DATA PROTECTION AND PRIVACY UNDER CYBER LAW

Written By: Priyanshi Verma [1]

In the present time, the Internet has demonstrated its predominance not just in the business world, where in a situation like Covid-19 over 4.5 million IT support engineers are providing support throughout India, but has also become the lifeline of one's social life: from booking a ticket for travel or for motion pictures to ordering food and online instruction, everything is only a fingertip away. The Internet has made human lives easier. Just as a coin has two sides, technology has two faces, positive and negative; it resembles a double-edged blade that can be used either way. The Internet is a boon in many ways, but at the same time it can be a curse as well. Cybercrime has become one of the challenges for the world today. Cybercrimes are violations carried out through a computer as a medium to achieve illicit ends, such as hacking and identity theft, through which the personal data of an individual can be misused. To combat these crimes and to protect the data and privacy of an individual, cyber laws are enacted. Cyber laws do not introduce new laws; rather, they encompass aspects of contract, privacy, and data protection laws. Cyber laws deal with the issues related to computer technology, mainly cyberspace (the Internet). The Internet is used throughout the world without any geographical limits; hence UNCITRAL (the United Nations Commission on International Trade Law), a legal body, was established by the UN General Assembly in 1966 for the advancement of international trade and a certain degree of uniformity of laws across all member countries. GDPR (Global Data Protection Policy) is a regulation used in the EU for the protection of the personal data and privacy of its residents.
The protection provided by the Indian legal system to combat cybercrimes is the Information Technology Act, 2000, which has undergone several changes, the latest being the Information (Amendment) Act, 2019, and the Indian Penal Code, 1860.

INTRODUCTION

Data protection, as the term implies, refers to safeguarding personal information from any misuse. With the expanding use of cyberspace (the Internet), providing personal information or data has become a fundamental prerequisite that the consumer must fulfil. Sharing personal information on an online platform can cause several complications for the consumer.

One of the most striking instances of abuse of personal data was:

THE CAMBRIDGE ANALYTICA CASE (2016) – Cambridge Analytica is a data analysis firm. With the assistance of an application, the firm acquired the personal information of more than 300,000 people.

Data privacy or information privacy is a branch of data protection. Personal data is the most crucial asset which holds all the information of an individual. Sharing of personal information depends upon an individual, hence it cannot be used without their consent as privacy is the right of an individual.

DATA PROTECTION AND PRIVACY LAWS

Cyberspace has become a hub for most activities that require the personal data of an individual. Certain cases of misuse of consumers' personal information have made consumers afraid to give their personal data because of a lack of trust. As a result, more than 40% of consumers purposefully give incorrect data while signing up for any online service, as a countermeasure.

With personal data and privacy in view, the European Union (EU) in 2018 implemented a new regulation named GDPR, or the General Data Protection Regulation, which supplants the previous law, i.e. the European Data Protection Directive. Its general provisions require organizations to protect the personal data and privacy of EU citizens. The regulation applies throughout the 28 EU member states, which implies a single standard for organizations to meet inside the EU for doing business. GDPR categorizes personal data as anything that can be used by others for identification, such as the name, address, phone number, biometric data, or other sensitive information of an individual. Other nations like Brazil, Australia, Japan, the USA, and Thailand have also adopted comparable data protection for their people.

In India, as of now, there are no laws for the protection of privacy and for punishment for encroaching on the personal information or privacy of an individual. Only the Information Technology Act, 2000 (amended in 2008) contains a few provisions that deal with wrongful use of an individual’s personal data and privacy.

Under Section 43A of the Information Technology Act, 2000, where a body corporate that is in possession of any sensitive personal data or information is negligent in implementing and maintaining reasonable security procedures, and this results in wrongful loss or gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person affected.

Under Section 72A of the Information Technology Act, 2000, any person who, without the consent of the person concerned, knowingly discloses any personal information shall be punished with imprisonment for a term which may extend to three years or a fine of 5,00,000 or both.

Section 69 of the Information Technology Act, 2000 is an exceptional provision that gives power to the government to issue a direction to remove unpleasant content from social media or cyberspace. Any content which, according to the government, seems to disrupt the sovereignty, integrity, security, or defense of the country can be removed under the direction of the government.

DATA SECURITY COUNCIL OF INDIA (DSCI) is a body set up by NASSCOM in 2008 for the protection of data. It works to make cyberspace safe and secure. DSCI works with government, various industries and think tanks on policy matters. To improve knowledge and understanding of data protection and privacy, the body publishes research papers and surveys and also offers various programs and initiatives.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 – The Rules of 2011 give the list of items that are to be treated as “sensitive personal data”, which includes information such as:

  • Password 
  • Bank related information
  • Biometric Information

It likewise comprises rules such as taking prior consent from the individual before disclosing his data to a third party.

