Cyber Laws For Data Protection And Privacy Concern

Written By: Ritwik Ghosh [1]

The way information is communicated from one person to another has been continuously evolved and modified by technology. Cyberspace, or the internet, has become a gateway to global information that is just one click away. The growing use of the internet increases the concern and challenges regarding one’s privacy in the virtual world, and privacy rights now have a much wider reach. Internet users all over the world are exposed to the threat of breach of privacy, as there is no territorial limit that draws a line between the commission of a crime in different countries; the matter has therefore moved beyond the domain of a national problem and has become a global issue. Owing to the large-scale use of the internet and developments in technology, more and more people are joining social networking sites and engaging in activities like image sharing and chatting, and networking sites like LinkedIn, Facebook, Instagram and Twitter have the ability to store huge amounts of data regarding the personal information of their users. Threats such as malware attachments and email frauds that seek to invade one’s personal information are among the malicious acts that breach privacy. Companies use “cookies” to obtain the personal information of the user or viewer of a website and to maintain a database for marketing purposes. It is high time to address the collection and storage of data that users of the internet provide to the World Wide Web. This research aims to explore and examine the problems faced in ensuring cyber security from the viewpoint of user privacy and data protection.

Keywords: Cyberspace, Privacy, data storing, cyber security.

Data Protection Laws: A Global Scenario

The European Union introduced the General Data Protection Regulation on the 25th of May, 2018. It applies not only to companies within the European Union but also to any company that collects and processes the data of Europeans, offers services to the European Union, or monitors the activities of the people of Europe. The GDPR became well known among businesses both inside and outside the EU because of the significant penalties it imposes: a breach of its standards can lead to a penalty of twenty million euro or four per cent of global turnover. The GDPR makes it compulsory for companies to obtain consent from individuals before collecting their information. European citizens have a stronger right to object to online profiling, so companies that collect and process data have to put more effort into justifying processing done without consent. It grants residents the right to data portability. Undertaking privacy impact assessments for the processing of high-risk data is an obligation for all companies, and where the risk cannot be mitigated by the said means they must consult the relevant Data Protection Authority (DPA). It also suggests that companies appoint a Data Protection Officer (DPO) or produce a document stating why a DPO is not required. Any data breach must, where feasible, be reported to the DPA within seventy-two hours of the breach, and any individual placed at high risk by the breach must also be informed. In the United States, President Trump invalidated the Internet Service Provider (ISP) rules issued by the Federal Communications Commission during President Obama’s term. In 2017 the United States again topped the list in privacy enforcement actions and litigation, and the data breaches it experienced call for proper investigation and increased attention to data security and protection.
In 2010 Chinese law made privacy violation a tortious liability and the unauthorised selling and acquisition of data a criminal offence. However, the Chinese Court held that the use of cookies for targeted advertising cannot be claimed as a breach of privacy under Chinese law. While China debated whether to follow the consumer data protection model of the United States or that of Europe, it established its Cyber Security Law on the 1st of June, 2017, which includes stringent provisions against cyber threats and also provides penalties for the transfer of data across borders. Japan introduced the Privacy Protection Act 2016, which largely follows the European model; it was enforced on the 31st of March, 2017, bringing drastic changes in the field of data transfer and data collection. The above paragraphs highlight only some of the notable cyber security developments; there is no doubt that many other legislations and activities exist throughout the rest of the world.

INDIAN OVERVIEW OF DATA PROTECTION LAWS

Information Technology Act 2000

The Information Technology Act 2000 does not provide any clear-cut definition of data protection; it was enacted to bring e-commerce under the legal domain of the country. However, some of its provisions can be related to data protection. For instance, section 43 of the Act deals with the penalties charged for any kind of damage caused by a person who, without the consent of the owner, accesses a system or computer network, introduces any contaminant or virus into the system, extracts data from the system, or destroys or disrupts the working of the system. Section 66 of the Act deals with the punishment for committing any offence mentioned in the above section, i.e. any person who fraudulently commits any offence described in section 43 shall be served with imprisonment of five years, a fine of up to five lakh rupees, or both. In 2008, the Amendment of the IT Act brought two new sections that provided a remedy to people who suffer loss of data due to inadequate protection. Section 43A deals with compensation from a ‘body corporate’ that processes and handles personal data, is negligent in implementing ‘reasonable security practices’ and thereby causes gain or loss to anyone; the person affected by the negligence of such a body is paid compensation. Section 72A of the Act provides punishment for any person (including an intermediary) who, while acting under the terms of a contract, has gained access to material containing the personal information of another person and discloses that information without the consent of the person concerned, knowing that it will cause damage to that person, or in breach of the lawful contract; such a person shall be served imprisonment that may extend up to three years, a fine of up to five lakh rupees, or both.

