The session, titled “From Curiosity to Compromise: How Users Fall Into Cybercrime,” wasn’t just another safety lecture with a list of do’s and don’ts. It was something more unsettling and more useful an honest look at the psychology behind why people fall for scams, and what we can do about it.

People who fall for cyber scams are not stupid. They are manipulated. – Mr. Tarun S.

Why Awareness Alone Isn’t Enough to Protect You From Cybercrime

Mr. Tarun opened by doing something refreshingly candid he admitted that even he, someone who teaches cyber law, has come close to falling for a cyber attack. That honesty set the tone for the entire session. Cybercrime, he argued, is not primarily a technology problem. It is a human psychology problem.

He asked participants a simple question: if you received a phone call from someone claiming to be from your bank, alerting you to a suspicious transaction and asking for your details to stop it what would you do? Almost everyone in the room said they would cut the call. And yet, this exact scenario plays out thousands of times a day across India, and countless people hand over their OTPs, account numbers, and personal data without blinking.

Why? The answer has a name: cognitive overload.

Cognitive Overload

The state in which a person’s mental bandwidth is so stretched by work, stress, distraction, or urgency that they cannot process new information rationally. This is precisely the state cyber criminals engineer before they strike.

Think about the last time you were in the middle of a deadline, juggling tasks, fielding messages and then your phone rang. In that fractured state of attention, your capacity for critical thinking shrinks dramatically. A skilled scammer doesn’t need you to be gullible. They just need to catch you when your mind is elsewhere.

There is also research to back this up. A widely cited Stanford study found that most cyberattacks are deliberately timed for Friday evenings. The reason is calculated: it’s the end of the workweek, people are mentally depleted, and crucially banks are closed for the next two days. Furthermore it gives fraudsters a 48-hour window before any financial institution can respond or help.

The Foundation of Cybercrime Awareness: What Is Social Engineering?

Before diving into the specific types of attacks, Mr. Tarun grounded everyone in the concept that underlies almost all of them: social engineering.

In cybersecurity, social engineering refers to the art of manipulating people into revealing confidential information or taking actions that compromise their own security. It is not about breaking into systems through code. It is about breaking into people through conversation, trust, and carefully constructed pressure.

The attacker builds a believable identity. They use pieces of your real information your name, your bank’s name, the last four digits of your account number, to establish credibility. Then they manufacture urgency. Then they offer to help. By the time they ask for anything from you, you’ve already mentally placed them in the category of “trusted”.

That architecture of manipulation is the starting point for every cyber scam that follows.

Six Social Engineering Attacks You Need to Recognise

Mr. Tarun walked through six of the most common and most dangerous forms of social engineering attacks used by cybercriminals. Each one felt familiar once explained, which made the lesson hit harder.

Each of these attack types has been responsible for real, devastating losses, financial, reputational, and emotional. The 2011 Operation Trident Tribunal, led by the FBI with participation from the UK and Australia, revealed a gang that had sold USD 72 million worth of fake security software to unsuspecting users worldwide. That is the scale of what scareware can achieve when it finds the right targets at the right moment.

The Problem Nobody Talks About: Sextortion and Fake Profiles

One of the most difficult topics raised in the session and one that is becoming increasingly common is the use of fake profiles for emotional manipulation and extortion. Participants described scenarios in which someone befriends a target online, builds intimacy over time, and then uses shared private images or conversations as blackmail. Sometimes the profile was entirely fabricated. Sometimes a group of people collaborated to create it.

This kind of crime sits at the intersection of cyber fraud and emotional abuse, and its consequences are severe not only financially, but in terms of mental health and personal dignity. Mr. Tarun’s point here was firm: the victim is never at fault. The manipulation is designed to be convincing. What matters is knowing where to report it and acting quickly.

He also flagged the growing risk on matrimonial and dating platforms. The promise of connection is one of the most effective baits in existence, and cyber criminals exploit it with precision.

AI-Driven Cybercrime: The Emerging Threat

One of the most forward-looking moments of the session came when participants raised the issue of AI-driven cyberattacks. Artificial intelligence is rapidly lowering the barrier for scammers. Voice cloning, deepfake video, AI-generated phishing emails that are grammatically flawless these are no longer science fiction. They are tools being deployed right now.

Mr. Tarun acknowledged this candidly: the same technologies being built to protect people are being weaponised against them. Vigilance needs to evolve in tandem with the threats. Understanding what is real in a digital communication whether a voice, an image, or a message is becoming one of the most important skills of modern life.

Your Digital Footprint Is Permanent So Manage It

A recurring theme throughout the session was the concept of the digital footprint every comment you make, every location you tag, every “like” you leave, every photograph you post. Some of this is active (things you consciously share); some is passive (data collected without your direct awareness). Together, they paint a detailed portrait of who you are, where you live, what you do, and what you care about.

Cyber criminals don’t need sophisticated hacking tools to learn a great deal about you. Your public Instagram account especially if you’re a content creator or influencer can tell someone your daily routine, your home neighbourhood, your financial habits, and your emotional vulnerabilities. The session wasn’t a call to quit social media. It was a call to be deliberate about what you share, and to regularly audit what’s publicly visible about you.

