1. PRIVACY IN THE DIGITAL AGE – LEGAL SCENARIO (WITH SPECIFIC REFERENCE TO INDIA)
2. AGENDA
Privacy
Data Privacy
Different categories/types of Private data
Indian Legal scenario on Privacy
Some of the global laws
Mom’s gyan (words of wisdom)
4. WE’LL EXPECT REASONABLE PRIVACY IN LIFE….. BUT THEN…!
…. and so many other ways by which we’re being tracked…!
5. INFORMATION/DATA PRIVACY
Attitude of an organization or individual to determine what data in a computer system can be shared with third parties
Private data is known as –
Personally Identifiable Information (PII)
Personal data
Sensitive Personal Data/Information
6. PERSONALLY IDENTIFIABLE INFORMATION
o US Privacy Laws
Information that can be used on its own or with other information to identify, contact, or locate a person, or to identify an individual in context
7. PERSONAL DATA AND SENSITIVE PERSONAL DATA
Data Protection Act – UK
Personal data - Data relating to a living individual which helps in his identification and includes any expression of opinion about him
Sensitive personal data - Personal data consisting of information as to –
the racial or ethnic origin of the data subject,
his political opinions,
his religious/spiritual beliefs
His professional associations,
his physical or mental health or condition,
his sexual life,
the commission or alleged commission by him of any offence, or
any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
8. SENSITIVE PERSONAL DATA/INFORMATION
The Information Technology Act, 2000 (Amd. 2008) – India
SPDI includes –
Password
Health condition
Sexual orientation
Health records
Biometrics
Financial info
Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
9. INDIA ON PRIVACY
Constitution of India
Art. 19 - Freedom of Speech and Expression
Art. 21 – Right to Life and Personal Liberty
IT Act, 2000 (Amd. 2008)
Data privacy
Personal privacy
Powers of Government
10. KEY ISSUES
Liability of Company (Sec. 85)
Data protection – Concern for outsourcing industry
Privacy – Individual’s concern
Increasing Government control/interference
11. PREAMBLE OF THE IT ACT
Purpose behind enacting IT Act –
To provide legal recognition to e-commerce
To facilitate e-governance
To provide remedy to cyber crimes
To provide legal recognition to digital evidence
o Preamble doesn’t specify that the Act aims at establishing an IT Security framework in India
12. SECTION 43 – UNAUTHORISED ACCESS
Unauthorised Access
Remedy – Damages by the way of compensation
Amount – Unlimited
What needs to be proved – Amount of damages suffered
Adjudication –
For claims up to Rs. 5 Crores – Adjudicating Officer (IT Secretary of State)
For claims above Rs. 5 Crores – Civil courts
13. If any person without permission of the owner or incharge of a computer –
Accesses or secures access to a computer
Downloads, copies or extracts data
Introduces computer contaminant or virus
Damages computer
Disrupts computer or network
Causes denial of access
Provides assistance to facilitate illegal access
Charges the services availed of by a person on the account of another person
Destroys, deletes, alters, diminishes value or utility or affects injuriously
Steals, conceals, destroys or alters computer source code
14. CASES DECIDED U/SEC. 43
Thomas Raju vs. ICICI Bank
Ramdas Pawar vs. ICICI Bank
Saurabh Jain vs. Idea Cellular
Fraudulent transfer of money from petitioner’s account
Duplicate SIM cards made without document verification
Court is of the opinion that the bank/cellular company failed to establish due diligence and to provide adequate checks and safeguards to prevent unauthorised access
Bank has not adhered to the RBI circular of July 2010 on ‘guidelines on information security, electronic banking and cyber frauds’
Idea has issued a SIM based on a fake license and police FIR
15. SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA
If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
Liability – Damages by the way of Compensation – Unlimited damages
16. WHO IS LIABLE?
Sec. 85
Company itself, being a legal person
Top management including directors and managers
If it is proved that they had knowledge of the contravention or they have not used due diligence or that it was caused due to their negligence
17. ISSUES
What is Sensitive Personal data or Information?
What are Reasonable Security Practices and Procedures?
18. SOLUTION
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
Enforceable from 11th April, 2011
To be read with Sec. 43A
20. REASONABLE SECURITY PRACTICES
Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
An agreement between the parties regarding protection of “Sensitive Personal Information”
The International Standard IS/ISO/IEC 27001 – is one such standard
Managerial, technical, operational and physical security control measures commensurate with the information assets and nature of business
Implementing comprehensive documented information security programme and policies
21. AUDITING
Necessary to get the codes or procedure certified or audited on a regular basis
Needs to be done by the Government Certified Auditor who will be known as “Govt. Certified IT Auditor”
Not appointed yet
23. COLLECTION OF INFORMATION
About obtaining consent of the information provider
Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information
Need to specify –
Fact that SPDI is being collected
What type of SPDI is collected?
