Privacy and Cyber Security
Written by: Mr Usama Mubarak
The internet has revolutionized the way we think today and brought the world one click away. However, every boon comes with a side-effect. Breach of privacy on the internet is a common occurrence and has legal implications. There are a number of international legislations, including EU Directives, as well as the domestic laws of countries. In India, the Constitution accords the right to privacy of every individual, and internet privacy is protected by the Information Technology Act, 2000. This paper analyses law relating to the right to privacy and cybersecurity on the internet.”
Privacy and Cyber Security are multidimensional terms, which can have any connotations of a certain aspect. But the aspect which is outrightly to be highlighted here is that individual freedom and personal liberty. The most basic and fundamental right of a citizen is to live a healthy and hassle-free life but unfortunately, this is not the case in the present scenario. As well all have encountered troubled times in the recent past i.e lockdown period.
Every sector switched to the digital mode for communication but meanwhile, certain cyberattacks happened and data theft was reported as almost all used applications like zoom, google meet, MS Teams etc. There were reports of cyber attacks on these E-platforms Just as the 17th and 18th centuries are referred to as the Age of Enlightenment, today’s time can rightfully be referred to as the Age of Technology. The past decade or so has witnessed a boom in information technology as well as internet-related technology which has completely redefined society and our way of life.
From its humble beginnings, the internet has come a long way with even entire businesses being set up online to meet the needs of the modern-day consumer. While this incremental development in the field of technology is definitely a boon for humankind, it can also be misused, which means that one’s personal data and privacy are under constant threat in cyberspace.
Computers have become indispensable to us in all aspects of life and there is a prevailing misconception that the internet is an anonymous world and that any and all information posted by an individual online remains private. But this is a massive fallacy. The information posted online can be accessed through a myriad of data collection services and other techniques that more often than not, operate without the knowledge or consent of the user. Hence, the concerns pertaining to the breach of individual privacy on the internet are well-founded and are of tantamount importance.
In 2012, the United Nations Human Rights Council affirmed that freedom of expression on the internet is a basic human right which implies that the rights of an individual existing offline must also be protected online. Here in India, the right to privacy is a fundamental right under Article 21 of our Constitution and therefore, one’s privacy in cyberspace also must be safeguarded as in the case of privacy in the general sense.
Reasons For Adopting Comprehensive Laws
The three eminent reasons for the development of laws related to protecting data privacy are as follows:
To remedy past injustices. Countries, specifically ones in Central Europe, South America and South Africa, have been rapidly evolving laws to remedy violations of privacy that occurred under the previously existing authoritarian and totalitarian regimes.
To promote the growth of electronic commerce. Countries, especially those in Asia and North America have realized that it is in their interests that the development of electronic trade and commerce is promoted and continued. Consumers are wary of disclosing personal information and it being broadcasted throughout cyberspace. The setting up of uniform rules with respect to electronic commerce is intended to simplify as well as to secure the process for the ease of the consumers.
So as to conform to the norms predominant in Europe, countries in Central and Eastern Europe have been adopting laws based on the Council of Europe Convention and the European Union Data Protection Directive. This is happening as a result of these countries’ desire to join the European Union in the near future. Countries in other regions too are adopting new laws so as to ensure the continuity of trade without being affected by the regulations imposed by the E.U. Directives.
Online Privacy in India
The main piece of legislation in India dealing with the world of cyberspace is the Information Technology Act, 2000 (hereinafter, IT Act, 2000) which lays down the penalties for various cyber-crimes and other offences concerning technology committed via digital or electronic media. This Act was not passed for the purpose of protecting individuals’ data but is in fact generic legislation covering a broad range of technology-related issues like digital signature, e-governance, cyber contraventions, cyber offences, confidentiality and privacy. The issue of online privacy has been summarily addressed in the IT Act, 2000 and further elaborated on in the Information Technology (Amendment Act, 2008) and the Data Privacy Rules, 2011 which safeguard personal and sensitive data.
Position under the Information Technology Act, 2000
The following provisions of the IT Act, 2000 address the issue of privacy in cyberspace:
Breach of confidentiality and privacy (Section 72)
Section 72 of the IT Act, 2000 entails a penalty for breach of confidentiality and privacy and is vital for safeguarding internet privacy. It provides imprisonment of a maximum of two years, or with fine up to one lakh rupees, or with both that if any person in pursuance of the powers conferred under the Act secures access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and discloses such electronic record etc. to any other person. This section imposes criminal liability ie imprisonment of up to 2 years or a fine of up to one lakh rupees for an individual breaching the privacy or confidentiality of another individual.
This Section of the IT Act, 2000 is rather narrow in its scope as it specifically states “person who in pursuance of any of the powers conferred under this Act…” while the infringement need not be committed by a person authorised by law. This means that any user of the internet is allowed to make an infringement for which there exists no legal remedy. For instance, six million passwords of LinkedIn users were released by hackers on the internet via a Russian web forum. This can definitely be classified as a breach of privacy without the consent of the person but the hacker would not be liable under Section 72 of the IT Act, 2000 since this particular Section covers only those individuals with whom powers have been vested by this Act.
Disclosure of information in breach of lawful contract (Section 72A)
This Section was added as a measure to further strengthen data privacy laws by the IT (Amendment) Act, 2008. It lays down punishment for disclosing information in breach of a lawful contract. This section prevents any person from disclosing personal information obtained from a user without the consent of that particular user and is thus an additional safeguard of online privacy.