India’s recent legislation, the Digital Personal Data Protection Act (DPDPA) 2023, introduces important new rights, including the right to erasure (sometimes called the “right to be forgotten”). But law takes time. The most immediate protection you have is your own awareness and restraint.

What You Can Do? Seven Practical Steps

1. Never open suspicious emails: Even opening a phishing email, without clicking anything, can sometimes expose you. Delete anything that feels off, without engaging.
2. Enable Multi-Factor Authentication (MFA): It adds friction for attackers even if they have your password. Write down your backup codes somewhere safe if you struggle to remember them.
3. Be sceptical of tempting offers: If something seems remarkably generous a freebie, a reward, a deal that needs “just your details” pause. That pause can save you.
4. Audit your social media regularly: Limit personal information on public profiles. Be mindful of location, routine, and anything that could be used to build a profile of you.
5. Discard sensitive documents properly: Tear up or shred anything with account numbers, addresses, or personal identifiers before disposing of it. Dumpster diving is real.
6. Keep all devices updatedSoftware updates aren’t just about new features, they contain critical security patches. This applies to your parents’ phones too.
7. Back up your data regularly: Regular backups protect you from ransomware and accidental loss. Automate it so it requires no effort.

If It Happens to You Report It

In addition to above tips, Mr. Tarun emphasised was this: report it. Cybercrime is massively under-reported, partly because victims feel embarrassed, partly because the process seems daunting. But reporting matters both for your own case and to help identify patterns that protect others.

Closing Thought: The Goal Isn’t Fear, It’s Fluency

The first episode of Cyber Sunday didn’t aim to make anyone paranoid about the internet. It aimed to make participants fluent in how digital threats actually work, fluent enough to recognise them, name them, and resist them. That fluency begins with understanding that cybercrime is fundamentally about people, not technology. It exploits trust, urgency, distraction, and loneliness. And the most powerful counter-measure to all of those is awareness.

Project Cyber Shield believes that every person who learns to protect themselves online can protect dozens of others around them family members, friends, colleagues who may never attend a session like this one. That is the mission. And Episode 1 was a strong beginning.

The post CS EP01: From Curiosity to Compromise – How Users Fall Into Cybercrime first appeared on Project CyberShield.

Project CyberShield, an initiative of Naksh Foundation, participated with a focused goal: to deliver practical, ground-level cybercrime awareness to everyday internet users. Cybercrime is no longer limited to technical users or rare cases. It affects students, working professionals, and families alike. Scammers today rely on human behavior more than technology. This makes awareness the first and most effective line of defence. At VolFest 2026, the CyberShield team worked to simplify this understanding for the general public.

Direct Public Engagement during VolFest’26: Making Cyber Risks Understandable

Instead of formal lectures, the team interacted directly with citizens visiting the stall. Conversations were built around real-life situations that people could immediately relate to.

Key cyber threats explained included:

• Phishing Scams: Fake links and messages designed to steal personal data
• Vishing Calls: Fraud calls creating panic to extract sensitive information
• Digital Arrest Scams: Impersonation of authorities to threaten victims
• Social Media Frauds: Fake profiles and manipulated interactions
• Social engineering: A manipulation technique that exploits human psychology and error
• Privacy settings: Tools within websites, apps, and devices that allow users to control who can view their personal information, activity, and profile.
• Understanding VPN (Virtual Private Network): A security technology that creates an encrypted, private tunnel between your device and the internet.
• Risks of Public Wi-Fi: Hackers steal personal data, banking credentials, and, at times, deliver malicious software to connected devices.
• Multi-Factor Authentication (MFA): A security framework requiring users to verify their identity with two or more independent credentials before accessing accounts.
• Reporting Mechanism: helpline number 1930 & cybercrime.gov.in

The approach was clear help people identify patterns, not just definitions.

Interactive Games for Cyber Awareness

One of the most effective strategies used at the stall was game based learning. Visitors participated in simple, scenario-based games that reflected real cybercrime situations. While playing, they were guided through decision-making moments, whether to click a link, trust a caller, or share information.

Impact of This Approach VolFest’26 :

• Increased engagement and curiosity
• Better understanding of cyber risks
• Stronger recall through practical experience

This method ensured that awareness was not passive. People learned by doing.

Nukkad Natak: Street Play on Cybercrime Awareness

A major highlight of the event was the Nukkad Natak performed by the CyberShield team. The street play showcased real-world cybercrime scenarios, including phishing, vishing, digital arrest scams, and frauds through social media. It demonstrated how scammers manipulate emotions such as fear and urgency to control victims.

Key Takeaways from the Performance at VolFest’26 :

• Understanding how scams unfold step by step
• Identifying early warning signs
• Knowing the correct reporting mechanisms

This format made complex issues accessible and memorable for a diverse audience.

