Launch of Central Suspect Registry to Combat Cyber Crimes

Introduction: 

The G7 Summit is an international forum that includes member states from France, the United States, the United Kingdom, Germany, Japan, Italy, Canada and the European Union (EU). The annual G7 meeting that is held every year was hosted by Japan this year in May 2023. It took place in Hiroshima. Artificial Intelligence (AI) was the major theme of this G7 summit. Key takeaways from this G7 summit highlight that leaders together focused on escalating the adoption of AI for beneficial use cases across the economy and the government and improving the governing structure to mitigate the potential risks of AI. 

Need for fair and responsible use of AI:

The G7 recognises that they really need to work together to ensure the responsible and fair use of AI to help establish technical standards for the same. Members of the G7 countries agreed to adopt an open and enabling environment for the development of AI technologies.  They also emphasized that AI regulations should be based on democratic values. G7 summit calls for the responsible use of AI. The ministers discussed the risks involved in AI technology programs like ChatGPT. They came up with an action plan for promoting responsible use of AI with human beings leading the efforts. 

Further Ministers from the Group of Seven (G7) countries (Canada, France, Germany, Italy, Japan, the UK, the US, and the EU) met virtually on 7 September 2023 and committed to creating ‘international guiding principles applicable for all AI actors’, and a code of conduct for organisations developing ‘advanced’ AI systems. 

What is HAP (Hiroshima AI Process)

Hiroshima AI Process (HAP) aims to establish trustworthy AI technical standards at the international level. The G7 agreed on creating a ministerial forum to prompt the fair use of AI. Hiroshima AI Process (HAP) is an effort by G7 to determine a way forward to regulate AI. The HAP establishes a forum for international discussions on inclusive AI governance and interoperability to achieve a common vision and goal of trustworthy AI at the global level.

The HAP will be operating in close connection with organisations including the Organisation for Economic Co-operation and Development (OECD) and the Global Partnership on AI (GPAI).

This Hiroshima AI Process (HAP) initiated at the Annual G7 Summit held in Hiroshima, Japan is a significant step towards regulating AI and the Hiroshima AI Process (HAP) is likely to conclude by December 2023.

G7 leaders emphasized fostering an environment where trustworthy AI systems are designed, developed and deployed for the common good worldwide. They advocated for international standards and interoperable tools for trustworthy AI that enable Innovation by creating a comprehensive policy framework, including overall guiding principles for all AI actors in the AI ecosystem.

Stressing upon fair use of advanced technologies:

The impact and misuse of generative AI was also discussed by the G7 leaders. The G7 members also stressed misinformation and disinformation in the realm of generative AI models. As they are capable of creating synthetic content such as deepfakes. In particular, they noted that the next generation of interactive generative media will leverage targeted influence content that is highly personalized, localized, and conversational. 

In the digital landscape, there is a rapid advancement of technologies such as generative 

Artificial Intelligence (AI), deepfake, machine learning, etc. Such technologies offer convenience to users in performing several tasks and are capable of assisting individuals and business entities. Since these technologies are easily accessible, cyber-criminals leverage AI tools and technologies for malicious activities, hence certain regulatory mechanisms at the global level will ensure and advocate for the ethical, reasonable and fair use of such advanced technologies. 

Conclusion: 

The G7 summit held in May 2023 focused on advanced international discussions on inclusive AI governance and interoperability to achieve a common vision and goal of trustworthy AI, in line with shared democratic values. AI governance has become a global issue, countries around the world are coming forward and advocating for the responsible and fair use of AI and influence on global AI governance and standards. It is significant to establish a regulatory framework that defines AI capabilities and identifies areas prone to misuse. And set forth reasonable technical standards while also fostering innovations. Hence overall prioritizing data privacy, integrity, and security in the evolving nature of advanced technologies. 

References:

• https://www.politico.eu/wp-content/uploads/2023/09/07/3e39b82d-464d-403a-b6cb-dc0e1bdec642-230906_Ministerial-clean-Draft-Hiroshima-Ministers-Statement68.pdf
• https://www.g7hiroshima.go.jp/en/summit/about/
• https://www.drishtiias.com/daily-updates/daily-news-analysis/the-hiroshima-ai-process-for-global-ai-governance
• https://www.businesstoday.in/technology/news/story/hiroshima-ai-process-g7-calls-for-adoption-of-international-technical-standards-for-ai-382121-2023-05-20

‍

Introduction

The much-awaited DPDP Rules have now finally been released in the official Gazette on 3rd January 2025 for consultation. The draft Digital Personal Data Protection Rules, 2025 (DPDP Rules) invites objections and suggestions from stakeholders that can be submitted on MyGov (https://mygov.in) by 18th February 2025.

