28th January of every year is observed as Data Privacy Day! Begun in 2007 in the European Union (E.U.) and adopted by the U.S. in 2008, Data Privacy Day is an international effort to encourage better protection of data and respect for privacy. In January 2020, Satya Nadella of Microsoft reiterated that data privacy is a human right.
Crime in legal sense is an act or omission clearly defined by law. Every wrong or impropriety is not crime. In classical sense crime can be committed by a human being or attributable to his conduct. To fix a criminal liability on a person, the criminal act or omission of the person requires evidence of his "intention" or "Motive" of causing harm to others or "knowledge" that his act or omission was likely to cause harm.
Once a crime is defined, a mechanism is required to be put in place to deal with crime and criminals, which gives rise to the issue of jurisdiction. Jurisdiction is a complex subject, but it is enough to understand that jurisdiction in the classical sense is based on territory, the physical effect of an action or the physical presence of the offender. But cyber space is a different universe which is not in a physical form, and it is not possible to draw boundaries or lines in cyber space. A person may be present at several locations in cyber space at a given moment. It is almost impossible to limit cyber space within territorial boundaries. Cyber space is fluid and interconnected. Therefore, a law made by one country or one Government may not be adequate and sufficient to deal with cyber crime. Although at the national level technology-based safeguards may be provided by technical experts to prevent and detect cyber crimes, without robust international co-operation it is difficult to enforce cyber laws and bring cyber criminals and cyber attackers to book.
Understanding of cyber technology
So far cyber crime has not been defined under any law in India. The National Cyber Crime Reporting Portal takes cyber crime to 'mean any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime'.
The pace of cyber technology development is so rapid that it is causing many disruptions in the known lifestyle of mankind. A layperson, a businessman or a politician is not able to comprehend the way new technologies operate. The financial system, the mobile network, the banking network, online shopping and payments are crafted by engineers. But those engineers are not psychologists or experts in the field of assessing human behaviour, so they are not in a position to assess the social, business and political implications of their bona fide technological developments.
The use of technology has created enormous potential to manipulate the world and reshape the thinking of humans, but it is a reality that, except for a handful, the human race does not understand the complexity of the ecology of cyber technology. Take the example of artificial intelligence, blockchain, genetic engineering, machine learning etc. How many Indians understand the nitty-gritty of these technological terms? Only a minuscule number, but at the same time, in reality, these technologies are part and parcel of the daily life of an overwhelming majority of people. The ignorance of people about the effect of technology can be gauged from one example. Please recall Mr Donald Trump's appeal to build a concrete wall on the borders of Mexico and California, which generated a lot of interest in the USA, but hardly anyone realised that raising a firewall instead could be a more potent strategy than building a concrete wall. It is so because people can relate to and understand the perceived benefits of building a concrete wall on the border in order to preserve their liberty and prosperity from the perceived onslaught of outsiders, but it is too difficult for them to comprehend the effect of the technology emanating from other countries which is affecting their life on a daily basis.
Cybercrimes and cyber security
In India, the Information Technology Act 2000 (the IT Act) and the rules and regulations framed thereunder deal with cybersecurity and cybercrimes, so far. Cybercrimes and cyber security go hand in hand, but both fall within the overarching ambit of the subject of data security and data privacy. The types of cybercrimes are multifarious. There are cyber crimes which are mainly intended to target State players and institutions, and there are cyber crimes which affect the common masses. The relevant considerations for dealing with both types of cyber crimes would be different. The concept of data privacy is people-centric.
One of the areas of serious concern for commoners is the cyber threat to the integrity of the banking system. The cyber banking system runs on the strength of the data of its consumers. With the rise of digital payments, cybercrimes involving payment transactions in the online space have significantly increased and become complex. RBI has been active in requiring companies operating payment systems to build secure authentication and transaction security mechanisms (such as 2FA authentication, EMV chips, PCI DSS compliance and tokenisation). But these payment companies mostly offer real-time smooth payment experiences to their consumers, which leaves less time for banks and other entities operating in the payment ecosystem to identify and respond to cyberthreats. Today, vehicles are loaded with sensors, programmable chips and data processing devices and, on top of that, are connected to the internet. We are on the verge of the commercial introduction of self-driven vehicles which can run automatically with inputs from cyber space. If such vehicles are targeted by cyber criminals, the gravity of the result can be easily understood.
