Published by Enhelion, 2021-11-09 00:59:52

MODULE 2
THE LEGAL ASPECTS OF DATA PROTECTION AND PRIVACY IN INDIA

2.1 INTRODUCTION

With the advent of the Internet, it has become easy for anyone to gather,
compile and exploit the private information of individuals. What were scattered,
unimportant, small bits of data have now become a potent, large set of data that
can be misused by companies or by antisocial elements. This has prompted
many countries to come up with legislation on privacy.

2.2 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the
protection of individuals’ personal data and on the free movement of such data.
The directive seeks to prevent abuse of personal data and lays down
comprehensive rules, including an obligation to collect data only for specified,
explicit and legitimate purposes, as well as to only hold data if it is relevant,
accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet
certain minimum standards of data protection. Any company that does not meet
these stringent standards faces sanctions. The Electronic Communications
Privacy Act in the US governs the privacy of e-mail in public e-mail systems. It
bars interception, use, or disclosure of e-mail by third parties and sets the
standards which law enforcement authorities must meet to gain access to e-mail.

2.3 INDIAN LAW RELATING TO PRIVACY

Significantly, India does not have any specific law governing privacy. The
courts in India have not yet had the opportunity to look at privacy issues relating
to the Internet. Analogies to the Internet will, therefore, have to be drawn from
cases that the court has actually dealt with. The Constitution of India does not
patently grant the fundamental right to privacy. However, the courts have read
the right to privacy into the other existing Fundamental Rights: Freedom of
Speech and Expression, under Article 19[1][a] and the Right to Life and
Personal Liberty under Article 21. In India, the right to privacy is one of the
unenumerated rights granted to the individual.

Barring a few exceptions, the Fundamental Rights secured to the individual are
limitations on State action. They are not meant to protect persons against the
conduct of private persons. It is to be noted that the Constitutional guarantee of
the right to privacy is valid only against the State and no Constitutional remedy
for violation of privacy lies against any individual. Further, common law also
does not provide directly for invasion of privacy. It seeks to provide protection by
the use of civil wrongs such as defamation and breach of confidence. However,
with the advent of e-commerce, such common law seems manifestly unsuited to
this environment.

The new proposed legislation in India: PDP Bill, 2019
The Personal Data Protection Bill1 [PDP Bill] is India’s maiden attempt to
locally regulate the data protection framework for the security of information
and to set up a Data Protection Authority in the nation.2

1 The Personal Data Protection Bill, 2019, No. 373, Bills of Parliament, 2019 [India].

According to the provisions of the Bill, any personal information belonging to
the citizens can’t be stored, worked upon or distributed online without their
consent. Only data whose purpose of use is already defined and which is
necessary in nature can be used. Various obligations are imposed on corporates
depending upon the size of data they take and store from the consumers.3 These
include security audits at regular intervals, hiring of a data protection officer,
and many more obligations as mentioned in the legislation.4

A majority of the principles laid down in the Bill and the GDPR are similar in nature. Even
then, there are some differences between the two sets of rules that need to be
discussed. The Bill puts more clarity on the table in matters of legal outcomes in
the event of withdrawal of consent, as compared to the GDPR. Data can be kept
stored by entities for longer periods of time if they are stored for research
purposes, as per the GDPR,5 but the same cannot be done under the PDP Bill
unless a clear consent by the Data Principal is provided or the said storage has
to do with any sort of compliance to any law in force at that time.6 While the
Bill allows the governing authority to formulate and instruct the means and
modes in which the auditors are to conduct the audits, the GDPR remains silent
on the same. On the other hand, the ambit of data to be provided to the authority
is smaller in the Bill in comparison to the GDPR.7

2 Rudra Srinivas, All you need to know about India’s first Data Protection Bill, CISOMAG [Jan. 3, 2020],
https://www.cisomag.com/all-you-need-to-know-about-indias-first-data-protection-bill/.
3 Sharda Balaji, Personal Data Protection Bill, 2018 – An overview with brief analysis, NOVOJURIS LEGAL
BLOG [Aug. 21, 2018], https://www.novojuris.com/thought-leadership/personal-data-protection-bill-2018-an-overview-with-brief-analysis.
4 Id.
5 James Hutchinson, Document Retention under the GDPR and the Data Protection Act 2018 December 2018,
BEALE AND CO. [Dec. 2018], https://beale-law.com/publications/799-document-retention-under-the-gdpr-and-the-data-protection-act-2018.php.
6 Hari Subramaniam & Aditi Subramaniam, India: Data Protection 2019, INTERNATIONAL COMPARATIVE
LEGAL GUIDES [Jul. 3, 2019], https://iclg.com/practice-areas/data-protection-laws-and-regulations/india.
7 Aditi Chaturvedi, Comparison of General Data Protection Regulation and Data Protection Directive, CENTRE
FOR INTERNET AND SOCIETY BLOG [Feb. 7, 2017], https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive.

The PDP Bill is one of the primary steps in the path of digital transformation as
well as data protection in India. However, various dimensions of data protection
[such as segregation of personal information into sensitive personal data and
critical personal data, elements of anonymous data, conditions for relief from
certain sections of the PDP Bill, types of SDFs, conditions for enrollment as a
consent manager and handling of personal data and sensitive personal data of
children], which will be of prime importance towards a productive and
flawless implementation of the new regulations, have been assigned to the
Central Government.8
A hope still remains that once the Bill acquires its final form and comes out as a
full-fledged legislation, it will provide sufficient time to organisations to adapt
their business methodologies in order to comply with the new regulations.

2.4 SOLUTIONS AND REGULATION: AN EPILOGUE

2.4.1 A PERSPECTIVE ON POSSIBLE SOLUTIONS

Even an example that might otherwise be thought to favour the assertion of
jurisdiction by a local sovereign--protection of local citizens from fraud and
antitrust violations--shows the beneficial effects of a Cyberspace legal regime.
How should we analyse "markets" for fraud and consumer protection purposes
when the companies at issue do business only through the World Wide Web?

Consumer protection doctrines could also develop differently online--to take
into account the fact that anyone reading an online ad is only a mouse click
away from guidance from consumer protection agencies and discussions with
other consumers. Nevertheless, that does not mean that fraud might not be made
"illegal" in at least large areas of Cyberspace. Those who establish and use
online systems have an interest in preserving the safety of their electronic
territory and preventing crime. They are more likely to be able to enforce their
own rules. And, as more fully discussed below, insofar as a consensually based
"law of the Net" needs to obtain respect and deference from local sovereigns,
new Net-based law-making institutions have an incentive to avoid fostering
activities that threaten the vital interests of territorial governments.

8 Radhika Iyer et al., India: The Personal Data Protection Bill, 2019, MONDAQ [Jan. 7, 2020],
https://www.mondaq.com/india/data-protection/880766/the-personal-data-protection-bill-2019.

Cyberspace could be treated as a distinct marketplace for purposes of assessing
concentration and market power. Concentration in geographic markets would
only be relevant in the rare cases in which such market power could be
inappropriately leveraged to obtain power in online markets--for example by
conditioning access to the net by local citizens on their buying services from the
same company [such as a phone company] online. Claims regarding a right to
access to particular online services, as distinct from claims to access particular
physical pipelines would remain tenuous as long as it is possible to create a new
online service instantly in any corner of an expanding online space.

This text focuses also on technological developments as enabling change. But
these technologies will not determine the future of the Internet. The future will
be determined by individuals and organisations that find new uses for the
technologies and policies that either encourage or discourage certain activities.
Existing and proposed uses raise important issues in the areas of electronic
contracts, authentication, taxation, jurisdiction, intellectual property protection,
privacy, consumer protection, security, reliability, competition policy and
standards, among others. Although the future is impossible to predict, it seems
highly likely that the exciting possibilities that we can envision based upon
technological progress will continue to raise new issues and demand creative
policy responses.

2.5 SECURITY CONCERNS, TRADE SECRETS AND PRIVACY:
DEVELOPING TRENDS

“One of the most facile and legalistic approaches to safeguarding privacy that
has been offered to date is the notion that personal information is a species of
property. If this premise is accepted, the natural corollary is that a data subject
has the right to control information about him and is eligible for the full range of
legal protection that attaches to property ownership.”9

As laws, policies, and technological designs increasingly structure people's
relationships with social institutions, individual privacy faces new threats and
new opportunities. Over the Internet as a medium, there has to be a
harmonisation of the specific rules for the treatment of personal information.
India has no data protection laws. Having said this, the ambit of "personal
liberty" as covered by the Constitution of India has been successfully
interpreted in cases relating to privacy [Gobind v. State of M.P.]10 and
protection of confidential information. Over the last several years, the realm of
technology and privacy has been transformed, creating a landscape that is both
dangerous and encouraging. Significant changes include large increases in
communication bandwidths; the widespread adoption of computer networking
and public-key cryptography; mathematical innovations that promise a vast
family of protocols for protecting identity in complex transactions; new digital
media that support a wide range of social relationships; a new generation of
technologically sophisticated privacy activists; a massive body of practical
experience in the development and application of data-protection laws; and the
rapid globalisation of manufacturing, culture, and policy making.