Volunteers Behind the Initiative

The success of CyberShield’s participation was driven by a committed team of volunteers who ensured both engagement and impact on the ground. The team was led by Divya Mehra and Ranjeet Kumar, with Samuel and Jay Kishan serving as the team coordinator. They were actively supported by volunteers Harsha & Abhishek raj.

Other volunteers participated during the event are Noorish, Divya Chauhan, Anjali Rai, Aryan, Chandan Kumar, Priya, Manisha, Ambuj, Mishab, Kumkum, and Sundaram whose collective efforts played a key role in effectively reaching and educating participants during the event.

Their role ensured consistent engagement and effective communication with every visitor.

Key Outcomes of CyberShield at VolFest 2026

• Direct engagement with a diverse public audience
• Increased awareness of common cybercrime techniques
• Improved understanding of preventive digital practices
• Strong recall through interactive and performance-based learning

The Road Ahead

The experience at VolFest 2026 reinforced a critical insight cyber awareness must move beyond structured sessions and reach people in their everyday environments. Project CyberShield will continue expanding its outreach through on-ground activities, institutional collaborations, and community engagement programs.

Conclusion

Cybercrime is evolving rapidly, but awareness can evolve faster. Initiatives like Project CyberShield demonstrate that when awareness is practical, interactive, and accessible, it creates real impact. VolFest 2026 was not just an event, it was a step toward building a more informed and cyber-secure community.

The post CyberShield at VolFest’26: Protecting People Before They Become Victims first appeared on Project CyberShield.

With this concern in mind, Project CyberShield, an initiative of Naksh Foundation, conducted a Cyber Safety and Awareness Outreach Program at Gurugram University. The goal was simple. Start a real conversation with students about cyber safety and responsible digital behaviour.

Why This Outreach Matters

Students are among the most active internet users. From online payments to social media, almost every part of student life now depends on digital platforms. What really matters is understanding the risks that come with it. During the outreach, the CyberShield team explained how small mistakes online can lead to serious consequences. A fake job link, a phishing email, or a suspicious payment request can quickly turn into financial or identity fraud.

What Students Learned

The session focused on practical awareness rather than theory. The discussion covered:

• How phishing and online scams actually work
• Ways to identify fake websites, messages, and suspicious links
• Protecting personal information on social media
• Safe digital habits every student should follow
• How to report cybercrime through official mechanisms in India

Instead of just presenting slides, the team encouraged students to speak, ask questions, and share their own experiences with suspicious online activities.

A Conversation, Not Just a Session

What made the outreach meaningful was the interaction. Students openly discussed how often they receive unknown links, fraud calls, or fake offers online. Many realized that cybercrime is not a distant issue. It is something that can affect anyone using a smartphone.

The CyberShield volunteers guided them on simple preventive steps that can make a big difference in staying safe online.

Moving the Mission Forward

Outreach programs like this are part of the broader mission of Project CyberShield building a culture of cyber awareness among young people. Universities are important spaces for this effort because informed students often become the first people to spread awareness in their homes, communities, and peer groups.

The team of Naksh Foundation will continue conducting similar awareness sessions across institutions, encouraging students to stay alert, informed, and responsible in the digital world.

Because cyber safety is not just a technical issue.
It is a matter of awareness. And awareness begins with conversation.

The post Cyber Safety Takes the Stage at Gurugram University first appeared on Project CyberShield.

Project CyberShield, an initiative of Naksh Foundation, will host Episode 7 of the CyberSundays series, a weekly cybercrime awareness initiative focused on educating citizens about digital safety, cyber law, and responsible internet use.

Cyber Sundays has been designed as a learning platform where students, professionals, and members of the public can engage with experts and gain practical knowledge about cyber threats and legal remedies. Each episode addresses a specific aspect of cybercrime and aims to simplify complex legal and technical issues for wider public understanding.

The upcoming episode will continue this effort by focusing on how cyber offenders are traced and investigated using digital tools and legal procedures.

Topic of the CyberSundays EP07: Tracing Cybersecurity Offenders

The theme of CyberSundays Episode 6 is: “Tracing Cybersecurity Offenders: Digital Investigation Techniques.”

Cybercrime incidents such as online fraud, identity theft, phishing scams, financial cyber fraud, and social media exploitation have become increasingly common. Investigating such offences requires a combination of legal knowledge and technical expertise.

This session will help participants understand how investigators trace cyber offenders by analysing digital footprints, network data, device information, and transaction trails.

Guest Speaker

The session will be delivered by Adv. Darshan Bafna, Advocate at the Bombay High Court and Co-founder of Bafna Law Associates and Bafna Cyberjuris LLC. Through this session, he will share insights into how cybercrime investigations work in real cases and how legal frameworks support the process of identifying and prosecuting cyber offenders.

Key Learning Points for Participants

Participants attending the session will gain an understanding of:

• How cybercriminals leave digital footprints during online activities
• The role of IP addresses and device identifiers in cyber investigations
• How digital forensic techniques assist in tracing cyber offenders
• Legal procedures involved in reporting and investigating cybercrime
• Immediate steps victims should take after experiencing cyber fraud

The session will also provide participants an opportunity to gain clarity about cybercrime reporting mechanisms and the investigative process followed by authorities.

