Privacy in India: Legal issues

PRIVACY IN THE DIGITAL AGE – LEGAL SCENARIO (WITH SPECIFIC REFERENCE TO INDIA)


Transcript of Privacy in India: Legal issues

Page 1: Privacy in India: Legal issues

PRIVACY IN THE DIGITAL AGE – LEGAL SCENARIO (WITH SPECIFIC REFERENCE TO INDIA)

Page 2: Privacy in India: Legal issues

AGENDA

Privacy

Data Privacy

Different categories/types of Private data

Indian Legal scenario on Privacy

Some of the global laws

Mom’s gyan

Page 3: Privacy in India: Legal issues

PRIVACY

To separate/seclude from the rest

Types – Personal privacy

Informational

Organizational

Page 4: Privacy in India: Legal issues

WE’LL EXPECT REASONABLE PRIVACY IN LIFE…..BUT THEN…!

….and so many other ways by which we’re being tracked…!

Page 5: Privacy in India: Legal issues

INFORMATION/DATA PRIVACY

Attitude of an organization or individual to determine what data in a computer system can be shared with third parties

Private data is known as –

Personally Identifiable Information (PII)

Personal data

Sensitive Personal Data/Information

Page 6: Privacy in India: Legal issues

PERSONALLY IDENTIFIABLE INFORMATION

US Privacy Laws – Information that can be used on its own or with other information to identify, contact, or locate a person, or to identify an individual in context

Page 7: Privacy in India: Legal issues

PERSONAL DATA AND SENSITIVE PERSONAL DATA

Data Protection Act – UK

Personal data – Data relating to a living individual which helps in his identification and includes any expression of opinion about him

Sensitive personal data – Personal data consisting of information as to –

the racial or ethnic origin of the data subject,

his political opinions,

his religious/spiritual beliefs

his professional associations,

his physical or mental health or condition,

his sexual life,

the commission or alleged commission by him of any offence, or

any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Page 8: Privacy in India: Legal issues

SENSITIVE PERSONAL DATA/INFORMATION

The Information Technology Act, 2000 (Amd. 2008) – India

SPDI

Password

Health condition

Sexual orientation

Health records

Bio-metrics

Financial info

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 9: Privacy in India: Legal issues

INDIA ON PRIVACY

Constitution of India

Art. 19 - Freedom of Speech and Expression

Art. 21 – Right to Life and Personal Liberty

IT Act, 2000 (Amd. 2008)

Data privacy

Personal privacy

Powers of Government

Liability of Intermediary

Page 10: Privacy in India: Legal issues

KEY ISSUES

Liability of Company (Sec. 85)

Data protection – Concern for outsourcing industry

Privacy – Individual’s concern

Increasing Government control/interference

Page 11: Privacy in India: Legal issues

PREAMBLE OF THE IT ACT

Purpose behind enacting IT Act –

To provide legal recognition to e-commerce

To facilitate e-governance

To provide remedy to cyber crimes

To provide legal recognition to digital evidence

Preamble doesn’t specify that the Act aims at establishing an IT security framework in India

Page 12: Privacy in India: Legal issues

SECTION 43 – UNAUTHORISED ACCESS

Unauthorised Access

Remedy – Damages by way of compensation

Amount – Unlimited

What needs to be proved – Amount of damages suffered

Adjudication –

For claims upto Rs. 5 Crores – Adjudicating Officer (IT Secretary of State)

For claims above Rs. 5 Crores – Civil courts

Page 13: Privacy in India: Legal issues

If any person, without permission of the owner or person in charge of a computer –

Accesses or secures access to a computer

Downloads, copies or extracts data

Introduces computer contaminant or virus

Damages computer

Disrupts computer or network

Causes denial of access

Provides assistance to facilitate illegal access

Charges the services availed of by a person on the account of another person

Destroys, deletes, alters, diminishes value or utility or affects injuriously

Steals, conceals, destroys or alters computer source code

Page 14: Privacy in India: Legal issues

CASES DECIDED U/SEC. 43

Thomas Raju vs. ICICI Bank

Ramdas Pawar vs. ICICI Bank

Saurabh Jain vs. Idea Cellular

Fraudulent transfer of money from petitioners’ account

Duplicate SIM cards made without document verification

Court is of opinion that bank/cellular company has failed to establish due diligence and in providing adequate checks and safeguards to prevent unauthorised access

Bank has not adhered to the RBI circular of July 2010 for ‘Guidelines on information security, electronic banking and cyber frauds’

Idea has issued a SIM based on a fake license and police FIR

Page 15: Privacy in India: Legal issues

SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA

If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person

Liability – Damages by way of compensation – Unlimited damages

Page 16: Privacy in India: Legal issues

WHO IS LIABLE?

Sec. 85

Company itself, being a legal person

Top management including directors and managers

If it is proved that they had knowledge of the contravention or they have not used due diligence or that it was caused due to their negligence

Page 17: Privacy in India: Legal issues

ISSUES

What is Sensitive Personal data or Information?

What are Reasonable Security Practices and Procedures?

