Module 4

Robots and Privacy

Module 4


How are robots and privacy related:
What are Robots? A robot is a machine designed to execute one or more tasks
“automatically” with speed and precision. An autonomous robot acts as a stand-alone
system, complete with its own computer (called the controller). The most advanced
example is a smart robot, which has a built-in artificial intelligence (AI) system that can
learn from its environment and its experience and build on its capabilities based on that
knowledge. Next Generation robots are in the research-and-development phase, and
include features such as artificial intelligence, self-replication, self-assembly,
and nanoscale size. The ultimate in robotic intelligence and sophistication might take on
forms yet to be imagined and that is exactly what we should be concerned about. The
amount of sophistication and real presence that is being made into robots is the cause
of concern as to where does it create a line as to differentiate what is to dealt with and
in what manner, the AI is becoming involved in our lives, in our daily activities be it in
the usage of mobile phones to the cars we drive to the defense system of a Nation. Are
we sure enough to become reliant on all the robotics and AI to hand over the security of
a Nation in their figurative hands? Sure, these AIs have become sophisticated to
understand our commands but are they good enough to analyze the situation and
create a response.

The point of our vulnerability and question is - What is the information that these robots
process and how is it gathered? Robots are equipped with the ability to sense, process,
and record the world around them. Robots can go places humans cannot go, see things
humans cannot see. Robots are, first and foremost, a human instrument. And after
industrial manufacturing, the principle uses to which we’ve put that instrument has
been surveillance. Yet increasing the power to observe is just one of ways in which

robots may implicate privacy, another concern that lies other that the privacy is the
security because with access to our personal information we give them access to follow
us around to monitor us- we give them full surveillance autonomy. This was in the
private life of an individual, robots form part of a much bigger picture, they are not just
concerned with what one does in his day to day life but they have vast applications in
the automobile industry which gives them remote access to our vehicles to turn then on
& off, to track our movements etc, these automobile applications takes us to a rather
vast picture where these autonomous technology is used in our defense systems, the
unmanned aerial vehicles used in surveillance and combats, no denying the fact that
these AI-robots do help us in combat but they make us equally vulnerable to the cyber
attacks by the enemy state.

Robots are getting smarter and faster at knowing what humans are feeling and thinking
just by "looking" into their faces, a development that might one day allow more
emotionally perceptive machines to detect changes in a person's health or mental state.
The Case Western Reserve robots are doing it in real time. New machines developed by
Kiju Lee, the Nord Distinguished Assistant Professor in mechanical and aerospace
engineering at the Case School of Engineering, and graduate student Xiao Liu, are
correctly identifying human emotions from facial expressions-98 percent of the time
almost instantly. Previous results from other researchers had achieved similar results

These days it is not about the huge mechanical figures walking around with us following
our commands robotics is anything that listens to us and does as we command (not
necessarily now because now we have AI, now they have a brain of their own), they are
anything ranging from a smart phone in our hand to a machine in industry working on
its own. Recently, Google launched a new application for its assistant- Google Duplex,
what is it? The service works with an AI-driven voice, which was designed to help people
make appointments to businesses over the phone, but without any interaction from the
user. The AI voice could not only understand the voice of the human on the other end of
the call, but it could respond back with correct answers to that real person’s inquiries

and questions as well. Google Duplex’s voice even put in words like “um” and pause

breaks to make it sound even more like a real human.




We have R&D going on all over to make them more equipped to understand, analyze
and respond to a situation but at what cost. Are we compromising the privacy of
individuals who give remote access to robots and AIs in their day to day life who
understand their emotions their responses to the situations? Are we making robots
human or humans’ robot?

Application of Robots which might pose a risk to people’s privacy:
We as an individual person have given access to these autonomous robotic devices in
our day to day life, we rely on them to clean our houses, to book our appointments
(latest google home edition), to managing our house-work security. Robots are
increasingly human-like and socially interactive in design, making them more engaging
and salient to their end users and the larger community appeal. With prices coming
down and new players entering the industry, the market for home robots sometimes
called personal or service robots is rapidly expanding. Home robots can be either
cleaning devices or a mere AI thermostat which come equipped with an array of

sensors, including potentially standard and infrared cameras, sonar or laser
rangefinders, odor detectors, accelerometers, and global positioning systems (“GPS”).
These devices now come installed with a monitoring and recording software which
recognize our usage and demand patterns which is not the concern, but they also store
information regarding what time we are home what time we sleep etc. Most varieties
of these home robots connect wirelessly to the home network, some to relay images
and sounds across the Internet in real time, others to update programming in most
cases. The popular WowWee Rovio, for instance, is a commercially available robot used
for security and entertainment. It can be controlled remotely via the Internet and
broadcasts both sound and video to a website control panel.