Session Details

• Event: Cyber Sundays – Episode 7
• Topic: Tracing Cybersecurity Offenders: Digital Investigation Techniques
• Speaker: Adv. Darshan Bafna
• Date: 15 March 2026
• Time: 3:00 PM
• Mode: Online Session

Registration for Cyber Sunday Episode 7

Individuals interested in cyber law, cybersecurity, digital rights, and online safety are encouraged to participate in the session. Participants can register through the official registration page:

Registration Link: https://forms.gle/gJAnaWDAUP6xaxGt9

After completing the registration process, participants will receive further details and joining instructions for the live session.

About the CyberSundays Series

The Cyber Sundays series under Project CyberShield is an ongoing initiative aimed at spreading cyber awareness and strengthening digital safety among citizens. By bringing together legal professionals, cybersecurity experts, and volunteers, the initiative seeks to build a society that is more informed, responsible, and resilient against cybercrime.

The post Register Now For CyberSundays EP07 first appeared on Project CyberShield.

You may not remember your passwords, the last app you downloaded or your shopping history but the digital world, remembers everything. Every click, swipe, location ping and online transaction quietly develops a digital profile of who you are. Ther data knows you better than you know yourself. In recent years, India has witnessed increase in data breaches, online frauds, identity theft and misuse of personal information, making one question inevitable: Who is really in control of our data? 

The Digital Personal Data Protection Act (DPDP Act), 2023 is Indi’s response to this particular question. It is not merely seen as a regulatory statute, it signifies a shift in how technology, privacy and accountability interact in a digital democracy. In an era, where data has become the world’s most valuable asset, privacy concerns have taken centre stage. With enormous amounts of data circulating through digital ecosystems every second, there was an urgent need for resilient legislation in India to safeguard data privacy of individuals. This blog critically examines the scope, challenges and the compliance framework of the Act while positioning it within Indi’s evolving cyber law jurisprudence. 

The Legal Foundation

The DPDP Act does not emerge in isolation, it looks upon privacy as a constitutional right. The legal and philosophical roots lie in the landmark Supreme Court judgement of Justice K.S. Puttaswamy v. Union of India (2017), where privacy was recognized by the Hon’ble court as a fundamental right under Article 21 of the Constitution of India. The Court held that informational privacy, i.e. control over one’s personal data is considered intrinsic to dignity and autonomy of an individual. 

Following this, instances such as Aadhar data leak concerns, growing cybercrime trends and large-scale data breaches in fintech platforms highlighted the absence of a dedicated personal data protection regime. The Act bridges this legislative gap by translating constitutional principles into enforceable statutory obligations. 

Scope of the DPDP Act

The scope of the Act is deliberately wide. Fundamentally, the DPDP Act regulates the processing of digital personal data, whether it is digitised later or collected online at first. The Act focuses on: 

1. Key Stakeholders

• Data Principal: it refers to the individual whose data is processed. 
• Data Fiduciary: It means any entity that determines the purpose and means of the data processing. 
• Data Processor: it refers to an entity processing data on behalf of a fiduciary. 

This particular framework ensures that accountability and transparency does not stop at corporations alone and that government bodies also fall within its ambit.  

2. Consent as the Cornerstone 

 The DPDP Act mandates informed, specific, free and unambiguous consent, reestablishing the idea that personal data is not a corporate asset but and extended version of individual autonomy. This is considered particularly significant in an era where consent is often buried in unread terms and conditions. 

3. Rights of individuals 

This Act empowers citizens through rights to-

• Grievance redressal 
• Access Personal data
• Seek correction or erasure   

These rights are relevant and crucial safeguards against profiling, misuse and surveillance.  

Cybercrime and Data Misuse: Learning from Legal failures

India’s cybercrime landscape gives a strong justification for the DPDP Act. Cases related to identity theft, financial frauds and phishing scams under the Information Technology Act enacted in 2000, particularly Sections 433A and 66C, revealed the limitations of existing cyber laws. While the IT Act, 2000 penalised unauthorised access to data, it failed to comprehensively regulate and given lawful data collection and processing. 

For instance, constant breaches including customer databases of major platforms exhibited that post- harm penalties or punishment are not enough. The DPDP Act shifts the emphasis from reactive punishment to preventive compliance, compelling entities to adopt protection of data by design. 

Challenges in Implementation

Despite the progressive intention of the Act, it faces practical challenges such as- 

• Consent Fatigue- Without simplified and understandable notices and user- friendly design, the very purpose and spirit of informed consent may be diluted in a digital ecosystem that is flooded with pop-ups and permissions, and the consent risks would thereby become symbolic rather than meaningful. 
• Compliance Burden on smaller entities- large corporations have the resources to implement data audits and security systems, startup and small enterprises can on the other hand struggle, which can increase the risk of uneven enforcement. 
• Government Exemptions and Surveillance Concerns- The Act effectively allows exemptions for reasons such as public order and national security. Without strong oversight, these particular exceptions could undermine trust and revive fears of excessive state surveillance. 
• Enforcement Capacity- The efficacy and success of the Data Protection Board of India will depend highly on its independence, technological capacity and expertise, without all these the Act risks becoming toothless.