DPDP Rules at Glance 

• Processing of Children's Data: The draft rules say that ‘A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child’. It entails that children below 18 will need parents' consent to create social media accounts.
• The identity of the parents and their age can be verified through reliable details of identity and age available with the Data Fiduciary, voluntarily provided identity proof or virtual token mapped to the same. The data fiduciaries are also required to observe due diligence for checking that the individual identifying themselves as the parent is an adult who is identifiable, if required, in connection with compliance with any law for the time being in force in India. Additionally, the government will also extend exemptions from these specific provisions pertaining to processing of children's data to educational institutions, and child welfare organisations.
• Processing of Personal Data Outside India: The draft rules specify that the transfer of personal data outside India, whether it is processed within the country or outside in connection with offering goods or services to individuals in India, is permitted only if the Data Fiduciary complies with the conditions prescribed by the Central Government through general or specific orders.
• Intimation of Personal Data Breach: On becoming aware of a personal data breach, the Data Fiduciary must promptly notify the affected Data Principals in a clear and concise manner through their user account or registered communication method. This notification should include a description of the breach (nature, extent, timing, and location), potential consequences for the Data Principal, measures taken or planned to mitigate risks, recommended safety actions for the Data Principal, and contact information of a representative to address queries. Additionally, the Data Fiduciary must inform the Board without delay, providing details of the breach, its likely impact, and initial findings. Within 72 hours (or a longer period allowed by the Board upon request), the Data Fiduciary must submit updated information, including the facts and circumstances of the breach, mitigation measures, findings about the cause, steps to prevent recurrence, and a report on notifications given to affected Data Principals. 
• Data Protection Board: The draft rules propose establishing the Data Protection Board, which will function as a digital office, enabling remote hearings, and will hold powers to investigate breaches, impose penalties, and perform related regulatory functions.

Journey of Digital Personal Data Protection Act, 2023

The foundation for the single statute legislation on Data Protection was laid down in 2017, in the famous ‘Puttaswami judgment,’ which is also well recognised as the Aadhar Card judgment. In this case, ‘privacy’  was recognised as intrinsic to the right to life and personal liberty, guaranteed by Article 21 of the Constitution of India, thus making ‘Right to Privacy’ a fundamental right.  In the landmark Puttaswamy ruling, the apex court of India stressed the need for a comprehensive data protection law. 

Eight years on and several draft bills later, the Union Cabinet approved the Digital Personal Data Protection Bill (DPDP) on 5th July 2023. The bill was tabled in the Lok Sabha on 3rd August 2023, and It was passed by Lok Sabha on 7th August, and the bill passed by Rajya Sabha on 9th August and got the president's assent on 11th August 2023; and India finally came up with the ‘Digital Personal Data Protection Act, 2023. This is a significant development that has the potential to bring about major improvements to online privacy and the handling of digital personal data by the platforms.

The Digital Personal Data Protection Act, 2023, is a newly-enacted legislation designed to protect individuals' digital personal data. It aims to ensure compliance by Data Fiduciaries and imposes specific obligations on both Data Principals and Data Fiduciaries. The Act promotes consent-based data collection practices and establishes the Data Protection Board to oversee compliance and address grievances. Additionally, it includes provisions for penalties of up to ₹250 crores in the event of a data breach. However, despite the DPDP Act being passed by parliament last year, the Act has not yet taken effect since its rules and regulations are still not finalised.

Conclusion

It is heartening to see that the Ministry of Electronics and Technology (MeitY) has finally released the draft of the much-awaited DPDP rules for consultation from stakeholders. Though noting certain positive aspects, there is still room for addressing certain gaps and multiple aspects under the draft rules that require attention. The public consultation, including the inputs from the tech platforms, is likely to see critical inputs on multiple aspects under the proposed rules. One such key area of interest will be the requirement of verifiable parental consent, which will likely include recommendations for a balanced approach which maintains children’s safety and mechanisms for the requirement of verifiable consent. The Provisions permitting government access to personal data on grounds of national security are also expected to face scrutiny. The proposed rules, after the consultation process, will be taken into consideration for finalisation after 18th February 2025.  The move towards establishing a robust data protection law in India signals a significant step toward enhancing trust and accountability in the digital ecosystem. However, its success will hinge on effective implementation, clear compliance mechanisms, and the adaptability of stakeholders to this evolving regulatory landscape.