The increasing number of smart phones, networked sensors into the home does
concern citizen privacy. At a minimum, the government will be able to secure a warrant
for recorded information with enough legal process, physically seizing the robot, gaining
live access to the stream of the recorded or live data. Just as law enforcement is
presently able to compel in-car navigation service providers to turn on a microphone in
one’s car or telephone companies to compromise with mobile phones and location of an
individual, so could the government tap into the data stream from a home robot or even
maneuver the robot to the room or object it wishes to observe.

Now a days we rely on these robots to clean our houses, schedule our day to taking
care-monitoring of our infants- basically act like our personal staff doing our chores and
while giving them these services we also give them unrestricted access to our house and
lives. The electronic self-cleaning devices we use, they work on mapping technology
where with time they learn and scale out the entire building-every inch of it, it is done
so as to increase the work efficiency of these cleaning robots but what is at risk is that
these robots are open to access by anyone who can hack into them, once hacked into,
the hacker shall have access to not only the floor map of the building or house but they
shall also know when no one is home as these devices generally monitor the presence of
any human being as well, the hacker shall have access to the house via various sensors

present in the robot, similarly in case of the monitoring devices for our infants, we
install various cameras and monitoring devices to look out if our child is at any risk
during the day or when we are not physically present around him. These wireless home
monitoring devices are more prone to hacking attacks than any other system and the
entire family is at risk they give unlimited access of the house to the hacker, Smart home
security cameras are meant to give you the ability to keep an eye on your home even
when you aren’t there. When someone else gets access to your camera, though, you
can suddenly feel much less safe.
It gets out of hand and for worse. You may have heard stories of home security cameras
being hacked. Recently, a California family experienced a troubling incident when a
hacker warned them through their Nest camera of a false North Korean missile attack
on the United States. In another incident, a hacker took control of a Nest camera and
told the owner’s Amazon Alexa device to begin playing Justin Bieber’s version of
“Despacito” while the owner, bewildered, tried to figure out what was going on. The
hacks prompted Nest to issue a statement telling customers to change their passwords.
While the most recent incidents involved Nest cameras, any device can be infiltrated by
hackers. A Calgary, Alberta based group claimed they hacked into as many as ten
security cameras and communicated with the people on the other ends of the feeds.

1

Well this is not how or where this stops, recently, Trend Micro published some statistics
that just about everyone should find disturbing. According to their latest statistics, the
security company has blocked more than five million cyber-attacks against IP cameras,
just in the past five months. Worse, IP cameras don't tend to have great security in place
to begin with, making it relatively easy for hackers to control them remotely.2
Moving on from home security devices, now we have robots who live with you, can
understand emotions and respond like humans, Pepper, as the humanoid robot is
affectionately known, might actually scare you once we explain how it works. The
robot’s emotions literally function the same way as a human’s. Pepper is able to “feel”
things independently based on processing information from its cameras, touch sensors,
accelerometer as well as other sensors, just as a human’s body would process emotion

based on interactions with its five senses. "There has been a lot of research on detecting

human emotions. We do the opposite. We synthesize emotions for the machine," said
Patrick Levy-Rosenthal. “Pepper’s emotions are influenced by people’s facial expressions


1 https://www.weforum.org/agenda/2019/03/here-are-the-biggest-cybercrime-trends-of-2019/
2 https://www.cstsupport.com/2019/07/20/ip-camera-hacking-attempts-are-rising/

and words, as well as his surroundings,” a statement from the company says. “For
example, Pepper is at ease when he is around people he knows, happy when he is
praised, and gets scared when the lights go down.” Here’s the most unsettling part of all
though: Pepper can actually learn- we don’t know what should our reaction to this be
but we shall find out if this much of AI and humanoids are a boon or a bane.

According to a recent report by Credence Research, the global medical robotics market
was valued at $7.24 billion in 2015 and is expected to grow to $20 billion by 2023. A
wide range of robots is being developed to serve in a variety of roles within the medical
environment. Robots specializing in human treatment include surgical robots and
rehabilitation robots. The field of assistive and therapeutic robotic devices is also
expanding rapidly. These include robots that help patients rehabilitate from serious
conditions like strokes, empathic robots that assist in the care of older or
physically/mentally challenged individuals, and industrial robots that take on a variety of
routine tasks, such as sterilizing rooms and delivering medical supplies and equipment,
including medications. The discipline of telepresence signifies the technologies that
permit an individual to sense as if they were at another location without being actually
there. Robots are utilized in the discipline of medicine to execute operations that are
normally performed manually by human beings.

These operations may be extremely professional and facilitated to diagnose and treat
the patients. Though medical robotics may still be in its infancy, the use of medical
robots for numerous operations may increase the quality of medical treatment.
Utilization of telepresence in the medical operations has eliminated the barriers of
distance, due to which professional expertise is readily available. Use of robotics in the
medical field and telepresence minimize individual oversight and brings specialized
knowledge to inaccessible regions without the need of physical travel.