Compliance under the DPDP Act

The compliance mechanism should not be seen merely as a legal burden under the Act, in reality it becomes a strategic advantage, transforming data protection from a legal obligation into a tool for business growth, innovation and customer trust.

1. Building Trust-based digital ecosystems 

Trust is viewed as the most valuable currency in the digital age. Users seem to be conscious about how their personal and preferential data is handled. Companies tend to implement robust compliance measures signalling users that they respect value accountability and privacy. Customer trust enhances reputation of brands, attracts new users and reduces customer churn. 

2. Compliant and transparent data practices help organisations and companies avid reputational damage, costly litigation and regulatory fines. The Act empowers the Data Protection Board to impose penalties in case of violations, but those organizations that anticipate these requirements can turn risk management into a proactive strategy. Businesses can prevent breaches of data and demonstrate accountability in case of dispute by conducting regular data audits, monitoring third- party processors and mapping information flows. 
3. Operational and organisational benefits- it includes data mapping, consent management system, employee training and breach response mechanisms. Implementing these practices forces organisations to review and streamline data processes, it also increases efficiency and enhances security. 

Importance of DPDP Act in India’s Digital Future

The digital future of India lies in artificial intelligence, digital governance and data- driven policymaking. India is rapidly evolving into a data- driven economy, from digital payments to AI-based governance. Without prominent data protection , innovation risks becoming exploitative and harmful. 

The government introduction of the Act is represented as an attempt to balance technological ambition with constitutional morality, thereby ensuring that progress does not come at the cost of personal dignity and autonomy, and most importantly privacy. 

Conclusion 

The Indian citizens are now seen as digital citizens and not mere data subjects in the cyberspace. The Act formulated in 2023 denotes a transformative moment in Indi’s cyber law journey. It shifts the focus from who can collect data to who is accountable for its misuse.

Ultimately, the success of the DPDP Act is conditional not only on enforcement but also on collective responsibility of the State, citizens and corporations alike, to treat personal data with the dignity it deserves.

The post The Price of Privacy: Rethinking Data Governance Under India’s DPDP Act, 2023 first appeared on Project CyberShield.

In August 2023, India took a historic step in the digital transformation with the unveiling of the Digital Personal Data Protection Act (DPDP Act) (https://www.meity.gov.in/data-protection-framework). The Act is designed to secure personal data of citizens against the growing data society. It will strike a balance between personal privacy, technological progress and national interest. 

A New Dawn for Data Rights

The DPDP Act of 2023 was found to be the reaction of the Supreme Court to the groundbreaking decision of the court in the case of [Justice K. S. Puttaswamy v. Union of India(2017)]. Prior to this, India did not have a specific law to safeguard personal information.

The new law extends to the digital personal data, collected in India, online or offline and subsequently digitized. It also applies its jurisdiction to other organizations even beyond India provided they handle the information of Indian nationals. The Act is aimed at creating a privacy framework that is inclusive and contemporary by focusing on consent, accountability, and transparency.

Key Pillars of the DPDP Act

1. Consent-Centric Framework

The DPDP Act is based upon the principle of consent. Each person is referred to as a Data Principal and should provide free, informed, specific, and unambiguous consent to the processing of data. There are also some forms of legitimate use of data mentioned in the Act under which processing information without express consent could be allowed. These are adherence to the laws or medical emergencies. This kind of provision is flexible but must also be heavily monitored to ensure that it is not abused.

2. Data Fiduciaries and Data Fiduciary Responsibilities.

Data Fiduciaries are organizations or individuals who control the aim and method of handling the personal information. Their role involves ensuring that information is handled in a legal, correct and a well-defined purpose.

The data processors who may have access to large amounts of sensitive or critical personal information are called Significant Data Fiduciaries. Such organizations are required to undertake Data Protection Impact Assessments (DPIA) and also have Data Protection Officers (DPOs). This model can be likened to the [General Data Protection Regulation (GDPR) of the European Union]

3. Rights of the Individual

The Act gives people the right to gain access, rectify and delete their personal information. They can also delegate such rights to another individual to act on their behalf even after death. This is a progressive provision that takes into consideration the human dignity even after life.

Challenges and Concerns

1. Government Exemptions

The exemption clause of the Act is one of the most controversial points. The opponents claim that this wide discretionary authority may undermine privacy rights which the legislation is meant to establish. The assurance to the people on the fairness of law could be enhanced by independent checks and balances, judicial review, or parliamentary accountability.

2. Cross-Border Data Transfer and Sovereignty

Data localization requirements are not as strict as in previous drafts in the DPDP Act. Rather, it permits the data transfer across the borders to the countries that are officially notified by the government. 

European Union countries, like the GDPR, have more localization protection. The move by India to follow a lighter model might have to be reviewed constantly so that the international transfers would not end up undermining the rights of citizens.