In 2017, through the judgement in JUSTICE K.S PUTTASWAMY VS UNION OF INDIA [2], the Supreme Court of India held that the “Right to Privacy” is one of the fundamental rights of an individual and that it exists alongside the “Right to Life” provided under Article 21 of the Indian Constitution. Through this judgement, the eight-judge bench decision in MP SHARMA VS SATISH CHANDRA [3], which held that the right to privacy of an individual is not protected under the Constitution, stands overruled; it also overruled KHARAK SINGH VS STATE OF UTTAR PRADESH [4] to the extent that it held that the right to privacy is not protected under the Constitution. Through the judgement in K.S Puttaswamy, the demand for comprehensive data protection was placed before the government, which led to the constitution of a committee headed by Justice B.N Shrikrishna for drafting a data protection law for India. Hence, the long-awaited Personal Data Protection Bill, 2018 was released in July 2018. The Personal Data Bill, 2018 was further advanced by the Personal Data Bill, 2019, which was introduced in Parliament in December 2019. The bill has largely been shaped by the already existing frameworks of data protection laws such as the GDPR and the Asia-Pacific Economic Co-operation (APEC), and also by the landmark judgement in K.S PUTTASWAMY VS. UNION OF INDIA. The bill seeks to provide protection to individuals and to establish a Data Protection Authority.

INTERNAL INVESTIGATION AND PRIVACY CONCERNS

An investigation is the RCA (root cause analysis) of any problem or incident to get the 5W’s and 1H: the who, when, why, what, where, and how of the incident. It generally refers to the collection of data in order to reach a certain conclusion or to gain knowledge about a specific topic. Investigation is one of the key elements in any criminal case. Criminal investigation refers to gathering pieces of evidence to demonstrate that a crime occurred and how or by whom it was committed.

Internal investigation in global organizations all over the world has become a hot topic. An internal investigation is the formal inquiry conducted by an organization to check whether laws, internal policies and regulations are being followed properly. If any of the policies are being violated, the organization takes the recommended corrective measures. During an internal investigation, both the sensitive personal data and the personal data of the employees are used. Sensitive personal data is defined under Article 9 of the GDPR and Section 43A of the Information Technology Act, 2000.

According to Article 9 of the GDPR, 

“Processing of personal data revealing racial or ethnic origin, political opinions, religious beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

According to Section 43A of Information Technology Act, 2000,

“Sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”

The use of sensitive personal data and personal data of an individual is against the data protection and privacy laws. Accordingly, countries across the globe have adopted different standards and guidelines that organizations ought to follow for the protection of the data and privacy of an individual.

In the United Kingdom, employees are protected by the General Data Protection Regulation and the Data Protection Act, 2018, which mainly focus on transparency and on establishing a legal basis for the use of the sensitive personal data and the personal data of residents, across the European Union countries as well as extraterritorially.

In the United States, there exists no law like the GDPR, which is applicable throughout the European Union, so by extension there are no strict data protection laws applicable in the U.S. Several states have adopted guidelines for organizations for the protection of the personal and sensitive personal data and the privacy of their residents. BIPA (Biometric Information Privacy Act) is one such act implemented by certain states in the US, while some have set up rules equivalent to those of the United Kingdom, which contain taking of the employee and no tracking of the personal data of the employees during an internal investigation.

In India, the Information Technology Rules, 2011 under the Information Technology Act, 2000 (amended in 2008) were framed for the usage and transfer of personal data of an individual. The IT Act, 2000 consists of provisions that protect the sensitive personal data and the personal data of employees during an internal investigation in the company. During an internal investigation at multinational organizations, an investigating team is set up which also includes a third party, directly infringing the right of privacy of the employee. To protect the privacy right of the employees, the organizations go through certain prerequisites.

Prerequisites that must be followed by the organization while dealing with the personal information of its workers:

  • The organization ought to have a privacy policy, and the employees must be informed about it. It should contain the necessary information regarding the security of the personal data of the employees.
  • The disclosure of the personal information of the employees by the organization can occur only under two conditions:
      • Prior agreement between the parties
      • If determined under any law.

Legal obligations which should be considered while using the sensitive personal data of the employees during an internal investigation:

  1. Consent – the organization should take the necessary consent from the person before using their sensitive personal data and before disclosing it to a third party.
  2. Specified under the law – if the use of any particular information of the individual has been permitted under the law of the land, then that data can be used without any further consent of the individual, and there is no encroachment on his privacy.
  3. Informing the employees about the use of data – if the organization has informed the individual of the reason for which his information is being disclosed, and he has thereafter given his consent, that information can be used.

Sections 43A and 72A of the Information Technology Act, 2000 (amended in 2008) deal with the data protection and privacy of the employees. Through these sections any person because of whose negligence the data of an employee is used wrongly and if any person or authority without the consent of the employee uses his personal data. According to these sections, the person or authority should keep the sensitive personal data of employees in safe hands and should also take the necessary consent.

