and the UK Data Protection
Act 2018, as well as earlier data protection directives.
Why are DPAs Critical for Compliance?
They establish clear responsibilities and accountability for both parties regarding
data privacy.
DPAs ensure that processors comply with relevant data protection obligations,
safeguarding data subject rights.
They help controllers demonstrate compliance during audits or investigations by
data protection authorities.
Clear contracts build trust with data subjects, reassuring them that their personal
data is handled securely.
Key Elements of a GDPR-Compliant Data Processing Agreement
1. General Clauses
o Subject of the Agreement: Describes the overall relationship and the
processing activities covered.
o Scope, Nature, and Duration of Processing: Defines how personal data
will be processed, the purpose, and the timeframe.
o Categories of Data Subjects: Specifies whose data is being processed
(e.g., customers, employees, children).
o Types of Personal Data: Details the categories of personal data involved
(e.g., names, IP addresses, financial info).
o Data Storage & Transfers: Instructions on where data can be stored and
how international transfers are managed, especially important post-Privacy
Shield invalidation.
o Termination Conditions: Requires deletion or return of data upon
contract end and outlines termination rights (e.g., breach notification
failures).
2. Rights and Responsibilities of the Data Controller
o Controllers must ensure lawful processing, obtain consent where
necessary, and respond to data subject requests.
o They provide clear instructions to processors and appoint contacts to
manage data protection issues.
3. Responsibilities of the Data Processor
o Processors must implement adequate security measures and only process
data according to the controller’s instructions.
o They must not engage sub-processors without prior approval.
o Processors must report breaches immediately and assist controllers in
handling requests and investigations.
o Keeping detailed records of processing activities is mandatory.
o Compliance with EU data transfer rules must be ensured.
o Assist controllers in meeting data subject rights (access, deletion,
portability).
o Processors must delete or return all data at contract termination.
o They must inform controllers if instructions violate GDPR.
4. Technical and Organizational Measures
o Under Article 32 GDPR, processors must apply:
Data pseudonymization and encryption.
Confidentiality, integrity, availability, and resilience of systems.
Rapid restoration after incidents.
Regular testing and evaluation of security measures.
o Details of these measures are often included as an annex for clarity.
5. Sub-Processor Management
o Any involvement of sub-processors requires controller consent.
o Contracts with sub-processors must mirror the protections of the main
DPA.
o Controllers should audit sub-processor compliance regularly (at least
annually).
o Listing sub-processors in an annex enhances transparency.
6. Final Clauses
o Changes to the DPA require mutual agreement.
o The DPA supersedes any conflicting agreements related to data
processing.
7. Annexes
o Annex 1: Technical and Organizational Measures.
o Annex 2: List of Sub-Processors.
o These annexes provide detailed, practical descriptions supporting the
DPA’s core provisions.
Why Are These Elements Important for FinTech Startups?
FinTech startups rely heavily on third-party services (cloud providers, payment
processors, analytics tools), which means DPAs must be carefully negotiated and
managed.
Handling sensitive financial data, identity verification data, and transaction
information demands high security and compliance.
Failure to maintain clear DPAs can lead to significant regulatory penalties,
damage to reputation, and loss of customer trust.
DIFFERENCE BETWEEN CCPA AND GDPR:
1. Jurisdiction
o CCPA (California Consumer Privacy Act): Applies to businesses collecting data of
California residents only.
o GDPR (General Data Protection Regulation): Applies to businesses processing
personal data of individuals in the European Union (EU) and European Economic
Area (EEA).
2. User Consent
o CCPA: Consumers have the right to opt-out of the sale of their personal
information, but explicit consent is not always required before data collection.
o GDPR: Requires explicit, informed consent from data subjects before their
personal data can be processed, except in limited cases.
3. User Rights
o CCPA: Grants rights to access personal data collected, request deletion, and
opt-out of data sales. Limited rights compared to GDPR.
o GDPR: Provides comprehensive rights including access, correction, deletion
(right to be forgotten), data portability, and objection to processing.
4. Penalties
o CCPA: Penalties for violations can reach up to $7,500 per intentional violation
and $2,500 for unintentional ones.
o GDPR: Hefty fines up to €20 million or 4% of annual global turnover, whichever
is higher, for serious infringements.
5. Data Breach Notification
o CCPA: Businesses must notify affected consumers within 45 days of discovering
a data breach.
o GDPR: Requires notification to relevant authorities within 72 hours and to
individuals if the breach poses a high risk to their rights and freedoms.
6. Scope of Data
o CCPA: Covers personal data that identifies or can be linked to a consumer or
household, including online identifiers.
o GDPR: Covers any information relating to an identified or identifiable natural
person, including sensitive personal data like health or biometric data.
Cyber Laws in India
In simple terms, cyber crime is any unlawful act in which the computer is either a
tool or a target or both. Cyber crimes can involve criminal activities that are
traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which
are subject to the Indian Penal Code. The abuse of computers has also given birth to a
gamut of new-age crimes that are addressed by the Information Technology Act, 2000.
We can categorize cyber crimes in two ways:
The computer as a target: using a computer to attack other computers,
e.g. hacking, virus/worm attacks, DoS attacks etc.
The computer as a weapon: using a computer to commit real-world crimes,
e.g. cyber terrorism, IPR violations, credit card frauds, EFT frauds, pornography
etc.
Cyber law (also referred to as cyberlaw) is a term used to describe the legal issues
related to the use of communications technology, particularly "cyberspace", i.e. the Internet.
It is less a distinct field of law, in the way that property or contract law are, than an
intersection of many legal fields, including intellectual property, privacy, freedom of
expression, and jurisdiction. In essence, cyber law is an attempt to integrate the
challenges presented by human activity on the Internet with the legacy system of laws
applicable to the physical world.
When the Internet was developed, its founders hardly anticipated that it could
transform itself into an all-pervading revolution that could be misused for criminal
activities and would require regulation. Today, many disturbing things happen in
cyberspace. Because of the anonymous nature of the Internet, it is possible to engage
in a variety of criminal activities with impunity, and intelligent people have been
grossly misusing this aspect of the Internet to perpetrate criminal activities in
cyberspace. Hence the need for cyber laws in India.
Advantages of Cyber Laws
Cyber laws that everyone using the internet must be aware of
The Internet is just like life: it is interesting and we spend a lot of time doing amusing
things on it, but it comes with its fair share of trouble. With the technology boom and easy
Internet access across the country, cybercrime, too, has become a fairly common
occurrence. From hacking into computers to making fraudulent transactions online, there
are many ways in which we can become victims of illegal cyber activities.
1. Information Technology Act, 2000 (IT Act, 2000)
The foundation of cyber law in India, enacted to provide legal recognition to electronic
transactions and to curb cybercrimes.
Objectives:
Grant legal recognition to electronic records and digital signatures.
Prevent unauthorised access, misuse, and fraud involving computers.
Define and penalize cybercrimes.
Protect critical information infrastructure.
Key Sections & Explanation:
Sec. 65: Tampering with computer source code (like altering banking software).
Sec. 66: Computer-related offences (hacking, identity theft, impersonation).
Sec. 66C: Identity theft – misuse of password, credit card, digital signature.
Sec. 66D: Cheating by impersonation (e.g., phishing emails, fake job portals).
2. Indian Penal Code (IPC), 1860 (Extended to Cyberspace)
Though framed in the 19th century, the IPC is general criminal law whose provisions also
apply to crimes committed through computers or the Internet.
Forgery (Sec. 463–465): Creating fake electronic documents.
Cheating (Sec. 415–420): Online scams, fraudulent e-commerce, fake UPI apps.
Defamation (Sec. 499–500): Posting defamatory content on social media.
Obscenity (Sec. 292–294): Circulating obscene images/videos via WhatsApp,
Telegram.
3. Indian Evidence Act, 1872 (Amendment 2000)
Sec. 65A & 65B: Recognition of electronic records as legal evidence.
o Example: WhatsApp chats, CCTV footage, server logs, emails admissible
in court.
o Important condition: They must be authenticated via a 65B certificate
(issued by a system administrator/official).
Ensures cybercrimes can be proved with digital evidence.
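The 65B certificate is a legal document issued by the person in charge of the system, and nothing below replaces it. What the certificate typically rests on, though, is a technical record showing that the copy of a server log or mailbox tendered in court is byte-for-byte what was collected. The Python below is an added example written for these notes (not from the Evidence Act or any court-mandated tool): it builds an integrity manifest (SHA-256 digest, size, collector, source host, collection time) for each file and later re-checks the files against it. The hostnames, collector name and sample log lines are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Any, Dict, Iterable, List, Optional


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so multi-gigabyte logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: Iterable[Path], collector: str, source_host: str,
                   collected_at: Optional[datetime] = None) -> Dict[str, Any]:
    """Record who collected which files, from which system, when, and their digests."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "collected_at": collected_at.isoformat(),
        "collector": collector,
        "source_host": source_host,
        "items": [
            {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Return the paths that are missing or whose current digest no longer matches."""
    changed = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists() or sha256_file(p) != item["sha256"]:
            changed.append(item["path"])
    return changed


def demo() -> Dict[str, Any]:
    """Constructed walk-through: collect a log, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"
        # Constructed sample log lines, not real data.
        log.write_text(
            "2024-03-01T10:00:01Z sshd[812]: Accepted publickey for admin from 10.0.0.5\n"
            "2024-03-01T10:02:17Z sshd[813]: Failed password for root from 10.0.0.9\n"
        )
        manifest = build_manifest(
            [log],
            collector="Example Collector (constructed name)",
            source_host="app-server-01.example (constructed host)",
        )
        clean = verify_manifest(manifest)      # expected: nothing changed
        with log.open("ab") as fh:             # simulate a post-collection edit
            fh.write(b" ")
        tampered = verify_manifest(manifest)   # expected: the log is flagged
        return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("unchanged after collection:", result["clean"] == [])
    print("flagged after alteration:", result["tampered"])
```

Store the manifest separately from the files it describes (and ideally hash the manifest itself into the case record), so that the digests cannot be quietly regenerated alongside a modified log.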
4. Companies Act, 2013
Sec. 134: Directors must report on risk management, including cyber risks.
Sec. 143(12): Auditors must report frauds (including cyber frauds).
Companies handling large customer data are accountable for data security
practices.
Ensures corporate governance & accountability in cyber risk management.
5. Reserve Bank of India (RBI) Cybersecurity Regulations
Since banking is highly digital, the RBI enforces strict cybersecurity norms that protect
customer money and trust in digital banking.
Banking Regulation Act, 1949: Empowers RBI to regulate digital banking.
Payment & Settlement Systems Act, 2007: Governs UPI, NEFT, IMPS, wallets.
RBI Cybersecurity Framework (2016):
o Real-time fraud detection systems.
o Cyber crisis management plan.
o Mandatory reporting of cyber incidents within 2–6 hours.
o Periodic cyber audits.
6. Securities and Exchange Board of India (SEBI) Regulations
Stock markets and securities are high-value cyber targets; SEBI's regulations aim to prevent
cyber frauds such as insider trading, algorithm manipulation and ransomware attacks.
Mandates that stock exchanges, depositories and clearing corporations adopt:
o ISO/IEC 27001, ISO/IEC 27002 and COBIT 5 standards.
Must have Security Operations Centres (SOCs) for monitoring cyber threats.
Report incidents within 2 hours of detection.
7. Insurance Regulatory and Development Authority (IRDAI)
Guidelines
Insurance companies handle sensitive financial + health data.
IRDAI mandates:
o Appointment of CISO (Chief Information Security Officer).
o Report breaches within 48 hours.
o Encrypt and secure customer data.
o Adopt ISO/IEC cybersecurity standards.
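A firm regulated by several of the bodies above faces several clocks at once after one incident, and the shortest window decides the response plan. The Python below is an added example written for these notes (not an official tool of any regulator): it encodes only the windows the notes state (SEBI 2 hours, RBI 2 to 6 hours with the 6-hour outer bound used, IRDAI 48 hours, and from row 5 of the CCPA/GDPR comparison table GDPR 72 hours and CCPA 45 days), computes each deadline from the detection time, and reports which are already missed and which is next. The incident timestamp and the set of applicable regimes are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Reporting windows as stated in the notes above; where a range is given
# (RBI: 2 to 6 hours) the outer bound is encoded so urgency is never understated.
NOTIFICATION_WINDOWS: Dict[str, timedelta] = {
    "SEBI": timedelta(hours=2),    # report within 2 hours of detection
    "RBI": timedelta(hours=6),     # mandatory reporting within 2 to 6 hours
    "IRDAI": timedelta(hours=48),  # report breaches within 48 hours
    "GDPR": timedelta(hours=72),   # supervisory authority within 72 hours
    "CCPA": timedelta(days=45),    # affected consumers within 45 days
}


@dataclass(frozen=True)
class Deadline:
    regime: str
    due_at: datetime
    hours_remaining: float  # negative once the window has closed


def _require_aware(ts: datetime, name: str) -> None:
    # A naive timestamp is ambiguous across time zones; refuse it rather than
    # silently computing a deadline that may be hours off.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def notification_deadlines(detected_at: datetime, regimes: Iterable[str],
                           now: datetime) -> List[Deadline]:
    """Deadlines for every applicable regime, earliest first."""
    _require_aware(detected_at, "detected_at")
    _require_aware(now, "now")
    deadlines = []
    for regime in regimes:
        if regime not in NOTIFICATION_WINDOWS:
            raise KeyError(f"no reporting window known for {regime!r}")
        due_at = detected_at + NOTIFICATION_WINDOWS[regime]
        remaining_hours = (due_at - now).total_seconds() / 3600
        deadlines.append(Deadline(regime, due_at, remaining_hours))
    return sorted(deadlines, key=lambda d: d.due_at)


def overdue(deadlines: Iterable[Deadline]) -> List[str]:
    """Regimes whose window has already closed."""
    return [d.regime for d in deadlines if d.hours_remaining < 0]


def next_due(deadlines: Iterable[Deadline]) -> Optional[str]:
    """The regime that must be notified next, or None if every window has closed."""
    pending = [d for d in deadlines if d.hours_remaining >= 0]
    return pending[0].regime if pending else None


# Constructed sample: a payments firm subject to RBI, SEBI, GDPR and CCPA
# detects a breach at 10:00 UTC and reviews its obligations five hours later.
SAMPLE_DETECTED_AT = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_NOW = SAMPLE_DETECTED_AT + timedelta(hours=5)
SAMPLE_REGIMES = ("CCPA", "GDPR", "RBI", "SEBI")

if __name__ == "__main__":
    for d in notification_deadlines(SAMPLE_DETECTED_AT, SAMPLE_REGIMES, SAMPLE_NOW):
        status = "OVERDUE" if d.hours_remaining < 0 else f"{d.hours_remaining:.1f} h left"
        print(f"{d.regime:<6} due {d.due_at.isoformat()}  {status}")
```

In the constructed scenario the SEBI window has already closed at the five-hour mark, the RBI window has one hour left, and GDPR and CCPA follow; a response runbook should therefore key its first notification step on the shortest applicable window, not on the most familiar one.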
8. National Cyber Security Policy, 2013 (Policy, not law)
Vision: “To build a secure and resilient cyberspace for citizens, businesses,
and government.”
Targets:
o Protect critical infrastructure.
o Train 5 lakh cybersecurity professionals.
o Promote public-private partnerships.
9. Digital Personal Data Protection (DPDP) Act, 2023
India’s first standalone data protection law, modeled on global standards like GDPR.
Scope: Applies to personal data processed in India (and outside if linked to Indian
data).
Rights of individuals (Data Principals):
o Right to consent before data collection.
o Right to access, correct, delete data.
o Right to grievance redressal.
Duties of companies (Data Fiduciaries):
o Process data only for lawful purposes.
o Ensure security safeguards.
o Notify breaches.
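As an added illustration of the rights and duties just listed (example code written for these notes, not taken from the Act or any official implementation), the Python below models a data fiduciary whose storage layer refuses collection or processing unless an active consent exists for that specific purpose, honours withdrawal, and serves access, correction and erasure requests while keeping an audit trail that survives erasure. Principal identifiers, purposes and values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


class ConsentError(PermissionError):
    """Raised when data is collected or processed without an active, matching consent."""


@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None  # set on withdrawal; None means active


@dataclass
class PrincipalRecord:
    principal_id: str
    data: Dict[str, Any] = field(default_factory=dict)
    consents: Dict[str, Consent] = field(default_factory=dict)  # purpose -> Consent
    audit: List[str] = field(default_factory=list)              # kept after erasure


def _log(rec: PrincipalRecord, event: str) -> None:
    rec.audit.append(f"{datetime.now(timezone.utc).isoformat()} {event}")


class DataFiduciary:
    """Holds personal data only under an explicit, purpose-bound consent."""

    def __init__(self) -> None:
        self._records: Dict[str, PrincipalRecord] = {}

    def _record(self, pid: str) -> PrincipalRecord:
        return self._records.setdefault(pid, PrincipalRecord(pid))

    def _require_consent(self, rec: PrincipalRecord, purpose: str) -> None:
        consent = rec.consents.get(purpose)
        if consent is None or consent.withdrawn_at is not None:
            _log(rec, f"DENIED purpose={purpose}")
            raise ConsentError(f"no active consent for purpose {purpose!r}")

    def record_consent(self, pid: str, purpose: str) -> None:
        rec = self._record(pid)
        rec.consents[purpose] = Consent(purpose, datetime.now(timezone.utc))
        _log(rec, f"CONSENT purpose={purpose}")

    def withdraw_consent(self, pid: str, purpose: str) -> None:
        rec = self._record(pid)
        consent = rec.consents.get(purpose)
        if consent is not None and consent.withdrawn_at is None:
            consent.withdrawn_at = datetime.now(timezone.utc)
            _log(rec, f"WITHDRAW purpose={purpose}")

    def collect(self, pid: str, purpose: str, field_name: str, value: Any) -> None:
        """Duty: consent before collection, limited to the consented purpose."""
        rec = self._record(pid)
        self._require_consent(rec, purpose)
        rec.data[field_name] = value
        _log(rec, f"COLLECT field={field_name} purpose={purpose}")

    def process(self, pid: str, purpose: str) -> Dict[str, Any]:
        """Duty: process only for a lawful, consented purpose."""
        rec = self._record(pid)
        self._require_consent(rec, purpose)
        _log(rec, f"PROCESS purpose={purpose}")
        return dict(rec.data)

    def access(self, pid: str) -> Dict[str, Any]:
        """Right to access: what is held and which consents are active."""
        rec = self._record(pid)
        return {"data": dict(rec.data),
                "consents": {p: c.withdrawn_at is None for p, c in rec.consents.items()}}

    def correct(self, pid: str, field_name: str, value: Any) -> None:
        """Right to correct a field the fiduciary already holds."""
        rec = self._record(pid)
        if field_name not in rec.data:
            raise KeyError(field_name)
        rec.data[field_name] = value
        _log(rec, f"CORRECT field={field_name}")

    def erase(self, pid: str) -> None:
        """Right to deletion: drop the data but keep the audit trail."""
        rec = self._record(pid)
        rec.data.clear()
        _log(rec, "ERASE")


def demo() -> Dict[str, Any]:
    """Constructed walk-through; identifiers and values are made up."""
    fid, out = DataFiduciary(), {}
    fid.record_consent("principal-1", "kyc")
    fid.collect("principal-1", "kyc", "pan", "CONSTRUCTED-PAN")
    try:  # no consent for marketing, so collection for that purpose is refused
        fid.collect("principal-1", "marketing", "email", "user@example.invalid")
        out["marketing_refused"] = False
    except ConsentError:
        out["marketing_refused"] = True
    fid.correct("principal-1", "pan", "CONSTRUCTED-PAN-2")
    out["kyc_view"] = fid.process("principal-1", "kyc")
    fid.withdraw_consent("principal-1", "kyc")
    try:  # consent withdrawn, so further processing is refused
        fid.process("principal-1", "kyc")
        out["post_withdrawal_refused"] = False
    except ConsentError:
        out["post_withdrawal_refused"] = True
    fid.erase("principal-1")
    out["after_erase"] = fid.access("principal-1")
    out["audit_events"] = len(fid._records["principal-1"].audit)
    return out
```

The audit list deliberately records refusals as well as successes: when a data principal or regulator asks what was done with the data, the fiduciary can show not only the processing it performed but also the requests it turned down and why.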
Major cyber security regulatory bodies in India:
Apart from the national courts and tribunals, some major regulatory bodies have
been created to enforce cyber laws and regulations. The major ones are as follows:
Computer Emergency Response Team (CERT-In) :
It is the national nodal agency for collecting, analyzing, forecasting and
disseminating non-critical cyber security incidents. It also recommends best practices,
guidelines and precautions for cyber incident management so that organizations can
respond effectively.
National Critical Information Infrastructure Protection Center (NCIIPC) :
It monitors and reports on national level threats to critical information
infrastructure like power, financial sector, telecom etc. It has successfully implemented
several guidelines for policy guidance, knowledge sharing and cybersecurity awareness
for organizations to take precautionary measures in key sectors.
Cyber Regulations Appellate Tribunal (CRAT) :
It is the main cyber governance body, which has the power to find facts, receive
cyber evidence, and examine and punish witnesses. It can issue summons and commissions
to examine witnesses, documents and persons under oath, and it can review the final
decisions of the court to resolve incidents and cases.
Ministry of Electronics and Information Technology (MeitY) :
It is responsible for formulating national policies related to
information technology, including cyber security policies and strategies. It monitors
the implementation of cyber security measures and initiatives to ensure compliance
with national policies.
National Cyber Coordination Centre (NCCC) :
It provides real-time situational awareness of cyber threats by
monitoring and analysing cyber activities across the country. It coordinates responses
to cyber security incidents, ensures timely and effective action, analyses cyber threats
and disseminates intelligence to relevant stakeholders for proactive threat mitigation.
Apart from the national-level regulatory bodies above, the sectoral regulators listed
below have introduced their own separate cyber security guidelines:
Reserve Bank of India (RBI) :- It has prescribed comprehensive cyber
security standards and guidelines for banks, non-banking financial
companies, payment system operators and payment aggregators.
Securities and Exchange Board of India (SEBI) :- It has issued circulars
and guidelines on cyber security for stock market participants. A further
objective of these is to protect the data of market intermediaries, investors
and issuers of securities, as well as customer data and transactions, from
cyber criminals.
Insurance Regulatory and Development Authority of India
(IRDAI) :- It has issued guidelines on cyber security for all insurers and
insurance intermediaries. It aims to encourage insurance companies to
establish and maintain a robust cyber risk assessment plan, improve
methods to mitigate internal and external cyber threats, and prevent
ransomware attacks and other forms of cyber fraud.
Department of Telecom (DoT) :- Several guidelines on reporting cyber
security incidents and on cyber security have been issued to telecom
licensees under the licensing framework. DoT is an executive arm of the
Ministry of Communications of India and has imposed multi-tiered data
consent rules that protect personal data processing.
Telecom Regulatory Authority of India (TRAI) :- It regulates cyber
security practices in the telecom sector and ensures the security of telecom
networks and services. It develops and enforces standards and guidelines
to secure telecom infrastructure, thereby protecting customer data, and it
monitors compliance with cyber security regulations and takes corrective
action as required.