9 [Arthur Miller: The Assault on Privacy: Computers, Data Banks and Dossiers 211 [1971]].
10 [1975] 2 SCC 148

Potentially the most significant technical innovation, though, is a class of
privacy-enhancing technologies [PETs]. Beginning with the publication of the
first public-key cryptographic methods in the 1970s, mathematicians have
constructed a formidable array of protocols for communicating and conducting
transactions while controlling access to sensitive information. These techniques
have become practical enough to be used in mass-market products, and sharp
conflicts have been provoked by attempts to propagate them. PETs also mark a
significant philosophical shift. By applying advanced mathematics to the
protection of privacy, they disrupt the conventional pessimistic association
between technology and social control. No longer are privacy advocates in the
position of resisting technology as such, and no longer can objectives of social
control [if there are any] be hidden beneath the mask of technical necessity. As
a result, policy debates have opened where many had assumed that none would
exist, and the simple choice between privacy and functionality has given way to
a more complex trade-off among potentially numerous combinations of
architecture and policy choices.

This contrast reflects another, deeper divide. Powerful socio-economic forces
are working toward a global convergence of the conceptual content and the
legal instruments of privacy policy. These forces include commonalities of
technology, a well-networked global policy community, and the strictures on
cross-border flows of personal data in the European Union’s Data Protection
Directive. While the United States has moved slowly to establish formal privacy
mechanisms and standardise privacy practices over the last two decades, it now
appears that the globalisation of markets, the growing pervasiveness of the
Internet, and the implementation of the Data Protection Directive will bring new
pressures to bear on the American privacy regime.

The evolution of privacy policy, meanwhile, has interacted with individual
nations’ political philosophies. This interaction should be viewed not on a
nation-by-nation basis but rather as the expression of a series of partial
accommodations between the uniform regulation of data handling and liberal
political values that tend to define privacy issues in terms of localised
interactions among individuals. [This tension runs throughout the contemporary
debate and will recur in various guises.]

One constant across this history is the notorious difficulty of defining the
concept of privacy. The lack of satisfactory definitions has obstructed public
debate by making it hard to support detailed policy prescriptions with logical
arguments from accepted moral premises. Attempts to ground privacy rights in
first principles have floundered, suggesting their inherent complexity as social
goods. Privacy is more difficult to measure than other objects of public concern,
such as environmental pollution. The extreme lack of transparency in societal
transfers of personal data, moreover, gives the issue a nebulous character.
Citizens may be aware that they suffer harm from the circulation of
computerised information about them, but they usually cannot reconstruct the
connections between the cause and effect. This may account in part for the
striking mismatch between public expression of concern in opinion polls and the
almost complete absence of popular mobilisation in support of privacy rights.

The new technologies also have implications for conceptions of relationship,
trust, and public space. Technology and codes of practice determine whether
databased “relationships” between organisations and individuals are fair, or
whether they provoke anxiety. These concerns are a traditional motivation for
data protection regulation, but they are amplified by technologies that permit
organisations to maintain highly customised “relationships” by projecting
different organisational personae to different individuals. Such “relationships”
easily become asymmetric, with the organisation having the greater power to
control what information about it is released while simultaneously obscuring the
nature and scope of the information it has obtained about individuals. Examine,
for instance, the conditions under which individuals can establish private zones
that restrict access by outsiders. A secure telephone line is arguably a
precondition for the establishment of an intimate relationship, an interest that
has long been regarded as a defining feature of human dignity. This concern
with the boundaries that are established around a relationship complements
concern with the boundaries that are negotiated within a relationship. It also
draws attention to the contested nature of those boundaries.

Beneficial relationships are generally held to require trust. As the information
infrastructure supports relationships in more complex ways, it also creates the
conditions for the construction of trust. Trust has an obvious moral significance,
and it is economically significant when sustained business relationships cannot
be reduced to periodic zero-sum exchange or specified in advance by contract.
Trust and uncertainty are complementary; cryptography establishes the
boundaries of trust by keeping secrets. This approach, however, reduces
trustworthiness to simple reliability, thereby introducing tacit norms against
trusting behaviour. Just as technology provides the conditions for negotiating
relationships, it also provides the conditions for creating trust. Legal systems
evolve to the institutional conditions by which a technical architecture comes to
support these conditions or else evolves toward a regime of coercive
surveillance.

No matter how well crafted a privacy code might be, privacy will only be
protected if the necessary information practices are actually followed. Policy-
makers need to understand how privacy issues actually arise in the daily
activities of information workers, and organisational cultures need to
incorporate practicable norms of privacy protection. Once established, these
norms will only be sustained if the public understands the issues well enough to
make informed choices and to assert their rights when necessary.

2.6 CONFIDENTIAL INFORMATION

Confidential information constitutes the essence of software development. From
the instructions/specifications received from the client/trade partners, to the
algorithms developed by the co-workers, every part of the development of an
item of software code involves the use of confidential information. All of this
information is invaluable to the software company developing the code and
even more so to its competitors. There is no copyright in ideas or information as
such and accordingly there is no remedy under the copyright law for
unauthorised use of confidential ideas or information obtained directly or
indirectly by one person from another. A remedy will have to be sought by
proceedings for breach of confidence or breach of trust. The relief that can be
obtained is by a suit for an injunction or damages.

2.6.1 PROTECTION OF CONFIDENTIAL INFORMATION

If ideas and information are acquired by a person in such circumstances that it
would be a breach of good faith to disclose them to a third party or utilise them
and he has no just cause or excuse for doing so, the court will grant an
injunction against him. It is well settled that information imparted in confidence
[especially information which is imparted in confidence to servants and agents]
will be protected. The courts will restrain the use of it if it is a breach of good
faith. The law on this subject does not depend on any implied contract. It
depends on the broad principle of equity that he who has received information
in confidence shall not take unfair advantage of it. He must not make use of it to
the prejudice of him who gave it without obtaining his consent.

2.6.2 NATURE OF CONFIDENTIAL INFORMATION

It is a matter of common knowledge that, under a system of free private
enterprise and therefore of competition, it is to the advantage of a
trader/commercial entity to obtain as much information as possible concerning
the business of his rivals and to let him know as little as possible of his own.

The information may be a trade secret, for example, a method of production not
protected by a patent, or a business secret, such as the financial structuring of an
undertaking or a piece of domestic ‘in-house’ information like the salary scale
of clerks, or the efficiency of the firm’s filing system. Some of this information
would be of a highly confidential nature, as being potentially damaging if a
competitor should obtain it, some would be less so and much would be
worthless to a rival organisation.

2.6.3 CONFIDENCE IMPLIED IN A CONTRACT

If two parties make a contract under which one of them obtains for the purpose
of contract or in connection with it some confidential matter, even though the
contract is silent on the issue of confidence, the law will imply an obligation to
treat that confidential matter in a confidential way, as one of the implied terms
of contract, but the obligation to respect confidence is not limited to cases where
the parties are in a contractual relationship.

2.6.4 CONFIDENCE IMPLIED BY CIRCUMSTANCES

An action for breach of confidence does not depend upon any right of property
or contract or right of law. It results from an equitable obligation of confidence,
which may be implied from the circumstances of the case. Even if there exists
no contractual relationship between the plaintiff and the defendant, if a
defendant is proved to have used confidential information obtained directly or
indirectly from the plaintiff and without his consent express or implied, he will
be guilty of infringement of the plaintiff’s rights.

2.6.5 IDENTIFICATION OF CONFIDENTIAL INFORMATION

In identifying confidential information, four elements must be discerned: First,
the information must be information the release of which the owner believes
would be injurious to him or of advantage to his rivals or others. Second, the
owner must believe that the information is confidential or secret, i.e. that it is
not already in the public domain. It may be that some or all of his rivals already
have the information, but as long as the owner believes it to be confidential, he
is entitled to try to protect it. Third, the owner’s belief under the two previous
headings must be reasonable. Fourth, the information must be judged in the
light of the usage and practice of the particular industry or trade concerned. It
may be that information which does not satisfy all these requirements may be
entitled to protection as confidential information or trade secrets, but that any
information which does satisfy them must be of a type which is entitled to
protection.

