Privacy in India: Legal issues
Uploaded by sagar-rahurkar (Category: Law)
PRIVACY IN THE DIGITAL AGE – LEGAL SCENARIO (WITH SPECIFIC REFERENCE TO INDIA)
AGENDA
Privacy
Data Privacy
Different categories/types of Private data
Indian Legal scenario on Privacy
Some of the global laws
Mom’s gyan (advice)
PRIVACY
To separate/seclude from the rest
Types – Personal privacy
Informational
Organizational
WE’LL EXPECT REASONABLE PRIVACY IN LIFE…..BUT THEN…!
….and so many other ways by which we’re being tracked…!
INFORMATION/DATA PRIVACY
The ability of an organization or individual to determine what data in a computer system can be shared with third parties
Private data is known as –
Personally Identifiable Information (PII)
Personal data
Sensitive Personal Data/Information
PERSONALLY IDENTIFIABLE INFORMATION
o US privacy laws – Information that can be used on its own or with other information to identify, contact, or locate a person, or to identify an individual in context
PERSONAL DATA AND SENSITIVE PERSONAL DATA
Data Protection Act – UK
Personal data – Data relating to a living individual which helps in his identification, and includes any expression of opinion about him
Sensitive personal data – Personal data consisting of information as to –
the racial or ethnic origin of the data subject,
his political opinions,
his religious or similar beliefs,
his trade union membership,
his physical or mental health or condition,
his sexual life,
the commission or alleged commission by him of any offence, or
any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
SENSITIVE PERSONAL DATA/INFORMATION
The Information Technology Act, 2000 (Amd. 2008) – India
SPDI –
Password
Financial information
Health condition (physical, physiological, mental)
Sexual orientation
Health/medical records
Bio-metrics
Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
INDIA ON PRIVACY
Constitution of India
Art. 19 - Freedom of Speech and Expression
Art. 21 – Right to Life and Personal Liberty
IT Act, 2000 (Amd. 2008)
Data privacy
Personal privacy
Powers of Government
Liability of Intermediary
KEY ISSUES
Liability of Company (Sec. 85)
Data protection – Concern for the outsourcing industry
Privacy – Individual’s concern
Increasing Government control/interference
PREAMBLE OF THE IT ACT
Purpose behind enacting the IT Act –
To provide legal recognition to e-commerce
To facilitate e-governance
To provide remedy for cyber crimes
To provide legal recognition to digital evidence
o The Preamble doesn’t specify that the Act aims at establishing an IT security framework in India
SECTION 43 – UNAUTHORISED ACCESS
Remedy – Damages by way of compensation
Amount – Unlimited
What needs to be proved – Amount of damages suffered
Adjudication –
For claims up to Rs. 5 Crores – Adjudicating Officer (IT Secretary of the State)
For claims above Rs. 5 Crores – Civil courts
If any person, without permission of the owner or person in charge of a computer –
Accesses or secures access to the computer
Downloads, copies or extracts data
Introduces a computer contaminant or virus
Damages the computer
Disrupts the computer or network
Causes denial of access
Provides assistance to facilitate illegal access
Charges the services availed of by a person to the account of another person
Destroys, deletes, alters, diminishes the value or utility of, or injuriously affects information
Steals, conceals, destroys or alters computer source code
CASES DECIDED U/SEC. 43
Thomas Raju vs. ICICI Bank; Ramdas Pawar vs. ICICI Bank – Fraudulent transfer of money from the petitioners’ accounts. The court was of the opinion that the bank had failed to establish due diligence and to provide adequate checks and safeguards to prevent unauthorised access, and had not adhered to the RBI circular of July 2010 on ‘guidelines on information security, electronic banking and cyber frauds’.
Saurabh Jain vs. Idea Cellular – A duplicate SIM card was issued without document verification, on the basis of a fake licence and police FIR. The court held that the cellular company had likewise failed to establish due diligence and adequate safeguards against unauthorised access.
SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA
If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
Liability – Damages by the way of Compensation – Unlimited damages
WHO IS LIABLE?
Sec. 85
The company itself, being a legal person
Top management, including directors and managers – if it is proved that they had knowledge of the contravention, or that they have not used due diligence, or that it was caused due to their negligence
ISSUES
What is Sensitive Personal data or Information?
What are Reasonable Security Practices and Procedures?
