
Cyber Laws

The document discusses the complex interplay between public privacy and national security, highlighting the challenges in defining and protecting privacy rights in the digital age. It examines the evolution of privacy laws in India, the implications of state surveillance, and the need for comprehensive data protection legislation. The paper emphasizes the necessity of balancing privacy interests against national security concerns while advocating for a socio-technological approach to address these issues.

Uploaded by

Diya Vig

Cyber Laws

Topic: The Public Privacy vs. National Security Debate

Submitted by: Diya Vig, Roll Number- 21017

Submitted to: Dr. Ivneet Walia, RGNUL, Punjab

Acknowledgment

First and foremost, I would like to thank my supervisor, Dr. Ivneet Walia, for her
kind support and patience and her trust and belief in me that increased my self-
confidence and encouraged me to work and exploit all that I have in mind to do
better throughout all the periods of preparing my dissertation.
My sincere thanks go to Dr. Ivneet Walia for devoting her time and effort to read
and evaluate my work, and to everyone who tendered me a helping hand in my
research.

Diya Vig
21017
Fourth Year
RAJIV GANDHI NATIONAL UNIVERSITY OF LAW, PUNJAB

SUPERVISOR’S CERTIFICATE

Dr. Ivneet Walia
(Assistant Professor of Law)
Rajiv Gandhi National University of Law, Patiala, Punjab

Date:

This is to certify that the project submitted to Rajiv Gandhi National University
of Law, Patiala in partial fulfillment of the requirement of the BA LLB(Hons)
Course is an original and bonafide research work carried out by Ms. Diya Vig
under my supervision and guidance. No part of this project has been submitted
to any University for the award of any degree or diploma, whatsoever.
2. INTRODUCTION

When we contemplate an invasion of privacy such as having our personal information gathered by
companies in databases, we instinctively recoil. Most discussions on privacy appeal to people’s
fears and anxieties. However, what commentators often fail to do, is translate those instincts into
a reasoned, well-articulated account of why privacy problems are harmful. When people claim that
privacy should be protected, it is unclear precisely what they mean. This lack of clarity creates a
difficulty when it comes to policy making or resolving cases because lawmakers, enforcement
agencies and judges cannot easily articulate the privacy harm. The interests on the other side,
including free speech, efficient consumer transactions and security, are often much more readily
articulated. Therefore, courts and policymakers frequently struggle in recognizing privacy interests
and when this occurs, cases are dismissed or laws are not passed. The result is that privacy is not
balanced against countervailing interests.

3. WHAT IS PRIVACY?

While it is tempting to engage in an etymological inquiry of the definition of privacy, it would be
a rather futile exercise because practically, privacy cannot be understood independently from
society. As sociologist Barrington Moore Jr. aptly observes, “the need for privacy is a socially
created need and without society there would be no need for privacy.” Perhaps the most symbolic
definition of privacy is simply ‘the right to be left alone’, but this definition too turns out to be
rather inadequate when the everyday realities of the information age are factored in. One can also
argue that privacy is the relief from a range of kinds of social friction. However, privacy is not
freedom from all forms of social friction but rather, it is protection from a cluster of related
activities that impinge upon people in related ways. These activities often are not inherently
problematic or harmful and more often than not the element of consent forms the pivot of whether an
activity is violative of one’s privacy.

4. WHY IS PRIVACY RELEVANT?

Privacy as a matter of subjective as well as objective interest has pervaded public debate over the
recent past for a variety of causes and reasons but which can be largely traced to the growth and
development of electronic communications. A brief inquiry into the practical implications on the
right to privacy in the digital age reveals the vast myriad of threats. Threats to privacy arise over a
large spectrum of sectors ranging from law enforcement and national security to data protection
and biometrics. Very broadly, on one hand, there is a real and direct threat to an individual’s privacy
from surveillance both private (which is illegal) and state sponsored (which remains legal).