Collection of data about personal identity, data of human behaviour, data about personal health and wellbeing, data of the devices we wear and carry with us or install in our homes, our channels of communication, sensors in our transport and our streets all generate more and more data. The reality of the digital environment today is that almost every single activity undertaken by an individual involves some sort of data transaction or the other. Cyber technologies are so useful because of the availability of and the capacity to process this enormous data. Data may be generated and collected by default, by consent, by design, by force, by deceit and in so many other ways.
Therefore, the starting point of a cyber crime is generation and creation of DATA which means that every form of knowledge, experiences, perceptions, physical identity and existence is fed into a computer system in the shape of binary codes which occupy space on a hard disk or a cloud. This is DATA.
Data privacy need of the hour
Now the sequence begins: what does a man intend to do with the data in his possession? How and with whom does he share the data? What if the data is stolen, erased or manipulated? And more. These issues necessarily lead us in the direction of data protection and data privacy as a matter of prevention of cybercrimes.
Data protection is essentially a technical issue and, in the matter of strategic sectors, it is also a political issue which may be governed and enforced by procedures and protocols. But data privacy is essentially a legal issue dealing with the substantive rights of people as individuals or as a group. Data privacy cannot be ensured unless personal data gets respect and protection from the person or the system handling the data. It can be explained with a simple example. When you swipe your credit card, you're doing two things. First of all, you're trusting the service provider and payment system with your personal data protection: you want them to make sure, among other things, that cybercriminals and third parties can't access your credit information. At the same time, you're also trusting them to honor your data privacy by not misusing the information themselves for any other purpose.
On a daily basis, many people feel that companies are accessing personal information that they did not explicitly provide. Yet, in spite of all these concerns, people are very open with sharing information about themselves, a conflict which seems to have become a permanent fixture in our everyday lives. Social media platforms have become critical in maintaining social relationships, and there is no way we can turn our backs on them. Although we claim to want our privacy, we tend to focus more on the benefits we'll get out of our online activities than on the risks we take by engaging in them.
Therefore, the technology alone cannot ensure the privacy of personal data. Most privacy protection protocols are still vulnerable to unauthorized individuals who might access the data. In short, no number of technological safeguards can eliminate the central role of trust in ensuring data privacy. Therefore, law is required to regulate the conduct of humans who are entrusted with data to not betray the trust reposed in them by the unsuspecting public. However, the technology has thrown a new challenge i.e. what should be done when data is entrusted to a machine having artificial intelligence and machine learning abilities? Only time will tell whether we can expect the machines to honour and preserve the trust more faithfully than men, and in case of breach of trust by the artificial intelligence, who shall be made liable? Therefore, similar provisions may be required to be made for the persons responsible for ensuring the integrity of the processes operating through artificial intelligence and machine learning.
Law alone can't fix all
A staggering 137 million records were exposed in the 10 largest data breaches in 2019. Interpol recently reported that there has been a surge in cybersecurity attacks since the pandemic. This highlights the magnitude of the problem, and this trend shows no sign of letting up.
Today when personal data is the key to gain a competitive edge, data ethics is at the heart of business success. Unfortunately, many companies believe they have done their duty by publishing data privacy and security policies, but many consumers simply skip reading the "Terms & Conditions" before pressing the Accept button.
Under these circumstances, it becomes very important to understand the difference between development of technology and putting the technology to use. A law cannot control the development of technology but it can regulate the use of technology and fix accountability for misuse thereof. But as soon as the law will have to take into consideration the machine learning and artificial intelligence, it will be more complex and cumbersome to fix accountability. Please note that a machine cannot be punished or held responsible for a harm caused to the human beings, even if by any legal fiction, it is held accountable. We shall face in near future another complex task of finding a remedy against harm caused by a machine not controlled by human beings.