The use of robotic assistance in surgery has expanded exponentially since it was first
approved in 2000.It is estimated that, worldwide, more than 570,000 procedures were
performed with the da Vinci robotic surgical system in 2014, with this figure growing

almost 10% each year. Robotic-assisted surgery (RAS) has found its way into almost
every surgical subspecialty and now has approved uses in urology, gynecology,
cardiothoracic surgery, general surgery, and otolaryngology. RAS is most commonly
used in urology and gynecology; more than 75% of robotic procedures performed are
within these two specialties. Robotic surgical systems have the potential to improve
surgical technique and outcomes, but they also create a unique set of risks and patient
safety concerns.

Automation in any industry poses risks, same is the case here- as much facility and ease
does the medical robotics provide they are still prone to the cyber risks of hijacking and
malfunctioning. “During the procedure, there were mechanical problems as the robotic
arms were not responding as expected. The urologist persisted in using the robotic
technology and ultimately was able to complete the procedure. The operation took
twice as long as expected, but the urologist felt it had been successful. Postoperatively,
the patient developed serious bleeding requiring multiple blood transfusions. He was
taken back to the operating room where it was noted the inferior epigastric artery (a
key artery in the pelvis) had been damaged during the original procedure. The injury
was repaired but this second operation was prolonged and complicated due to the
degree of bleeding. The patient ultimately required several additional surgeries and a
prolonged hospital stay.” No doubt that automation and robotics provide accuracy but
are we sure that we want to someone’s life at risk for our ease.

The cinematic concept of combat robots has been around since the turn of the last
century. But they aren't just science fiction anymore. The military has deployed
thousands of them for use in the battle fields. The U.S. is already using unmanned aerial
vehicles to conduct surveillance and drop missiles on suspected terrorists overseas in
places like Pakistan and Yemen. The efficacy and morality of these and other operations
are controversial, but supporters say drones are less costly, minimize collateral damage
and don't require putting troops at risk. That's partly because humans can operate these
machines – often in far flung, dangerous places – from the safety and comfort of a

domestic operations center. While drones do their work from high above, other robots
are operating on the ground in battlefields worldwide. Forces relied on bomb-squad
robots to inspect and defuse possible explosive devices during military operations
around the world. The remote-controlled machines moved via tank tread and featured
infrared vision, multiple cameras, floodlights and mechanical arms in order to spot
bombs and dispose of them, all while human operators stayed a safe distance away.

Growing military investment in robotic technology—by some 40 other nations indicates
that robots are rapidly becoming an important piece of tomorrow’s military arsenal. The
U.S. fields more than 5,300 unmanned aerial vehicles and more than 12,000 ground
robots to reduce risk to soldiers, gather intelligence, and strike stealthily at remote
enemies. Israel and South Korea use armed robots to patrol their borders. Operators in
cubicles in the U.S. routinely fly drone aircraft via remote control, monitoring, and
attacking potential targets.

Every state wants to save the lives of its troops, the soldiers on their borders who are
ready to lay their lives for their Nation but why not save a lie when we can that is exactly
why the automated armed robots are being deployed in service by every nation around
the world. The increased usage of AI and robots in the defense sector poses its own risk
to the national security and the life of the troop, more than that it also gives the
controlling and technologically developed nations with access to more advanced
resources a much more influential as well as terrorizing power over others.

“Robotic warfare is open-source warfare,” . “The technology is highly commercialized
and affordable. With $1,000, an enemy could build a drone that has roughly the same
capabilities of the Raven drones used by the soldiers in Iraq.” The Raven is a small drone
used as a scout by ground troops. During the Israeli invasion of Lebanon in 2006,
Hezbollah fighters fielded at least four drones. The combination of robotics and
terrorism will empower individuals at the expense of states and make it easier to launch
terrorist attacks. An Air Force study that found that drones were the optimal platform

for deploying weapons of mass destruction and one against which we have no effective
defenses. drone strikes can be counterproductive.

“In a May 2009 opinion piece in The New York Times, David Kilcullen (a former adviser
to General David Petraeus, and Andrew Exum, an Army officer in Iraq and Afghanistan
and now a fellow at the Center for a New American Security) observed that many
targets are not positively identified and air strikes not always precise. Thus, some
attacks kill more civilians than terrorists. Coverage via the Internet and traditional media
brings the horror of civilian deaths home to everyone in the region, radicalizing the
population and driving civilians into the arms of local militants.”3

Social media plays a vital role in our lives today, as much as we try to deny it but we rely
on smart phones more than we shall rely on another human. If we are sad we take it to
social media, if bored we take it to social media, if angry we take it out via social media,
it is like a living organism we address and consult when the need arises and social media
responds. It can create an outrage around the world in matter of hours, we get
responses be it support or criticism from around the world and this is all for free access
and in a very famous quote it is said- IF YOU ARE NOT PAYING FOR A PRODUCT, YOU
ARE THE PRODUCT, this quote applies very rightly to our situation, if we are not paying
for any of these services then how are they accessible to us. It is our personal
information and our privacy that we are selling or rather I would say the companies and
social media websites store- sell-use our information as they please disregarding all the
privacy terms that we sign up to. Social media holds the power to alter minds, to alter
our thinking, they know what we like, they know what we look up for, and they know
who our loved ones are- by they I mean everyone. The information is out there in the
web server of a social media as to where you had your last meal, what you had for your
last meal and with who. And it is us who is to be blamed for this as well, we are the ones
who have uploaded our information and have let our minds be swayed by the deceptive
information being broadcasted over the internet. With the increasing number of users