Information Technology Rules, 2011. 

These Rules were made for the purpose of reasonable security practices and sensitive personal data or information. Rule 3 provides guidelines on what can be classified as sensitive personal data: it directs that any information containing passwords, bank details or payment instrument details, medical reports or medical history, or biometric information, and any of the above details provided to the body corporate for any service or under a lawful contract, can be deemed sensitive data. One must remember that any data which can be accessed by the public at large, or is provided under the Right to Information Act, cannot be termed sensitive data. Rule 4 states that the body corporate should provide a policy for the disclosure of information, i.e. where the body corporate possesses or stores information of a sensitive nature received from the provider of such information, the recipient should provide a privacy policy for handling that information. Such a policy should contain easily accessible statements of the body corporate’s practices, the type of information gathered, the purpose of such collection and, lastly, the security measures adopted for the protection of such sensitive data. Rule 5 deals with the collection of data: the body corporate, or the person assigned on its behalf, should obtain consent in written form (fax/email) from the person providing his/her personal information and should clearly specify the purpose of obtaining such information. They are not entitled to collect data unless the information is obtained for a lawful purpose and is a necessary requirement for fulfilling that purpose. Sub-clause (3) of this rule ensures that the person concerned has full knowledge that the information is being collected, the purpose of such collection and the recipients of the information.
The rule further states that the one in possession of the collected data should not use or retain it beyond the time required, and confirms that the information should be used for the sole purpose of its collection; the recipients must also allow the information provider to review their personal data. The person who gives such information has the right to withdraw consent at any time while availing the services, and the body corporate is responsible for keeping the sensitive information secure. Rule 6 provides that the body corporate should obtain consent from the provider of the information before sharing such data with a third party. The information can be shared without the prior consent of the provider with government agencies mandated to obtain information, including the personal information of the provider, for the purpose of prevention and investigation of cyber offences and in relation to their prosecution. The agency should clearly state in writing the necessity for possessing the personal data, and should also specify that the data will not be published or transferred to any other person. The rule prohibits the body corporate from publishing such sensitive data. Rule 7 states that the body corporate, or any person on its behalf, can share the sensitive information with any other body corporate or person, provided that the recipient ensures the same type of data protection structure as provided under these Rules, and only if such sharing is necessary for the performance of a lawful contract. Rule 8 provides that the body corporate, or any person assigned to collect sensitive information on its behalf, should comply with reasonable security standards and should have a comprehensive documented information security programme and policies that cover technical and physical security; they are required to demonstrate their security structure and measures when called upon to do so by an agency mandated under the law for this purpose.
One such standard is the International Standard IS/ISO/IEC 27001; any company following its own tailored security programme must have it approved by the Central Government.

National Security Policy, 2013.