3. Institutional Capacity and Enforcement 

The enforcement body is the Data Protection Board of India (DPBI): the Act describes it as such (https://www.meity.gov.in/content/draft-digital-personal-data-protection-rules2025). The Board will preside over grievances, compliance as well as punishments. Nevertheless, there are still worries regarding its self-sufficiency, technical capability and resource sufficiency.

To be successful, the DPBI should operate in an open fashion, hire competent professionals, and avoid political or corporate interference.

India in the global privacy landscape

The DPDP Act makes India one of the countries that have acknowledged the central role of privacy in digital governance. Other nations such as, Brazil (LGPD), Singapore (PDPA) and the South Africa (POPIA) have also come up with similar laws on data protection.

The Indian strategy can be said to be consent light and compliance efficient. The legislation focuses on simplicity, computer usability and flexibility over cumbersome bureaucracy. This is much easier to comply with by the companies however it also puts more responsibility on the regulators to enforce this ethically.

Challenges  & Opportunities

The implementation of the principles of privacy-by-design may help to increase customer trust and increase the image in foreign countries. Organizations that make data security a value, and not a cost to compliance, will be able to gain presence in the local and international market.

Compliance requires technical skills, infrastructure and periodic auditing that might be expensive to small companies. Employing employees, establishing redressal mechanisms of grievances, and keeping records of consent cost money.

The industry organizations like NASSCOM and others can be used to create awareness and compliance program to enable businesses to be ready to face the DPDP Act. Such cooperation will make sure that smaller companies do not lose the digital compliance competition.

From Compliance to Culture

Protecting the privacy cannot be ensured by a single law. The actual change will have occurred when organizations and individuals adopt the concept of data ethics in their day to day lives.

Educational institutions may include modules such as cyber hygiene and data privacy in their programs. Corporations ought to educate employees on how to treat information with care and people ought to be educated on how to protect their online identity.

This is the initiative by NASSCOM and Microsoft called CyberShikshaa that provides practical training in cyber hygiene and data protection (https://www.dsci.in/cyber-shikshaa). It can be used by citizens who need to be more aware and responsible in the digital environment.

Way Forward

The DPDP Act will mark the transition of the data-rich but unprotected digital ecosystem in India into the ecosystem that is based on accountability and rights. Nevertheless, it will only be successful when the enforcement is transparent, the institutions are able to enforce it and people participate in the process.

Amendments might include in the future more independent data audit, restrict government exemptions, and transparent cross-border data laws. The constant communication between policymakers, technologists, and civil society will guarantee the protection of privacy is enhanced with the new technologies like artificial intelligence and quantum computing.

To keep informed, readers may track the notifications of the Ministry of Electronics and Information Technology (MeitY) at the link below and CERT-In advisories at the link below on cyber laws and privacy laws:

Conclusion

The Digital Personal Data Protection Act, 2023 is a law regarding data. It is a fact that all Indians should be entitled to manage their digital identities. When efficiently done, it will be able to reform the relation between the citizens, corporations, and the state.

Digital empowerment will be a reality when privacy ceases to be a legal necessity, but a social value. Secrecy of data is Secrecy of people and that is the ultimate aim of a conscientious digital nation.

The post Guardians of Digital Privacy: Decoding the Digital Personal Data Protection Act, 2023 in India first appeared on Project CyberShield.

With the introduction of the Digital Personal Data Protection Act on August 3^rd, 2023, India redefined its legislative framework on data privacy. The Act laid down comprehensive provisions safeguarding individual privacy concerning the transmission of personal data, following the spirit of  K.S. Puttaswamy case ruling. However, the legislature needs to work upon certain critical areas which may rise question of accountability and transparency, regarding the functioning of the enactment.

Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 was passed with the aim to create an equilibrium and amid the right to privacy ensured under Article 21 of the Constitution of India and access to such data concerning national integrity and security. The Act underlines the commitment of Data Fiduciaries, requiring them to administer the digital personal data in such a manner that access to personal data for legal resolves and matter connected or supplementary to it, should not violate rights recognised under article 21.

Right to Privacy before the Digital Personal Data Protection Act, 2023

In the pre-independence period, there was no such provision ensuring the right to privacy, especially concerning digital data protection perceptibly, because:

1. The society was neither so complex, nor technology was much advanced and developed, that the need of recognition of such right and concerned protective measures were felt;
2. Also, as per the need of time, society wrongs like limited data protection and confidentiality in contractual agreements were governed by the Indian Penal Code, 1860 and the Indian Contract Act, 1872.

In the post-independence period, even after the commencement of the Constitution of India, for a long period of time right to privacy was not provided any comprehensive outline to govern and regulate unrestricted access to personal data, especially access to digital data. Then government tried bring the issue under legal answerability through the framework of the Information Technology Act, 2000. However, the act has serious limitations, as being restricted to “sensitive personal data” only.

Further, the Indian judiciary, by virtue of Article 32 the Constitution of India to brought the right to privacy under the canopy rights conferred by Article 21 in the verdict of K.S. Puttaswamy v. Union of India, which strengthened the ambit of security of digital personal data of individuals.

