In a move addressing the growing threat of cybercrime and data vulnerability, the Supreme Court of India on Tuesday directed the Ministry of Electronics and Information Technology (MeitY) to consider a public interest litigation (PIL) seeking a comprehensive mechanism to recover or destroy stolen personal data of citizens currently stored on foreign servers.
A bench comprising Chief Justice Surya Kant, Justice Joymalya Bagchi, and Justice Vipul M Pancholi directed the petitioner to approach the government directly, noting that the highly complex issue falls under administrative and technical domains rather than judicial ones.
The PIL was filed by Nitish Kumar, a cyber security consultant, who argued the case himself. Kumar presented a chilling picture of how leaked Indian data is being exploited globally. He submitted that sensitive personal information—including fingerprints and other personal identifiers—has been stolen by entities operating in at least five foreign countries.
According to Kumar, this compromised information is actively being “weaponized” against Indian citizens to execute sophisticated transnational crimes, most notably “digital arrests” and extortion schemes.
During the hearing, the bench pointed out the geopolitical hurdles in prosecuting foreign-based cybercriminals, observing, “Unless there’s an extradition treaty,” the accused individuals cannot be brought to India to face the law.
In response, Kumar emphasized the urgent need for local containment and mitigation. “If we cannot bring the data back, we can at least restructure and save it,” he argued.
While acknowledging the gravity of the issues raised in the petition, the Chief Justice-led bench declined to entertain the PIL directly, stating that the matter pertained almost entirely to information technology and lacked purely legal aspects.
“The issue being highly technical in nature, it seems to us that an effective course will be to approach the Ministry of Electronics and IT,” the bench observed. “Let this plea be given as a supplementary representation. They shall consider it.”
By disposing of the plea, the court granted Kumar the liberty to submit his petition as a supplementary representation to MeitY, ensuring his technical insights reach the policymakers equipped to handle them.
The petitioner’s plea outlined several crucial interventions aimed at safeguarding citizen data and bringing systemic reforms, including:
- Data Recovery and Destruction: A formal directive to the Centre to actively recover or destroy stolen personal data residing in foreign jurisdictions.
- Activating the DPDP: The immediate operationalisation of the landmark Digital Personal Data Protection (DPDP) Act, 2023, to mitigate the rise of data-breach-linked extortion.
- Specialist Oversight: The constitution of a Special Investigation Team (SIT) dedicated to monitoring and investigating major data theft cases.
The Supreme Court noted that Kumar has already brought these matters to the attention of the Union government through previous representations, detailing how a robust, forward-looking mechanism can protect future data and destroy compromised information to prevent ongoing misuse.