SOLUTION
The Information Technology (Reasonable security
practices and procedures and sensitive personal
data or information) Rules, 2011
Enforceable from 11 April 2011; to be read with Sec. 43A
SPDI –
Password
Financial information
Health condition (physical, physiological, mental)
Sexual orientation
Health/medical records
Bio-metrics
SENSITIVE PERSONAL DATA OR INFORMATION
Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
REASONABLE SECURITY PRACTICES
Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
AUDITING
Necessary to get the security standards, codes or procedures certified or audited on a regular basis
Needs to be done by a Government-approved auditor, who will be known as the “Govt. Certified IT Auditor”
No such auditors have been appointed yet
COMPLIANCE POLICIES
COLLECTION OF INFORMATION
About obtaining consent of the information provider – Consent in writing, through letter/fax/email, from the provider of the SPDI regarding the purpose of usage, before collection of such information
Need to specify –
The fact that SPDI is being collected
What type of SPDI is collected
How long the SPDI will be held
Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
COLLECTION OF INFORMATION
Provider should know –
Purpose of collection
Intended recipients
Details of the agency collecting the information and the agency retaining the information
Body corporate not to retain information longer than required
Option should be given to withdraw the information provided
SPDI shall be used only for the purpose for which it has been collected
Shall appoint a “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
PRIVACY POLICY
Policy about handling of SPDI
Shall be published on website or should be available to view/inspect @ any time
Shall provide for –
Type of SPDI collected
Purpose of collection and usage
Clear and easily accessible statements of IT security practices and policies
Statement that the reasonable security practices and procedures as provided under Rule 8 have been complied with
Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
DISCLOSURE OF INFORMATION
Disclosure – Prior permission of the provider is necessary before disclosure to a third party, OR a disclosure clause needs to be specified in the original contract, OR the disclosure must be necessary by law
Third party receiving SPDI shall not disclose it further
Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
TRANSFER OF INFORMATION
Transfer to be made only if it is necessary for performance of lawful contract
Disclosure clause should be a part of the Privacy and Disclosure Policy
Transferee to ensure same level of data protection is adhered while and after transfer
Details of transferee should be given to provider
Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
SEC 72(A) (CRIMINAL OFFENCE)
Punishment for disclosure of information in breach of lawful contract – Knowingly or intentionally disclosing “Personal Information” in breach of a lawful contract
IMP – Follow the contract
Punishment – Imprisonment up to 3 years, or fine up to Rs. 5 lakh, or both (Cognizable but bailable)
OTHER PROVISIONS U/IT ACT
o Section 66E – Punishment for violation of personal privacy. Popularly known as voyeurism; covers acts like hiding cameras in changing rooms, hotel rooms, etc. Punishment – imprisonment up to 3 years, or fine up to Rs. 2 lakh, or both
o Section 67C – Preservation and retention of information by intermediaries
o Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource
o Section 69A – Power to issue directions for blocking public access to any information through any computer resource
o Section 69B – Power to authorise monitoring and collection of traffic data or information through any computer resource for cyber security
o Section 79 – Intermediary not liable in certain circumstances
SOME OF THE GLOBAL LAWS
GRAMM–LEACH–BLILEY ACT (GLBA, USA)
Focuses on finance
Safeguards Rule – Protection of Nonpublic Personal Information. It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
This plan must include –
Designating at least one employee to manage the safeguards,
Conducting a thorough risk analysis of each department handling the nonpublic information,
Developing, monitoring and testing a program to secure the information, and
Changing the safeguards as needed with changes in how information is collected, stored and used
THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)
Focus on the economic and national security interests of the United States
Emphasises a “risk-based policy for cost-effective security”
Responsibility placed on federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security
Compliance is mandatory for federal agencies, but the Act itself prescribes no penalty for non-compliance; enforcement is through OMB oversight and annual reporting
DATA PROTECTION DIRECTIVE (EU)
European Union directive regulating the processing of personal data within the EU
Protection of an individual’s personal data and its free movement
Coming soon – European Data Protection Regulation (adopted in 2016 as the GDPR, applicable from 25 May 2018)
A directive binds member states to transpose it into national law; penalties for non-compliance are set by those national laws, not by the directive itself
OTHER LAWS IN THE US
o Children's Internet Protection Act of 2000 (CIPA)
o Children's Online Privacy Protection Act of 1998 (COPPA)
o Driver's Privacy Protection Act of 1994
o Telephone Consumer Protection Act of 1991 (TCPA)
o Video Privacy Protection Act of 1988
o Electronic Communications Privacy Act of 1986 (ECPA)
o Privacy Protection Act of 1980 (PPA)
o Right to Financial Privacy Act of 1978 (RFPA)
o Family Educational Rights and Privacy Act of 1974 (FERPA)
o Privacy Act of 1974
MOM’S GYAN
PROTECT YOUR OWN PRIVACY
o Understand the type of personal information you disclose
o Always ask –
WHY do they want it?
HOW will they use it?
WHO will it be shared with?
Will YOU get access to it?
o Know your rights
o Question if you are in doubt
IF YOU ARE A COMPANY
o Am I complying with the law?
o Do I manage (have, use, access, store, obtain, etc.) personal information?
o Am I collecting only what is REALLY needed and not more?
o Have I differentiated between Sensitive Personal Information and other information?
o Do I protect information even during transit/processing?
o How am I making sure all employees know their responsibilities and rights?
o How will I extend data privacy protection to my third parties and vendors?
o What will I do if there is a privacy breach?
o Do I have in-house competence to conduct basic investigations?