An Overview of Privacy, Data Protection and Cyber Security in India

Dr. Sreenivasulu NS ((Professor of Law, National University of Juridical Sciences, Kolkata, and formerly Founder and Chairman, Department of Studies and Research in Law, Karnataka State Open University, Mysore; Faculty of Law at National Law School, Bangalore and University of Mysore, Karnataka)) and Jagadish AT ((Faculty of Law, JSS Law College, Autonomous, Mysore and Research Scholar, Department of Studies and Research in Law, Karnataka State Open University, Mysore, Karnataka)).

“You can have security and not have privacy, but you cannot have privacy without security.” —Tim Mather

The right to privacy is one of man’s most precious possessions ((Karnika Seth, Computers, Internet and New Technology Laws, Lexis Nexis Butterworths Wadhwa, Nagpur, 2012, Page no:273)). The word privacy is derived from the Latin word privatus, meaning ‘separated from the rest’. It can be defined as the capability of an individual or group to seclude themselves, or information about themselves, and thereby to reveal themselves selectively. Privacy can be understood as the right of an individual to decide who can access information about them, when they can access it and what information they can access ((Available at http://www.ijest.info/docs/IJEST10-02-05-136.pdf accessed on 26-03-2013)). Privacy is a human need; more precisely, it is an individual’s interest with several dimensions, one of which is the privacy of personal data, known as ‘data privacy’ ((Dr. Jyoti Rattan, Cyber Laws & Information Technology, Bharat Law House Pvt. Ltd, New Delhi, 2012, Page no: 383.)). According to Warren and Brandeis in their essay ‘The Right to Privacy’, the object of privacy is to protect the ‘inviolate personality’ ((Warren and Brandeis, The Right to Privacy, Harvard Law Review, volume 4 No.5, 15th December, 1890, Page no: 193-220)). Privacy and data protection go hand in hand in cyberspace: where the latter is protected, the former will not be invaded. Data protection involves the protection of sensitive personal data or information ((Rule 3 of The Information Technology (Reasonable Security Practices and Procedures and sensitive Personal Data or Information) Rules, 2011)), confidential information, proprietary information and trade secrets, including software code. Data protection refers to the set of privacy laws, policies and procedures that aim to minimise the intrusion into one’s privacy caused by the collection, storage and dissemination of personal data.
Personal data generally refers to information or data relating to a person who can be identified from that information or data, whether it is collected by a Government, a private organisation or an agency. Cyber security is a complex branch to manage, and awareness of it, in India and worldwide, is not up to the mark.

Privacy of Online Data

The right to privacy is analysed with respect to the rights inter se private parties and the constitutional right against the State. The Internet has become a major channel for collecting and disseminating personal information, through registration pages, survey forms, order forms and online contests, and through software that operates in ways not obvious to the online consumer. Website owners may follow consumers through cookies and tracking software, record their online activities and gather information about their personal interests and preferences. The Indian Constitution does not define privacy; the Supreme Court has read it into the ‘personal liberty’ guaranteed by Article 21 (“Protection of Life and Personal Liberty”: no person shall be deprived of his life or personal liberty except according to procedure established by law), so that privacy is treated as part of the fundamental rights in Part III of the Constitution. Privacy is recognised at the international level as a human right with several dimensions: privacy of the person, privacy of personal behaviour, privacy of personal communication and privacy of personal data ((Supra note 3)). The following are some of the cases on privacy.
In the DoubleClick case ((In re Doubleclick Inc. Privacy Litigation, No. 00-0641, 2002 U.S. Dist. Lexis 27099 (S.D.N.Y 23rd May, 2002).)), class action suits were filed against DoubleClick, Inc. and decided by the United States District Court for the Southern District of New York. The allegation was that the defendant had used ‘cookies’ without authorisation and combined them with the Abacus Direct database to analyse the sensitive information of net surfers together with their browsing preferences. The court held that DoubleClick was not liable under any of the three federal laws relied on, the Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act: its conduct fell within the consent exceptions of the Stored Communications Act and the Wiretap Statute, and the Computer Fraud and Abuse Act did not apply because the consumers failed to prove that they had incurred the statutory loss threshold of US $5,000. A separate action in the Superior Court of California took the opposite view, holding that DoubleClick had invaded the users’ right to privacy in direct violation of the Constitution of California ((Nemiroff, Elisa A., and Freeman Jr. D Reed, “Privacy Law in Q1 2002” at http://library.findlaw.com/2002/Jan/1/241484 accessed on 07-04-2013)).
In the RealNetworks case ((Cotrone v/s Real Networks, No. C00-330 (WD Washington, filed 1st March, 2000)), the defendant RealNetworks collected the personal sensitive information of the plaintiffs without authorisation and sold it to third parties, again without authorisation, in violation of the Electronic Communications Privacy Act ((The Electronic Communications Privacy Act (ECPA) of 1986 is a federal statute that specifies standards for government monitoring of cell phone conversations and Internet communications. When first written, ECPA was a forward-looking statute that provided important privacy protections to subscribers of then-emerging wireless and Internet services. However, while technology has advanced dramatically in the 25 years since ECPA was enacted, the statute’s privacy standards have not been updated, leaving important information without full protection. Meanwhile, the courts have been slow in extending the warrant requirement of the Constitution’s Fourth Amendment to new technologies)) [ECPA] and other applicable federal and State legislation.

