Tag Archives: Data privacy

Cyber Threats: An Overview

This Article is written by S Muthu Praba & S Sankar Ganesh, students of Dr. Ambedkar Law University, School of Excellence in Law, Tamilnadu

INTRODUCTION

In this modern era of digitalisation, the internet and social media have become an inevitable part of human life. The emerging risks on virtual platforms create a more vulnerable environment for everyone, irrespective of age. During the COVID-19 pandemic, people carried out most of their activities online through different media, which resulted in a rise in intrusions by anonymous actors and paved the way for new cyber threats. India has stringent legislation for the various offences occurring throughout the country. The Information Technology Act, 2000 and the rules issued by the government in response to prevailing conditions have curtailed the growth of cyber threats, and regulatory measures have been introduced to strengthen cyber security on virtual platforms. The researchers focus on the prevailing cyber threats and the legal remedies available in India, compared with the international perspective. Though there is no explicit cyber law statute, the IT Act and various other Acts together serve the purpose of reducing cybercrime, and judicial precedents guide the application of their provisions, thus rendering justice to people affected by virtual crimes.

CYBER THREATS IN INDIA

A cyber threat is defined as the possibility of a malicious attempt to damage or disrupt a computer network or system. Cyberattacks are carried out through different means and with multiple intentions against the targeted system or person. In 2020, the most commonly observed forms of cyber threat were:

  • Distributed denial of service (DDoS) attacks
  • Social engineering
  • Cloud computing vulnerabilities
  • Third-party software
  • Ransomware

During the pandemic, reported data breaches and other cyber security incidents increased rapidly compared with the first quarter of 2019. On average, around 3,137 cyber security incidents were reported every day in 2020. Due to the unplanned shift to digital services, people became more exposed to cyber threats. In 2020, nearly 1.16 million cyberattacks were reported, far more than in 2019; the Indian Computer Emergency Response Team (CERT-In) recorded 11,58,208 cyber security incidents in that year.

Researchers have warned that cyber threats are likely to increase further in 2021 as remote working continues. The government has issued several guidelines and other cyber security measures in order to curb cyberattacks.

CYBER LAWS IN INDIA

Though there is no exclusive cyber law statute in India, cyber security and related issues are governed by existing legislation. The Information Technology Act, 2000 is the principal law on e-commerce, e-banking and e-governance, and it defines the offences that occur on computer networks and virtual platforms.

The Indian Penal Code, 1860 is invoked along with the IT Act, as several of its offences also apply in cyberspace. Forgery in digital form and the admissibility of electronic evidence are governed by the Indian Evidence Act, 1872.

The cyber security obligations and other responsibilities of companies registered under the Companies Act, 2013 are defined under that legislation. The Serious Fraud Investigation Office (SFIO) is vested with the power to prosecute a company and its directors, and its role became more stringent and proactive after the Companies (Inspection, Investigation and Inquiry) Rules, 2014.

The Ministry of Electronics and Information Technology (MeitY) issues notifications on cyber security rules and regulations, which the relevant authorities must communicate to the public. Data protection and data governance rules are framed under this structure whenever required.

The Cybersecurity Framework published by the US National Institute of Standards and Technology (NIST) sets out voluntary guidelines and standards for cyber risk management. It is not Indian legislation, but it is widely used by organisations, including in India, as a reference for managing cyber-related risk.

JUDICIAL INTERPRETATIONS

In Shreya Singhal v Union of India, the honourable Supreme Court struck down Section 66A of the Information Technology Act, 2000 as unconstitutional. The court distinguished three concepts, viz. discussion, advocacy and incitement, and held that only incitement may be restricted; Section 66A reached discussion and advocacy as well and therefore violated Article 19(1)(a).

In Shamsher Singh Verma v State of Haryana, the accused challenged a High Court order. The Supreme Court held that a compact disc is also a "document", and that it is not necessary to obtain admission or denial of such a document under Section 294(1) of the CrPC personally from the accused, the complainant or the witness.

Avnish Bajaj v State (NCT of Delhi) concerned the distribution of obscene material through an online marketplace. The accused was arrested but contended that he was only the service provider and had not posted the material himself. The court granted bail subject to two sureties, leaving it to him to establish that he was merely an intermediary.

State of Tamil Nadu v Suhas Katti is a landmark case in which the accused, a family friend who had wished to marry the victim, created a false e-mail account in her name after she married someone else and posted slanderous, obscene and annoying messages about her. The court convicted him under Sections 469 and 509 of the IPC, 1860 and Section 67 of the IT Act, 2000.

CBI v Arif Azim (the Sony Sambandh case) was a peculiar cybercrime: a person used another person's credit card details without their knowledge to purchase a Sony television. The cardholder reported the fraudulent use to the bank, the bank approached the company, and it was found that a call centre employee, Arif Azim, had misused the card information. Taking into account his age and the fact that it was a first offence, the court took a lenient view.

In SMC Pneumatics (India) Pvt Ltd v Jogesh Kwatra, an employee of the company sent filthy e-mails to the employers and subsidiaries, defaming the company. It was found that the e-mails had been sent from an internet café, and the defendant was terminated from service. The court ultimately held that the electronic evidence did not qualify as certified evidence under Section 65B of the Indian Evidence Act, 1872.

In Manik Taneja v State of Karnataka, the accused posted critical comments about an inspector and other police personnel on the Facebook page of the police. The police registered a case against him. The Supreme Court held that a social media page is a platform for expressing grievances, that the post was made in good faith, and that the conduct did not amount to a punishable offence.

In Gagan Harsh Sharma v State of Maharashtra, the accused were charged with theft of data and software from their employer under Sections 408 and 420 of the IPC along with Sections 43, 65 and 66 of the IT Act, 2000. Relying on the Sharat Babu Digumarti case, they sought to have the IPC provisions dropped and to be charged only under the IT Act. The Bombay High Court upheld the plea and dropped the IPC provisions.

INTERNATIONAL PERSPECTIVE ON CYBER THREATS

Secrets are what is at stake in cyberspace. Every country is fighting cyber threats and cyber warfare to protect its secrets and its citizens.

In the UK, the National Cyber Security Centre (NCSC), staffed and headed by experienced cyber security professionals, was formed to tackle cyber threats and cyber warfare. Its "Active Cyber Defence" programme, and measures the authors describe as "hacking back the hackers", are the tools it uses against such threats.

In the US, a nation with the latest technologies and a leader in cyber security, the Cybersecurity Act of 2015 was enacted to handle cyber threats. In addition, the Cybersecurity National Action Plan was initiated by the government to work with commercial technology companies to handle cyber threats and protect citizens.

In Europe, the NIS Directive was adopted in 2016 to protect against cyber threats. It requires each member state to designate Computer Security Incident Response Teams (CSIRTs) and establishes a CSIRTs network for cooperation and greater control over incidents.

China has introduced a broad new cyber security law with more stringent measures to protect against, and control, cyber threats.

In India, the Digital India programme has been taken up across every arm of government. Keeping Digital India ahead of the latest cyber threats is a key concern for those working on the project, whether they are experts in policy, government services, or security technologies such as PKI.

CONCLUSION

The world is changing, and so are technical and technological developments. Everything that makes operations smoother also has a greater impact on us; cyberspace helps us reach further, but it carries every potential threat.

Every nation and every individual is exposed to cyber warfare and cyber threats, and they can be handled only through a bold and clear strategy. There is no limit to the desires of individuals, and hence the threat has no limits either.

The world in which we live is transforming, and so are the perils that we face daily. Governments around the globe must ensure they are adaptable and swift enough to recognise when attackers are moving ahead, and act accordingly.

The Personal Data Protection Bill, 2019: A Critical Analysis

This Article is written by Arpita Mohapatra & Sanika Kapse, students of Modern Law College, Pune

"Our own information is being weaponized against us with military efficiency. Every day, billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesised, traded and sold." – Tim Cook

Introduction:

Data Protection Bill vis-à-vis EU’s General Data Protection Regulation

Consider Chaayos, the popular teahouse chain, which uses facial recognition technology at a number of its stores in Delhi and Bengaluru to create profiles of its customers and "remember" them on subsequent visits, enabling repeat orders and efficient payment. In the terms of this Bill, Chaayos is the 'data fiduciary' and the customer is the 'data principal'.

Determining the objectives of any data protection legislation is always surrounded by conflicting interests of the privacy of data principal, state regulations and data commodification. The objectives of EU’s General Data Protection Regulation (hereinafter, the GDPR), are data principal centric, whereas, the Personal Data Protection Bill, 2019 (hereinafter, the Bill), which uses the GDPR as a template, focuses on data as a ‘national asset’. Therefore, to examine the scope of the Bill a comparative analysis with the GDPR is necessary. 

The right to be forgotten (RTBF), given in the Bill, has been made unnecessarily difficult to exercise. It cannot be exercised by requesting the data fiduciary directly or indirectly; the data principal must instead obtain an order from the Adjudicating Officer, who exercises discretion based on wide considerations. This is in contrast to the Supreme Court's decision in K.S. Puttaswamy, which recognised the right to control one's personal data, including its existence on the internet. Similarly, the Delhi High Court and the Orissa High Court have held that the RTBF is an inherent part of the right to privacy under Article 21 of the Constitution. Conversely, the GDPR incorporates a more extensive right to be forgotten and requires the data controller to erase personal data on request.

Similarly, in case of a personal data breach, the GDPR sets out a two-step process: first, the data controller must notify the supervisory authority (within 72 hours) unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; second, it must notify the data subjects themselves where the breach is likely to result in a high risk to their rights and freedoms. Under the Bill, by contrast, the data fiduciary informs only the Authority of the breach, and it is the Authority's discretion whether the breach should be reported to the data principal. This at the outset contradicts the "fiduciary" relationship which the Bill seeks to establish.

Further, the word 'consent' in the GDPR has been used liberally in favour of the data subject. The European data protection authorities have made it clear "that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent." By contrast, the Bill contains an entire chapter authorising the processing of personal data without consent, by the State and by companies. The executive is allowed to process personal data for the provision of "any" service or benefit to the data principal, for the issuance of any certification, licence or permit for "any" action or activity of the data principal, or for compliance with any law. This directly contravenes the consent provision in the Bill, which mandates informing the data principal of the "purpose" for which their data is to be processed. Evidently, sweeping powers rest with the government to control citizens' personal data without consent. The Bill also allows processing of personal data necessary for purposes related to employment without the consent of the data principal; with this power an employer can retrieve and process data on employees' computers and mobiles. Another proposed 'reasonable purpose' exemption relates to "mergers and acquisitions". During the transactional stage of any merger or acquisition, dozens of lawyers, financial advisors and other organisations are given access to the data held by the companies involved. If merger and acquisition proceedings are treated as a blanket exemption from the consent requirement, this could work against the privacy-by-design structure of the proposed law.

Defective definitions in the Bill 

The Bill draws a misleading distinction between 'personal data' and 'sensitive personal data', as ordinary personal data is also dangerously open to profiling. For example, online identifiers (such as device identifiers, application identifiers, IP addresses and cookie identifiers) leave traces which, when combined with other unique identifiers or with information received by servers, can be used to build profiles of data subjects.

The requisites of “consent” in the Bill are watered down by the chapter on exemptions in processing of personal data and the chapter on processing of personal data without consent, which gives autonomy to the companies and the government to an extent where it negates the whole purpose of the Bill to protect personal data. 

It is pertinent to note that the distinction between 'processing' and 'profiling' under the Bill is not watertight, and that the term 'processing' covers a broad range of activities which may inevitably lead to profiling. The Bill not only allows 'manual processing' of data by small entities, which leaves the data even more prone to profiling; it also attempts to exempt such data fiduciaries from accountability and places riders on the rights of data principals.

Under the Bill, the Central government can obtain anonymised personal data and non-personal data for the delivery of services and policy formulation. Such anonymised data can nonetheless be de-anonymised: for example, in 2008 researchers de-anonymised an anonymised Netflix dataset of film ratings by matching the ratings against public scores on the IMDb film website. Such de-anonymisation of personal data by the government can lead to its arbitrary use.
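The Netflix/IMDb result above, and the earlier point that scattered online identifiers combine into a profile, both rest on the same mechanism: a linkage attack that matches records in an "anonymised" release against a small amount of auxiliary information. The following is an added illustration, not code from the article or from the original research, and all of its data is constructed. It implements a simplified version of the published scoring: for each public profile it counts how many of its few known ratings agree (within a rating and date tolerance) with each pseudonymous record, and accepts a match only when the best candidate stands clearly apart from the runner-up (the "eccentricity" check), which is what prevents false links when the auxiliary data is too sparse.

```python
"""Linkage attack on an 'anonymised' ratings release (constructed example).

Pseudonymising the user column does not protect the rows: a handful of
publicly known ratings is usually enough to single out one pseudonym.
Scoring is a simplified form of the Narayanan-Shmatikov approach; all
records below are made up for the demonstration.
"""
from collections import defaultdict

# "Anonymised" release: (pseudonym, film, rating 1-5, day offset).
ANON_RELEASE = [
    (1001, "Film A", 5, 10), (1001, "Film B", 1, 12),
    (1001, "Film C", 4, 40), (1001, "Film D", 2, 41),
    (1002, "Film A", 5, 11), (1002, "Film E", 3, 30), (1002, "Film F", 4, 35),
    (1003, "Film B", 2, 15), (1003, "Film C", 5, 16), (1003, "Film G", 1, 20),
]

# Auxiliary data scraped from public profiles: (real name, film, rating, day).
# Deliberately noisy: ratings and dates differ slightly from the release.
PUBLIC_PROFILES = [
    ("alice", "Film A", 5, 10), ("alice", "Film C", 4, 42),
    ("bob", "Film E", 3, 31), ("bob", "Film F", 4, 36),
    ("carol", "Film A", 4, 200),   # one rating, wrong date: no usable signal
    ("dave", "Film A", 5, 10),     # one rating shared by two pseudonyms: a tie
]


def group(records):
    """Index records as {key: {film: (rating, day)}}."""
    by_key = defaultdict(dict)
    for key, film, rating, day in records:
        by_key[key][film] = (rating, day)
    return by_key


def similarity(aux, candidate, rating_tol=1, day_tol=3):
    """Number of auxiliary ratings that agree with a candidate record."""
    score = 0.0
    for film, (rating, day) in aux.items():
        if film in candidate:
            c_rating, c_day = candidate[film]
            if abs(rating - c_rating) <= rating_tol and abs(day - c_day) <= day_tol:
                score += 1.0
    return score


def link(aux, anon_by_pseudonym, min_eccentricity=1.0):
    """Best-matching pseudonym and its eccentricity, or None if ambiguous.

    Eccentricity is the gap between the best and second-best score; a
    small gap means the auxiliary data cannot distinguish the candidates.
    """
    scored = sorted(
        ((similarity(aux, rec), pid) for pid, rec in anon_by_pseudonym.items()),
        reverse=True,
    )
    best_score, best_pid = scored[0]
    second_score = scored[1][0] if len(scored) > 1 else 0.0
    eccentricity = best_score - second_score
    if best_score == 0 or eccentricity < min_eccentricity:
        return None
    return best_pid, eccentricity


def deanonymise(public_records, anon_records):
    """Map each real name to the pseudonym it links to (None if unresolved)."""
    anon = group(anon_records)
    result = {}
    for name, aux in group(public_records).items():
        match = link(aux, anon)
        result[name] = match[0] if match else None
    return result


if __name__ == "__main__":
    for name, pid in deanonymise(PUBLIC_PROFILES, ANON_RELEASE).items():
        print(f"{name}: {'unresolved' if pid is None else f'pseudonym {pid}'}")
```

Two ratings are enough to re-identify alice and bob. carol and dave are left unresolved, not because the release is safe but because the attacker's auxiliary data is too thin; one more public rating for either of them would close the gap. The practical lesson for the localisation and anonymisation provisions discussed here is that stripping identifiers is not anonymisation when the remaining attributes are sparse and individually distinctive.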

Arbitrary control of government in every sphere of data regulation regime

Every social media intermediary which is notified as a ‘significant data fiduciary’ is to enable the users to voluntarily verify their accounts in such manner as may be prescribed by the Central government. This power given to the State is evident of its arbitrary interference in a place where this role should unquestionably be exercised by the significant data fiduciaries. Additionally, the provisions like data protection impact assessment, maintenance of report, auditing of policies and conduct of processing etc., have limited applicability only to significant data fiduciaries. The data fiduciaries that do not come under the ambit of significant data fiduciaries can violate the objectives of the Bill if left unchecked.

The Bill empowers the Central government to exempt any government agency from its provisions in order to process personal data in the interest of the sovereignty and integrity of India, the security of the State, public order, or the prevention of incitement to the commission of any cognizable offence relating to these matters. The terms used in these sections are vague and autocratic and license violations of privacy by the government. Further, the establishment of the Data Protection Authority of India (DPAI), which will be at the helm of affairs for the implementation of the Bill, is marred by prejudice. The selection committee for constituting the DPAI will comprise the Cabinet Secretary as chairperson, the Secretary of the Department of Legal Affairs, and the Secretary of the Ministry of Electronics and Information Technology. The committee lacks the legal and subject experts provided for in the earlier draft Bill of 2018, so the Data Protection Authority will be executive-oriented rather than an independent regulator.

Impact of Data Localisation 

According to the Bill, all sensitive and critical personal data must be stored in servers located in India. Sensitive data may be processed outside the country but must be brought back to India for storage. Critical data cannot be taken out of the country at all. There are no restrictions for general data. Digital companies currently store and process their data wherever is economically most efficient. This locational divide, proposed by the Bill, would impose additional costs on digital companies, leading to subeconomic storage and processing capacities, and might result in “splinternet” or the fragmentation of global digital supply chains. The impact of data localisation on protection of personal data of users is contingent upon the robust infrastructural and technical capacity to protect such data within the borders. Unless these conditions are fulfilled, storage of personal data within or outside the country would make no difference for the data principal, who in either case will be exposed to risk of data breach.

Conclusion  

 The Bill provides a mere skeleton, the intricacies of which will take shape only after the constitution and working of the Data Protection Authority begins. This Bill uses the term ‘data fiduciary’ as against ‘data controller’ to emphasise on ‘duty of care’ on the part of the data fiduciary to lawfully process personal data. This ‘duty of care’ cannot be reasonably exercised by the data fiduciaries towards the data principals, if they are constantly under the radar of the government. The data principal is at the losing end, in either case of control over data by the government or data fiduciaries. Also, there is hue and cry over the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 (IT Rules) which brings social media platforms under the ambit of government supervision. These regulations mandate the social media platforms to give details of the origin of messages on demand by the government. Coupled with the new IT Rules, the Personal Data Protection Bill will further increase surveillance over significant data fiduciaries which are mostly social media intermediaries, making this framework a tool to build an Orwellian State.  

DATA PROTECTION BILL AND RIGHT TO PRIVACY 

This article is written by Riddhi Patni, a student of Maharashtra National Law University, Aurangabad

 ABSTRACT

The right to privacy is one of the most challenging issues to address. Privacy is among the most difficult concepts to define; it cannot be understood as a static, one-dimensional concept and can only be interpreted as a set of rights. Identity theft is frequently described as one of the fastest-growing crimes of our time, with some estimates putting it at one identity stolen every 79 seconds. The Supreme Court recently read the right to privacy into Article 21 of the Indian Constitution. Still, it remains contentious because of concerns about the government's initiatives to collect personal data from citizens, and the fate of the Data Protection Bill is bound up with that of the right itself. Article 21 includes the right to privacy as an element of the right to life and personal liberty; the term privacy in particular is a dynamic concept that needed clarification, and the scope of Article 21 under the Indian Constitution is multifaceted.

INTRODUCTION TO PRIVACY 

According to Black's Law Dictionary, "the right to privacy means the right to be left alone; the right of an individual to be free from unwarranted interference". In Justice K.S. Puttaswamy and ors. v. Union of India, which became a landmark judgement in India's history on the status of the right to privacy, a nine-judge bench of the Supreme Court, in an opinion delivered by Justice D.Y. Chandrachud, overruled the principles laid down in the Habeas Corpus case (ADM Jabalpur). The terms privacy and right to privacy are difficult to grasp; to better understand them, consider how privacy has been interpreted in various situations. According to Tom Gerety, "the right to privacy entails the inviolability of one's body as well as the integrity and intimacy of one's personal identity, including marital privacy".

Fundamental rights are basic rights that every human being inherits, and such rights should be guaranteed to every citizen of the country along with appropriate remedies. Certain private and secret aspects of a person's life cannot be revealed to the public. Following the 2017 judgement, the right to privacy has gained momentum and has been recognised as a fundamental right. Various countries, including the United States, the United Kingdom and India, have given firm recognition to the right to privacy, as have international instruments such as the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the European Convention on Human Rights.

VARIOUS ASPECTS OF THE RIGHT TO PRIVACY 

Phone Tapping and Right to Privacy 

Phone tapping, and the right to privacy in a person's correspondence, has become a contentious issue with new technological developments. In R.M. Malkani v. State of Maharashtra the Supreme Court stated that it would not tolerate the safeguards for the protection of citizens being imperilled by permitting the police to use unlawful or irregular methods. In PUCL v. Union of India the court held that telephone tapping infringes the right to privacy and the freedom of speech and expression under Articles 21 and 19(1)(a) of the Constitution unless it is carried out under a procedure established by law; likewise, the government cannot restrain the publication of material about its officials merely on the ground that it is defamatory.

Gender Priority on Privacy 

Another aspect of the right to privacy is gender, which implies not only the right to prevent an inaccurate portrayal of one's private life but also the right to prevent it being depicted at all. Even a woman of easy virtue has the right to privacy, and no one has the right to intrude on it. Every woman has the fundamental right to be treated with decency and dignity.

Health and Privacy

The health sector is a major source of privacy concern and one of the most important aspects of the right to privacy. Health information includes not only information about one's health or disability but also information about the health services one receives, and most people regard such information as highly sensitive. The right to life, however, is so important that it takes precedence over the right to privacy: a doctor is bound by oath and by medical ethics not to reveal confidential information about a patient, but that duty yields where non-disclosure would jeopardise or endanger the lives of others.

Privacy in context of Sexual Identities 

One aspect of the right to privacy enshrined in Article 21 was addressed in Naz Foundation v. Union of India, in which the Delhi High Court read down Section 377 of the Indian Penal Code, 1860 so as to decriminalise sexual relations between consenting adults in private, holding that the state could intrude into this sphere, protected by Article 21, only if it established a compelling interest. The Supreme Court of India subsequently ruled in Navtej Singh Johar v. Union of India that Section 377, insofar as it applied to consensual sexual conduct between adults in private, is unconstitutional.

RECENT ADVANCES IN THE RIGHT TO PRIVACY 

Once the right to privacy is recognised as a fundamental right under Article 21, it reaches into every sphere of activity. Protecting it against infringement, however, has become extremely difficult with the advancement of technology and social networking sites.

The degree to which privacy matters to individuals is subjective and varies from person to person. Section 43 of the Information Technology Act, 2000 protects privacy by making a person who gains unauthorised access to a computer resource liable to pay compensation, and Section 66 makes such access a criminal offence when it is done dishonestly or fraudulently.

The freedom of the press is included in Article 19(1)(a) of the Indian Constitution and can sometimes conflict with the right to privacy. The question then arises as to how a conflict between an individual's right to privacy and another person's freedom of the press is to be resolved. It is answered by reference to public interest and public morality, and to the other grounds mentioned in Article 19(2). Personal information about an individual may be published without his consent if it forms part of public records, including court records.

In several ways, the right to privacy may conflict with police investigations. Various tests, such as Narco-Analysis, Polygraph or Lie Detector tests, and Brain Mapping tests, infringe on a person’s right to privacy. The Supreme Court recognised the distinction between physical and mental privacy in the case of Selvi and others v. State of Karnataka , and this case also establishes the intersection of the right to privacy with Article 20(3) of the Constitution. 

THE PERSONAL DATA PROTECTION BILL (PDPB), 2019 

The Minister of Electronics and Information Technology introduced the Personal Data Protection Bill, 2019, in Lok Sabha. The purpose of this Bill is to provide for the protection of individuals’ privacy in relation to their Personal Data and to establish a Data Protection Authority of India for these purposes and matters relating to an individual’s personal data. The Bill proposes to repeal Section 43-A of the Information Technology Act of 2000 by removing the provisions relating to compensation payable by companies for failure to protect personal data. The Personal Data Protection Bill, among other things, specifies how personal data should be collected, processed, used, disclosed, stored, and transferred. 

The PDPB proposes to protect “Personal Data” relating to a natural person’s identity, traits, and attributes, as well as “Sensitive Personal Data” such as financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs. 

CONCLUSION 

Even as members of a society, we are individuals first, and every person requires his or her own private space. To secure that right, the state must protect those private moments, to be enjoyed with those one chooses, from the prying eyes of the rest of the world. This right grows more important as time passes. With our lives exposed to the media through social networking sites and hidden cameras, everyone needs protection, and the law should operate so that no one considers invading an individual's privacy. Privacy should be protected in all its aspects, subject to the reasonable restrictions permitted by the Indian Constitution and other statutory provisions in force. One must remember that what is private is meant to remain within the confines of the individual and need not be explained to the rest of the world.

Once the PDPB is enacted, organisations processing personal data will have to meet several compliance requirements in order to protect individuals' privacy in relation to their personal data. Individual consent will be required for the processing of personal data. Organisations will have to review and update their data protection policies and codes according to the type of personal data being processed so that they are consistent with the new principles: updating internal breach notification procedures, implementing appropriate technical and organisational measures to prevent data misuse, and, in the case of a Significant Data Fiduciary, appointing a Data Protection Officer.