Published by Enhelion, 2021-11-09 01:08:08

MODULE 5

ANALYZING DATA PROTECTION, PRIVACY AND THE LAW

5.1 INTRODUCTION

With the advent of the Internet, it has become easy for anyone to gather,
compile and exploit the private information of individuals. What were
scattered, unimportant, small bits of data have now become a potent large set
of data that can be misused by companies or by antisocial elements. This
has prompted many countries to come up with legislation on privacy.

5.2 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the
protection of individuals’ personal data and on the free movement of such
data. The directive seeks to prevent abuse of personal data and lays down
comprehensive rules, including an obligation to collect data only for
specified, explicit and legitimate purposes, as well as to only hold data if it
is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet
certain minimum standards of data protection. Any company that does not
meet these stringent standards faces sanctions. The Electronic
Communications Privacy Act in the US governs the privacy of e-mail in
public e-mail systems. It bars interception, use, or disclosure of e-mail by
third parties and sets the standards which law enforcement authorities must
meet to gain access to e-mail.

5.3 INDIAN LAW RELATING TO PRIVACY1

Significantly, India does not have any specific law governing privacy. The
courts in India have not yet had the opportunity to look at privacy issues
relating to the Internet. Analogies to the Internet will, therefore, have to be
drawn from cases that the court has actually dealt with. The Constitution of
India does not patently grant the fundamental right to privacy. However, the
courts have read the right to privacy into the other existing Fundamental
Rights: Freedom of Speech and Expression, under Article 19 (1) (a) and the
Right to Life and Personal Liberty under Article 21. In India, the right to
privacy is one of the un-enumerated rights granted to the individual.

Barring a few exceptions, the Fundamental Rights secured to the individual
are limitations on State action. They are not meant to protect persons against
the conduct of private persons. It is to be noted that the Constitutional
guarantee of the right to privacy is valid only against the State and no
Constitutional remedy for violation of privacy lies against any individual.
Further, common law also does not provide a direct remedy for invasion of privacy.
It seeks to provide protection by the use of civil wrongs such as defamation
and breach of confidence. However, with the advent of e-commerce, such
common law seems manifestly unsuited to this environment.

India is not a party to any convention on protection of personal data which
is equivalent to the GDPR or the Data Protection Directive. However, India
has adopted or is a party to other international declarations and conventions
such as the Universal Declaration of Human Rights and the International
Covenant on Civil and Political Rights, which recognise the right to privacy.

1 https://www.linklaters.com/en/insights/data-protected/data-protected---india

India has also not yet enacted specific legislation on data protection.
However, the Indian legislature did amend the Information Technology Act
(2000) (“IT Act”) to include Section 43A and Section 72A, which give a
right to compensation for improper disclosure of personal information. The
Indian central government subsequently issued the Information Technology
(Reasonable Security Practices and Procedures and Sensitive Personal Data
or Information) Rules, 2011 (the “Rules”) under Section 43A of the IT Act.
A clarification to the above Rules was issued on 24 August 2011 (the
“Clarification”). The Rules have imposed additional requirements on
commercial and business entities in India relating to the collection and
disclosure of sensitive personal data or information which have some
similarities with the GDPR and the Data Protection Directive.

India has introduced a biometric based unique identification number for
residents called ‘Aadhaar’. Aadhaar is regulated by the Aadhaar (Targeted
Delivery of Financial and Other Subsidies Act) 2016 (“Aadhaar Act”) and
rules and regulations issued thereunder. Entities in regulated sectors such
as financial services and telecom sector are subject to obligations of
confidentiality under sectoral laws which require them to keep customer
personal information confidential and use them for prescribed purposes or
only in the manner agreed with the customer.

Finally, personal data is protected through indirect safeguards developed by
the courts under common law, principles of equity and the law of breach of
confidence. In a landmark judgment delivered in August 2017 (Justice K.S.
Puttaswamy & another Vs. Union of India), the Supreme Court of India has
recognised the right to privacy as a fundamental right under Article 21 of
the Constitution as a part of the right to “life” and “personal liberty”.
“Informational privacy” has been recognised as being a facet of the right to
privacy and the court held that information about a person and the right to
access that information also needs to be given the protection of privacy
(“Privacy Judgment”). The court stated that every person should have the
right to control commercial use of his or her identity and that the “right of
individuals to exclusively commercially exploit their identity and personal
information, to control the information that is available about them on the
internet and to disseminate certain personal information for limited
purposes alone” emanates from this right. This is the first time that the
Supreme Court has expressly recognised the right of individuals over their
personal data.

Fundamental rights are enforceable only against the state and
instrumentalities of the state and the Supreme Court in the same judgment
recognised that enforcing the right to privacy against private entities may
require legislative intervention.