References

• Draft DPDP Rules; https://egazette.gov.in/(S(rszckzjqxkns41cjzagebonx))/ViewPDF.aspx
• DPDP Act 2023; https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

Introduction

India’s digital growth journey has been moving at a tremendous pace. According to MeitY’s report, India’s digital economy is expected to rise to US$ 500 billion by 2025, up from US$ 200 billion in 2019. The digitisation drive that we are experiencing is likely to foster and boost a favourable business environment that will attract rapid investment and augment economic growth across sectors. This will, in turn, compel businesses to adopt digital platforms as solutions to meet customer expectations. Due to accelerated digitisation, cyber risks often deter business growth. Cybercrimes are becoming more rampant and complex and the costs associated with such breaches are not only increasing but also becoming more systemic.

Development of the Cyber Insurance Landscape

Digitization of businesses started in the 1980s with the use of mainframes. Personal computers entered the game and further modified the landscape from the 2000s along with LANs, the internet and the dot-com boom of the 2000s. In the late 1990s, cyber-insurance was developed as a risk management tool to ensure information security. Coverage was limited, and clients included SMEs in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations. The first cyber insurance policy was written in 1997 through AIG, against hacking as a third-party liability policy. 

The current trends in the cyber insurance space are focused on the prevention of cyber risks, which by nature are hard to outline and constantly evolving. The result is that the buyers have limited clarity on the types of cyber risks covered under cyber insurance, and even lesser visibility on the scope and amount of optimum coverage. Unfamiliarity with the claim procedure and resolutions, ambiguous claim thresholds during settlements, and confusion around exclusions and coverage of regulatory fines and penalties under a purchased scheme further discourage potential buyers from seriously investing in cyber insurance products. 

Key Factors in Cyber Insurance Evolution and Its Role in Risk Management

The cyber insurance market in India has three key influencing factors, namely the speed of achieving digital maturity, government initiatives to digitise and enforce stringent cyber laws, and the evolving landscape with technology giants and MNCs entering the cyber insurance domain. The latter  are the catalyst for intensifying competition in this market. 

Advancements in technology in terms of AI, machine learning, big data, robotics, blockchain, augmented and virtual reality, and IoT are expected to reshape the insurance industry and help reach untapped audiences in a more digital-forward manner. With the absence of a standard cyber insurance policy, regulators need to take the following variables into consideration while developing cyber insurance policies: the risk insured against, the scope of the loss covered and the limits/ sub-limits.

Challenges 

With the complexity of cyber risks increasing exponentially the challenges to counter the same are growing too which is leading to gaps in the coverage offered for cyber threats. Resultantly, the compliance regulations are dependent on the risks which exist and cyber threat actors adopt new technologies faster and exploit them to their benefit. A lack of historical data and predictability in future cyber risks, the possibility of large overwhelming loss events, uncertainties among market participants about what is specifically covered under such policies, and legal battles over fundamental issues are some of the challenges identified.

Future Outlook/ Recommendations

India's cyber infrastructure requires a multi-faceted approach that involves collaboration between government, industry, and academia should be developed. Some recommendations are:

• Risk assessments should be a general practice and the cyber insurance policies should be simplified, clearing the mismatch between the premium paid and insurance coverage and there should be standard verbosity across cyber policy language.
• Promoting R&D tailored to India focused on education programs that have public-private partnerships and global collaborations to share threat intelligence, best practices, and expertise in critical infrastructure protection.
• Cyber insurance can also be promoted as compliance with the DPDP Act, which would lead to better development of cyber infrastructure and cyber hygiene practices.
• Regular updates to cyber insurance policies to ensure relevance and effectiveness. Insurers could create and offer holistic cyber insurance risk management plans.

Conclusion

According to a report by Deloitte in 2023, the cyber insurance market in India is expected to grow by 27-30 per cent in the coming years and it is currently valued at USD 50-60 million, while maintaining a steady 27-30 per cent CAGR in the past three years. The Indian cyber infrastructure’s nature is challenging, however, it offers opportunities for growth, innovation, and collaboration. A proactive approach, supported by robust policies, advanced technologies, and skilled professionals, will be essential to building a resilient cyber infrastructure capable of withstanding evolving threats.

Reference

• https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-demystifying-cyber-insurance-coverage-report.pdf
• https://www.dnaindia.com/business/report-what-s-cyber-liablity-insurance-and-why-you-may-need-it-2136556‍
• https://economictimes.indiatimes.com/industry/banking/finance/insure/cyber-insurance-gains-momentum-in-india-set-to-witness-exponential-growth-deloitte/articleshow/104189297.cms?from=mdr