On the other hand, while Information and Communications Technologies (ICTs) have greatly
enhanced our capacities to collect, store, process and communicate information, the rapid increase
in the adoption and use of Information Communication Technologies platforms has also revealed
a host of issues ranging from protection of commercial and financial data to protecting one’s online
identity. Firstly, data on personal computers can be compromised with consequences ranging from
personal embarrassment to financial loss. Secondly, transmission of data over the Internet and
mobile networks is equally fraught with the risk of interception — both lawful and unlawful —
which could compromise our privacy. Thirdly, in the age of cloud computing when much of “our”
data – emails, chat logs, personal profiles, bank statements, etc., reside on distant servers of the
companies whose services we use, privacy becomes only as strong as these companies’ internal
electronic security systems. Fourthly, the privacy of children, women and minorities tends to be
especially fragile in this digital age and they have become frequent targets of exploitation. Fifthly,
the internet has spawned new kinds of annoyances from electronic voyeurism to spam or offensive
email to ‘phishing’ (impersonating someone else’s identity for financial gain), each of which
has the effect of impinging on one’s privacy.

In particular, the right to privacy of a citizen against the state has become a subject of concern and
intense debate in the public realm as a result of growing evidence of increased state-sponsored
surveillance in countries across the world including ‘democracies’ like the United States of
America (NSA’s PRISM) and India (CMS). It is a confirmed fear that the explosion of digital
communications content and information about communications (known as communications
metadata), coupled with decreasing costs of storing and mining large sets of data and the provision
of personal content through third party service providers make state surveillance possible at an
unprecedented scale. Communications surveillance in the modern environment encompasses the
monitoring, interception, collection, preservation, retention, interference, or access to information
that includes, reflects, arises from or is about a person’s communications in the past, present or
future. Reports of the extensive use of dragnet technologies and other clandestine operations by
state agencies under the pretence of national security have set alarm bells ringing across the public
domain and several crucial questions regarding the legality and ethics and, more importantly, the
efficacy of such operations remain unanswered.

Further, there are concerns with privacy and autonomy issues with regard to the collecting and
aggregation of private or personal information both by the state as well as internet companies and
service providers. Massive data collection initiatives of the state like the UID, NATGRID, CCTNS
etc. involve collection and storage of vast amounts of sensitive data of people in data centres. More
worrying is the lack of an adequate security framework for protection of this data. On the other
hand, service providers including telecom operators or social media platforms also handle large
amounts of personal information and data which are liable to be breached or exposed if adequate
security measures are not taken. Adding to this is the growing threat of cyber-terrorism and
information warfare.

Therefore, the causes and solutions to these issues have multiple dimensions and facets and legal
or administrative fixes are not always sufficient. Apart from strengthening the legal structures, a
socio-technological approach to these issues is warranted.

5. CONCEPT OF PRIVACY

Although various attempts at explicating the meaning of “privacy” have been made, few have
attempted to identify privacy problems in a comprehensive and concrete manner. The modern
contours of the tort of privacy can be traced back to the seminal article The Right to Privacy which
seized upon the metaphor of ‘man’s house as his castle’ to call for a common law right to privacy.
A more comprehensive attempt was undertaken in 1960 by the legendary torts scholar William
Prosser and he discerned four types of harmful activities redressed under the rubric of privacy:

• Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.

• Public disclosure of embarrassing private facts about the plaintiff.


• Publicity which places the plaintiff in a false light in the public eye.

• Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.

The concept of privacy has however evolved into the information age and a modern
taxonomy of privacy devised by Daniel Solove is founded on the premise that the state of privacy
law today is in disarray. The objective of the article is to codify and make sense of the harms caused
by a breach of privacy in the present era. Privacy harms have been categorized into four distinct
categories namely information collection, information processing, information dissemination and
invasion.