The Government of India therefore constituted a committee to propose a
draft statute on data protection. The committee proposed a draft law and the
Government of India has issued the Personal Data Protection Bill 2019
(“PDP Bill”) based on the draft proposed by the committee. This will be
India’s first law on the protection of personal data and will repeal S. 43A of
the IT Act. Brief details of the likely requirements of the Bill are set out
below.

Section 43A and Section 72A of the IT Act came into force on 27 October
2009. The Rules came into force on 11 April 2011. The Aadhaar Act came
into force on 12 September 2016.

A joint Parliamentary Committee is currently considering the PDP Bill and
a revised draft of the PDP Bill is expected to be issued during 2020. The
PDP Bill would then have to be passed by both houses of Parliament and
notified in the official gazette before it becomes law. Even after enactment,
the law is likely to be implemented in a phased manner. Currently, there is
no information about that implementation timeline.

5.4 SOLUTIONS AND REGULATION: AN EPILOGUE

5.4.1 A Perspective On Possible Solutions

Even an example that might otherwise be thought to favour the assertion of
jurisdiction by a local sovereign--protection of local citizens from fraud and
antitrust violations--shows the beneficial effects of a Cyberspace legal
regime. How should we analyse "markets" for fraud and consumer
protection purposes when the companies at issue do business only through
the World Wide Web? Consumer protection doctrines could also develop
differently online--to take into account the fact that anyone reading an
online ad is only a mouse click away from guidance from consumer
protection agencies and discussions with other consumers. Nevertheless,
that does not mean that fraud might not be made "illegal" in at least large
areas of Cyberspace. Those who establish and use online systems have an
interest in preserving the safety of their electronic territory and preventing
crime. They are more likely to be able to enforce their own rules. And, as
more fully discussed below, insofar as a consensually based "law of the Net"
needs to obtain respect and deference from local sovereigns, new Net-based
law-making institutions have an incentive to avoid fostering activities that
threaten the vital interests of territorial governments.

Cyberspace could be treated as a distinct marketplace for purposes of
assessing concentration and market power. Concentration in geographic
markets would only be relevant in the rare cases in which such market power
could be inappropriately leveraged to obtain power in online markets--for
example by conditioning access to the net by local citizens on their buying
services from the same company (such as a phone company) online. Claims
regarding a right to access to particular online services, as distinct from
claims to access particular physical pipelines would remain tenuous as long
as it is possible to create a new online service instantly in any corner of an
expanding online space.

This text focuses also on technological developments as enabling change.
But these technologies will not determine the future of the Internet. The
future will be determined by individuals and organisations that find new
uses for the technologies and policies that either encourage or discourage
certain activities. Existing and proposed uses raise important issues in the
areas of electronic contracts, authentication, taxation, jurisdiction,
intellectual property protection, privacy, consumer protection, security,
reliability, competition policy and standards, among others. Although the
future is impossible to predict, it seems highly likely that the exciting
possibilities that we can envision based upon technological progress will
continue to raise new issues and demand creative policy responses.

5.5 SECURITY CONCERNS, TRADE SECRETS AND PRIVACY:
DEVELOPING TRENDS

“One of the most facile and legalistic approaches to safeguarding privacy
that has been offered to date is the notion that personal information is a
species of property. If this premise is accepted, the natural corollary is that
a data subject has the right to control information about him and is eligible
for the full range of legal protection that attaches to property ownership.”2

As laws, policies, and technological designs increasingly structure people's
relationships with social institutions, individual privacy faces new threats
and new opportunities. Over the Internet as a medium, there has to be a
harmonisation of the specific rules for the treatment of personal information.
India has no data protection laws. Having said this, the ambit of "personal
liberty" as covered by the Constitution of India has been successfully
interpreted in cases relating to privacy (Gobind v. State of M.P.)3 and
protection of confidential information. Over the last several years, the realm
of technology and privacy has been transformed, creating a landscape that
is both dangerous and encouraging. Significant changes include large
increases in communication bandwidths; the widespread adoption of
computer networking and public-key cryptography; mathematical
innovations that promise a vast family of protocols for protecting identity in
complex transactions; new digital media that support a wide range of social
relationships; a new generation of technologically sophisticated privacy
activists; a massive body of practical experience in the development and
application of data-protection laws; and the rapid globalisation of
manufacturing, culture, and policy making.

2 (Arthur Miller: The Assault on Privacy: Computers, Data Banks and Dossiers 211 (1971)).
3 (1975) 2 SCC 148

Potentially the most significant technical innovation, though, is a class of
privacy-enhancing technologies (PETs). Beginning with the publication of
the first public-key cryptographic methods in the 1970s, mathematicians
have constructed a formidable array of protocols for communicating and
conducting transactions while controlling access to sensitive information.
These techniques have become practical enough to be used in mass-market
products, and sharp conflicts have been provoked by attempts to propagate
them. PETs also mark a significant philosophical shift. By applying
advanced mathematics to the protection of privacy, they disrupt the
conventional pessimistic association between technology and social control.
No longer are privacy advocates in the position of resisting technology as
such, and no longer can objectives of social control (if there are any) be
hidden beneath the mask of technical necessity. As a result, policy debates
have opened where many had assumed that none would exist, and the simple
choice between privacy and functionality has given way to a more complex
trade-off among potentially numerous combinations of architecture and
policy choices.