2.6.6 ESSENTIAL REQUIREMENTS OF BREACH OF CONFIDENCE

Three elements are normally required if, apart from contract, a case of breach of
confidence is to succeed. First, the information itself must have the necessary
quality of confidence about it. Secondly, that information must have been
imparted in circumstances importing an obligation of confidence. Thirdly, there
must be unauthorised use of that information to the detriment of the party
communicating it.

2.6.7 EXCEPTIONS TO BREACH OF CONFIDENCE

Where the information is such that it ought to be divulged in the public interest
to one who has an interest in receiving it, the Court will not restrain such a
disclosure. Information relating to anti-national activities, which are against
national security, breaches of the law or statutory duty or fraud, may come
under this category. In fact, whenever there is strong public interest in the
disclosure of the matter, Courts may not consider such disclosure as breach of
confidence.

2.6.8 REMEDIES FOR BREACH OF CONFIDENCE

The remedies for breach of confidence consist of an injunction, damages
and delivery-up where applicable. The injunction may be interlocutory or
permanent. The information may remain confidential only for a limited period
in which case, the injunction will not extend beyond that period. Since the
information, alleged to be confidential, might be of value to the plaintiff only
for a certain period, an interim injunction will ordinarily be granted only for a
specified period depending upon the circumstances and the nature of
confidential information.

In the balance of convenience, the following factors have to be considered:

• whether the effect of an injunction would be harmful to the defendants;
• whether the terms of the injunction are such that it is extremely difficult
  for the defendants to know what they may do and what they may not do;
• whether it is certain upon the material before the Court that even if they
  were successful in the trial, the plaintiff would obtain an injunction rather
  than damages.

Damages or compensation is determined based on the market value of the
confidential information based on a notional sale between a willing seller and a
willing purchaser. This method may be more appropriate for confidential
information relating to industrial designs or processes or business secrets.

Where a plaintiff elects in favour of an account of profits, he will in the normal
course receive the difference between the sale price of the goods and the sum
expended in manufacturing them. The sum would be abated by the amounts, if
any, expended by the defendants as commission in relation to the contract.

2.7 EMPLOYEE PRIVACY RIGHTS

Employee privacy is considered one of the most important issues facing
companies today11. This is so because no longer is employee privacy relegated
to the employer “monitoring their workers’ performance by observing
production lines, counting sales orders, and simply looking over the employee’s
shoulder.” Instead, employers now have the capability to monitor their
employees through electronic means, including computers and e-mail. This
“development of sophisticated technology is greatly expanding the advanced
and highly effective methods by which employers monitor the workplace.”12

11 [Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Laws in the Age of the
“Electronic Sweatshop”, 28 J. Marshall L. Rev. 139, 139 [1994]]

Although it is obvious that e-mail gives companies a great deal of technological
advantages and is an important tool in today's business world, it also creates a
problem for employers and employees in the area of employee privacy. The
question becomes, do employers have the right to look at employees’ e-mails,
and do employees have a right of privacy that should prevent such an intrusion?
Employers argue that they need the right to electronically monitor employees in
order to enhance job performance, prevent theft, fraud, and other illegal
conduct. They also argue that productivity, efficiency, and quality controls are
all enhanced by electronic surveillance. The employee on the other hand,
maintains that he has an expectation of privacy, and that electronic surveillance
is an invasion of that right. A number of e-mail’s attributes led employees to
believe these messages were their own private communications.13

The need for passwords, the ability to personally address e-mail, the use of the
word “mail”, the most confidential form of communication used by the public,
in e-mail, and even the ability to “delete” messages after reading them, all
contribute to employee e-mail users believing that their e-mail communications
are private.

Functionally, a proper e-mail privacy standard lies at the confluence of two
critical questions: how much access do employers have to an employee’s
workspace, and is that access limited by a right of the employee to control their
workspace; and how much of a right do employees have to use the employer’s
property as resources to pursue their own, private purposes. The laws
concerning this employee privacy are unclear at best, non-existent in many
situations, and still in discussion in India.

12 [Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector
Workplace, 8 Harv. J.L. & Tech. 345, 345 [1995]].
13 [Benkler, Yochai, Rules of the Road for the Information Superhighway: Electronic Communications and the Law,
West Publishing, 1996 at 402]

2.8 EMPLOYER PROTECTION

The question thus is how an employer can protect against liability. First, it is
important to reduce the employee’s expectation of privacy with notice, and
second, it is important to do so in a manner that evidences the employee’s
understanding of the policy.

In Watkins [featured in The Times, July 2000], the employer warned employees
that business telephone calls would be monitored, but that personal calls would
only be monitored to the extent necessary to determine whether the call was
personal or business. The court held that this disclosure protected employees’
personal calls and only implied consent to the monitoring of business calls. This
implies that employers will escape liability if they publish a policy expressly
warning employees that all e-mail messages will be monitored and not just
business-related ones. However, the scope of the employer’s intrusion must be
matched by a legitimate business interest justifying the invasion, such as desire
to protect business property or trade secrets.

The London law firm Baker & McKenzie suggests the following policy to
protect employers from employee e-mail invasion of privacy claims.

“The guidelines and warnings listed below are of critical importance and
non-compliance could in certain circumstances constitute a serious disciplinary
matter.

1. Beware what you say in email or voicemail messages. Improper statements
can give rise to personal or company liability. Work on the assumption that
messages may be read or listened by third parties.”14

Whether the current employer/employee relationship exhibits it or not, there is a
judicially created right to privacy. Privacy law has attempted to balance two
basic interests: first, the employer has an interest in minimising losses and
injuries, preventing fraud and crime in his workplace, and maximising
production, productivity, and success. Second, the employee has an interest in
being free from intrusion into his/her private affairs. Neither of these basic
interests is more important than the other. In fact, privacy law has taken on a
“circumstances” based inquiry. How then, does this “circumstances” based
inquiry apply to the relatively new concept of privacy in the employer/employee
context of e-mail transmission?

The answer is, it really has not gone far enough. The Constitution does not
explicitly give the right to privately employed individuals, and there is some
doubt whether it applies to e-mail at all. At present, legislation is under review,
but without an element of finality. Case law is sketchy at best, and is not on
point in e-mail and internet-related activities.

Therefore, to prevent unnecessary situations in the future, there are things that
employers and employees can do. First, employers should notify employees
about policies that exist within the company, which may allow the executive to
search and conduct surveillance of the employee. Thus, the expectation of
privacy needs to be managed. Second, the employer should limit the inquiry to
matters associated with the workplace and the ability of an individual to do their
job. It probably does not benefit the employer to delve into an employee’s
personal e-mail. Third, employers should limit the amount of sensitive
information employees see. This would essentially negate the need to monitor.
Fourth, employers should not release any private information about the
employee. Lastly, employees should keep their personal correspondence where
it belongs - at home and out of the workplace. If both employers and employees
practice these techniques, a more compatible environment for e-mail monitoring
will be available.

14 [See www.netdoor.com/com/bakernet/publicat/europe/alrt21/t-alrt21.html for other warning suggestions protecting
employers’ interests].

Nevertheless, one thing is for sure. Today, any company that uses e-mail must
consider the growing restrictions arising from both judicially created and
statutory law. In addition, any employer who is thinking about monitoring and
“snooping” over e-mail had better make sure that the employee has an
awareness of this intent, because although the laws are ambiguous today, the
trend is toward a more protective environment for the employee.

2.9 BREACH OF CONFIDENTIALITY AND PRIVACY: THE
INDIAN PERSPECTIVE - AN ‘OFFENCE’ UNDER THE INDIAN
INFORMATION TECHNOLOGY ACT, 2000 [IT ACT]

India has, as such, no specific privacy laws in place as yet. Yet, drawing
analogy from the rulings of the Indian Supreme Court on Article 21, one can
safely presume that the existing standards and case precedents of the developed
world will have a significant impact on the laws of India and the rulings of the
Indian courts. There are obvious enhancements of the scope of Article 21 in
the cases of Kharak Singh and Gobind. The implementation of the Information
Technology Act, 2000, is bound only to strengthen this position.


Section 72 of the IT Act prohibits unauthorised disclosure of the contents of an
electronic record. Privacy, in fact, involves at least two kinds of interests;
informational privacy interest and autonomy privacy interest. Information
privacy interest means interest in precluding the dissemination or misuse of
sensitive and confidential information. Autonomy interest means interests in
making intimate personal decisions or conducting personal activities without
observation, intrusion or interference.15 Both the interests deserve protection. In
regard to autonomy privacy interests, there are, however, certain limitations and
exceptions as set out in sections 67, 68, 69 of the IT Act, while Section 72
protects the informational privacy interests. It prohibits disclosure of
information received by a person in pursuance of the powers conferred under
the Act. Such disclosure is punishable with imprisonment for a term, which may
extend to two years and/or fine, which may extend to one lakh rupees.
Disclosure could, however, be made without any penal liability to the law
enforcing agencies or pursuant to proper authorisation by the Controller or with
the consent of the concerned person.