Data protection

Data protection refers to the set of privacy laws, policies and procedures that aim to minimise the intrusion into one’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to information or data relating to a person who can be identified from that information or data, whether it is collected by a Government, a private organisation or an agency ((Available at http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws_in_india.pdf accessed on 07-04-2013)). The Constitution of India does not expressly grant a fundamental right to privacy. However, the courts have read the right to privacy into other existing fundamental rights, i.e., freedom of speech and expression under Article 19(1)(a) and the right to life and personal liberty under Article 21 of the Constitution of India. These fundamental rights are subject to the reasonable restrictions under Article 19(2) of the Constitution that may be imposed by the State.
Today business is customer-centric, and the success of any business depends on knowing users’ personal preferences. In our eagerness to adopt new technology, we pass on our personal, and sometimes sensitive, information very easily, without giving much thought to privacy. From creating an e-mail account to opening an online banking account, we hand over our personal information everywhere in day-to-day life. Ideally the information provided should be used only for the limited purpose for which it was collected, but in reality it is further processed, transmitted and exploited for unauthorised purposes without the permission of the data owner.
In a day we receive many unsolicited calls offering various products and services, and we never come to know where the telecaller obtained the details used to call us. These calls are the result of information provided by us, unknowingly, at some point in time, for example when we buy a SIM card, open an account or shop online. Invasion of privacy causes disturbance and mental harassment; at times it may also lead to financial loss, damage and even loss of reputation or life.
This has made privacy a primary concern all over the world. Different countries have adopted various laws and frameworks to protect privacy, not only at the legal level but also on the technical side.
India presently has no separate legislation governing data protection or privacy. The relevant laws dealing with data protection are the Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on data protection is likely to be introduced in India in the near future. The Information Technology Act, 2000 deals with the payment of compensation (civil) and punishment (criminal) for wrongful disclosure and misuse of personal data and for violation of contractual terms in respect of personal data. Under Section 43A of the Information Technology Act, 2000, a body corporate that possesses, deals with or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected ((Section 43A Compensation for failure to protect data, The Information Technology Act, 2000)). It is important to note that no upper limit is specified for the compensation that can be claimed by the affected party in such circumstances. Under Section 72A of the Information Technology Act, 2000, disclosure of information knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract, is punishable with imprisonment for a term extending to three years, or a fine extending to five lakh rupees, or both ((Section 72A Penalty for disclosure of information in breach of lawful contract, The Information Technology Act, 2000)).
As of now, data protection is generally governed by the contractual relationship between the parties, who are free to enter into contracts defining the terms personal data and sensitive personal data, the data which may not be transferred out of or into India, and the mode of handling such data.
It is to be noted that Section 69 of the Act, which is an exception to the general rule of maintaining the privacy and secrecy of information, provides that where the Government is satisfied that it is necessary in the interest of the sovereignty or integrity of India, the defence of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for the investigation of any offence, it may by order direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource. This section thus empowers the Government to intercept, monitor or decrypt any information, including information of a personal nature, in any computer resource ((Section 69: Power to issue directions for interception or monitoring decryption of any information through any computer resource, The Information Technology Act, 2000)).
Several organisations, such as the OECD, have worked on a globally adopted privacy framework. Based on the OECD guidelines, the UK adopted the Data Protection Act, 1998 (DPA), which sets out eight principles and addresses questions such as what constitutes personal information and sensitive information, who is the data controller and the data subject, who is the data processor, and who is responsible for protecting privacy.
The data of individuals and companies require both constitutional and statutory protection. The constitutional analysis of data protection in India has not yet attracted the attention of Indian individuals and companies or of the Indian Government. The statutory aspects of data protection in India are scattered across various enactments. The Information Technology Act, 2000 (IT Act 2000), which is the cyber law of India, also incorporates a few provisions regarding data protection. However, India still has no dedicated statutory or constitutional data privacy or data protection law.
Privacy rights in India are still not expressly recognised, although the Supreme Court of India has interpreted Article 21 of the Constitution as the source of privacy rights. As with data protection, the provisions pertaining to privacy in India are scattered across various statutory enactments, and they need to be strengthened with the privacy requirements of the information age in mind. A related aspect is data security. In the absence of proper data protection, privacy rights and cyber security legislation, data security in India is also not adequate; nor does India have a dedicated cyber security law ((Available at http://perry4law.org/cecsrdi/?topic=data-protection-laws-in-india accessed on 26-03-2013)).
The Government has taken some initiatives with due regard to privacy. Although India has no codified law on privacy, the major privacy issues are handled through the Indian Penal Code, 1860, the Information Technology (Amendment) Act, 2008, the Copyright Act, 1957, the Specific Relief Act, 1963, the Telegraph Act, 1885, the Contract Act, 1872, Article 21 of the Indian Constitution and other enactments, depending on the nature of the case. Recently the Government of India passed the Information Technology (Amendment) Act, 2008, which gives a basic statutory definition of privacy. To implement privacy and data protection in the Indian work culture, the Data Security Council of India ((Available at http://www.dsci.in/ accessed on 19-04-2013)) [DSCI] was established as an initiative of the National Association of Software and Service Companies ((Available at http://www.nasscom.org/ accessed on 19-04-2013)) [NASSCOM]. Its mission is to establish the trustworthiness of Indian companies as global sourcing service providers, and its main aim is to create privacy and security awareness among organisations, which DSCI pursues through awareness and training programmes. Privacy is a deeply personal concern, so any case left pending in court means continued mental harassment for the user; India needs a fast-track court system to deliver quick judgments in such cases.
The following are the grey areas in the present Indian legal framework for privacy ((Available at http://www.ijest.info/docs/IJEST10-02-05-136.pdf accessed on 21-04-2013)):