How long SPDI will be held?
Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
24. COLLECTION OF INFORMATION
Provider should know –
Purpose of collection
Intended recipients
Details of the agency collecting the information and agency retaining the information
Body Corporate not to retain information longer than required
Option should be given to withdraw the information provided
SPDI shall be used only for the purpose for which it has been collected
Shall appoint “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
25. PRIVACY POLICY
Policy about handling of SPDI
Shall be published on website or should be available to view/inspect at any time
Shall provide for –
Type of SPDI collected
Purpose of collection and usage
Clear and easily accessible statements of IT Sec. practices and policies
Statement that the reasonable security practices and procedures as provided under rule 8 have been complied with
Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
26. DISCLOSURE OF INFORMATION
Disclosure –
Prior permission of provider necessary before disclosure to third party
OR
Disclosure clause needs to be specified in the original contract OR
Must be necessary by law
Third party receiving SPDI shall not disclose it further
Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
27. TRANSFER OF INFORMATION
Transfer to be made only if it is necessary for performance of a lawful contract
Disclosure clause should be a part of Privacy and Disclosure Policy
Transferee to ensure the same level of data protection is adhered to during and after transfer
Details of transferee should be given to provider
Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
28. SEC 72(A) (CRIMINAL OFFENCE)
Punishment for Disclosure of information in breach of lawful contract –
Knowingly or intentionally disclosing “Personal Information” in breach of lawful contract
IMP – Follow contract
Punishment – Imprisonment up to 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)
29. OTHER PROVISIONS U/IT ACT
o Section 66E – Punishment for Violation of personal privacy
Popularly known as Voyeurism
Covers acts like hiding cameras in changing rooms, hotel rooms, etc.
Punishment – imprisonment up to 3 years or fine up to Rs. 2 lakh or both
o Section 67C – Preservation and retention of information by intermediaries
o Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource
o Section 69A – Power to issue directions for blocking public access to any information through any computer resource
o Section 69B – Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security
o Section 79 – Intermediary not liable in certain circumstances
31. GRAMM–LEACH–BLILEY ACT (GLBA, USA)
Focuses on finance
Safeguards Rule - Disclosure of Nonpublic Personal Information
It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
This plan must include –
Designating at least one employee to manage the safeguards,
Constructing a thorough risk analysis on each department handling the nonpublic information,
Developing, monitoring and testing a program to secure the information, and
Changing the safeguards as needed with the changes in how information is collected, stored and used
32. THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)
Focus on economic and national security interests of the United States
Emphasis on “risk-based policy for cost-effective security”
Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security
Not mandatory
No penalty for non-compliance
33. DATA PROTECTION DIRECTIVE (EU)
European Union directive regulating the processing of personal data within the EU
Protection of individuals’ personal data and its free movement
Coming soon - European Data Protection Regulation
Not mandatory
No penalty for non-compliance
34. OTHER LAWS IN THE US
o Children's Internet Protection Act of 2001 (CIPA)
o Children's Online Privacy Protection Act of 1998 (COPPA)
o Driver's Privacy Protection Act of 1994
o Telephone Consumer Protection Act of 1991 (TCPA)
o Video Privacy Protection Act of 1988
o Electronic Communications Privacy Act of 1986 (ECPA)
o Privacy Protection Act of 1980 (PPA)
o Right to Financial Privacy Act of 1978 (RFPA)
o Family Education Rights and Privacy Act of 1974
o Privacy Act of 1974
36. PROTECT YOUR OWN PRIVACY
o Understand – the type of personal information you disclose
o Always ask –
WHY do they want it?
HOW will they use it?
WHO will it be shared with?
Will YOU get access to it?
o Know your rights
o Question if you are in doubt
37. IF YOU ARE A COMPANY
o Am I complying with the Law?
o Do you manage (have, use, access, store, obtain, etc.) personal information?
o Am I collecting only what is REALLY needed and not more?
o Have I differentiated between Sensitive Personal Information and other information?
o Do I protect information even during Transit/Processing?
o How are you making sure all employees know their responsibilities and rights?
o How will you extend the data privacy protection to your third parties and vendors?
o What will you do if there is a privacy breach?
o Do you have in-house competences to conduct basic investigations?