2.10 PRIVACY AND INTERNET LAW

Privacy protection is a critical element of consumer and user trust in the online
environment and a necessary condition for the development of electronic
commerce. Three international organizations have developed guidelines or rules
that set forth basic consumer privacy protections:

• Organisation for Economic Co-operation and Development -- Guidelines
on the Protection of Privacy and Transborder Flows of Personal Data16
[Privacy Guidelines] [1980]

• Council of Europe -- Convention for the Protection of Individuals with
Regard to Automatic Processing of Personal Data [1981]17
Articles 4 - 10 set out the basic principles for data protection.

• Internet Privacy Guidelines [23 February 1999] -- practical, non-binding
advice for Internet users and service providers18

• A good overview of the privacy rules and recommendations issued by the
Council of Europe19

• European Union -- Data Protection Directive [1995]20 Articles 5 - 17 spell
out in somewhat more detail the basic privacy principles.

• Guide to the data privacy directive -- focuses on who is entitled to handle
personal information and how such information can be processed21.

15 Hill v. National Collegiate Athletic Association, 865 P 2d 633 [1994]
16 http://www.oecd.org/dsti/sti/it/secur/index.htm

2.11 PRIVACY OVERVIEW

There are two aspects to the concept of privacy:

Consumer privacy - the right of individuals to control information about them
generated or collected in the course of a commercial interaction. Referred to in
Europe as "data protection."

Privacy rights of the individual against the government - the individual's
protection against unreasonable government intrusions on privacy, such as
searches of the home or interceptions of communications.

17 http://conventions.coe.int/treaty/EN/cadreprincipal.htm
18 http://www.coe.fr/dataprotection/rec/elignes.html
19 http://www.coe.fr/dataprotection/eintro.htm
20 http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
21 http://europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf

Internet law needs to address both sets of issues.

2.11.1 CONSUMER PRIVACY

Consumer privacy protection in the US and Europe, as well as under the
guidelines of the OECD, is based on the following principles:

Notice and Consent - before the collection of data, the data subject should be
provided: notice of what information is being collected and for what purpose
and an opportunity to choose whether to accept the data collection and use.

In Europe, data collection cannot proceed unless the data subject has
unambiguously given his consent [with exceptions].

Collection Limitation - data should be collected for specified, explicit and
legitimate purposes. The data collected should be adequate, relevant and not
excessive in relation to the purposes for which they are collected.

Use/Disclosure Limitation - data should be used only for the purpose for which
it was collected and should not be used or disclosed in any way incompatible
with those purposes.

Retention Limitation - data should be kept in a form that permits identification
of the data subject no longer than is necessary for the purposes for which the
data were collected.


Accuracy - the party collecting and storing data is obligated to ensure its
accuracy and, where necessary, keep it up to date; every reasonable step must be
taken to ensure that data which are inaccurate or incomplete are corrected or
deleted.

Access - a data subject should have access to data about himself, in order to
verify its accuracy and to determine how it is being used.

Security - those holding data about others must take steps to protect its
confidentiality.

2.11.2 PRIVACY PROTECTION AGAINST THE GOVERNMENT

The right to privacy is internationally recognized as a human right. However,
most governments claim the authority to invade privacy through the following
means:

• interception of communications in real-time
• interception of traffic data [routing information] in real-time
• access to data stored by service providers, including traffic data being
stored for billing purposes
• access to data stored by users

These means of access to communications and stored data must be narrowly
defined and subject to independent controls under strict standards. Real-time
interception of communications should take place only with prior approval by a
judge, issued under standards at least as strict as those for police searches of
private homes.


2.12 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the
protection of individuals’ personal data and on the free movement of such data.
The directive seeks to prevent abuse of personal data and lays down
comprehensive rules, including an obligation to collect data only for specified,
explicit and legitimate purposes, as well as to only hold data if it is relevant,
accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet
certain minimum standards of data protection. Any company that does not meet
these stringent standards faces sanctions. In the Netherlands and New Zealand,
codes of conduct or self-regulation are also employed.

The Electronic Communications Privacy Act in the US governs the privacy of
e-mail in public e-mail systems. It bars interception, use, or disclosure of e-mail
by third parties and sets the standards which law enforcement authorities must
meet to gain access to e-mail.

2.13 INDIAN LAW RELATING TO PRIVACY: AN EPILOGUE

Significantly, India does not have any specific law governing privacy. The
courts in India have not yet had the opportunity to look at privacy issues relating
to the Internet. Analogies to the Internet will, therefore, have to be drawn from
cases that the court has actually dealt with.

The Constitution of India does not patently grant the fundamental right to
privacy. However, the courts have read the right to privacy into the other
existing Fundamental Rights: Freedom of Speech and Expression, under Article
19 [1] [a] & Right to Life and Personal Liberty under Article 21. In India, the
right to privacy is one of the un-enumerated rights granted to the individual.
Barring a few exceptions, the Fundamental Rights secured to the individual are
limitations on State action. They are not meant to protect persons against the
conduct of private persons. It is to be noted that the Constitutional guarantee of
the right to privacy is valid only against the State and no Constitutional remedy
for violation of privacy lies against any individual.

2.14 IDENTIFYING GOALS AND OBJECTIVES

On December 18, 2000, the European Union and the United States issued a joint
statement regarding the necessity for building consumer confidence in order to
further global e-commerce. The joint statement went on to point out that
generating consumer confidence requires a combination of private sector
initiatives and a “clear, consistent and predictable legal framework.”

It went on to “reaffirm these important goals and objectives, including the
agreement to provide ‘active support for the development, preferably on a
global basis, of self-regulatory codes of conduct and technologies to gain
consumer confidence in electronic commerce’.”

2.15 IMPLEMENTATION IS MORE DIFFICULT

Does the consumer in fact enjoy the same kind of protection in e-commerce that
he or she has in other kinds of transactions? Does the consumer need the same
level of protection or does the e-commerce consumer have greater relative
bargaining strength? How much should courts enforce agreements by
consumers to give up valuable substantive and procedural rights?


As with all worthy goals, the difficulty is in implementation. This fact is
particularly true when dealing with a worldwide medium like the Internet.
Obviously, if we had the same standards for e-commerce around the world, the
system would be relatively clear and consistent. But for global binding
standards, we would need intergovernmental agreement, which historically
takes many years to reach.

Governmentally-endorsed guidelines and recommendations could be a fallback
position, so long as there was a reasonable amount of harmony among the
various positions. The American Bar Association in 2000 embarked on a special
project, “Alternative Dispute Resolution in Online Commerce” which hopes to
develop a system of guidelines for ADR in e-commerce disputes. The project
focuses particularly on consumer disputes, since the amount of money involved
in consumer matters seldom warrants elaborate ADR machinery.

2.16 CONCERNS OF CONSUMERS

Studies show that key concerns on the part of consumers involve some or all of
the following:

• Lack of confidence in online financial transactions, e.g., concern over
misuse of debit and credit cards.
• Non-delivery or late delivery of goods and services.
• Fraud.
• Hidden costs, such as postal charges and taxes.
• Unrestricted or hidden collection of personal data and channelling of such
data to third parties.
• Lack of independent certification of website policies and practices.


2.17 FAILURE OF E-COMMERCE BUSINESS TO FOLLOW BEST
PRACTICES

In September 2000, ClickSure conducted a best practice analysis of Internet
business websites in Europe and the United States. It measured six aspects:
privacy, security, clarity of website information, transaction management,
quality and monitoring. Its resulting report concluded that there was a clear
failure to measure up to internationally-recognized best practices.

Consumers International [“CI”] subsequently conducted a privacy study
concluded in January 2001. It found that, although the majority of websites
collected personal information from the user, “only a tiny minority provided
privacy policy that gave users meaningful information about how that data
would be used. It concluded that websites in both the U.S. and E.U. fall
woefully short of the standards set by international guidelines on data
protection.”

According to the CI study, the majority of sites ignore even the most basic
principles of fair information use, such as telling consumers how their data will
be used, how it can be accessed, what choices the consumer has about its use
and how the security of that data is maintained.

