CYBER SECURITY AND DATA PROTECTION LAWS: PROTECTING THE VIRTUAL BORDERS

Written by Prajakta Bharsakade [1]

Abstract

Technological development has certainly made life easier in various ways. But with services ranging from net-banking to social networking sites, the risk of cybercrimes increases tenfold. This paper aims at analyzing the data protection legislations of multiple countries across the world to help construct synchronized data protection laws throughout the globe. Cyber attacks can be directed towards any country or organization in the world regardless of the geographic location of the perpetrators. This makes cyber crimes borderless, demanding urgent international collaboration between law enforcement agencies and harmonization of cyber laws. The major method used for this study is the research and analytical method, resulting in a cohesive compilation of the relevant data on the concerned subject. The results showed that drastically different cyber laws among different countries are a hindrance to the development of a secure cyberspace. This study definitively answers the question of whether synchronized data protection laws are needed. Further studies are needed regarding how such synchronization can be brought about.

Keywords: Cyber security, data protection laws, privacy laws, harmonization of laws. 

Introduction to Cyber Security

Situations like the 2020 Corona Virus pandemic make us realize exactly how significant technology is to our lives. From online classrooms to work-from-home policies, we mainly see the world through our computer screens now. The protection of our privacy rights and, ultimately, of cyberspace through cyber security is the need of the hour.

The term cyber security was popularized after the former US President Barack Obama used it in his White House press release in 2009. He said, “I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with appropriate activities, events, and trainings to enhance our national security and resilience” [1]. The disjointed form of the word, i.e. “cyber security”, is more common in Google searches than the joint form “cybersecurity” [1].

The term cyber security did not have a universal definition for a long time. But Schatz, Bashroush and Wall have constructed a satisfactory definition which goes as follows: “The approach and actions associated with security risk management processes followed by organizations and states to protect confidentiality, integrity and availability of data and assets used in cyber space. The concept includes guidelines, policies and collections of safeguards, technologies, tools and training to provide the best protection for the state of the cyber environment and its users” [1]. Simply put, cyber security entails all the activities and measures involved in protecting computers, their networks and the data they contain and communicate, from all types of cyber threats and attacks [2].

With technology playing such a vital role in our lives, the evil of cyber attacks has a greater chance of presenting itself, and cyber security becomes necessary. Cyber threats like phishing, data breaches, spoofing, DoS and DDoS attacks can be checked and prevented by implementing proper cyber security techniques. Data breaches occur when cybercriminals gain unauthorized access to sensitive and private data. These cybercriminals are undoubtedly accountable for the damage data breaches cause, but the companies processing and storing the data are also held liable for lack of proper security measures. Thus, cyber security is a means to ensure data protection.

Cyber security can be achieved through installation of firewalls, anti-malware, anti-spyware and antivirus software, among many other options. Cybercrime legislations also play an important role in building cyber security. While 154 (79%) countries have enacted cybercrime legislations, the adoption rate varies by region. Europe has the highest adoption rate (93%), while Asia and the Pacific have the lowest (55%) [3].

Data Protection Laws around the world

Privacy and data protection have never been more recognized than in today’s digital age. The acts of collection, use and sale of data by various entities without the consent of consumers are worrisome. To restrict such unethical practices, 132 out of 194 member countries of UNCTAD (United Nations Council for Trade and Development) have put data protection laws in place. UNCTAD’s statistics show the varying adoption rate of data protection laws around the world. In Africa, 27 of the total 54 countries have data protection legislations, making the adoption rate 50%. On the other hand, the Americas have an adoption rate of 69% as 24 out of 35 countries have privacy laws. The adoption rate of the Asia-Pacific is 57%, with 34 of 60 countries having privacy laws [4].

Asia: The Association of South East Asian Nations (ASEAN) was formed under the UNO for South East Asian nations to work in co-ordination for the convenience of e-commerce. ASEAN also focuses on harmonizing laws in the South East. Malaysia was the first country to pass privacy legislation in 2010, preceding the Philippines and Singapore in 2012. Indonesia and Viet Nam both have partial privacy legislations enclosed in their e-commerce laws, but they do not provide the full scope and detail that a proper privacy law would. Thailand and Brunei Darussalam have initiated discussions on draft legislations, while Cambodia, the Lao People’s Democratic Republic and Myanmar have shown the least development in this field [5].

Latin America: Brazil, which is at the forefront regarding privacy legislations in Latin America, passed the General Data Protection Law (LGPD) in 2018. It closely resembles the European Union’s General Data Protection Regulation (GDPR) and has been in effect since August 2020 [6]. It introduces some new rights like the right to access, the right to data rectification and the right to revoke consent previously given. It also introduces some new grounds for lawful data processing [7].

USA: Every State in America has its own data protection law. But the California Consumer Privacy Act (CCPA), which was enacted in 2018, is among the most inclusive privacy legislations. Its aim is to expand the ambit of consumer privacy legislations to the Internet [6]. Under this Act, consumers can check and ask for the deletion of information that businesses collect about them. They can opt out of the sale and sharing of their data and sue companies for using their stolen data or for negligently handling their data [7].