2018 started with a massive data breach of personal records of 1.1 billion Indian Aadhaar cardholders. UIDAI revealed that around 210 Indian Government websites had leaked Aadhaar details of people online. Data leaked included Aadhaar, PAN and mobile numbers, bank account numbers, IFSC codes and almost every piece of personal information of all individual cardholders. If that wasn't shocking enough, anonymous sellers were selling Aadhaar information of any person for Rs. 500 over WhatsApp. Also, one could get any person's Aadhaar card printout by paying an extra amount of Rs. 300.
In 2018, a cyber attack was perpetrated on Cosmos Bank in Pune. This daring attack shook the whole banking sector of India when hackers siphoned off Rs. 94.42 crore from Cosmos Cooperative Bank Ltd. in Pune. Hackers hacked into the bank's ATM server and took details of many Visa and RuPay debit cardholders. Money was wiped off while hacker gangs from around 28 countries immediately withdrew the amount as soon as they were informed.
The Covid-19 pandemic has given an unprecedented opportunity to cyber criminals. The work-from-home working model adopted by organizations has been blamed for the rise of cyber attacks. The security gap between the home and office network has played a key role in making way for the data breaches in 2020. This issue has resulted in the theft of confidential information, leading to the loss of millions of dollars for breached organizations.
The crux is that data-sharing between government agencies also, if not well regulated, can create a "back door" which allows circumvention of individual privacy and data protection safeguards. Comprehensive population databases, like those established as part of ID systems, are a tempting resource for people in power and law enforcement authorities, particularly when they contain biometrics.
Right to privacy
Right to privacy is a human right recognized under Article 12 of the Universal Declaration of Human Rights issued by the United Nations on December 10, 1948, of which India is a signatory. Many human rights received the status of fundamental rights under the Indian constitution, thanks to the Supreme Court of India.
On August 24, 2017, a bench of nine judges of the SC in the case Justice K S Puttaswamy (Retd.) and Anr. Versus Union of India and Ors. declared that the Right to Privacy is a fundamental right, intrinsic to life and liberty; therefore, it comes under Article 21 of the Constitution. The judgment writes: "'Fundamental Rights' are the modern name for what has been traditionally known as 'natural rights'". Justice S A Bobde, now CJI, wrote: "Privacy, with which we are here concerned, eminently qualifies as an inalienable natural right, intimately connected to two values whose protection is a matter of universal moral agreement: the innate dignity and autonomy of man." D.Y. Chandrachud J. wrote: "Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy... Privacy attaches to the person since it is an essential facet of the dignity of the human being."
Policymakers and courts have struggled with striking the appropriate balance between protecting the privacy of registrants and supporting criminal investigations.
India's IT Rules
In India, The IT Rules have been incorporated vide Section 43A of the IT Act and provide for minimum standards on collection, disclosure and transfer of personal information—which is defined as "any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person."
The IT Rules further mandate a body corporate shall obtain prior consent from the provider of 'sensitive personal data or information' for using such sensitive information. The Rules provide for a list of personal information that can be construed to be 'sensitive' and includes passwords, financial information, health parameters, sexual orientation, etc.
There are RBI guidelines, regulations and circulars that require banks to maintain secrecy of client information and propound methods to evolve voluntary norms that banks must enforce on themselves. The DoT, in consonance with the TRAI, continues to issue guidelines for protection and localisation of data collected by service providers from their customers. The Medical Council of India, under the ambit of the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002, governs issues relating to collection of personal data of patients, issues of consent and the extent to which complicated procedures may be carried out. In August 2018, amendments were made to the Drugs and Cosmetics Rules, 1945, requiring e-pharmacists to localise the data generated of their customers, provided that in no case the data generated or duplicated through the e-pharmacy portal shall be sent or stored outside India.