2.18 THE INTERNET AND CONTRACTUAL CHOICE OF LAW AND
FORUM

2.18.1 GENERAL CONSIDERATIONS

Many disputes involving electronic commerce arise between parties who are
bound by a contract determining the terms and conditions upon which they have
agreed to interact. Frequently, the online contract itself may provide that any
dispute concerning it is to be heard in the courts of a specified state [“choice
of forum” clause or “forum selection” clause] and is to be determined under the
substantive law of a specified state [“choice of law” clause].7

If parties to the contract are presumed to have equal bargaining power and,
therefore, an equal ability to accept or reject such clauses, the clauses are
generally uncontroversial and enforced. However, equality between buyer and
seller has not always been presumed when one party to the contract is a
consumer. Instead, the seller is assumed to define its market and set the terms of
the contract for its own benefit. The buyer, in contrast, is assumed to be
confronted with either [a] accepting the terms imposed by one of a limited
number of sellers serving the buyer’s market or [b] foregoing the purchase. As
discussed above, in order to protect the customer from perceived
disadvantageous choice of forum and law clauses, the E.U. will enforce them
only if they favour the consumer,8 although in the U.S. they are enforced unless
they are “unreasonable.”9

Matthew S. Yeo and Marco Berliri have offered an analysis and perspective on
the problem of determining the governing law in E-Commerce transactions. In a
paper posted online, they post three alternative E.U. approaches to resolve
conflicts.10

7 Contract terms themselves, of course, also supply a set of substantive rules to govern the transaction, which will be
used by a court unless they violate the public policy of the forum.
8 See subsection I.A. 3 supra.
9 See subsection II. B. 2 supra
10 <http://pubs.bna.com/ip/BNA/EIP.NSF/b3e99e4adbdfc8cc85256580004f6e47/f916e63b1616fb7b85256706001efe99?OpenDocument>

• The first is to simply permit the merchant to designate any law that has a
substantial connection to the transaction. The difficulty is that the
consumer may not know or be able reasonably to determine his rights
under such law. The resulting apprehension on the part of the consumer
may retard the growth of E-Commerce.

• The second alternative is to adopt the mandatory rules concept. The
contract can specify the law that will apply to the transaction but would
not trump mandatory consumer protection rules. This creates confusion
and increases the cost of compliance, because the merchant is required to
be familiar with the mandatory rules of each jurisdiction.

• The third alternative, which the authors favour, is to harmonise national
consumer protection laws. This would create a lower cost mechanism,
similar to the model rules enjoyed by other areas of uniform law.
Merchants would not have to learn the law of each jurisdiction and
consumers would know their rights irrespective of choice of law.
Because harmonization is such a monumental task, probably the only
practical low-cost solution is a system of e-commerce dispute resolution,
such as that discussed later.

2.18.2 PRE-DISPUTE SELECTION USING CLICK-WRAP
AGREEMENTS.

2.18.2.1 U.S. CASE LAW.

A “click-wrap” agreement is one which a provider of goods or services presents
online to a user, who can agree to the terms and conditions of the agreement by
either clicking a designated icon or button or typing specified words or phrases.
In the online environment, a user may view the terms and conditions on the
screen, using a control such as a keyboard or mouse to scroll through or
otherwise navigate the terms, and then click a button or bar indicating assent. A
true click-wrap assent should be distinguished from the situation where the terms
and conditions are merely posted on the website and agreement to those terms
and conditions is implied without the user being required actually to expressly
indicate agreement.

Perhaps the earliest reported case in the U.S. supporting online agreement was
the federal appellate court decision in CompuServe, Inc. v. Patterson.11 This was
not strictly a click-wrap, since the user actually typed “agree” to an online
agreement whose choice of jurisdiction was used as one of several contacts to
warrant holding the user subject to personal jurisdiction in the service provider’s
home state. Subsequently, a state court upheld a click-wrap choice of forum
by an AOL subscriber where the subscriber could only enrol on AOL by
clicking the “I agree” button placed next to the “read me” button or the “I
agree” button next to the “I disagree” button at the conclusion of the
subscription agreement, which contained the forum selection clause.12

Another state court sustained a click-wrap forum selection where subscribers to
the Microsoft Network could click a box saying “I Agree” or another saying “I
Don’t Agree” at any time while scrolling the adjacent terms and conditions,
which included the forum selection clause, before registering for the service.13
Since the subscriber clicked “I Agree”, the court drew an analogy to the
pre-contractual opportunity to read the fine-print terms in Carnival Cruise Lines and
refused to treat electronic and paper presentations of terms differently.

11 89 F.3d 1257 [6th Cir. 1996]
12 Groff v. America Online, Inc., 1998 WL 307001 [R.I. Super. May 27, 1998].
13 Caspi v. Microsoft Network L.L.C., 732 A.2d 528 [N.J. App. Div. 1999]

Another federal court found a click-wrap binding on the user as against a
defence of procedural unconscionability, where the arbitration clause appeared in
the final paragraph of the agreement under the caption “Miscellaneous”, which
included provisions on choice of law and forum.14 Finding the click-wrap
binding, the court noted that the clause was in the same font as the rest of the
agreement and was freely scrollable and viewable without time restrictions,
and that a viewer had to agree to the online license agreement before being able to
install software from the provider’s website. A number of other cases have
upheld clickwrap choice of forum.15

More recently, courts have found grounds on which to decline to enforce
consumer click-wraps. Thus, the California Court of Appeal this year invoked a
public policy exception to consumer choice law.16 The trial court had found the
forum selection clause in a clickwrap agreement made during the installation
process on CD-ROM unfair and unreasonable, because the clause was not
negotiated at arm’s length, was in a standard form contract, was not readily
identifiable by plaintiff in small text and placed at the end of the agreement, and
was contrary to California public policy giving its citizens specific and
meaningful remedies that are readily accessible and available. The prime
difference between the Virginia consumer law and that of California was that in
California a consumer can bring a class action while a Virginia consumer could
not. It therefore found a Virginia forum selection clause was invalid.

14 In re RealNetworks, Inc., Privacy Litigation 2000 WL 631341 [N.D. Ill. May 8, 2000].
15 America Online, Inc. v. Booker [“Booker”] 781 So. 2d 423 [Fla 2001 Ct. App.] [forum selection provision in an
online ISP subscription “freely negotiated” and not shown “unreasonable or unjust”; decision unclear on whether
agreement to the forum was express via a click-through or simply implied in some way]; Clemins v. America
Online, Inc., 748 So. 2d 1041 [Fla. Ct. App. 1999] [electronic agreement with Internet service provider enforced
forum selection clause; no indication whether there was click-through or implied assent]; Lieschke v. RealNetworks,
Inc., 2000 WL 198424 [N.D. Ill. Feb. 11, 2000] [arbitration clause on Real Networks site contained in a click-wrap
licence which users were required to traverse before they could download software to play and record music]; Rudder
v. Microsoft Corp., 1999 Carswell Ont. 3195 [WL] [Ontario Super. Ct. Justice Oct 8, 1999] [Canadian court
expressly upheld the validity of a forum selection clause in click-through contract where subscription procedure
required the user to accept the agreement terms each time they appeared on the monitor, and entire agreement could
be viewed by scrolling down screen, with terms not analogous to fine print].
16 America Online, Inc. v. Superior Court, 90 Cal. App. 4th 1 [2001]

The appellate court shifted the usual burden of proof to the party seeking to
uphold a forum selection clause contrary to California’s Consumers Legal
Remedies Act [“CLRA”]. It emphasized the anti-waiver provision in the
CLRA and California consumer protection provisions, which would be
substantially diminished in Virginia, but the court of appeals did not explicitly
rule on the validity of the click-wrap agreement.

A California federal district court declined to enforce a click-wrap in
Ticketmaster, which involved an online agreement where the home page of
Ticketmaster’s website contained instructions, a directory to subsequent event
pages [each with separate electronic address and a hypertext link] and, upon
scrolling to the bottom, terms and conditions, including prohibitions against
deep linking and against copying for commercial use, as well as a term saying
that anyone going beyond the home page thereby agreed to the terms and
conditions.17 There was no “I agree” button or other signification of assent by
the website user, who could go directly to the linked page without seeking the
terms and conditions. Later, the court reaffirmed its ruling.18 Addressing
arguments of copyright and trespass, the court briefly reiterated that the contract
claim lacked “sufficient proof of agreement by defendant.” The judgement was
affirmed.19

A Massachusetts case declined to enforce a click-wrap in a class action lawsuit
concerning installation of software which damaged the user’s system before the
user could review and assent to the agreement.20 The agreement terms were
accessible only by twice overriding the default choice of “I Agree” and clicking
“Read Now” twice. The court here also invoked public policy, citing the
impropriety of requiring residents of Massachusetts with small claims to litigate
in Virginia.

17 Ticketmaster Corp. v. Tickets.com Inc., 54 U.S.P.Q. 1344, 2000 U.S. Dist. LEXIS 4553, 2000 WL 525390
[C.D. Cal. March 27, 2000]
18 2000 WL 1887522 [C.D. Cal. Aug. 10, 2000]
19 2001 WL 51509 [9th Cir. Jan. 8, 2001] [unpublished].