ANKUR CHAWLA VS CBI [5] – in this case, the Hon’ble High Court of Calcutta held that the downloaded and printed form of the email account of a person can be proved under Section 65B r/w Section 88A of the Indian Evidence Act, 1872. The testimony of witnesses to carry out such procedures to download and print the same is sufficient to prove the electronic communication.

ABDUL RAHAMAN KUNJI VS THE STATE OF WEST BENGAL – while dealing with the admissibility of an intercepted telephonic call on a CD which was without a certificate u/s 65B of the Indian Evidence Act, the court held that secondary electronic evidence without a certificate u/s 65B is inadmissible and cannot be looked into by the court.

DEFECTS IN INVESTIGATION

There exist various flaws in the methods by which cybercrimes are investigated and in the laws which are enacted:

  • According to the data shared by DSCI, the administrative authorities are commonly not aware of the powers conferred upon them under the Information Technology Act, 2008.
  • There is a lack of standard procedures for examining digital evidence: a lack of information and technology, and no proper procedure for searching and seizing digital or electronic evidence.
  • Though extraterritorial jurisdiction exists for cybercrimes, procedures such as obtaining a court order in multiple jurisdictions, and the legal norms, make it difficult to find evidence.
  • The different legal standards and laws enacted by the legislature for accepting digital evidence create certain obligations that evidence must meet to be presented before the court of law.

CONCLUSION

After the recognition of privacy as a fundamental right of an individual, data protection and privacy laws have gained a lot of focus and are progressively growing. But there remain certain pitfalls. A committee led by Justice B.N Shrikrishna was constituted, mainly focusing on consent rather than on how the consent-based data was being wrongfully acquired and used. The DPA, 2019 bill also talks about taking consent rather than identifying the specific harmful practices. In the Mumbai attack case, 2008, the perpetrators used satellite phones to communicate with each other, because of which the investigators came across the use of satellite phones for communication; in the Parliament attack case, 2011, the method of steganography was used to convey messages from one criminal to the next. With the expanding use of technology, cybercrimes are also on the rise, and the laws of India are making it difficult to protect cyberspace and make it safe.

The Zoom app, which became one of the most downloaded apps in India, has been issued a warning by the Ministry of Human Affairs. It was declared an unsafe platform. Cyber attacks and leakage of sensitive personal information were the result of significant weaknesses in the application. Consequently, the application was violating the data protection and privacy laws (Information Technology Act, 2000) of an individual. The concerns were raised in the Supreme Court of India, which has lakhs of cases pending, making it difficult to get a speedy solution to this problem. It likewise shows the absence of testing organizations in India. This shows there are still a few changes to be made and a few arrangements to be made under cyber law in India.

REFERENCES:

  • [1] NALSAR University of Law.
  • [2] (2017) 10 SCC 1
  • [3] AIR 1954 SC 300
  • [4] AIR 1963 SC 1295
  • [5] AIR 2014 LRC 96
  • https://insights.comforte.com/6-countries-with-gdpr-like-data-privacy-laws#:~:text=The%20PDPA%20is%20similar%20to,harsh%20penalties%20for%20non%2Dcompliance.
  • https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
  • pleaders.in/data-protection-and-privacy-policies-in-cyber-law/
  • http://www.lawoctopus.com/academike/pucl-v-uoi/
  • https://globalinvestigationsreview.com/benchmarking/the-asia-pacific-investigations-review-2016/1025261/india-a-guide-to-conducting-internal-investigations-in-india
  • https://globalinvestigationsreview.com/benchmarking/the-practitioner%E2%80%99s-guide-to-global-investigations-fourth-edition/1212406/data-protection-in-investigations
  • https://shodhganga.inflibnet.ac.in/bitstream/10603/203654/9/09_chapter%204.pdf
  • https://m.economictimes.com/news/politics-and-nation/courts-can-rely-on-electronic-records-without-certificate-supreme-court/articleshow/62777759.cms
  • https://www.livemint.com/Home-Page/6Tzx7n4mD1vpyQCOfATbxO/Why-most-cyber-crimes-in-India-dont-end-in-conviction.html
  • file:///C:/Users/Dell.DESKTOP-8741DHD/Downloads/Cyber-laws-in-India%20(1).pdf
  • https://carnegieindia.org/2020/03/09/will-india-s-proposed-data-protection-law-protect-privacy-and-promote-growth-pub-81217
  • https://www.latestlaws.com/latest-news/zoom-violates-right-to-privacy-lawyers-write-letter-petition-to-cji-asks-for-ban-on-app/
  • Section 43A, 72A, 69, 65A, 65B, 88 of The Information Technology Act, 2000
  • Article 9 of The General Data Protection Regulation