The preamble of the policy defines cyberspace as an environment consisting of people, software and services linked by the worldwide distribution of information and communication technology (ICT) devices and networks. The government expects cyberspace to become more complex in the near future; given the benefits derived from technological advancement, it devised a policy that could overcome the difficulty of drawing boundaries between these groups. Information technology is one of the most important sectors in cyberspace and has become a dominant factor in boosting India’s economy. Besides its contribution to the economy, it has played a significant role in positively influencing people’s lives in socio-economic ways, such as employment and a rising standard of living, influencing lives both directly and indirectly. The sector plays a major role in raising India’s image to that of a global player in providing world-class technology solutions and related services, for example mobile banking as part of the financial structure. Plans for rapid social transformation aim to secure India’s prominent role in the IT market by focusing on the growth of the sector and on creating secure environments that build confidence in electronic transactions. It is no secret that cyberspace is open to incidents that may be either accidental or intentional, and the data present in it can be used by nation-state and non-state actors. Cyber attacks on infrastructure or on a nation’s economy can deplete resources and undermine confidence in the supporting structure. A cyber issue of national significance, such as an organised cyber attack or malicious software code, can cause damage or have a huge impact on the nation’s infrastructure, and large cyber attacks can also hinder the working of both the private and the public sector. Examples of such attacks include phishing, hacktivism, social engineering, etc.
It is therefore important to maintain the integrity of data. Various steps had previously been taken to this end, but the government decided to combine these efforts and bring them under one banner, the National Security Policy. It serves as an umbrella framework for inspecting and monitoring actions that relate to and directly affect the security of cyberspace. It sets out the government’s approach to the strategic and planned protection of cyberspace and aims at enhancing the cyber security standards of the country.

Objective and vision

The vision of this policy is to provide citizens, businesses and government with a secure and flexible cyberspace, with the mission of protecting information and information infrastructure in cyberspace so as to make it immune to cyber threats. Its objectives are:
(I) To design a cyber ecosystem secure enough to build confidence in IT systems, leading to the enhanced adoption of IT in all sectors of the nation.
(II) To design an assurance framework for the design of security policies and for taking the steps required to match global security standards and conform to best practices.
(III) To enhance the security mechanisms for obtaining information about threats to cyberspace and to create different scenarios for response, and to establish a National Critical Information Infrastructure Protection Centre (NCIIPC) that operates 24*7 for mandating security practices related to the development and operation of information resources.
(IV) To secure ICT by developing technology, diffusion, commercialisation, etc.
(V) To build an infrastructure that improves the visibility of the integrity of ICT products by testing the security of such products.
(VI) To employ 50000 professionals in this sector in 5 years and to develop their skills through capacity building and training.
(VII) To encourage standard security practices and processes in businesses by providing them fiscal benefits.
(VIII) To reduce economic losses due to cyber crime or data theft by enabling the protection of information and safeguarding the privacy of citizens.
(IX) To make users responsible through effective communication and promotion strategies.
(X) To promote and leverage relationships for enhancing global cooperation.

Strategies

(A) Creating a secure cyber system: establishing a national nodal agency with the purpose of managing cyber security and defining its roles and responsibilities; encouraging all sectors of the economy to appoint a Chief Information Security Officer (CISO) responsible for cyber security efforts and initiatives; having organisations earmark a specific budget for cyber security initiatives and for meeting emergencies during a cyber breach; and, as the next step towards the objective, building a system that detects cyber security issues and supports their restoration processes.
(B) Creating an assurance framework: securing cyberspace by adopting the world’s best practices in information technology; reducing risk through proper risk management, business continuity management and cyber crisis management; and creating conformity assessment for establishing best practices in cyber security.
(C) Encouraging open standards: providing a consortium of the private and public sectors to create open standards in the IT sector and to facilitate data exchange between different sectors.
(D) Strengthening the regulatory framework: establishing a dynamic legal framework to face cyber security challenges, so that problems arising out of technological developments can be tackled easily, together with periodic evaluation of the IT structure to assess the strengths and weaknesses of the system.
(E) Creating mechanisms for security threat early warning, vulnerability management and response to security threats: creating a nodal agency that provides the required assistance 24 hours a day (National Legal Computer Emergency Response), responsible for operating national-level systems and mechanisms to counter potential cyber threats; promoting coordination between all sectors to counter cyber crisis situations; and facilitating cyber security drills at the country and entity levels.
(F) Securing e-governance services: using Public Key Infrastructure for communication and transactions within the government and employing professionals for e-governance initiatives.
(G) Implementing steps for the integration of business plans with critical information infrastructure, including mechanisms that establish the secure flow of data, data processing, etc.; for this plan to succeed the NCIIPC should operate 24*7 for the protection of companies’ infrastructure, with certification of all security rights from the CISO/CSO and the design of a software development process that matches the global level.
(H) Promotion of research and development in cyber security: catering to all long-term and short-term goals, setting up centres of excellence for strategic ideas and innovative, tailor-made security solutions targeted towards the foreign market, and collaborating with industry in joint research and development in frontline techniques and solution-oriented research.
(I) Reducing supply chain risks: building relationships with system vendors and service providers with the purpose of enhancing end-to-end supply chain security visibility, to create a cyber environment free from threats and vulnerabilities.
(J) Human resource development: developing educational programmes and training sessions in both the formal and the informal sector to cater to skill development in key sectors.
The other strategies include plans for enhancing public-private partnership, coordination and cooperation in sharing information, and adopting an approach that addresses the most critical areas first.