This contrast reflects another, deeper divide. Powerful socio-economic
forces are working toward a global convergence of the conceptual content
and the legal instruments of privacy policy. These forces include
commonalities of technology, a well-networked global policy community,
and the strictures on cross-border flows of personal data in the European
Union’s Data Protection Directive. While the United States has moved
slowly to establish formal privacy mechanisms and standardise privacy
practices over the last two decades, it now appears that the globalisation of
markets, the growing pervasiveness of the Internet, and the implementation
of the Data Protection Directive will bring new pressures to bear on the
American privacy regime.

The evolution of privacy policy, meanwhile, has interacted with individual
nations’ political philosophies. This interaction should be viewed not on a
nation-by-nation basis but rather as the expression of a series of partial
accommodations between the uniform regulation of data handling and
liberal political values that tend to define privacy issues in terms of localised
interactions among individuals. (This tension runs throughout the
contemporary debate and will recur in various guises.)

One constant across this history is the notorious difficulty of defining the
concept of privacy. The lack of satisfactory definitions has obstructed public
debate by making it hard to support detailed policy prescriptions with
logical arguments from accepted moral premises. Attempts to ground
privacy rights in first principles have floundered, suggesting their inherent
complexity as social goods. Privacy is more difficult to measure than other
objects of public concern, such as environmental pollution. The extreme
lack of transparency in societal transfers of personal data, moreover, gives
the issue a nebulous character. Citizens may be aware that they suffer harm
from the circulation of computerised information about them, but they
usually cannot reconstruct the connections between the cause and effect.
This may account in part for the striking mismatch between public
expression of concern in opinion polls and the almost complete absence of
popular mobilisation in support of privacy rights.

The new technologies also have implications for conceptions of
relationship, trust, and public space. Technology and codes of practice
determine whether databased “relationships” between organisations and
individuals are fair, or whether they provoke anxiety. These concerns are a
traditional motivation for data protection regulation, but they are amplified
by technologies that permit organisations to maintain highly customised
“relationships” by projecting different organisational personae to different
individuals. Such “relationships” easily become asymmetric, with the
organisation having the greater power to control what information about it
is released while simultaneously obscuring the nature and scope of the
information it has obtained about individuals. Examine, for instance, the
conditions under which individuals can establish private zones that restrict
access by outsiders. A secure telephone line is arguably a precondition for
the establishment of an intimate relationship, an interest that has long been
regarded as a defining feature of human dignity. This concern with the
boundaries that are established around a relationship complements concern
with the boundaries that are negotiated within a relationship. It also draws
attention to the contested nature of those boundaries.

Beneficial relationships are generally held to require trust. As the
information infrastructure supports relationships in more complex ways, it
also creates the conditions for the construction of trust. Trust has an obvious
moral significance, and it is economically significant when sustained
business relationships cannot be reduced to periodic zero-sum exchange or
specified in advance by contract. Trust and uncertainty are complementary;
cryptography establishes the boundaries of trust by keeping secrets. This
approach, however, reduces trustworthiness to simple reliability, thereby
introducing tacit norms against trusting behaviour. Just as technology
provides the conditions for negotiating relationships, it also provides the
conditions for creating trust. Legal systems evolve to the institutional
conditions by which a technical architecture comes to support these
conditions or else evolves toward a regime of coercive surveillance.

No matter how well crafted a privacy code might be, privacy will only be
protected if the necessary information practices are actually followed.
Policy-makers need to understand how privacy issues actually arise in the
daily activities of information workers, and organisational cultures need to
incorporate practicable norms of privacy protection. Once established, these
norms will only be sustained if the public understands the issues well
enough to make informed choices and to assert their rights when necessary.

5.6 CONFIDENTIAL INFORMATION

Confidential information constitutes the essence of software development.
From the instructions/specifications received from the client/trade partners,
to the algorithms developed by the co-workers, every part of the
development of an item of software code involves the use of confidential
information. All of this information is invaluable to the software company
developing the code and even more so to its competitors. There is no
copyright in ideas or information as such and accordingly there is no remedy
under the copyright law for unauthorised use of confidential ideas or
information obtained directly or indirectly by one person from another. A
remedy will have to be sought by proceedings for breach of confidence or
breach of trust. The relief that can be obtained is by a suit for an injunction
or damages.