Europe: While each country in Europe has its separate data protection law, the members of the EU are obliged to follow the General Data Protection Regulation (GDPR). The law requires the nations, among other things, to set up Data Protection Agencies (DPA) and enable them to make binding decisions regarding penalties and fines. Businesses should notify the DPAs and data subjects, i.e. people identified or identifiable by reference to identifiers such as a name, an identification number, location data, etc. [8], about data breaches. It also gives data subjects the right to object to information processing and requires active consent from them [7].

Jurisdictional issues

Even though almost all parts of the world are covered by privacy legislations, data breaches and other privacy violations and cybercrimes are often international in nature. Also, that which is legal in one country may be illegal in another. This makes the question of jurisdiction complicated and the administration of justice delayed. The question remains: How should cyberspace be governed and by whom? Two opposite visions of cyberspace have come forth so far: Russia and China support a sovereignty-based cyberspace which emphasizes State control, while the USA, UK and its allies contend that cyberspace should not be governed by States only [9].

The jurisdictional dilemmas produced by border-crossing electronic communications can be resolved by one simple principle: “conceiving of cyberspace as a distinct ‘place’ for the purposes of legal analysis” [10]. This new view would eliminate the need to find out “where” in the geographical world a cybercrime was committed. Instead, the more pertinent questions will be: What rules are appropriate for the particular characteristics of this new place and the people who perform various kinds of activities there? What mechanisms exist or need to be developed by which these rules can be enforced? [10]

A possible answer to the questions above may be this: The role of private parties in cyberspace governance should be through multilateral governance. The domain of cyberspace should be governed by treaties. Military activities in the domain should be regulated through some level of demilitarization [9].

Differences in Data Protection Laws 

Following are some differences between the GDPR and other privacy legislations/bills:

Vermont Act 171 of 2018 Data Broker Regulation: This Act does not require data brokers, i.e. businesses which collect and sell the data of individuals they are not directly related to, to get active consent from users of such services. The GDPR, however, requires active consent to be sought [7].

California Consumer Privacy Act (CCPA): The GDPR is mostly concerned with data collection and processing while the CCPA focuses more on the sale of data [7].

Brazilian General Data Protection Law (LGPD): The LGPD gives businesses shorter time-periods than the GDPR for notifying of data breaches and complying with data subjects’ requests [7].

India Personal Data Protection Bill: Effective in 2020, this bill has many debatable clauses. But the major difference is that sensitive personal data (biometric data, health data, etc.) cannot be stored overseas without contracts to that end [7].

There are also some similarities among these privacy laws and policies of democracies, especially the United States and Europe. For example, there is general agreement as regards the treatment of personal information based on certain core principles called the “First Principles” and four main standards, namely, “1) data quality, 2) transparency or openness of processing, 3) treatment of particularly sensitive data and 4) enforcement mechanisms.” However, there is no universal definition of various terms like “personal information” and “sensitive data” [11].

Even though the privacy laws of various countries seek to achieve good governance of the cyberspace by fulfilling these standards, the approaches of governments are considerably different. The US has a market-based approach while Europe implements a rights-based approach. The privacy regulations of a country reflect the roles it wants the State, market and individual to play in the democracy [11].

Countries interpret the First Principles differently and so the national privacy laws become different. The execution of those laws is yet another issue. The interpretation of elements like personal information and transparency is inconsistent. Further, the data protection agencies have varying powers depending on the country. All these issues hinder the regulation of data flow on the Internet [11]. 

The International Anti-cybercrime Network

While there may be differences in legislations, a study by Dupont shows a proliferating network of countries joining forces with their peers to check cybercrime. These networks, which include four main organizational actors, namely national law enforcement agencies, international organizations, private companies and NGOs, undertook initiatives to combat cybercrimes through various strategies like information sharing, regulatory and legal activities and criminal investigations. The study also points out that while most of these operations were initiated by international organizations and government agencies, overwhelmingly large numbers of them were initiated by private corporations, indicating that “private interests overwhelmingly own and operate the infrastructure and services that enable the internet” [12].

The great and middle powers such as the UK, Italy, France, Germany and the Netherlands have great influence over this network comprising 204 countries. Despite being a political and economic superpower, the US does not play a very important part in this network. The UK and Canada are two major influences in this network due to their diverse relations and commitments with several other countries. China and Russia, which are often cited as the origin of a disproportionate share of cyber attacks, do not show much participation in these anti-cybercrime initiatives despite being economically and technologically capable [12].

International organizations such as Interpol and Europol collaborate with various IT enterprises to gather intelligence and additional expertise. However, this raises serious privacy concerns. Multinational corporations like Microsoft and Symantec play major roles in forming computer incident response teams like FIRST (Forum of Incident Response and Security Teams). But, as Dupont points out, these networks are very fragmented. For instance, NGOs fighting child pornography and sexual exploitation are seldom connected to the giant corporations which are most concerned about online frauds and data breaches [12].