  • No comprehensive law; privacy is still dealt with through proxy provisions, with no convergence on the privacy issue.
  • No classification of information as public, private or sensitive.
  • No legal framework addressing ownership of private and sensitive information and data.
  • No defined procedure for creating, processing, transmitting and storing information.
  • No guidelines defining data quality, proportionality and data transparency.
  • No framework dealing with the cross-border flow of information.

International legislations relating to Privacy and Data Protection

The “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” have provided general guidance on the handling of personal information in the public and private sectors since 1980. The Guidelines:

  • Represent an international consensus on how best to balance effective privacy protection with the free flow of personal data.
  • Are technology-neutral, flexible, allow for various means of compliance, and apply in all environments, including on global networks.
  • Have been put to use in a large number of national regulatory and self-regulatory instruments and are still widely used in both the public and private sectors ((Available at http://www.oecd.org/sti/ieconomy/37626097.pdf accessed on 08-04-2013)).

The eight principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. The OECD Guidelines address member countries, business and industry, and individual users. “Privacy Online: OECD Guidance on Policy and Practice” was prepared under the auspices of the OECD Committee for Information, Computer and Communications Policy (ICCP) by its Working Party on Information Security and Privacy (WPISP). Focused on the implementation of the OECD Privacy Guidelines online, the policy and practical guidance offered in this publication is based on the work achieved within the OECD to fulfil the 1998 Ministerial Declaration on the Protection of Privacy on Global Networks. It reflects the OECD ministerial high-level objective of building bridges between different national approaches, to ensure the effective protection of privacy and personal data as well as the continued trans-border flow of personal data on global networks. Intended to reinforce the impact and visibility of the action of the OECD, and the importance of the OECD Privacy Guidelines in the development and implementation of a mix of solutions for ensuring global privacy and the free flow of information, the volume is structured as follows ((Available at http://www.oecd.org/sti/privacyonlineoecdguidanceonpolicyandpractice.htm accessed on 08-04-2013)):

