Hackers Take Advantage of India's Loose Data Privacy Laws


India has some of the loosest data policy laws on the planet. Hackers have seen these loose data privacy laws as the opening they need to steal data and sell it on the black market. Regulations are changing, but many experts who see the importance of data protection feel that they are not moving at a fast enough pace.

Since India lacks comprehensive privacy laws, little is being done to protect people’s personal data. The Personal Data Protection Bill is an initial step by the lower house of parliament in India to provide a level of security. This bill is designed to regulate how the personal data of people in India is used by companies, the government, and law enforcement.

In 2019, India’s government passed an ordinance that permits people to voluntarily use official government-issued IDs if they want to offer proof of identity when they go to the bank or perform other essential services. However, the same ordinance made it possible for digital pay companies, such as Amazon Pay and PayTm, to ask for the official ID as well.

The way things are currently structured, there is the possibility that individuals would lose their access to key services if they did not share their personal information with the companies or agencies that provide them. Businesses have created several safeguards to address fraud. They protect merchants from online fraud.

Data Theft and Organized Crime

Much of the data theft is used as a way to commit financial fraud. According to the FTC report, 1.7 million identity theft and fraud reports received in 2019 were fraud-related. Many individuals and organizations are taking steps to protect themselves by using VPNs and other security measures. But not all security measures offer the same level of security.

Alex Williams from Hosting Data group tested over 20 popular VPN solutions and found that not all VPN services offer the same layer of protection - the ones that guaranteed maximum protection against any threat used AES-256 encryption, which is the strongest encryption standard. A VPN is a great solution when it comes to protecting your online privacy and sensitive data from threats such as identity theft, or hackers stealing and selling your personal information on the Dark Web - but only if it offers strong encryption and a no-logging policy.

Some argue that banks are facing a worse situation than individuals with data theft and fraud. An example of the fraud an individual faces is scammers trying to get their one-time password when they are doing a transaction. This is a scam seen in many parts of India. Gangs in Jharkhand are at the heart of these scams. Sadly, gangs will work with mobile shops. It’s common for mobile shops that sell SIM cards to work with the criminals, allowing them to get access to the mobile phones of the individuals they have sold SIM cards to.

This problem is only going to get bigger as COVID-19 continues affecting people in India and around the world. India, like other countries, is relying on digital payments. The digital payment sector is expected to grow exponentially as more people are opting to purchase online. In India, digital payments accounted for 2.2 billion transactions during the first weeks of the coronavirus lockdown. This is 72.5 percent of the transactions carried out in India. Scammers will look at this and will see an alternative way to con people. People are getting what appears to be legitimate communications from the bank offering a loan moratorium.

How Privacy Laws around the World Compare with Those in India

GDPR is one of the strictest data privacy policies in the world. However, it’s not the first privacy policy nor is it the last. Several countries around the world have strict data privacy laws.


Brazil

Lei Geral de Proteção de Dados is a policy that was crafted after GDPR. It has a similar scope and similar applicability. The major difference between Brazil’s privacy laws and the GDPR is that the GDPR has fewer fines for noncompliance.

Any company around the world that wants to do business with Brazil, which has the world’s largest economy, will need to comply with Lei Geral de Proteção de Dados by 2020. If not, they can pay fines of up to €11.8 million.


Australia

Australia’s privacy law is known as the Privacy Amendment. It has been on the books since February 2018. Organizations that have more than AU$3 million in turnover every year will need to disclose data breaches that pose a real threat of serious harm within 30 days of discovering the breach, or face fines of €1.1 million.

The Privacy Australia group’s recent survey showed that approximately 39.2% of Australians cited hackers and other types of cybercriminals as the biggest threats to their online safety, while 30.1% cited Australian government surveillance.

The United States

The US doesn't have a universal privacy law that affects all industries on the federal level. Each state can create its own privacy laws. These regulations are going to vary in applicability, penalties, and scope. California has the California Consumer Privacy Act. This is one of the strictest privacy laws in the country. It has a lot in common with GDPR.

HIPAA is a privacy law that impacts how private medical data is used. There are other privacy laws that are used in the financial field.


Japan

Japan’s Act on Protection of Personal Information came into law in May 2017. Both foreign and domestic companies must adhere to this law. Japan and the EU have reached reciprocal adequacy laws when it comes to each country’s privacy laws. Japan has even created a white list of EU companies that are cautious when handling personal information.

South Korea

South Korea’s Personal Information Protection Act is one of the earliest privacy laws on the books. It became law in September 2011. The GDPR shares many of the same provisions, including limiting when organizations can retain a person’s data and requiring strict justification for retaining said data.

India Has Some Catching up to Do

The above-mentioned PDPB was introduced into parliament in December 2019. There is still some ambiguity in some policies, and India's central government has a lot of power in deciding how this will be enforced and when exceptions can be made. Some tenets of this legislation include breach notification requirements, consent of data subjects, the right to be forgotten, and hefty fines if there is noncompliance. In fact, the fines can be as high as four percent of global annual turnover.

Critics of privacy policies like the GDPR say that while the protection offered by these policies is good, it’s not enough. They point out areas where GDPR, HIPAA, and other similar policies failed to guarantee full compliance.

India is taking steps in the right direction but has a long way to go. It owes it to its over one billion citizens to provide data protection and protect them against hackers.