Judgment Securing Right To Privacy

The word “Aadhaar” is associated with a card by which any person can be identified. It provides a unique identity to a person and claims that it can be used to enter into transactions without any other document. The concept was developed in 2006 and was finally launched with the formation of the Unique Identity Authority of India in 2009, but according to a section of society the concept of Aadhaar is a direct attack on their right to privacy and on democracy, which is the essence of the Indian Constitution. The Aadhaar structure was mainly challenged by retired Justice K.S. Puttaswamy and Mr. Pravesh Khanna at a time when the scheme was not protected by legislation; they challenged the constitutionality of the Aadhaar Act on the ground that it violated Article 21. In 1954 an eight-judge bench had declared that the right to privacy is not a fundamental right. On the 11th of August, 2015, Justices Chelameswar, Bobde and C. Nagappan passed an order that the above judgment should be referred to a bench of nine judges. On the 24th of August, 2017, the bench collectively recognised the right to privacy as a fundamental right guaranteed by the Constitution of India under Article 21 in particular and Part III as a whole, and the decision of 1954 was therefore overruled. Although the decision was unanimous, the verdict consisted of six separate concurring judgments. Justice Chandrachud and the judges joining him acknowledged that notions like liberty and dignity give rise to fundamental rights. Privacy is associated with an individual’s right to control his/her personality, and the right makes it a duty for the State to safeguard the privacy of the individual. The judgment in ADM Jabalpur vs. S.S. Shukla was overruled to the extent that it held that the right to personal liberty can be surrendered in an emergency. One must remember that the legal recognition of the constitutional status of privacy rights does not amount to the appropriation of legislative functions.
In an age where the lives of individuals are governed by information technology, it is essential for the Constitution to evolve in order to face the challenges and meet the requirements of today’s age. In Justice Chelameswar’s opinion, some rights are given the status of fundamental rights in order to guard the basic rights from the intervention of the State, and if privacy is absent then freedom has no meaning. The right to privacy finds resonance in the freedoms mentioned in Part III. Privacy is also subject to limitations, and these depend on the nature of the privacy interest claimed. Finally, according to Justice Bobde, the moral interests inherent to human beings are guarded by natural rights; therefore the right to privacy should be elevated to the position of a fundamental right irrespective of its being a legal or common law right. Privacy is the basic condition necessary for personal liberty.

Data Protection Bill, 2019.