2.18.3 PRACTICES BY WHICH ONLINE PROVIDERS MAY
PROPERLY OBTAIN ASSENT TO ONLINE TERMS

In those jurisdictions which will honour clickwrap choice of law and forum
when fairness requirements are met, legal practitioners should advise their
clients to create the best factual basis to support validity of the agreement. The
goal involves several important parts:

1] a reasonable opportunity for the viewer to access the terms and conditions and
review them;
2] sufficient conspicuousness and readability of the terms and conditions;
3] clear and unambiguous manifestation of assent to the terms and conditions;
4] preclusion of online contracting by a viewer who has not clearly manifested
consent.

To satisfy the first requirement, proposed terms that involve any choice of law
or forum should be presented to the user before the user has any opportunity to
take an action to be bound by the agreement’s terms. All the terms should either
appear automatically or the user should be required to click on a clear icon or
hyperlink that accesses the terms. The user should then be afforded
sufficient opportunity to review the agreement terms, with the ability to read the
terms at his or her own pace and to navigate back and forth in the terms
by scrolling or changing pages. Once the user views the terms, those terms
should remain accessible to the user for further reference.

20 Williams v. America Online, Inc., 2001 WL 135825 [Mass. Super. Ct. Feb. 8, 2001]

In the U.S., sufficient conspicuousness includes having the format and content
of the terms comply with requirements in applicable laws, such as the Uniform
Commercial Code, as to notice, disclosure language, conspicuousness, and the
like. The terms should be in plain language and legible. It is equally important
that other information on the website should not contradict the agreement terms
or render the agreement ambiguous.

The format of the assent must comply with any applicable laws requiring
particular assent to a particular type of term, as well as an overall assent to all
of the terms. It is desirable that there be an express statement, just before the
user is able to click his agreement, that stresses the effect of agreement. Thus, the
user might be expressly warned that:

“By clicking ‘I agree’ below you acknowledge that you have read, understand,
and agree to be bound by the terms above.”

In order to assure that the user has the opportunity to see all of the agreement
before assenting, it is advisable to place the means of assent at the end of the
agreement terms. It is also important to use clear language of assent, e.g., “I
agree,” “I consent,” or “I assent,” rather than more ambiguous language, e.g.,
“Continue,” “Submit,” or “Enter.” Such clear language of assent should be
combined with a clear choice for the user not only to assent but to reject the terms
and to be informed of the consequence of rejection. Ideally, the option to reject
will occur at the same point in the process where final assent is requested, and
involve an equally clear and unambiguous button or term, such as “I disagree,”
“I do not agree,” “Not agreed,” “No,” or “I decline.”


Finally, a user who rejects the online agreement should not be able to take the
transaction any further, without choosing to go back and specifically agreeing to
the terms and conditions.

2.18.4 TOWARD LOW COST AND TRUSTED DISPUTE RESOLUTION:
NOTES BY WAY OF EPILOGUE

One of the conclusions drawn by the report prepared by the American Bar
Association’s two year project on Jurisdiction in Cyberspace was that
cyberspace may need new forms of dispute resolution, in order to reduce
transaction costs for small value disputes and have structures that will work
effectively across national boundaries.21 Following submission of the report, the
ABA constituted a multi-disciplinary special committee to develop criteria and
recommendations for such a dispute resolution system. That group has held a
number of meetings over the past eleven months, starting in late November
2000, and is currently working on a set of guidelines which might form a
worldwide-acceptable basis of dispute resolution procedures. If industry and
consumers can both “buy in” to such guidelines, consumers may become more
comfortable in online transactions, and the results of whose law and forum
should apply will become essentially moot.

In conclusion, the E-Commerce Law set forth a number of provisions intended
to secure B2C transactions. The provision of general and pre-contractual
information, the clarification of the contract formation process, the grant of a
right of withdrawal and the requirement placed on the provider to bear the
burden of proof regarding a number of obligations resting on him are favourable
to consumers and should assist in building confidence for online transactions.
Nevertheless, the right of the providers to bring electronic evidence is not so
clear.

21 Report, Achieving Legal Business Order in Cyberspace, 55 BUS. LAW. 1801, 1824 [2000].

The provider should also make sure that the T&C comply with general
consumer law provisions. For international transactions, the providers will need
to ensure that the site architecture and the T&C comply not only with
Luxembourg laws, but also with the laws of the country of the buyers’ place of
residence, as consumer protection provisions usually cannot be derogated from.

Finally, the intent of the law, which is to give consumers a satisfactory level of
protection by giving them a number of rights, is partly defeated by the fact that
the E-Commerce law is not clear on the applicable sanctions in the event that its
consumer protection provisions are not complied with. Moreover, the existing
dispute resolution mechanisms are not adapted to small online transactions and
no recognition is made in the Law of electronic dispute resolution mechanisms.

2.18.5 CONSUMER PROTECTION AND PRIVACY: THE UK
PERSPECTIVE

The principal commercial advantage of using the internet, and also perhaps its
biggest drawback, is its ability to transmit vast amounts of data almost
simultaneously to any number of persons in any number of locations virtually
anywhere in the world. However, this is also a concern for companies doing business
electronically where personal information about individuals is involved,
whether this involves existing or prospective clients, employees or other
third-party individuals. There is a huge sensitivity surrounding the use of personal
data in databases, both in the United Kingdom and the European Union, of which
businesses and lawyers alike need to be aware. The European Union and certain
other jurisdictions such as Australia, Canada and Hong Kong have enacted data
protection legislation to protect individuals in their respective jurisdictions.
These laws have a major effect on the use of the internet.

2.18.5.1 PRIVACY POLICIES

By 1998, the vast majority of the top 100 visited websites had included privacy
policies. However, a recent Consumers International survey of 751 e-commerce
sites worldwide revealed that while two-thirds of sites collected personal data,
the majority did not give the individual users a choice as to whether such data
was to be kept private, or that there was any prohibition on it being passed to
third parties or kept on the collector’s mailing list.

2.18.5.2 UK DATA PROTECTION ACT

Under the EU Data Protection Directive and the UK implementing legislation,
the Data Protection Act 1998, a party to the European Economic Area [“EEA”]
who is controlling personal data must:

• use the data held fairly and lawfully;
• obtain data for specified purposes and use it only in ways compatible
with those purposes;
• hold only such data as is adequate, relevant and not excessive;
• ensure the data is accurate and up to date;
• not retain the data longer than necessary for the stated purposes;
• take appropriate measures against unauthorized or unlawful use of data
and its accidental loss or damage;
• not transfer data outside the EEA except to a country that ensures an
adequate level of protection of a data subject’s right in that data.

Personal data will not be regarded as being held or used fairly or lawfully unless
the data subject has consented to that use [although there are a limited number
of exceptions]. In general, a data controller may not do anything in
contravention of the above principles except with the consent of the data
subject.

Consent can be either explicit or implicit. Implicit consent may consist of the
site visitor knowing that the data will be collected or used for a specific
purpose, e.g. completing a purchase order form. However, if the information is
sensitive personal data, express consent is required. Express consent requires,
at the very least, a positive act such as clicking on a tick box to indicate
consent. Sensitive data includes such matters as information relating to racial,
political or sexual matters.

Data subjects also have a right, subject to paying a small fee, to be given details
of data held on them by any organization.

Privacy policies in the United Kingdom should be written accordingly. They
therefore need to contain:

• the identity of the collecting entity which has control of the data;
• a clear statement of the users of the data;
• details of the persons receiving the information, if such is the case, and
those to whom it may be transferred outside the EEA;
• clarification, where relevant, that the information has been collected by
means of a ‘cookie’. [A cookie is a file stored by a browser on an
individual’s computer system that holds information. Typically, such files
store information to identify site users, such as their names, addresses
and e-mail details, and to record a user’s choices or preferences. This
means of gathering information may not be apparent on the face of the
site.];
• the express consent of the subject, where sensitive data is collected;
• a statement that the data subject has a right to view the information held
by the recipient;
• an opt-out box for one or more of the specified purposes for which the
information is collected;
• a statement of the safeguards relating to transfer where the information is
to be transferred outside the EEA.

2.19 TRANSFERRING DATA TO THE UNITED STATES AND THE SAFE HARBOUR SCHEME

The privacy policies that many US companies have put in place are at least
equal to those commonly found on European-based websites. However, under
the Data Protection Directive [and the UK enabling legislation], European
companies are not permitted to transfer data outside the EEA to a country that
does not ensure an adequate level of data protection. There is no exemption
for intra-group transfers; this prohibition would therefore apply prima facie
to, for example, a UK company that transfers personal data obtained from its
website to its US parent.

The European Union’s expectations of what is ‘adequate’ are stringent. In
addition to the need to adapt the legislation and data principles applicable to
EU Member States, the European Union requires that each government must
establish a relevant agency that monitors data protection, and keeps a mandatory
register of entities processing personal data. For example, an EU-based company
may legitimately transfer data to Hong Kong as it satisfies the necessary
requirements.

The European Union has now reached agreement with the US Department of
Commerce such that, subject to compliance with certain safe harbour rules, data
may be transferred to the United States. Transfer of data to members involved in
the scheme may be made without the need for specific consent from the affected
data subject. However, this does not remove the requirement that the EU data
subject must know the uses to which the data will be put, including any intended
transfers of that data.

2.20 CYBERCRIME: CONCEPTS AND LEGAL THEORY

Computers and the Internet together form a cyber world. The combination of
computers and the Internet has given birth to new sets of crimes in the 21st
century. Crimes committed on the World Wide Web are known as cybercrime.
Cybercrime has no boundaries and can be committed by a person sitting in one
corner of the world, causing damage to a person sitting in another part of the
world. Phishing, hacking, spoofing, pharming, cyber vandalism etc. are some of
the most common cybercrimes. These crimes are committed to gain vital
information which can be used against the person or organisation to cause
huge loss to them. Governments, companies, banks, and other institutions pay
huge amounts of money to protect their sensitive information on the World Wide
Web.

The crimes committed in the virtual world not only affect a person or an
organisation economically but also affect the mental state of a person.
Cybercrimes like cyberbullying, body shaming and sharing pornographic materials
affect a person mentally.

The Information Technology Act, 2000
In India, there was no law related to cybercrimes before the year 2000. There
was no act under which a person or organization whose legal rights had been
violated on the World Wide Web could get a remedy. Seeing the increase in
cybercrimes, both the Houses of the Indian Parliament passed the Information
Technology Bill in the year 2000, which later on came to be known as The
Information Technology Act, 2000. It was enacted to protect e-commerce,
e-administration and e-banking, and to protect the legal rights of an
individual/organization on the World Wide Web in our country.

The Information Technology Act, 2000 defines ‘computer’ as any
electronic, magnetic, optical or other high-speed data processing device or
system which performs logical, arithmetic, and memory functions by
manipulations of electronic, magnetic or optical impulses, and includes all
input, output, processing, storage, computer software or communication
facilities which are connected or related to the computer in a computer system
or computer network22. The act was later amended by the IT
Amendment Act, 2008.

After the amendment in 2008, the scope of the act was increased. Important
terms such as 'communication devices' were added and given a broader
meaning. The term 'digital signature' was replaced by 'electronic signature' as it
includes biometrics and other new forms of electronic signature. Such important
changes in the act increased its scope and applicability and provided a new
dimension to the act.

22 Section 2[i], Information Technology Act, 2000

Some important sections of the Information Technology Act, 2000 -

Section 43 of the act talks about ‘damage to the computer, computer system
etc’23.
A person will be liable under sec. 43[a] when he gets access to a computer or
computer network without the permission of its owner.

Illustration:
'A' is the owner of a firm. He stores all the vital data of the firm on his laptop.
'B' is an employee of A. While A was away for some work, B gained access to A's
laptop without permission. B will be liable under section 43[a] of the
Information Technology Act, 2000.

Section 66 deals with the punishment for acts committed under
Section 43 of the Information Technology Act, 2000.

It says “If any person, dishonestly or fraudulently, does any act referred to in
section 43, he shall be punishable with imprisonment for a term which may
extend to three years or with fine which may extend to five lakh rupees or with
both”24.

Although the ITA and ITAA are a big step towards cybersecurity and cyber safety,
some important amendments are still needed, the most important issue being
territorial jurisdiction. Territorial jurisdiction is not addressed in the act.
Since cybercrime can be committed from any part of the country, territorial
jurisdiction is a major issue.

23 Section 43, Information Technology Act, 2000
24 Section 66, Information Technology Act, 2000

Cyber Law and Cybercrimes in the USA
In the USA, the Computer Fraud and Abuse Act [CFAA], 18 U.S.C 1030, is
the regulatory act which deals with cyber security and crimes on the web. This
act protects computers in which there is a federal interest, such as bank
computers and federal computers.

Currently, the seven paragraphs of subsection 1030[a] define cybercrimes in the
USA. These include trespassing in government cyberspace, unauthorised access,
espionage, online fraud and much more. It also includes jurisdiction and
penalties regarding cybercrime.

The penalties for conspiracy to violate, or for violations or attempted violations
of, paragraph 1030[a][3] are imprisonment for not more than one year and/or a
fine of not more than $100,000 [$200,000 for organizations] for the first offense
and imprisonment for not more than 10 years and/or a fine of not more than
$250,000 [$500,000 for organizations] for all subsequent convictions.25

Cyber Law and Cybercrimes in Europe
The Convention on Cybercrime, which is popularly known as the Budapest
Convention on Cybercrime, is the first and only international treaty related to
cybercrime. This treaty was drawn up by the Council of Europe in the year 2001.
The draft came into force in the year 2004.

During the time of demonstration, 34 countries showed their interest in the
convention, but later on only 6 countries embraced the convention. None of the
major powers of Europe showed any interest in being bound by the
Convention. The primary countries which endorsed it were Albania,
Croatia, Estonia, Hungary, Lithuania, and Romania.

25 18 U.S.C 1030[c], 3571

As of now, 64 countries have ratified the convention with India and Brazil
notably missing.
The convention was drafted to deal with cybercrimes like copyright
infringement, online fraud, pornographic material, online safety and security
and much more.

Some important changes and developments were made in the convention in later
years. In 2011, developments were made in the area regarding child
pornography and online sexual exploitation of children. In 2018, the committee
suggested a regulation regarding cross-border access to electronic evidence for
criminal investigation. In 2019, new directives were introduced regarding online
and non-cash payment.

As modern society is getting more and more dependent on computers and the
Internet, cybercrimes are bound to increase. Changes like the addition of
territorial jurisdiction must be made in the Information Technology Act.
Moreover, cybercrime is not an issue of one single country; it is a global
problem. To tackle cybercrime, unification of law is the vital need of the
hour. An international unified law in harmony with national law is needed to
make the web a safer space.

‘Cybercrime’ has emerged as a distinct category of study and an ever-increasing
problem requiring the sustained attention of governments, law enforcement
agencies and judicial systems of countries world-wide. Jurisdictions that already
had developed computing and digital communications infrastructure have, over
the last decade or so, been forced to confront the reality of criminal expansion
into the ‘cyberworld’, and to evaluate and understand the adequacy of existing
legal systems in order to ensure the necessary transnational investment and
co-operation.

Through the course of this brief chapter, it must be emphasised that whether in
India or for that matter, anywhere in the world, criminal or penal sanctions can
only be one element of the overall response to cybercrime. Moreover, as has
been seen from bitter experience, such sanctions are not necessarily the most
efficient or desirable form of response. Other ways of preventing or minimising
the harm of cybercrime include technological measures, regulatory controls and
civil proceedings. In the last resort, most jurisdictions have recognised
the need for some form of punitive measures, particularly where the level of
criminality or harm caused or threatened is especially serious.

2.20.1 CYBERCRIME: DEFINING ASPECTS

There is no universally accepted general definition of cybercrime; no national
legislation provides us with a definition or explicitly employs the term26!
Cybercrime comprises two overlapping domains. The first is illegal activities
directed at or perpetrated through the use of computers. This can include crimes
through and via the medium that is the Internet: willful damage to computer
systems or networks, unlawful access to or interference with the operation of
computer systems, transmitting offensive or illegal content and committing
fraud or other offences through the use of the medium27.

26 An analysis of legislation introduced in Asia relating to crimes on the Internet is not quite illustrative as regards a
definition. For instance, the laws introduced in Malaysia [1997] covering computer crimes, copyright, telemedicine
and digital signatures were promoted by the Malaysian Government’s Multimedia Super Corridor as a package of
“cyberlaws” [http://www.mdc.com.my/msc.comm/html/cyberights01.html]. In India, Chapter X of the Indian
Information Technology Act 2000 establishes the “Cyber Regulations Appellate Tribunal”: Ministry of Law, Justice
and Company Affairs [Legislative Department], accessible through the Ministry of Information Technology website
at http://www.mit.gov.in/itbillmain.htm. The Australian Parliament is currently considering the Cybercrime Bill 2000
[introduced 27 June 2001]; see http://www.aph.gov.au/legis.htm.
27 Grabosky, P.N., Smith, R.G. & Dempsey G. 2001, Electronic Theft: Unlawful Acquisition in Cyberspace,
Cambridge University Press, Cambridge.