3 https://www.asme.org/topics-resources/content/risks-of-robotic-warfare

on social media and internet, with ever increasing number of smart phones in the
market more than half of the world is open to cyberattacks and phishing threats, their
information is only a few set of hacking codes away from being out open in the public
and every second person is adding on to the cart of social media.



NUMBER OF SOCIAL MEDIA USERS WORLDWIDE FROM 2010 TO 2021*. (IN BILLIONS)

Most of the devices we purchase or give access to these days, we also enter into to
confidentiality agreement with the service provider where-when any collection of our
personal information is done or shall be done in the future, to protect our personal
information which the device has collected or has stored or has sent to be analyzed and
worked on there servers to make the service experience better in future. Our concern
here is not the collection of the personal information at the intricate level but the usage
of this information as to how it shall be used and who shall have access to our personal
information. Here the information gathered can range from our house location to our
eating habits to our sleeping patterns depending on the device or software we have
been using. The agreements entered by us do have vague conditions and pointers which
give advantage to the service provider to exploit the information gathered as it may like.
With this our concern also lies as to how secure are the networks which are used to save

this information? How concrete is the Personal Data Processing Policy of the service
provider? How much access can the government gain?

Privacy laws around the world:
Over 2.5 quintillion bytes of data are created each day. Much of this data consists of
information that would allow people to be personally and individually identified (or,

personal information). The complex problems arise when personal information is

collected-processed by powerful new technologies and then stored and disclosed
online. "Information is power, and when other people collect it they have power over us
and that leaves us vulnerable”. An important aspect of this is that people often consent
to their information being stored and shared. The user agreements we don't read when
downloading new apps or creating online accounts they are most common way of
handing out our personal information of a platter. But Hartzog, in his book, Privacy's
Blueprint: The Battle to Control the Design of New Technologies, argues that social
media apps, surveillance technologies, and the internet of things are built in ways that
make it difficult to guard personal information—and the law says this is OK because it is
up to users to protect themselves. As right and apt as it sounds, it is equally scary
because out in open there is very little knowledge about how someone’s personal
information can be used to make his duplicate. You just need access to one of the
government ID account or any office data to create do profile mapping and create an
entirely same human being just with a different face.

Privacy is a fundamental right, essential to the autonomy and the protection of human
dignity, it serves as the foundation upon which many other human rights are built.
Privacy enables us to create barriers and manage boundaries to protect ourselves from
unwarranted interference in our lives, which allows us to negotiate who we are and how
we want to interact with the world around us. Privacy helps us establish boundaries to
limit who has access to our bodies, places and things, as well as our communications
and our information.

The rules that protect privacy give us the ability to assert our rights in the face of
significant power imbalances. As a result, privacy is an essential way to protect
ourselves and society against arbitrary and unjustified use of power, by reducing what
can be known about us and done to us, while protecting us from others who may wish
to exert control.

Technology has always been intertwined with this right. For instance, our capabilities to
protect privacy are greater today than ever before, yet the capabilities that now exist
for surveillance are without precedent.

Privacy is a qualified, fundamental human right. The right to privacy is articulated in all
the major international and regional human rights instruments, including:

United Nations Declaration of Human Rights (UDHR) 1948, Article 12: “No one shall be
subjected to arbitrary interference with his privacy, family, home or correspondence,
nor to attacks upon his honor and reputation. Everyone has the right to the protection
of the law against such interference or attacks.”
International Covenant on Civil and Political Rights (ICCPR) 1966, Article 17: “1. No one
shall be subjected to arbitrary or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honor or reputation. 2. Everyone has the
right to the protection of the law against such interference or attacks.”

The right to privacy is also included in:

Article 14 of the United Nations Convention on Migrant Workers;

Article 16 of the UN Convention on the Rights of the Child;

Article 10 of the African Charter on the Rights and Welfare of the Child;

Article 4 of the African Union Principles on Freedom of Expression (the right of access to
information);

Article 11 of the American Convention on Human Rights;

Article 5 of the American Declaration of the Rights and Duties of Man,

Articles 16 and 21 of the Arab Charter on Human Rights;

Article 21 of the ASEAN Human Rights Declaration; and

Article 8 of the European Convention on Human Rights.

Over 130 countries have constitutional statements regarding the protection of privacy,
in every region of the world.