Page 18: Privacy in India: Legal issues

SOLUTION

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Enforceable from 11th April, 2011

To be read with Sec. 43A

Page 19: Privacy in India: Legal issues

SPDI

Password

Health condition

Sexual orientation

Health records

Bio-metrics

Financial info

SENSITIVE PERSONAL DATA OR INFORMATION

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 20: Privacy in India: Legal issues

REASONABLE SECURITY PRACTICES

Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 21: Privacy in India: Legal issues

AUDITING

Necessary to get the codes or procedures certified or audited on a regular basis

Needs to be done by a Government Certified Auditor, who will be known as “Govt. Certified IT Auditor”

Not appointed yet

Page 22: Privacy in India: Legal issues

COMPLIANCE POLICIES

Page 23: Privacy in India: Legal issues

COLLECTION OF INFORMATION

About obtaining consent of the information provider

Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information

Need to specify –

Fact that SPDI is being collected

What type of SPDI is collected?

How long SPDI will be held?

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 24: Privacy in India: Legal issues

COLLECTION OF INFORMATION

Provider should know –

Purpose of collection

Intended recipients

Details of the agency collecting the information and agency retaining the information

Body Corporate not to retain information longer than required

Option should be given to withdraw the information provided

SPDI shall be used only for the purpose for which it has been collected

Shall appoint “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month

Page 25: Privacy in India: Legal issues

PRIVACY POLICY

Policy about handling of SPDI

Shall be published on website or should be available to view/inspect at any time

Shall provide for –

Type of SPDI collected

Purpose of collection and usage

Clear and easily accessible statements of IT Sec. practices and policies

Statement that the reasonable security practices and procedures as provided under Rule 8 have been complied with

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 26: Privacy in India: Legal issues

DISCLOSURE OF INFORMATION

Disclosure – Prior permission of provider necessary before disclosure to third party, OR

Disclosure clause needs to be specified in the original contract, OR

Must be necessary by law

Third party receiving SPDI shall not disclose it further

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 27: Privacy in India: Legal issues

TRANSFER OF INFORMATION

Transfer to be made only if it is necessary for performance of lawful contract

Disclosure clause should be a part of Privacy and Disclosure Policy

Transferee to ensure the same level of data protection is adhered to during and after transfer

Details of transferee should be given to provider

Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 28: Privacy in India: Legal issues

SEC 72(A) (CRIMINAL OFFENCE)

Punishment for Disclosure of information in breach of lawful contract -

Knowingly or intentionally disclosing “Personal Information” in breach of lawful contract

IMP – Follow contract

Punishment – Imprisonment upto 3 years or fine upto 5 lakh or with both (Cognizable but Bailable)

Page 29: Privacy in India: Legal issues

OTHER PROVISIONS U/IT ACT

Section 66E – Punishment for violation of personal privacy

Popularly known as Voyeurism

Covers acts like hiding cameras in changing rooms, hotel rooms, etc.

Punishment – imprisonment upto 3 years or fine upto Rs. 2 lakh or both

Section 67C – Preservation and retention of information by intermediaries

Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource

Section 69A – Power to issue directions for blocking public access to any information through any computer resource

Section 69B – Power to authorise monitoring and collection of traffic data or information through any computer resource for cyber security

Section 79 – Intermediary not liable in certain circumstances

Page 30: Privacy in India: Legal issues

SOME OF THE GLOBAL LAWS

Page 31: Privacy in India: Legal issues

GRAMM–LEACH–BLILEY ACT (GLBA, USA)

Focuses on finance

Safeguards Rule – Disclosure of Nonpublic Personal Information

It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.

This plan must include –

Denoting at least one employee to manage the safeguards

Constructing a thorough risk analysis on each department handling the nonpublic information

Developing, monitoring and testing a program to secure the information

Changing the safeguards as needed with the changes in how information is collected, stored and used

Page 32: Privacy in India: Legal issues

THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)

Focus on economic and national security interests of the United States

Emphasis on “risk-based policy for cost-effective security”

Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security

Not mandatory

No penalty for non-compliance

Page 33: Privacy in India: Legal issues

DATA PROTECTION DIRECTIVE (EU)

European Union directive regulating the processing of personal data within the EU

Protection of individual’s personal data and its free movement

Coming soon – European Data Protection Regulation

Not mandatory

No penalty for non-compliance

Page 34: Privacy in India: Legal issues

OTHER LAWS IN THE US

Children's Internet Protection Act of 2001 (CIPA)

Children's Online Privacy Protection Act of 1998 (COPPA)

Driver's Privacy Protection Act of 1994

Telephone Consumer Protection Act of 1991 (TCPA)

Video Privacy Protection Act of 1988

Electronic Communications Privacy Act of 1986 (ECPA)

Privacy Protection Act of 1980 (PPA)

Right to Financial Privacy Act of 1978 (RFPA)

Family Educational Rights and Privacy Act of 1974

Privacy Act of 1974

Page 35: Privacy in India: Legal issues

MOM’S GYAN

Page 36: Privacy in India: Legal issues

PROTECT YOUR OWN PRIVACY

Understand – the type of personal information you disclose

Always ask –

WHY they want it?

HOW will they use it?

WHO will it be shared with?

Will YOU get access to it?

Know your rights

Question if you are in doubt

Page 37: Privacy in India: Legal issues

IF YOU ARE A COMPANY

Am I complying with law?

Do you manage (have, use, access, store, obtain, etc.) personal information?

Am I collecting only what is REALLY needed and not more?

Have I differentiated between Sensitive Personal Information and other information?

Do I protect information even during transit/processing?

How are you making sure all employees know their responsibilities and rights?

How will you extend the data privacy protection to your third parties and vendors?

What will you do if there is a privacy breach?

Do you have in-house competences to conduct basic investigations?

Page 40: Privacy in India: Legal issues

GET IN TOUCH

PHONE

+919623444448

EMAIL

[email protected]