The Personal Data Protection Bill, 2018 was issued by a committee of experts with Justice B.N. Srikrishna as its chairman. The foundations of the bill were laid in the judgment in retired Justice K.S. Puttaswamy vs. Union of India, which declared the ‘right to privacy’ a fundamental right guaranteed by Article 21 in particular and Part III in general. The bill defines personal data as any data by which a person can be directly or indirectly identified or that could relate to the data principal. Processing of data is defined as collection, usage, structuring and all other activities or operations performed on personal data. Sensitive Personal Data (SPD) contains all the previous categories of financial, medical and similar data along with a few additions, including genetic data, biometrics, caste or tribe, etc. The bill does not extend to irreversibly transformed data from which the Data Principal can no longer be identified; such data is referred to as anonymised data. Section 2 of the bill defines consent, which is to be obtained before processing any personal data or SPD; the consent should be explicit in nature, and a data fiduciary cannot obtain any personal data that is not required in the context of the performance of a contract or the provision of goods and services. Contractual relationships are not included as a ground for processing data, as they are in the case of the GDPR. The bill also contains a provision that prohibits data fiduciaries from processing SPD containing biometric data (as mentioned by the Central Government). SPD may be processed to carry out any function of the state legislature or Parliament, any function of the State authorised by law, or for issuing certificates or licences to the data provider. Data may also be processed for tackling medical emergencies of individuals, for the employment of persons, or for any other purpose mentioned and authorised by the DPA.
In the case of processing the personal data of children, parental consent is a must, and any data fiduciary operating a commercial website that targets children for online services is prohibited from profiling and advertising. The data principal has various rights: section 24 of the bill states that the provider of the information should know the scope and purpose of the collection of personal data and should be aware of the risks associated with it, and the data principal has the right to access the data. Section 25(1) makes it obligatory for the data fiduciary to notify the DPA of any data breach and also to notify the data principal if the breach is likely to cause high risk or damage to the individual. Disclosure of personal data can be restricted by an adjudicating officer by passing an adjudication order. The bill makes it compulsory for all data fiduciaries to establish transparency measures under Section 8 of the bill; based on the volume and sensitivity of the data processed, the DPA may designate some data fiduciaries as Significant Data Fiduciaries. Certain personal data must remain only on the servers specified, and cross-border transfers of data are based on contractual arrangements made in compliance with DPA standards. The bill also contains a provision that permits the processing of data for investigation, prosecution or other lawful purposes.

The Data Protection Authority, or DPA, is an independent regulatory body established to perform duties that include setting the parameters that define SPD and the criteria for identifying it, defining rules and regulations of practice, establishing security standards, and overseeing contractual agreements and cross-border transfers. The bill also provides penalties and damages for data breaches. In civil cases it defines two slabs of penalty: the first is a sum of rupees 5 crore or 2% of worldwide turnover, and the second is a lump sum of rupees 15 crore or 4% of total worldwide turnover. The bill also provides compensation for the damage caused to the data principal by the breach. Under the criminal provisions, imprisonment of three to five years is the punishment for intentionally obtaining, disclosing or selling personal data, and the bill also defines a new offence known as ‘de-identification’. This bill aims at making revolutionary and significant changes in data processing and data protection in India, and it also aims at phased implementation, i.e. some functions of the DPA will come into action immediately after the bill is enforced.

CONCLUSION

In India the concern for data protection is growing rapidly and efforts are being made to match global efforts. The Information Technology Act 2000 and the Information Technology (Amendment) Act did not directly contribute to the safeguarding of cyberspace; this idea was developed and nurtured in 2013 by the proposal of the National Security Policy and its guidelines. In 2016 the Digital India campaign, planned with the motive of boosting the economy, gave rise to queries regarding the safety of cyberspace and data protection, as did the amendment of the taxation act that made it compulsory for individuals to link their PAN (Permanent Account Number) with their income tax return. In 2016 India’s active participation in, and selection as a member of, the United Nations Group of Governmental Experts (GGE) in order to identify the ‘rules of the road’ for cyberspace marked a great shift of concern towards cyber security. The Aadhaar Act of 2016 faced a number of petitions challenging the constitutionality of the Act, and this led to one of the historic decisions which gave judicial protection to the ‘right to privacy’ and declared it a fundamental right. Finally, the Data Protection Bill published on the 11th of December, 2019 is a great step by the government towards data protection, but sadly the bill remains pending in the Lok Sabha.

REFERENCES

[1] Amity Law School, Noida

Acts of the Parliament

  • The Information Technology Act 2000, No. 21, Acts of the Parliament (2000), India.
  • The Information Technology (Amendment) Act 2008, No. 10, Acts of the Parliament (2008), India.
  • National Security Policy, File No 2(35)/ 2011.
  • The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, No. 47, Acts of the Parliament (2016), India.
  • The Data Protection Bill 2019, Bill No. 373, introduced in Lok Sabha (2019), India.

Judgments

  • Justice K.S Puttaswamy vs. Union of India, Writ Petition (CIVIL) No. 494 of 2012.

Journals

  • Alan Charles Raul, The Privacy, Data Protection and Cyber Security Law Review, Fourth Edition (December 2017).