An important element of the right to privacy is the right to protection of personal data.
While the right to data protection can be inferred from the general right to privacy,
some international and regional instruments also stipulate a more specific right to
protection of personal data, including:

1. the OECD's Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data,

2. the Council of Europe Convention 108 for the Protection of Individuals regarding
the Automatic Processing of Personal Data, several European Union Directives
and its pending Regulation, and the European Union Charter of Fundamental
Rights,

3. the Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2004, and
4. The Economic Community of West African States has a Supplementary Act on

data protection from 2010.

Over 100 countries now have some form of privacy and data protection law.

Europe's New Privacy Law promises that it will Change the Web. European privacy law
that restricts how personal data is collected and handled. The rule, called General Data
Protection Regulation or GDPR, focuses on ensuring that users know, understand, and
consent to the data collected about them. Under GDPR, pages of fine print won’t
suffice. Neither will forcing users to click yes in order to sign up.

Instead, companies must be clear and concise about their collection and use of personal
data like full name, home address, location data, IP address, or the identifier that tracks
web and app use on smartphones. Companies have to spell out why the data is being
collected and whether it will be used to create profiles of people’s actions and habits.
Moreover, consumers will gain the right to access data companies store about them, the
right to correct inaccurate information, and the right to limit the use of decisions made
by algorithms, among others.
The law protects individuals in the 28 member countries of the European Union, even if
the data is processed elsewhere. That means GDPR will apply to publishers like WIRED;
banks; universities; much of the Fortune 500; the alphabet soup of ad-tech companies
that track you across the web, devices, and apps; and Silicon Valley tech giants.
As an example of the law’s reach, the European Commission, the EU’s legislative arm,
says on its website that a social network will have to comply with a user request to
delete photos the user posted as a minor — and inform search engines and other
websites that used the photos that the images should be removed. The commission also
says a car-sharing service may request a user’s name, address, credit card number, and
potentially whether the person has a disability, but can’t require a user to share their
race. (Under GDPR, stricter conditions apply to collecting “sensitive data,” such as race,
religion, political affiliation, and sexual orientation.)

GDPR has already spurred, or contributed to, changes in data-collection and -handling
practices. Following the GDPR, Google announced that it would stop mining emails in
Gmail to personalize ads. (The company says that was unrelated to GDPR and done in
order to harmonize the consumer and business versions of Gmail.) Google has
revamped its privacy dashboard, first launched in 2009, to be more user-friendly. Later,
Facebook also announced its own privacy dashboard, which has yet to launch. Though
the law applies only in Europe, the companies are making changes globally, because it’s
simpler than creating different systems, be it for the reason of simpler compliance
privacy is a right to all and the companies should deal in protecting people’s privacy as a
doctor cares for a dying patient.

Privacy laws in India:
Often confused with trade secrets and confidentiality, privacy refers to the use and
disclosure of personal information and is only applicable to information specific to

individuals. Since personal information is a manifestation of the personality of an
individual, the Indian courts including the Supreme Court of India, have thus recognized
that the right to privacy it as an integral part of the right to life and personal liberty.
Recently, in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of
India and Ors., the constitution bench of the Hon'ble Supreme Court has held Right to
Privacy as a fundamental right, subject to certain reasonable restrictions.

India presently does not have any express legislation governing data protection or
privacy. However, the relevant laws in India dealing with data protection are the
Information Technology Act, 2000 and the (Indian) Contract Act, 1872. A codified law on
the subject of data protection is likely to be introduced in India in the near future.

The (Indian) Information Technology Act, 2000 deals with the issues relating to payment
of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and
misuse of personal data and violation of contractual terms in respect of personal data.

Under section 43A of the (Indian) Information Technology Act, 2000, a body corporate
who is possessing, dealing or handling any sensitive personal data or information, and is
negligent in implementing and maintaining reasonable security practices resulting in
wrongful loss or wrongful gain to any person, then such body corporate may be held
liable to pay damages to the person so affected. It is important to note that there is no
upper limit specified for the compensation that can be claimed by the affected party in
such circumstances.

The Government has notified the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The
Rules only deals with protection of "Sensitive personal data or information of a person",
which includes such personal information which consists of information relating to:-

Passwords;
Financial information such as bank account or credit card or debit card or other
payment instrument details;

Physical, physiological and mental health condition;
Sexual orientation;
Medical records and history;
Biometric information.

It is to be noted that s 69 of the Act, which is an exception to the general rule of
maintenance of privacy and secrecy of the information.

Computer related offences, Section 66 provides that if any person, dishonestly or
fraudulently does any act referred to in section 43, he shall be punishable with
imprisonment for a term which may extend to three years or with fine which may
extend to Rs 5,00,000 (approx. US$ 8,000)) or with both.

Penalty for Breach of Confidentiality and Privacy:

Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy.
The Section provides that any person who, in pursuance of any of the powers conferred
under the IT Act Rules or Regulations made thereunder, has secured access to any
electronic record, book, register, correspondence, information, document or other
material without the consent of the person concerned, discloses such material to any
other person, shall be punishable with imprisonment for a term which may extend to
two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with
both.