The first group of activities that affect privacy involves information collection which includes
Surveillance and Interrogation. The second group of activities involves the way information is
stored, manipulated, and used and is collectively referred to as “information processing.” The third
group of activities involves the dissemination of information which includes aspects of Breach of
confidentiality, Disclosure, Exposure, Increased Accessibility; Blackmail is the threat to disclose
personal information. Appropriation involves the use of the data subject’s identity to serve the aims
and interests of another. Distortion consists of the dissemination of false or misleading information
about individuals. Information Dissemination activities all involve the spreading or transfer of
personal data or the threat to do so. The fourth and final group of activities involves invasions into
people’s private affairs. Invasion, unlike the other groupings, need not involve personal
information (although in numerous instances, it does). Intrusion concerns invasive acts that disturb
one’s tranquillity or solitude. Decisional interference involves the government’s incursion into the
data subject’s decisions regarding her private affairs.

6. RIGHT TO PRIVACY

It is commonly believed that Indians do not place much value on individual autonomy. Although
the latter has begun to enter Indian life and exercises varying degrees of influence on different
sections of society and in different areas, its reach remains rather limited and its impact uneven.8

In spite of this notion, considerable questions have been raised regarding privacy infringements
before courts and the law of privacy in India has been largely developed through precedent.
Alleged breaches of privacy and complaints of unwanted state intrusion have been examined by
the courts over the decades and the right to privacy has been sustained by expanding the scope of
right to life and liberty under Article 21 of the Indian Constitution.

The judgements in Kharak Singh v. State of Uttar Pradesh and Gobind v. State of Madhya
Pradesh are of significance in this regard. The 1997 case of PUCL v. Union of India is also
significant with regard to state intrusions and right to privacy as the Court set out procedural
safeguards which would have to be followed for wiretapping under the Indian Telegraph Act.
Further, the concern of right to privacy has intermittently but certainly been stretched beyond
breaches by the state and Courts have over the years examined and expounded on issues like the
right to privacy of medical records of patients, the conflict between right to privacy and free
speech and, more recently, privacy in the context of sexual identities.

In spite of this limited judicial oversight, it is but a fact that there is still limited protection for the
right to privacy as India does not currently have a sui-generis statute that safeguards privacy
horizontally across different contexts. However various statutes dealing with issues as diverse as
banking and finance, professional ethics of lawyers, doctors and chartered accountants,
information technology and telephony contain provisions which either explicitly or impliedly
protect privacy or offer victim remedies for their breach.

7. LAW OF PRIVACY

The Information Technology Act, 2000 which is of much relevance today contains a number of
provisions which are intended to safeguard against online/computer related privacy. The Act
provides for civil and criminal liability with respect to hacking (Sections 43 & 66) and
imprisonment of up to three years with fine for electronic voyeurism (Sec. 66E), phishing and
identity theft (66C/66D) or sending offensive emails (Sec. 66A) etc.

On the flipside, Section 69 is titled the “power to issue directions for interception or monitoring or
decryption of any information through any computer resource.” This section is perhaps the legal
basis for all the latest state sponsored surveillance activities that may be undertaken in the pretext
of intelligence gathering and national security including the Central Monitoring System. The
section mirrors section 5(2) of the Telegraph Act, containing the same limitations on the exercise
of the power to issue directions. It contains a similar structure adhering to the constitutional
limitations as prescribed in PUCL v. Union of India judgment, where the direction may only be
issued when a public emergency or a public safety situation exists. It also contains the requirement
of recording reasons for issuing the direction and mentioning the 5 classes of events as contained
in section 5(2). It however does not cause surprise that the recent regulations prescribed under
section 69(2) for providing the procedure for issuing directions also broadly follow Rule 419-A of
the archaic Indian Telegraph Act. The fact that the present laws mirror most of the procedural
safeguards of documentary adherence, oversight and automatic expiry of an older, archaic law
reflects the apathetic approach of the state in preserving the right to privacy of its subjects.