Attacks on Civilian Privacy

Laws are enacted primarily for better governance, but some countries seem to be violating the privacy and other human rights of their citizens by abusing these very laws. Russia shutting down the internet in 2016 and 2018 and Saudi Arabia hacking into a dissident’s phone are grave violations of privacy [13]. The Internet is a vital medium for people to express their opinions, learn and access social services. Government hacking infringes on these fundamental rights of people. UN Secretary-General António Guterres, at an informal meeting regarding cyber security held in Estonia, said “new technologies are too often used to violate rights.” [13]

China is an example of this. Police in the Xinjiang district of China have an application which is a part of the IJOP (Integrated Joint Operations Platform), the main intelligence collection system. Analysis reveals that authorities are collecting huge amounts of personal information and monitoring the personal relationships of people to track down “suspicious” individuals. Among other things, the Chinese government has labeled the use of VPNs, encrypted communication tools such as WhatsApp and being related to people having foreign relations as suspicious. The administration justifies the app as a measure to battle terrorism, but this is no less than mass surveillance [14].

Section 57 of the ICT (Information and Communication Technology) Act of Bangladesh authorizes the prosecution of any person who publishes, in electronic form, material that is fake and obscene; defamatory; “tends to deprave and corrupt” its audience; causes, or may cause, “deterioration in law and order;” prejudices the image of the state or a person; or “causes or may cause hurt to religious belief.” These broad and sweeping terms invite misuse of the law. When Bangladesh first enacted the ICT Act in November 2006, prosecutions under it were limited due to legal protections under the law. However, when the Act was amended in 2013, the number of complaints increased as the need for warrants and official permission to prosecute was nullified [15].

Due to flawed legislations and incompetent administration, innumerable innocent people are being punished and their rights violated. Governments abusing laws to silence dissidents and justifying these actions in the name of national security are concerning issues.

Conclusion

All of the issues and dilemmas discussed above have one possible solution: harmonization of privacy laws around the world. If this is done, the jurisdictional issues would be resolved as there would be uniformity in the laws all around. Also, governments would not be able to misuse the laws as they will have to comply with international standards. This would discourage administrations from passing laws which are drafted with the motive to gain power by breaching the rights of their citizens. The harmonization of laws is suitable to the cyberspace and the borderless nature of cybercrimes. 

Further research is needed as regards the methods by which this harmonization is to be brought about. Possible options could be: 1) all nations could accept and implement pre-existing international privacy regulations like the EU’s GDPR; 2) all nations could sign the Budapest Convention, which promotes the harmonization of laws, so that the UNO may devise a suitable plan to that end; or 3) nations could enact privacy laws which adhere to the aforementioned international conventions.

References

[1] Government Law College, Mumbai University

[1] D. Schatz, R. Bashroush and J. Wall, “Towards a More Representative Definition of Cyber Security”, The Journal of Digital Forensics, Security and Law, vol. 12, no. 2, p. 66, 2017. Available: https://commons.erau.edu/jdfsl/vol12/iss2/8.

[2] “Cyber Security | Data Security Council of India”, Dsci.in, 2020. [Online]. Available: https://www.dsci.in/content/cyber-security.

[3] “UNCTAD | Cybercrime Legislation Worldwide”, Unctad.org, 2020. [Online]. Available: https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Cybercrime-Laws.aspx. [Accessed: 25- Jul- 2020].

[4] “UNCTAD | Data Protection and Privacy Legislation Worldwide”, Unctad.org, 2020. [Online]. Available: https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx. [Accessed: 26- Jul- 2020].

[5] Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations. Geneve: ASEAN, 2013, p. 8.

[6] “Latin American Data Privacy In 2020: What Should Employers Consider When Requesting Background Checks?”, Forbes, 2020.

[7] K. Lubowicka, “6 New Privacy Laws Around The Globe You Should Pay Attention To”, 2019.

[8] “Art. 4 GDPR – Definitions | General Data Protection Regulation (GDPR)”, General Data Protection Regulation (GDPR), 2020. [Online]. Available: https://gdpr-info.eu/art-4-gdpr/. [Accessed: 08- Aug- 2020].

[9] K. Eichensehr, “The Cyber-Law of Nations”, Georgetown Law Journal, 2014. Available: https://heinonline.org/HOL/LandingPage?handle=hein.journals/glj103&div=13&id=&page=. [Accessed 24 July 2020].

[10] D. Johnson and D. Post, “Law and Borders: The Rise of Law in Cyberspace”, Stanford Law Review, vol. 48, no. 5, p. 1367, 1996. Available: 10.2307/1229390.

[11] J. Reidenberg, “Resolving Conflicting International Data Privacy Rules in Cyberspace”, Stanford Law Review, vol. 52, no. 5, p. 1315, 2000. Available: https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1040&context=faculty_scholarship. [Accessed 6 August 2020].

[12] B. Dupont, “Mapping the International Governance of Cybercrime”, Centre for International Governance Innovation, 2018.

[13] D. Brown, “It’s Time to Treat Cybersecurity as a Human Rights Issue”, 2020.

[14] “China’s Algorithms of Repression Reverse Engineering a Xinjiang Police Mass Surveillance App”, Human Rights Watch, 2020.

[15] “No Place for Criticism Bangladesh Crackdown on Social Media Commentary”, Human Rights Watch, 2018.