Current Data Privacy laws in India:

When the Information Technology Act, 2000 (hereinafter referred to as the "IT Act")
first came into force on October 17, 2000 it lacked provisions for protection and the
procedure to be followed to ensure the safety and security of sensitive personal
information of an individual. This led to several other amendments and bills being
passed and finally The Information Technology (Amendment) Act, 2008 inserted Section
43A in the IT Act which notified the Information Technology (Reasonable security

practices and procedures and sensitive personal data or information) Rules, 2011
(hereinafter referred to as the "2011 Rules"). The key features of 2011 Rules are:



These 2011 Rules only apply to body corporates and persons located in India. Section
43A of the IT Act explicitly provides that whenever a corporate body possesses or deals
with any sensitive personal data or information, and is negligent in maintaining a
reasonable security to protect such data or information, which thereby causes wrongful
loss or wrongful gain to any person, then such body corporate shall be liable to pay
damages to the person(s) so affected.

A list of items has been provided which are to be treated as “sensitive personal data”
which include passwords, biometric information, sexual orientation, medical records
and history, credit/ debit card information, etc. but any information which is freely
available or accessible in the public domain is not considered to be sensitive personal
data.

Any body corporate seeking such sensitive personal data must draft a privacy
policy which has to be published on the website of the body corporate,
containing details of information being collected and the purpose for its use.
The body corporate must establish reasonable security practices for
maintenance of confidentiality of such data, obtain consents from persons for
collecting such sensitive personal data for lawful and necessary purpose.
The purpose must be clear and information used only for such consent as given
and data to be retained only till such time as needed.
The 2011 Rules also provide Grievance Office who shall be responsible to
address grievances of information providers within 1 month for resolution of
such Grievances. Body corporates must have an audit of the reasonable security
practices and procedures implemented by it by an auditor at least once a year or

as and when the body corporate or a person on its behalf undertake significant
upgradation of its process and computer resources.
The punishment for disclosure of information in breach of lawful contract and
imprisonment under the IT Act may be for a term not exceeding three years, or
with a fine which may be Indian Rupees 5 million or with both.


Thus, as can be seen, Section 43A of the IT Act and the 2011 Rules do provide for many
similar provisions as under GDPR but applicable only for residents of India. However,
this does mean that most companies already have a privacy policy in place which can
now be further developed and extended to include and encompass the stricter
regulations of GDPR so that they do not face any penalties for breaches under the
GDPR.

Aadhaar cards and right to privacy:

Aadhaar system (a nationwide biometric identification system) is being currently
challenged in India with the key dispute being whether the norms for compilation of the
demographic biometric data by the Government violates the right to privacy.

The Aadhaar card has to be applied for by individuals and in the application requires a
person to provide his or her personal data. This card is provided by the Government of
India. Recently, the Government has mandated that even foreign residents who are
Taxpayers in India must obtain an Aadhaar card along with the already in place PAN
(Permanent Account Number). Thus, with the recent GDPR coming into force, the
information obtained by the Government of India under the Aadhaar system is
impacted, especially for EU citizens currently residing in India.

The Aadhaar scheme which was first introduced as a means of targeted distribution of
subsidies, is today being implemented towards a variety of purposes, including the fight
against black money, transaction authentication, and 'know your customer'
requirements for banks and telecom companies. Aspects of Aadhaar Act, such as (i)

security of the Aadhaar system, (ii) the inability of the individual to file complaints (for
violation under the Aadhaar Act) relating to theft or misuse of their data, and (iii) the
inability to withdraw / delete one's data once registered with the UIDAI (government
authority dealing with Aadhaar laws) is under scrutiny.

While the judgement which delivered the decision regarding privacy as a fundamental
right of individuals subject to reasonable restrictions was not directly intended to
impact the use of Aadhaar card, it will now have a significant impact on the pending
litigation. The outcome of this pending litigation will significantly impact data protection
policies in India.

The Data (Privacy and Protection Bill), 2017:

Recently, a Bill was introduced in Parliament proposing to bring privacy under the ambit
of legislation. This is not the first Bill on privacy introduced in Parliament. However, this
Bill is different from the previous Bills in the sense that it seeks to make the consent of
an individual for collection and processing of personal data mandatory. The Bill states
that the individual will have the sole right and the final right to modify or remove
personal data from any database, public or private. In the context of sensitive and
personal information, the person must provide his or her express and affirmative
consent for the collection, use, storage of any such data.

This Bill applies not only to private corporations or body corporate, but is equally
applicable to state entities, government agencies or any other persons acting on their
behalf. Even the definition of a “third party” under this Bill includes the public
authorities. This symbolises a significant change in law from the existing regime under
the IT Act and 2011 Rules in India.