The second related area is the protection of information. This has been a
concern of legal systems from well before the introduction of modern
technologies of mass-communication, but is clearly brought into focus by the
development of global networked computer-based information media such as
the World Wide Web and the Internet28. Principal legal measures related to the
protection of information from unlawful use, distribution or exploitation include
intellectual property laws, privacy laws, laws relating to secrecy and national
security, and laws relating to unfair commercial advantage.

2.20.2 CYBERCRIME LEGISLATION WORLD-WIDE

A more systematic international understanding of the legal aspects of
cybercrime is emerging through sources such as:

• The Council of Europe’s Draft Convention on Cybercrime [Council of
Europe 2001]29;

• The United Nations symposium on “The Challenge of Borderless
Cybercrime” held in conjunction with the Palermo signing conference of
the Convention Against Transnational Organised Crime [see Grabosky
2000; Tan 2000];

• The United Nations President’s Working Group on Unlawful Conduct on
the Internet [United States Department of Justice 2000]30;

• Cross-national comparative studies such as Cyber Crime … and
Punishment? Archaic Laws Threaten Global Information [McConnell
International 2000]31.

28 Tan, K.H. 2000, “Prosecuting foreign-based computer crime: International law and technology collide”,
Symposium on the Rule of Law in the Global Village, Panel on Borderless Crime, 12-14 December 2000, Palermo;
see http://www.odccp.org/palermo/convmain.html.
29 Council of Europe 2001, Draft Convention on Cybercrime [Final Draft and Explanatory Note], European
Committee on Crime Problems and Committee Experts on Crime in Cyber-Space, Strasbourg, 29 June 2001; see
http://conventions.coe.int/treaty/EN/projets/projets.htm.
30 United States Department of Justice 2000, The Electronic Frontier: Unlawful Conduct Involving the Use of the
Internet, Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000; see
http://usdoj.gov/criminal/cybercrime/unlawful.htm

The most significant international development is the Council of Europe’s
Convention on Cybercrime [final draft released on 25 May 2001]. The text,
which has taken almost four years and many redrafts to reach its present form,
was approved by the Parliamentary Assembly [24 April 2001] with
recommendations to include provisions on human rights and a protocol to ban
“hate speech”, and adopted by the European Committee on Crime Problems at
its 50th plenary session [18-22 June 2001]. The final draft was submitted to the
Committee of Ministers for adoption during its 109th Session, on 8 November
2001.

The convention was the first international treaty to address criminal law and
procedural aspects of various types of criminal behaviour directed against
computer systems, networks, or data and other types of similar misuse.
Signatories to the Convention included the 43 member states of the Council of
Europe plus the United States, Canada and Japan.

The legal analysis that followed adopted the Council of Europe’s classification
of computer offences, and also reviewed offence provisions under national
intellectual property laws.

2.20.3 ADEQUACY OF LEGISLATION

Countries can be initially categorised according to whether they have:

1. basic criminal and commercial laws;
2. a developed system of intellectual property laws; and
3. legislation directed specifically at computers and electronic commerce.

31 McConnell International 2000, Cyber Crime…and Punishment? Archaic Laws Threaten Global Information, online
report; see http://www.mcconnellinternational.com/services/CyberCrime.pdf.

Each of the countries considered below may be observed to fall within one or
more of these categories, with most satisfying the second category and having
made some progress towards the third. Whether the existing legal system in any
country can adequately address cybercrime depends on the precise scope and
interaction of its criminal, commercial, intellectual property and computer-
related laws. As a general rule, however, the development of each of the later
categories has been necessitated in part by the perceived inadequacy of legal
remedies provided by other categories. The reliance on specific intellectual
property laws to protect valuable information, for example, is partly attributable
[in jurisdictions based on the English system] to the common law doctrine that
information is not properly capable of being stolen. Thus, information piracy is
not amenable to prosecution under the criminal law relating to theft or dishonest
acquisition32.

In many countries there are also difficulties in prosecuting under criminal law
acts which may be performed outside the jurisdiction but which result in harm
within the jurisdiction, such as the posting of offensive or obscene content on
the Internet.

Clearly, there are also significant differences in the legal, social and political
contexts within which these laws have been formulated and are enforced.
Before reviewing the legislative provisions, it is useful to explore these contexts
in greater detail.

32 Grabosky, P.N. & Smith, R.G. 1998, Crime in the Digital Age: Controlling Telecommunications and Cyberspace
Illegalities, Transaction Publishers/Federation Press, New Brunswick, New Jersey.

2.20.4 FEARS OF OVER POLICING

During the parliamentary debates and discussions leading up to the enactment of
the Information Technology Bill, the Indian Internet community awaited the
final shape of the proposed legislation. Understandably, there were fears over
possible excessive policing. Observers wondered whether the draconian
provisions would fit into existing Indian criminal and commercial laws33.

Some provisions attracted controversy and were the focus of debate in the
Parliament and within the Internet and legal community. These provisions are:

• Section 79, wherein police personnel have been granted extensive powers
to arrest and seize material from individuals and corporates;

• Section 73 [a], which makes it mandatory for a person hosting a website or
a portal on a server located in India to give details of the website, portal,
person and such other details as may be prescribed by the Controller;
failure will entail a penalty;

• Section 73 [b], wherein the government mandates that all people visiting
cyber cafes will have to maintain a log sheet of all the websites visited by
them. Failure will entail monetary penalty and imprisonment [later
removed from the legislation].

33 The Indian Information Technology Act 2000 attempts to recognise electronic business and it does so, by amending
several archaic legislations like the Indian Evidence Act, 1872, Indian Penal Code, 1860, General Clauses Act, 1897,
the Reserve Bank of India Act, 1934 and the Bankers Book Evidence Act, 1891. Through the amendment of these
laws it will now be possible for courts to recognise digital signatures and electronic records and hence permit
electronic commerce.

2.20.5 LIABILITY OF NETWORK SERVICE PROVIDERS [NWSP]

Certain activist groups have been asking for Network Service Providers /
Internet Service Providers ["ISPs"] to be made responsible for information
which is transmitted through their systems. The reason for doing so would be to
try and put a check on any mischief which may take place through such
systems and affix the liability on the ISPs. However, the impossibility of
monitoring millions of mails and accesses has prompted the government to
absolve NWSPs/ISPs from any third party civil and criminal liability.

There are divergent views on such a provision. The ISPs have hailed this move,
as they are now able to provide access without the tension of undue
interference or the prospect of civil or criminal liability. However, activist
groups have criticised this provision and seek an amendment.

2.20.6 COMPUTER CRIME AND DATA PROTECTION

After the Love Bug crisis, legal experts realised the lacuna that exists in the
current legal regime in India. If such a virus or contaminant was launched in
India and the culprit were to be arrested then under the current legal framework,
such a person would not be punishable.

An extensive definition clause defines numerous activities that can amount to a
cyber crime. Under this provision, almost every conceivable computer mischief
can face civil and criminal liabilities.

Perhaps to give teeth to this provision, the IT Bill further empowers a police
officer not below the rank of Deputy Superintendent of Police [“DSP”] to
investigate such an offence, who has the powers to enter any "public place"
and conduct a search and arrest without a warrant if he/she suspects that a
computer crime is being committed. This provision has faced a lot of criticism
from human rights activists who suspect that this provision may be abused to
violate the fundamental rights of Indian citizens34.

2.20.7 ADJUDICATION AND CYBER APPELLATE TRIBUNAL

An Adjudicator shall adjudicate Cyber crime. The decision of Adjudication may
be appealed before the Cyber Appellate Tribunal. A further appeal may be
preferred before the High Court. The following are the drawbacks of such an
elaborate adjudicatory process:

The Adjudicator and the officers of the Cyber Appellate Tribunal are not
required to have any technical or Internet related qualifications. In the
eventuality of a cyber crime or cyber dispute relevant knowledge of technology
is of critical importance.

The above-mentioned appellate framework ensures that there is no finality to
such a dispute and such a dispute may continue ad nauseam. In the Internet world,
speedy and timely dispute resolution is of critical importance. The prescribed
dispute resolution mechanism suffers from all the infirmities of present-day
dispute resolution in India. This means that in the Internet age such disputes
could continue for years, which would cripple the eBusiness.

34 Not every police officer enjoys such extensive powers under the Act. Only officers above the position of a DSP
may exercise these powers. Furthermore, such powers cannot be delegated and will come under judicial scrutiny.
Cyber crime happens at Internet speed and since very little infrastructure is needed for conducting such a crime,
evidence can easily be concealed or destroyed. In such a situation, an investigating officer might not find time to
obtain a search warrant and such a provision is necessary. This provision ousts the Code of Criminal Procedure,
wherein ordinary police officials may enter into the premises and conduct a search or make arrests in case of
cognizable offences. It is infinitely better to have a senior and trained official exercise discretion in conducting such
searches or raids, rather than have a police sub-inspector or a head constable investigate such an offence.