This led to the realisation among legislators, political experts, and policy-makers to devise a uniform and comprehensive enactment dealing with access to digital personal data.

Crucial Aspects of the Digital Personal Data Protection Act, 2023

Conformity with the Global Data Protection Rights – the legislation conforms with the global standard for data protection and privacy, and the domestic legislation provide for the provisions of consent of data and data principal, data fiduciary which makes it in resonance with the GDPR, with necessary refinement to fit in the Indian setting.

The Commitment of Data Fiduciary – the data fiduciaries were obliged to ensure accuracy in data transfer alongwith the authorised access to data transfer, and account and supervision over data breach. Also, to supervise the transfer of user data outside the territorial jurisdiction of the country.

The Data Protection Board – the Act provide for the establishment of a body corporate under Section 18, i.e., the Data Protection Board, to regulate, control and supervise transfer of personal data and devise remedial measures for data breach via unauthorised access.

Prioritization to individual’s right – the provision of prior consent from individuals over use and access of users’ data, and appointment of Data Principal and Consent Manager to ensure protection of ones’ right to privacy and right to live with dignity as held in K.S. Puttaswamy v. Union of India, AIR 2017.

Further, the Act tried to established an ease of doing business regime by providing clear and regulated guidelines and rules over access to personal data in align with domestic and global regulation.

Major concerns with the Digital Personal Data Protection Act, 2023

Implication on the Right to Information Act – the Act is severely critized by critique for undermining accountability and answerability due to Section 44, as it provides for amendment to Section 8 of the Right to Information Act, 2005. The outcome was that it mentioned that it was no longer governments responsibility to be answerable to the questions raised by the citizens under the Right to Information Act as Section 44 of the Digital Personal Data Protection Act, 2023 act as a blanket of immunity over the strict regulations of answerability as stipulated under the Right to Information Act, 2005.

Challenges with Cross-border Data Transfer – in case of cross-border data transfer the Act provides for mechanisms of restricted data transfer to white list countries, while strictly provides for bar on transfer of data to all those countries and corporate houses situated under those countries marked as blacklisted one by virtue of the Act. Further, it raises concern over the mechanism and apparatuses’ efficacy and competency in discharging such responsibilities without biasness. 

Dilemma of Data Fiduciaries – in balancing privacy rights in the light of exemptions granted to certain entities. The Act proved to be inadequate and inefficient in dealing with issues like data theft, pre-emptive surveillance, freedom of access to user data by corporate houses, and so on. Thus, the Act put emphasis on dispensation of individuals personal data rather than safeguarding individuals’ right to privacy.

Question over Discretionary powers to the Central Government – the Act granted unrestricted power to the Central Government in determining the pertinence of the provisions of the Act in terms of user data transfer. Despite the provision of data consent, the act provides no accountability and remain silent when it comes to access to data private entities – where and how the provided data will be utilised by them, who will be held accountable in case of data theft, misuse of data or cyberbullying.

Conclusion

In a nutshell, the DPDP Act is a landmark legislation, which tries to navigate the balance between national security and individuals’ privacy. However, the Act needs to be revised concerning the aforementioned issues and maintaining the check and balance in government power while exercising its rights and duties.

The post Whether the Digital Personal Data Protection Act, 2023 should to be revised? first appeared on Project CyberShield.

Cybercrime and the indispensable need for International Cooperation

As we step towards an intricately interconnected world of technology and AI, cybercrime has been on the constant rise as well, becoming one of the most transnational or cross border criminal activities in recent times. The widespread illicit inter-jurisdictional activities have crippled economies worldwide. The most pervasive criminal markets operate from sanctuaries beyond the reach of the law enforcement. Online servers are scattered across multiple jurisdictions. Unlike traditional offences, cybercrime transcends borders. The digital world has no territorial limit, enabling criminals to exploit this borderless nature.
Irrespective of a nation’s technological advancement, such threats cannot be solely addressed by any nation alone. To effectively combat these crimes, a growing need for resilient international cooperation is vital.

The Jurisdictional Dilemma of Cross Border Crimes

Dealing with cyber offences on an international level, the territorial sovereignty is nuanced.
While the foundation of application of criminal or civil law is jurisdiction, dealing with
cybercrimes the term- ‘jurisdiction’ becomes deeply contested. A cyber-attack may originate in one country, network through servers, and affect victims located elsewhere. The paradox arises when the crime is to be investigated- which country has the right to investigate? The country where the crime originated? Or the country with the casualties? The culprits, on purpose choose transnational pathways to shield themselves from being detected. Furthermore, different countries have varied rules and definitions while dealing with cyber offences. While some activities may be considered a serious crime in one nation, it may be legal in the other. Beyond that, things like encryption, the dark web, and anonymity tools, further intensify and obscure the origins of attack. Even if a suspect is identified, procuring evidence becomes a hassle, as more than often data is stored in foreign servers, or managed by companies operating under different obligations. This allows the offenders to escape accountability; a dilemma that has seen a vigorous rise in recent times, a predicament nonetheless.