Part I provides an overview of the work achieved by the WPISP between 1998 and 2002.
Part II offers policy and practical guidance based on this work.
Part III includes all documents and other instruments (e.g. Internet based tools) presented in Part I. These include the:

  • Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • Ministerial Declaration on the Protection of Privacy of Global Networks
  • Inventory of Instruments and Mechanisms Contributing to the Implementation and Enforcement of the OECD Privacy Guidelines on Global Networks
  • OECD Privacy Policy Statement Generator
  • Building Trust in the Online Environment: Business-to-Consumer Dispute Resolution, Report of the December 2000 OECD Conference
  • Legal Provisions Related to Business-to-Consumer Alternative Dispute Resolution in Relation to Privacy and Consumer Protection
  • Resolving E-commerce Disputes Online: Asking the Right Questions About Alternative Dispute Resolution
  • Report on Compliance with, and Enforcement of, Privacy Protection Online
  • Inventory of Privacy-enhancing Technologies (PETs)
  • Privacy-Enhancing Technologies: Report on the OECD Forum Session
  • Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection on Global Networks

The United Nations
In 1989, the United Nations General Assembly (UNGA) adopted a set of draft guidelines for the regulation of computerised personal data files. The first section of these guidelines covers principles concerning the minimum guarantees that should be provided in national legislation. These principles echo those put forward by both the Council of Europe Convention and the OECD Guidelines, but the UNGA guidelines added three ((Edited by: S.K.Verma & Raman Mittal, Legal Dimensions of Cyberspace, Indian Law Institute, New Delhi, 2004, Chapter 8, Cyber Privacy, Raman Mittal & Neelotpal Deka,)):
Principle of non-discrimination: sensitive data, such as racial or ethnic origin, should not be compiled at all.
Power to make exceptions: justified only for reasons of national security, public order, public health or morality.
Supervision and sanctions: the data authority shall offer guarantees of impartiality and independence vis-à-vis the persons or agencies responsible for processing.

Privacy Laws in US

The United States Constitution does not expressly list a right to privacy. However, several of the rights specifically guaranteed in the “Bill of Rights” clearly show that a privacy right exists. The Fourth Amendment’s guarantee that citizens will be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures” implies that privacy is a matter of right. The Fifth Amendment’s guarantee that a citizen shall not “be compelled in any criminal case to be a witness against himself” suggests that the right to keep information private is recognised in the US. There is no general U.S. law restricting the use of someone’s personal information, but there are sector-specific privacy laws; for example, health care providers cannot disclose protected health information without the patient’s consent. The Privacy Act of 1974, and the laws banning tampering with U.S. Mail and stalking, are sufficient evidence that privacy is a citizen’s right and that its violation produces unfavourable consequences for the individual and for society as a whole. The U.S. Small Business Administration provides guidance on U.S. privacy laws ((Available at http://www.sba.gov/community/discussion-boards/rules-conduct-and-disclaimer accessed on 15-04-2013)). Companies, particularly those carrying on e-business, are expected to post privacy policies describing how consumers’ personal information is collected, used, shared and secured. Creating a privacy policy is not in general required by law, but it is important if a business wants people to buy its e-commerce products.
Section 5(a) of the Federal Trade Commission (FTC) Act is used to discourage improper use of personal data. The Act does not

Cyber security

Cyber security, also called computer security or IT security, is security applied to computers and networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction. Computer security also includes protection from unplanned events and natural disasters ((Available at http://en.wikipedia.org/wiki/Computer_security accessed on 28-05-2013)).
The Indian Computer Emergency Response Team ((Section 70-B of The Information Technology Act, 2000)) [CERT-In] is the national nodal agency for responding to computer security incidents as and when they occur. Through the Information Technology (Amendment) Act, 2008, CERT-In has been designated to serve as the national agency for performing the following functions in the area of cyber security:

(a) Collection, analysis and dissemination of information on cyber incidents
(b) Forecast and alerts of cyber security incidents
(c) Emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) Issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
(f) Such other functions relating to cyber security as may be prescribed.

Security practices

The data processor must maintain reasonable security practices and procedures in relation to sensitive personal data or information. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 do not prescribe any specific practices and procedures. However, the IT RSPPSPI Rules recognise the international standard ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” (ISO/IEC 27001). The IT RSPPSPI Rules must be read in conjunction with Section 43A of the IT Act ((Available at http://ipandit.practicallaw.com/1-505-9607 accessed on 24-04-2013)).
A body corporate, or any person who on behalf of the body corporate collects, receives, possesses, stores, deals with or handles information, must have a privacy policy (Rule 4, IT RSPPSPI Rules). The privacy policy must be published on the website of the body corporate or of the person acting on its behalf, and must include the following:

  • Clear and easily accessible statements of the body corporate’s practices and policies.
  • The type of personal or sensitive personal data collected under Rule 3 of the IT RSPPSPI Rules.
  • The purpose of collection and use of the information.
  • Details regarding the restriction on publishing sensitive personal data or information under Rule 6(3) of the IT RSPPSPI Rules.
  • Reasonable security practices and procedures as provided under Rule 8 of the IT RSPPSPI Rules.

Consent

Consent to disclosure is usually required. However, information collected can be shared, without obtaining prior consent from the data subject, with government agencies mandated under the law to either (Rule 6, IT RSPPSPI Rules):

  • Obtain information including sensitive personal data or information to verify identity.
  • Prevent, detect and investigate in relation to cyber incidents, prosecution and punishment of offences, among other things.

Rights of individuals

The IT RSPPSPI Rules require only limited information to be given to data subjects at the point of collection: where information is collected directly from the person concerned, Rule 5(3) requires the body corporate to take reasonable steps to ensure that the person knows that the information is being collected, the purpose of collection, its intended recipients, and the name and address of the agency collecting and retaining it. Rule 5(6) also allows the data subject to review the information and to have inaccurate or deficient information corrected. Beyond these, no other specific rights are granted to data subjects, and there are no relevant provisions in the IT Act itself.
The IT RSPPSPI Rules do not give data subjects a right to request deletion of their data. However, the data subject can withdraw consent previously given to a body corporate (Rule 5(7), IT RSPPSPI Rules). In addition, the body corporate or any person on its behalf must not retain the information for longer than is required either (Rule 5(4), IT RSPPSPI Rules):

  • For the purpose for which the information may lawfully be used.
  • Under any other law for the time being in force.

Security requirements

Rule 8 of the IT RSPPSPI Rules requires a body corporate (or any person acting on its behalf) to comply with reasonable security practices and procedures. Reasonable security practices and procedures means those designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment. They may be specified in an agreement between the parties or in any law in force or, where there is no agreement or law, by the Central Government in consultation with professional bodies or associations (Explanation to Section 43A, IT Act). Rule 8 also requires the body corporate to have its security practices and procedures certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever it makes a significant upgrade to its processes and computer resources.
The IT RSPPSPI Rules recognise ISO/IEC 27001. Annex A of ISO/IEC 27001 lists the control objectives and controls from which an organisation is expected to select (implementation guidance for them is given in the companion standard ISO/IEC 27002), covering areas including:

  • Information security policy.
  • Asset management.
  • Human resources security.
  • Physical and environmental security.
  • Communications and operations management.
  • Access control.
  • Information systems acquisition, development and maintenance.
  • Information security incident management.

The IT RSPPSPI Rules do not require personal data security breaches to be notified to data subjects or to a national regulator.

Conclusion:

Privacy and data protection are two requirements for the effective functioning of cyberspace, and the rights to them are among the most important rights conferred by any civilised nation. Every individual and organisation has a right to protect and preserve his, her or its personal, sensitive and commercial data and information. India has no dedicated data privacy, data protection or privacy legislation. The legal challenge in the Indian context is the lack of a privacy, data protection and cyber security legislative model, which makes it extremely difficult to ensure such protection. In the absence of specific laws, the Government relies on a number of existing enactments and incidental safeguards for privacy purposes. The legislative framework that provides indirect support to privacy concerns and data protection in India comprises Article 21 of the Indian Constitution, the Information Technology Act, 2000, the Indian Contract Act, 1872, the Indian Penal Code, 1860, the Indian Copyright Act, 1957, the Consumer Protection Act, 1986, the Specific Relief Act, 1963 and the Indian Telegraph Act, 1885. The other issues include the absence of any classification of information as public, private or sensitive; the absence of a legal framework addressing ownership of private and sensitive information and data; the lack of a defined procedure for creating, processing, transmitting and storing information; the lack of guidelines defining data quality, proportionality and data transparency; and the absence of a framework dealing with the cross-border flow of information. These are challenges that cannot be ignored, and if ignored they would lead to severe consequences for individuals as well as for the nation. In the light of the above, these loopholes need to be plugged in the best interest of the country.