There are entities who have promulgated procedures for safely storing records of database/information acquired by them: (a) NASSCOM has set up the Data Security Council of India that is committed to making the cyberspace safe, secure and trusted by establishing best practices and standards in the cybersecurity space. (b) SEBI promulgated the Data Sharing Policy in October 2018, which aimed at simplifying the process of data sharing and formalisation of data protection measures to prevent data from misuse. (c) IRDAI introduced the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 that apply to all insurers registered under IRDAI and any outsourcing arrangements entered into by them.
Data protection bill
Now, after the Aadhaar judgment, the Personal Data Protection Bill, 2019 is before the Parliament for consideration. The proposed Legislation seeks to bring a strong and robust data protection framework for India and to set up an Authority for protecting personal data and empowering the citizens with rights relating to their personal data, ensuring their fundamental right to "privacy and protection of personal data".
The salient features of the Data Protection Bill, 2019, inter alia, are as under:
(i) to promote the concepts such as consent framework, purpose limitation, storage limitation and the data minimisation;
(ii) to lay down obligations on entities collecting personal data (data fiduciary) to collect only that data which is required for a specific purpose and with the express consent of the individual (data principal);
(iii) to confer rights on the individual to obtain personal data, correct inaccurate data, erase data, update the data, port the data to other fiduciaries and the right to restrict or prevent the disclosure of personal data;
(iv) to establish an Authority to be called the "Data Protection Authority of India" (the Authority) which shall consist of a Chairperson and not more than six whole-time Members to be appointed by the Central Government;
(v) to provide that the Authority shall protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of the proposed legislation and promote awareness about the data protection;
(vi) to specify a provision relating to "social media intermediary" whose actions have significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India and to empower the Central Government, in consultation with the Authority, to notify the said intermediary as a significant data fiduciary;
(vii) to confer a "right of grievance" on data principal to make a complaint against the grievance to the data fiduciary and if aggrieved by the decision of such data fiduciary, he may approach the Authority;
(viii) to empower the Central Government to exempt any agency of Government from application of the proposed Legislation;
(ix) to empower the Authority to specify the "code of practice" to promote good practices of data protection and facilitate compliance with the obligations under this legislation;
(x) to appoint the "Adjudicating Officer" for the purpose of adjudging the penalties to be imposed and the compensation to be awarded under the provisions of this legislation;
(xi) to establish an "Appellate Tribunal" to hear and dispose of any appeal from an order of the Authority under clause 54 and the Adjudicating Officer under clauses 63 and 64; and
(xii) to impose "fines and penalties" for contravention of the provisions of the proposed legislation.
The bill recognises that the right to privacy is a fundamental right and that it is necessary to protect personal data as an essential facet of informational privacy; it also recognises that the growth of the digital economy has expanded the use of data as a critical means of communication between persons. The statement of objects of the bill says that it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.
Respect data and its privacy
It is good for India to have a comprehensive law on data privacy; however, it should not be hurried like several bills which have given rise to resentment and agitations. It is so because, so long as humanity exists, the expansion of technology should be the means to achieve certain ends and should not become an end in itself. Human existence cannot be left at the discretion of the artificial intelligence of machines processing Big Data. Humanity is diverse, and that diversity needs to be preserved. The idea of privacy is a part of human evolution, and the innate dignity and autonomy of man needs to be protected in the interest of humanity.
Ultimately, it is the integrity and honesty of men handling data which can save the dignity and autonomy of humans. A robust data privacy legal regime shall guide men to respect data integrity and data privacy. Data privacy cannot be achieved by a data privacy program but by building a data privacy culture. An effective data privacy regime shall not only protect human dignity, it shall certainly reduce the incidents of cyber crime as well.
Disclaimer: This is a guest post by Sanjai Kumar Pathak, an Advocate-on-Record, Supreme Court of India. The author has over two decades of experience in the legal profession. His interest areas include Constitutional law, Human Rights, Cyber laws, Social Issues etc.