Current Prevailing Multilateral Mechanisms and Frameworks for Legal Cooperation

The International community has recognized the crucial need for statutory frameworks to counter these challenges. The most conspicuous amongst all the established cooperation mechanisms is the Budapest Convention on Cybercrime, 2001. It is the first internationally binding treaty on crimes committed on the Internet and other computer networks, dealing particularly with infringements of copyright, computer related fraud, child pornography and violations of network security. The Preamble, of The Council of Europe-Convention of Cybercrime, states that they recognize the need to cooperate with other parties to the convention, and must pursue a common criminal policy aimed at the protection of society against cybercrime, by adopting appropriate legislation and fostering international cooperation. Additionally, The Second Additional Protocol to the Budapest Convention, 2022 intended to improve the operational effectiveness of the Convention by providing a legal basis to enhance the speed of sharing digital evidence and to
deepen cooperation on trans-border investigations for all internet-enabled crimes.
The ASEAN and African Union have established cyber security strategies focusing on capacity building and developing regional frameworks. The African Union Convention on Cyber Security and Personal Data Protection, is a strategic framework for delivering on Africa’s goal for inclusive and legally binding approach to cybercrime. ASEAN’s approach to dealing with cyber offences is characterized by a comprehensive structure with concrete initiatives and support to advance cyber readiness, build trust, and develop regional capacity. The ASEAN Cyber security Cooperation Strategy (2017-2020) was written to provide a roadmap for regional cooperation to achieve the objective of a safe and secure ASEAN cyberspace. Countries now enter into MLATs- Mutual Legal Assistance Treaty(ies). They are formal investigation requests made by states for access of data located in another country for the sake of investigation.
A total of 42 countries have signed an MLAT with India. However India is not a member or a signatory of the Budapest Convention of Cybercrime, declining to participate citing concerns about national sovereignty and data privacy.

Inadequacies of the current framework

Despite the existence of multiple international mechanisms, various gaps linger. Countries often lack compatibility in preserving digital evidences, making it inadmissible to the courts. In spite of numerous multilateral agreements, the process of sharing the evidence is extremely slow and tedious. These delays, often extending across months or years, render the evidence unusable. Additionally, adoption of these frameworks is not uniform across different countries, limiting cooperation amongst nations and creating vulnerable systemic loopholes that can be exploited. 

Moreover, geopolitical tensions significantly affect cooperation. More often than not, the suspected perpetrators are located in regions that refuse to cooperate with the investigation or deny their participation. Finally, the differing views of different countries on privacy, surveillance, etc. builds tension between countries. These weaknesses and inadequacies collectively create an environment of minimal risk for cybercriminals to function as they fit.

Case Studies

A Russian hacker hacked a U.S bank in 1994, making it possibly the first online bank robbery. Customers of the bank discovered a total of $400,000 missing from their accounts. A total of 40 illegal transactions were identified, adding up to a whopping $10 million.

In December 2024, Cyber-attacks on Indian government entities increased by 138% between 2019 and 2023, rising from 85,797 incidents in 2019 to 2,04,844 in 2023, according to the Indian Ministry of Electronics and IT.

In February 2025, North Korean hackers stole $1.5 billion in Ethereum from the Dubai-based exchange “ByBit”. Attackers exploited a vulnerability in third-party wallet software during a fund transfer, laundering at least $160 million within the first 48 hours of the attack. It is the largest cryptocurrency heist to date.

The total value lost to cybercrime yearly is now comparable to the gross domestic product of major economies. As this financial impact continues to grow exponentially, with projected costs expected to more than double in just a few years, the resulting parallel economy funds further criminal innovation and attracts more participants to these illicit activities. It comes as no surprise that as digital technologies become increasingly embedded in our daily lives, the traditional boundaries between cybercrime and conventional criminal activity continue to disappear. Even crimes once considered purely physical now incorporate cyber elements. 

Roadmaps towards an effective International Cooperation

First and foremost, countries must work toward harmonizing cybercrime laws, ensuring consistent definitions and penalties for cyber offences.

Uniformity reduces uncertainty and conflicts. A joint taskforce and strengthened cooperation is a necessity. 

Timely information exchange is important to detect and mitigate crimes. 

Capacity building is essential as many countries lack proper resources. Nations while ensuring international cooperation must simultaneously ensure the privacy and rights of their citizens. 

Effective cooperation must protect civil liberties and nations must maintain accountability.

Conclusion

Cross border Cybercrimes have presented an unprecedented challenge for all the countries. Combating these evolving threats Continue to pose significant challenges for law enforcement agencies worldwide. Criminals hide behind layers of anonymity and mask their identities, thus hindering investigation. Detecting and mitigating cybercrimes requires a coordinated effort and action. A collaborative ecosystem and a harmonized global approach are the only sustainable methods to ensure security and safety in the digital realm.

The post The Paralyzing crisis in the Digital World – A rising requirement for International Legal Cooperation first appeared on Project CyberShield.