However, with respect to sensitive, personal data, Section 20(2) provides that no
sensitive data shall be processed for any other purpose apart from its intended use but
can be used by welfare schemes and social protection laws. Hence, this would imply
that the Aadhaar scheme, as mentioned earlier, would also have access to a person’s

personal, sensitive information. This Section is analogous with the present dispute at
the Supreme Court and will continue to be subject to debate due the existing privacy
concerns.

Although this Bill, which is still pending to be passed into legislation, is much more in
line with the stricter GDPR norms it is unlikely to come into force until the pending
litigation regarding the Aadhaar scheme comes to a conclusion regarding the use of the
Government of the personal, sensitive data of the residents in India.





Are we at risk of Robots invading privacy?

The rapid growth of AI and robotic systems has implications on a wide variety of fields. It
can prove to be a boon to disparate fields such as healthcare, education, global logistics
and transportation, to name a few. However, these systems will also bring forth far-
reaching changes in employment, economy and security. Technology around us is ever
changing and in the current state we are surrounded by gadgets that have access to our
personal information all the time, they have access to our location, to the places we
visit, places we are going to visit, they have the capability of guessing what we are going
to do next better than any human being we know. These robots and AI study our day to
day life pattern, what we do how we do it, they maintain a record of all the activities of
our daily schedule which they analyze and provide us much better response when ever
we search for something. They work on the algorithm of self-improvement where they
correct and learn from their own actions and mistakes.
Consensus opinion has it that robots will take over human jobs by the millions; however,
well before that happens workplace privacy might well be long gone. Workplace privacy
is already being threatened by privacy-invasive monitoring such as closed-circuit video

monitoring, Internet monitoring and filtering, e-mail monitoring, instant-message
monitoring, phone monitoring, location monitoring etc.

Cases of invasion of privacy:

Edward Snowden is a former National Security Agency subcontractor who made
headlines in 2013 when he leaked top secret information about NSA surveillance
activities. NSA is National security agency of the U.S. who had been keeping tab on the
citizens worldwide, anyone with a phone and access to internet via the cameras on their
devices or the microphones and they tracked every movement of any person under
surveillance at any point, remotely.
More recently, in 2018 the most popular and populous social media website Facebook
was hacked and personal data of more than a million users was leaked and put online to
which everyone had access right before it was taken down by the authorities. Of those
more than a million people around 85,000 were Indians.
2018: Year of Privacy
February

Telefonica-funded Wibson is launched as a blockchain-based “Personal Data
Marketplace”, following the steps of prior initiatives in the Personal Information
Management space like Citizen.me, Digi.me, People.io, or Datum.
March

The Cambridge Analytica scandal hits Facebook, eventually affecting an
estimated 87 million users.
May

The EU’s General Data Protection Regulation (“GDPR”) comes into force on the
25th

Vienna-based non-profit NOYB (“None Of Your Business”) files initial claims
against Facebook, Whatsapp, Instagram, and Google (Android)under the GDPR
(with the French, Belgian, Austrian, and Hamburg state Supervisory Authorities,
most likely dragging the Irish Data Protection Agency into all of them)
Under Armour discloses a major data breach affecting an estimated 150 million
people in the United States.

June

Facebook suffers its biggest ever data breach, through the Nametests app using
its Login feature. It affects 120 million people
Adidas discloses a data breach potentially affecting “millions”, related to online
customers in the USA
The California Consumer Privacy Act (“CCPA”) is signed into law on the 28th.

July

PrivacyCloud (founded on March 8th) launches its first mobile application on July
14th, reaching 2,000 installs in its test markets (Spain & Ireland) in a single week.

August

Google is faced with a major scandal with regards to the manner in which its
apps collect the user’s location history regardless of the user’s choice to disable
such tracking.

September

Facebook suffers a new security breach affecting 50 million people
The first private lawsuit is filed against Google under the location history
revelations
A new update to Google Chrome (69) forces users into a browser-level login,
resulting in public outcry and a subsequent amendment

The French data protection agency (CNIL) issues its first formal warning against
an AdTech firm: the DSP Vectaury happened to be using the IAB Consent
Framework (publicly disclosed on November 9th)
Tim-Berners-Lee announces the launch of Inrupt, a private venture built on top
of Solid, a decentralized web platform he and others had been working on at MIT
Hu-manity.co launches a mobile app for people to claim their data as property (a
“31st human right”).

October

Google announces closure of its Google+ social network after a second
undisclosed data breach affecting 50million users.

November

Facebook confirms having engaged a lobby firm to link negative public
perceptions of the firm to the billionaire George Soros.
A separate Facebook leak shows that selling user data was actually pondered as
an initial business model.
Complaints are filed by Privacy International against Criteo, Experian,
Quantcast, Tapad, Acxiom, Oracle, and other major AdTech players.
Marriott discloses the worlds largest ever data breach, affecting some 500
million people.

December

Facebook, it now emerged, bent its own personal data rules for major
customers, allowing Apple, Amazon, Sony, or Netflix to read, edit, or delete
private messages.