8. DATA PROTECTION AND LAW

The overall scheme of the law relating to data protection in India is structured under the provisions
of the Information Technology Act and is a rather recent development. Contextually, the data
protection regime in India is a direct result of the development of the information technology industry
with Indian companies playing a major role in the global outsourcing business. Over the past
decade, it was perceived that the lack of a proper data protection regime would adversely impact
upon the flow of outsourcing business from European Union countries and concerns were raised
that this lacuna might divert outsourcing business within the European Union to the new Eastern
European member states, or to other countries that provided adequate levels of protection for
personal data via legislative or other means. Therefore, the importation of personal data from EU
countries appears to be the driving force behind the Indian data protection debate and earlier
attempts to introduce data protection legislation.

The Information Technology Act, 2000 was therefore amended and specifically, Section 43A was
introduced in 2008 which made a start at introducing a mandatory data protection regime in India.
The provision obliges corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’
to implement and maintain ‘reasonable security practices’, failing which, they would be liable to
compensate those affected by any negligence attributable to this failure. In addition to this,
Information Technology (Reasonable security practices and procedures and sensitive personal data
or information) Rules, 2011 were subsequently notified and the Rules lay down more
comprehensive guidelines regarding data privacy.

Overall, there are three key aspects of the Act and Rules that bear highlighting. Firstly, the Act and
Rules cater to three groups namely Body Corporates, Information Providers (or Data subjects) and
the Government. These rules address the:

1. Obligation of the corporates who collect the sensitive personal data of an individual – the
obligations being those pertaining to its use and disclosure.

2. The rights of the information provider, with a view to curb indiscriminate disclosure of
such information without the consent of the data subject.

3. The right of the Government to access sensitive personal data of individuals in cases of
investigation, etc.

The second aspect is the definition of ‘Sensitive personal data or information’ which is defined as
any information that the Central Government may designate as such, when it sees fit to. By
definition, Sensitive Data includes within its ambit the following types of information:

1. Passwords

2. Financial information such as Bank account or credit card or debit card or other payment
instrument details;

3. Physical, physiological and mental health condition;

4. Sexual orientation; medical records and history;

5. Biometric information;

6. Any detail relating to the above clauses as provided to body corporate for providing
service; and

7. Any of the information received under above clauses by body corporate for processing,
stored or processed under lawful contract or otherwise.


While the definition of sensitive personal data appears and attempts to be comprehensive, it has in
fact been observed to be of a broad character and it can be interpreted to include, within its ambit,
a wide array of information. In this aspect, it is essential to determine a precise definition of
‘sensitive personal information’ because broad interpretation will add to the ambiguity of the scope
of not only these Rules but also of Section 43A. Thus, it seems to follow that any ambiguity in
the definition fails to serve the very purpose of the Rules, to begin with, since the whole enactment
deals with the concept of processing of ‘Sensitive Personal Data or Information’. In order for this
provision to be clearer, the definition could be amended to include inter alia, ‘information which
is capable of personally identifying a person, individually or when aggregated’. Another aspect is
that the present laws fail to distinguish between two distinct types of data, namely personal data
and sensitive personal data, as the processing of sensitive personal data must be subject to
conditions that are stricter than those applied to personal data.

Thirdly, the ‘reasonable security practices’ which the Act obliges body corporate to observe are
restricted to such measures as may be specified either ‘in an agreement between the parties’ or in
any law in force or as prescribed by the Central Government. However, the Rules provide that in
the absence of such agreement ‘reasonable security practices and procedures’ to be adopted by any
corporate entity to secure sensitive personal information are procedures that comply with the
IS/ISO/IEC 27001 standard or with the codes of best practices for data protection as approved by
the Central Government.

In practice, data controllers are obligated to formulate a privacy policy for handling or dealing with
personal information and sensitive personal information. The policy must be available to be viewed
by the data subjects who provide information under a lawful contract and must include the
following aspects.

1. Clear and easily accessible statements of the data controller’s practices and policies;

2. The type of personal information or sensitive personal information that may be collected;

3. The purpose of collection and use of the information;

4. Conditions of disclosure of information; and

5. Reasonable security practices and procedures implemented to ensure confidentiality of
information.

Another important facet of data protection is the guidelines concerned with collection of
information and retention of data which fundamentally involve the concept of consent. Rule 5 of the
Rules deals with the collection of sensitive personal data or information and it states inter alia that
a body corporate has to first obtain consent in writing through letter, fax or email, from the provider
of such information, regarding purpose of usage, before collection of such information. This rule
is conterminous with Article 7 of the EU Directive which reflects the same principle as it states
that personal data may be processed only if the data subject has unambiguously given his consent
to the same. Further, Rule 5 gives ‘the provider of information’ certain privileges of modifying
such information as and when necessary and withdrawing the consent given earlier. Therefore,
data controllers must obtain the data subject’s consent regarding the purpose of use, before
collecting any sensitive personal information and no sensitive personal information must be
collected unless the information is collected for a lawful purpose and is connected with a function
or activity of the data controller and which is considered necessary for that purpose.

Data controllers must also not retain sensitive personal information for a period longer than it is
required for fulfilling the purposes for which the information is collected or as may be required by
law. Data collectors must also obtain the consent of the provider of the information for any transfer
of sensitive personal information to any other corporate entity or person in India, or in any other
country that ensures the same level of data protection as provided for under the Rules. However,
consent is not necessary for the transfer if it is required for the performance of a lawful contract
between the corporate entity and the provider of information or as otherwise specified in the Act.

Another pertinent aspect is that collectors of information must also provide an option to the data
subjects not to provide the data or information sought to be collected. Data subjects also should
have an option of withdrawing consent given for use of sensitive personal information. However,
the rules fail to clearly distinguish between ‘the provider of information’ and ‘individual to whom
the data pertains’ which gives rise to a lot of uncertainty on a prima facie reading of the rules.

Rule 6 deals with disclosure of information and it states that prior permission of the provider of
information has to be obtained before any disclosure is made to a third party and any third party
receiving such information is not entitled to disclose it further unless the disclosure has been
already agreed to in the contract between the data subjects and the data controllers or disclosure is
necessary for compliance with a legal obligation. The exception to this rule is where either
disclosure must be made to government agencies mandated under law to obtain information for
the purposes of verification of identity, prevention, detection and investigation of crimes, or
prosecution or punishment of offences, or an order under law (such as a court order) has been
made.

The Information Technology Act also prescribes penalties and punishments for contraventions of
the Act. For instance, disclosure by the government of information obtained in the course of
exercising its interception powers under the Act is punishable with imprisonment of up to two
years and fine (Sec. 72). Section 72A of the Act penalizes the unauthorized disclosure of “personal
information” by any person who has obtained such information while providing services under a
lawful contract. Such disclosure must be made with the intent of causing wrongful loss or obtaining
a wrongful gain and is punishable with imprisonment which may extend to 3 years or a fine of
Rs.500,000 or both.

There is however growing dissatisfaction over the present framework for data protection created
under S. 43A and corresponding Rules. The information services industry in India is heavily reliant
on strong data protection measures yet data transfers to India continue to occur on the strength of
contractual data protection requirements. Adequate protection standards (for incoming European
data) are secured primarily by incorporation of the Standard Contractual Clauses within the
binding terms of the data transfer contract. Compared to the EU data protection directives, the
Indian data protection regime is limited and definitely not sufficient to ensure adequate protection.
In that sense, Regulations issued by the RBI contain more certain provisions containing data
protection but are limited in scope. There is therefore an impending need to revamp the existing
law and develop a more comprehensive regime which is on par with the EU data protection regime.

9. PRIVACY LEGISLATION: IMPERATIVE NEED AND CONCLUSION

The commoditization of information has had large scale socio-political and economic implications
in the last decade and prevailing issues of privacy extend beyond commonly perceived causes. The
initiation of national programmes like Unique Identification Number (UID), National Intelligence
Grid (NATGRID), Crime and Criminal Tracking Network System (CCTNS), DNA Profiling,
Reproductive rights of Women, Privileged Communications and Brain Mapping, most of which
will be implemented through ICT platforms, have increased collection of citizen information by
the government and serious concerns have emerged on their impact on the privacy of persons. The
lack of an overarching policy governing the collection of information by the government or other
private has led to ambiguity over who is allowed to collect data, what data can be collected, what
are the rights of the individual, and how the right to privacy will be protected. Moreover, the extent
of personal information being held by various service providers, and especially the enhanced
potential for convergence that digitization carries with it is a matter that raises issues about privacy.

It is under these considerations that the Justice AP Shah Report on Privacy is of much relevance
today. The report envisages a five point framework encompassing technological neutrality and
inter-operability with international standards on multi-dimensional privacy issues like
surveillance, collection of DNA, physical privacy, horizontal applicability between the
government and private sector, conformity with certain privacy principles and establishment of a
co–regulatory enforcement regime. The report in its recommendations also proposes a framework
for a Privacy Act which is intended to establish clear boundaries and clarify definitions and
harmonise legislations, policy, and practices over a vast array of issues. The Act also articulates an
enforcement regime including establishing the office of the Privacy Commissioner at the regional
and central levels, defining the role of self regulatory organizations and co-regulation, and creating
a system of complaints and redressal for aggrieved individuals. The Act could also prescribe
safeguards for physical privacy including search and seizure and enumerate offences, associated
remedies, and penalties. It is worth noting that the report addresses issues of growing relevance and
is an important step forward in strengthening the law on privacy.

10. BIBLIOGRAPHY

[1] Judith Jarvis Thomson, Philosophy & Public Affairs, Vol. 4, No. 4 (Summer, 1975), pp. 295-
314
[2] Daniel Solove, A Taxonomy of Privacy, University of Pennsylvania Law Review
[3] Prashant Iyengar, Privacy and the Information Technology Act — do we have the Safeguards
for Electronic Privacy?
[4] International Principles on the Application of Human Rights to Communications Surveillance
available at
[5] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 197
(1890)
[6] Daniel J. Solove, A Taxonomy of Privacy, 154 U. PA. L. REV. 477, 482-483 (2006)
[7] Bhikhu Parekh, Private and Public Spheres in India, 12 Critical Rev. Int’l Soc. & Pol. Phil.
313, 317 (2009)
[8] Apar Gupta, Balancing Online Privacy in India, Indian Journal of Law and Technology, Vol
6 (2010)
[9] AIR 1963 SC 1295 (Subba Rao, J., dissenting) (concerned a challenge to the constitutionality
of Rule 236 of the U.P. Police Regulations)
[10] (1975) 2 SCC 148 (Per K. K. Mathew, J. et al.) (holding that unnecessary domiciliary visits
and picketing were a breach of the petitioner’s right to privacy)
[11] (1997) 1 SCC 30
[12] Mr. ‘X’ v. Hospital ‘Z’, AIR 1999 SC 495
[13] R. Rajagopal v. State of Tamil Nadu, (1994 SCC (6) 632)
[14] Naz Foundation v. Union of India, WP No. 7555 of 2011
[15] Privacy in the Developing World, IDRC
[16] R Ananthapur, “India’s new Data Protection Legislation”, (2011) 8:2 SCRIPTed 192
[17] Apar Gupta, 2011, Comments on Draft Sensitive Personal Information Rules
[18] External Link
[19] Directive 95/46/EC
[20] Data Protection Laws of the World, DLA Piper
[21] Radha Raghavan and Ramya Ramchandran, Data Protection Law in India: An Overview
[22] Comparison of International Privacy Principles, Report of The Group of Experts on Privacy
2012, Planning Commission, Government of India
[23] Ibid
[24] Interception, the use of personal identifiers, the use of audio and video recordings, the use of
bodily and gene-material, and the use of personal information by the government and the private
sector