Cyber Voyeurism (Section 66 E)
Section 66 E is a Section added by the IT (Amendment) Act, 2008 is another provision with the intention to protect online privacy and provide punishment for a violation of said privacy. As the title suggests, this section is a safeguard against cyber voyeurism which results in a breach of privacy. It provides a punishment of up to 3 years or a fine of up to two lakh rupees in case of any intentional capturing, publishing or transmitting the image of a private area of any person without his or her consent. Privacy, as used in this section, has been understood in the physical sense without any regard being given to personal information. Voyeurism not only infringes the privacy of the person but also is a serious violation of human dignity.
Failure to protect data (Section 43A)
Section 43A provides that a corporate body must adequately compensate the injured parties for its failure to protect their private data. A corporate body, possessing, dealing or handling any sensitive personal data through a computer resource who is negligent in the maintenance of reasonable security practices and thus causes wrongful loss or wrongful gain to any person, is held by law to be liable to pay compensation to the individuals affected. The provision is quite wide in its ambit and the corporation is made liable for mere possession of personal data if the manner in which this data or information is handled is not up to the standards expected from a reasonable person. This section specifically deals with only sensitive personal data but at the same time does not lay down criteria for differentiating sensitive personal data from the rest.
Online Privacy and National Security (Section 69)
The right to privacy and confidentiality has to be balanced with the need to safeguard national security. No right is ever absolute, i.e. every right has certain limitations and restrictions placed upon it by law. Not even the right to life contained in the Constitution of India is exempt from this rule. Due to the volatile nature of the global scenario, the primary duty of the State is to protect national interests and as a result, the protection and enforcement of all other rights become secondary. Section 69 provides for online surveillance by the Central and State Governments by means of intercepting, monitoring and decrypting any manner of electronic communication.
This Section was amended in 2008 and was consequently given a wider scope. Another change that has been brought is that it mandates procedural safeguards to be adhered to so as to avoid arbitrariness. Also, reasons must be recorded in writing before exercising the powers under the section. Communication over the internet is a means of utilizing the freedom of speech and expression we possess and hence unless absolutely necessary or in extenuating circumstances, this Section cannot be applied by the Central and State Governments. On a multitude of occasions, the Supreme Court stated that individual privacy can be compromised to further national and public interests.
The Government has been given vast amounts of power when it comes to surveillance. But these powers are exercised with the utmost caution as there is much scope for its misuse for politically motivated reasons.
The intention behind Section 69 is more of a public policy measure and should thus be limited to only that purpose. The defining argument justifying the government’s power of surveillance is that if investigations of crimes committed in the physical world can invade the privacy of citizens’ lives when necessary, then the same principle should be applied when it comes to online resources too. The constitutionality of this section has been contended repeatedly.
It is yet to be seen whether it is challenged in the courts but since there is a system of checks and balances in place to regulate the interception of communications, it is rather unlikely that this Section will be struck down as unconstitutional. A similar line of reasoning was used when the Supreme Court upheld the constitutional validity of MCOCA, 1999 as there were sufficient procedural mechanisms in place so as to prevent it from being misused.
Data Privacy Rules, 2011: A Step Forward
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter, Data Privacy Rules, 2011) came into effect in April 2011. These Rules are meant to supplement the empowerment of the legislation under Section 43A and aim to further the field of data protection. In a nutshell, it is aimed at protecting sensitive data and personal information of individuals while simultaneously regulating the methods of collection and disclosure of such information. Sensitive personal data or information of a person has been clearly listed out as information pertaining to:
- Financial information;
- Condition of physical as well as mental health;
- Sexual orientation;
- Medical records;
- Biometric information;
- Any information relating to the above subjects as provided to corporate bodies while availing a service;
- Any information received under the above clauses by corporate bodies.
These Rules safeguard users’ personal information by making it necessary for corporates to procure permission from users before disclosing their personal information to any third party, except in cases where the due disclosure of the information is a legal obligation.
The framing of the Data Privacy Rules, 2011 is a positive step towards the conformity of Indian rules regarding the protection of users in cyberspace to that followed by other nations. These Rules have one fundamental flaw. Their implementation as well as the penalty for their infringement is obscure. Until these grey areas are removed, legal recourse is available via Section 45 of the IT Act that requires anyone flouting the norms laid down by the Act to pay a compensation of Rs. 25,000 which is clearly a paltry and insufficient sum. Also, these Rules are only applicable to corporate bodies located within the territory of India.
It is clearly observed that private individuals are not the only residents of cyberspace. Governments have been trying to control and monitor the activities occurring through this relatively new medium since the advent of the internet itself, and because of the absence of a clear definition of what is acceptable, many questions have been raised about the legality of government actions. Ensuring the safety and wellbeing of citizens is one of the primary responsibilities of the government but they must also respect the privacy of citizens unless they have just and probable cause.
Although there are many well-defined laws and precedents for how to handle invading a person’s life, the laws for monitoring private digital life are very much a grey and ambiguous field. While intercepting and reading a piece of posted mail is a tedious and hard to disguise task, it is a simple and easy to read electronic mail, and it is almost undetectable as well. With this ease and difficulty of stopping interception of online communications arises the very real fear that governments will soon begin to pry into every aspect of human life, all in the name of national security.
Even in India, pending the launch of the Central Monitoring System(CMS) project, Lawful Intercept and Monitoring (LIM) systems, which have been deployed by the Centre for Development of Telematics (C-DoT) to monitor citizens’ activities on the internet, and sometimes this occurs by blatantly flouting the rules.[lxv]This is the sentiment that gave rise to the phrase “Big Brother is watching”. Great care has to be taken to ensure the safety of citizens, while still maintaining their privacy.