Coming to the Indian Aspect:

In February 2019, the Kerala police inducted a robot for police work. The same month,
Chennai got its second robot-themed restaurant, where robots not only serve as waiters

but also interact with customers in English and Tamil. In Ahmedabad, in December 2018,
a cardiologist performed the world’s first in-human telerobotic coronary intervention on
a patient nearly 32 km away. All these examples symbolize the arrival of AI in our
everyday lives. AI has several positive applications, as seen in these examples. But the
capability of AI systems to learn from experience and to perform autonomously for
humans makes AI the most disruptive and self-transformative technology of the 21st
century. If AI is not regulated properly, it is bound to have unmanageable implications.

Predicting and analyzing legal issues and their solutions, however, is not that simple. For
instance, criminal law is going to face drastic challenges. What if an AI-based driverless
car gets into an accident that causes harm to humans or damages property? Who
should the courts hold liable for the same? Can AI be thought to have knowingly or
carelessly caused bodily injury to another? Can robots act as a witness or as a tool for
committing various crimes?

All the above questions are rather about the usages of AI but for the same usages we
have to provide all our personal information to all these robots and how do we know
how secure our personal data is going to be, that no one is going to hack into my
autonomous car to track my movements or might even cause a crash.

The Ministry of Home Affairs issued an order granting authority to 10 Central agencies,
including the Delhi Commissioner of Police, the Central Bureau of Investigation (CBI),
and the Directorate of Revenue Intelligence, to pry on individual computers and their
receipts and transmissions “under powers conferred on it by sub-section 1 of Section 69
of the Information Technology Act, 2000 (21 of 2000), read with Rule 4 of the
Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009”. It has authorized these “security and
intelligence agencies” to intercept, monitor and decrypt any “information generated,
transmitted, received or stored in any computer resource”. This is seen as an extreme
measure to deny people their right to privacy — more so because agencies such as the
Delhi Police, the CBI, and the Directorate of Revenue Intelligence cannot be strictly

termed as organizations concerned with homeland security. Internal security is the main
excuse being given for issuing such a directive.

The sole fascination of the government seems to be collection of data. With an
unquenchable thirst for information, the government at the Centre and most
governments in the States have set out on a surveillance race.

The little hope we had gained in AADHAR- PAN linkage case seems to be lost as well,
there are several big questions which need to be answered. How are they going to
invade our privacy. It can be big leak by the social media sites whom we very carefreely
handover our personal information or is it going to be the secret government operation
of surveillance keeping tab on everyone, you can never know but can only be cautious.





BIBLIOGRAPHY:

1. https://phys.org/news/2019-04-robots.html
2. https://www.theloop.ca/this-robot-has-real-feelings-and-were-terrified/
3. https://www.digitaltrends.com/home/protect-yourself-from-home-security-camera-

hackers/
4. https://www.thejakartapost.com/life/2018/01/11/new-emotional-robots-aim-to-

read-human-feelings.html
5. https://www.engineering.com/DesignerEdge/DesignerEdgeArticles/ArticleID/18016/

Robot-Butlers-Will-Do-Your-Chores-and-Care-for-Your-Family.aspx
6. https://www.cstsupport.com/2019/07/20/ip-camera-hacking-attempts-are-rising/
7. https://www.asme.org/topics-resources/content/top-6-robotic-applications-in-

medicine
8. https://www.brighthubengineering.com/robotics/95856-use-of-robotics-in-the-

medical-field/

9. https://psnet.ahrq.gov/webmm/case/368/Robotic-Surgery-Risks-vs-Rewards-
10. https://science.howstuffworks.com/robots-replacing-soldiers1.htm
11. https://www.pbs.org/newshour/show/military-expanding-role-of-robots-on-the-

battlefield
12. https://www.asme.org/topics-resources/content/risks-of-robotic-warfare
13. https://www.statista.com/statistics/278414/number-of-worldwide-social-network-

users/
14. https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-

global-social-media-research/
15. https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-

more/?verso=true
16. https://medium.com/privacycloud/2018-the-rise-of-privacy-1bff41784832
17. https://www.wsj.com/articles/local-internet-laws-threaten-to-go-global-

1536490801?fbclid=IwAR0v7NQIhvPxp0xzfFnENTzAFm8B4FA7oYE-
1OAv1Cdfaty46kn6knsITT8
18. https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-
fine.html?fbclid=IwAR1ADW8K1xEW2ylgcd0JRFj1aCvDZEbmVjxuTeghKkTl6Jr9B_Hwq
gTzX8k
19. https://inforrm.org/2019/01/29/top-10-privacy-and-data-protection-cases-of-2018-
a-selection/?fbclid=IwAR1ySMb3RTa6fmE7GpjmxlfO-

8IlqIHjteERxHYhFy70hDwohXCQgGDtm4w

20. http://www.mondaq.com/india/x/655034/data+protection/Data+Protection+Laws+i

n+India
21. https://www.roedl.com/insights/india-eu-gdpr-data-privacy-law
22. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf