Recently, MeitY released guidelines pertaining to data security for various government departments. The guidelines are intended to assist government departments that collect, receive, possess, store, deal with or handle personal information, including sensitive personal information or identity information, in implementing reasonable security practices and procedures and meeting other security and privacy obligations under the IT Act, 2000 and the Aadhaar Act, 2016.
The IT Act, 2000 has become grossly outdated, while the constitutionality of the Aadhaar Act, 2016 is already being questioned before the Supreme Court of India. Further, the guidelines are general guidelines meant for guiding the government departments and lack enforceability. In any case, enforcement of laws in India is very poor, especially when it comes to enforcement of cyber law and cyber security related norms.
Some people have already started celebrating as if these guidelines have brought something magical. The truth is that these guidelines are neither effective nor sufficient to cover even the basic concepts of data protection and cyber security as per international standards. So the fact remains that India has no dedicated privacy, cyber security and data protection laws, and the cyber security of sensitive information, including Aadhaar and its CIDR, is at great risk.
The guidelines are just suggestions with no binding legal obligations for data breaches. They simply tell the government departments to use common sense while dealing with the sensitive data of Indians. They do not put any onerous obligations upon government departments, the violation of which would be subject to prosecution. Indians have no rights even if their data and information are leaked by such government departments.
Government departments are even free to treat these guidelines as non-existent by simply not acting upon them. There is no timeline within which the government departments are required to ensure even basic cyber security practices. Saying that government departments must do this and that does not make any sense if there are no time-bound obligations coupled with sanctions for non-compliance.
In short, these guidelines are just eyewash to fool Indians and the Supreme Court by claiming that some magical data security and cyber security remedy has been put in place. In reality, the guidelines are nothing more than a façade to keep Indians in the dark.