5.6.1 Protection Of Confidential Information

If ideas and information are acquired by a person in such circumstances that
it would be a breach of good faith to disclose them to a third party or utilise
them and he has no just cause or excuse for doing so, the court will grant an
injunction against him. It is well settled that information imparted in
confidence [especially information which is imparted in confidence to servants
and agents] will be protected. The courts will restrain the use of it if it is
in breach of good faith. The law on this subject does not depend on any implied
contract. It depends on the broad principle of equity that he who has received
information in confidence shall not take unfair advantage of it. He must not
make use of it to the prejudice of him who gave it without obtaining his
consent.

5.6.2 Nature Of Confidential Information

It is a matter of common knowledge that, under a system of free private
enterprise and therefore of competition, it is to the advantage of a
trader/commercial entity to obtain as much information as possible
concerning the business of his rivals and to let them know as little as possible
of his own.

The information may be a trade secret, for example, a method of production
not protected by a patent, or a business secret, such as the financial
structuring of an undertaking or a piece of domestic ‘in-house’ information
like the salary scale of clerks, or the efficiency of the firm’s filing system.
Some of this information would be of a highly confidential nature, as being
potentially damaging if a competitor should obtain it, some would be less
so and much would be worthless to a rival organisation.

5.6.3 Confidence Implied In A Contract

If two parties make a contract under which one of them obtains for the
purpose of contract or in connection with it some confidential matter, even
though the contract is silent on the issue of confidence, the law will imply
an obligation to treat that confidential matter in a confidential way, as one
of the implied terms of contract, but the obligation to respect confidence is
not limited to cases where the parties are in a contractual relationship.

5.6.4 Confidence Implied By Circumstances

An action for breach of confidence does not depend upon any right of
property or contract or right of law. It rests on an equitable obligation of
confidence, which may be implied from the circumstances of the case. Even
if there exists no contractual relationship between the plaintiff and the
defendant, if a defendant is proved to have used confidential information
obtained directly or indirectly from the plaintiff and without his consent
express or implied, he will be guilty of infringement of the plaintiff’s rights.

5.6.5 Identification Of Confidential Information

In identifying confidential information, four elements must be discerned:
First, the information must be information the release of which the owner
believes would be injurious to him or of advantage to his rivals or others.
Second, the owner must believe that the information is confidential or
secret, i.e. that it is not already in the public domain. It may be that some or
all of his rivals already have the information, but as long as the owner
believes it to be confidential, he is entitled to try to protect it. Third, the
owner’s belief under the two previous headings must be reasonable. Fourth,
the information must be judged in the light of the usage and practice of the
particular industry or trade concerned. It may be that information, which
does not satisfy all these requirements, may be entitled to protection as
confidential information or trade secrets, but that any information, which
does satisfy them, must be of a type, which is entitled to protection.

5.6.6 Essential Requirements Of Breach Of Confidence

Three elements are normally required if, apart from contract, a case of
breach of confidence is to succeed. First, the information itself must have
the necessary quality of confidence about it. Secondly, that information
must have been imparted in circumstances importing an obligation of
confidence. Thirdly, there must be unauthorised use of that information to
the detriment of the party communicating it.

5.6.7 Exceptions To Breach Of Confidence

Where the information is such that it ought to be divulged in the public
interest to one who has an interest in receiving it, the Court will not restrain
such a disclosure. Information relating to anti-national activities, which are
against national security, breaches of the law or statutory duty or fraud, may
come under this category. In fact, whenever there is strong public interest in
the disclosure of the matter, Courts may not consider such disclosure as
breach of confidence.

5.6.8 Remedies For Breach Of Confidence

The remedies for breach of confidence consist of an injunction and
damages and delivery-up where applicable. The injunction may be
interlocutory or permanent. The information may remain confidential only
for a limited period in which case, the injunction will not extend beyond that
period. Since the information, alleged to be confidential, might be of value
to the plaintiff only for a certain period, an interim injunction will ordinarily
be granted only for a specified period depending upon the circumstances
and the nature of confidential information.

In the balance of convenience, the following factors have to be considered:

• whether the effect of an injunction would be harmful to the
defendants;

• whether the terms of the injunction are such that it is extremely
difficult for the defendants to know what they may do and what they
may not do;

• whether it is certain upon the material before the Court that even if
they were successful in the trial, the plaintiff would obtain an
injunction rather than damages.

Damages or compensation is determined based on the market value of the
confidential information based on a notional sale between a willing seller
and a willing purchaser. This method may be more appropriate for
confidential information relating to industrial designs or processes or
business secrets.

Where a plaintiff elects in favour of an account of profits, he will in the
normal course receive the difference between the sale price of the goods and
the sum expended in manufacturing them. The sum would be abated by the
amounts, if any, expended by the defendants as commission in relation to
the contract.

5.7 EMPLOYEE PRIVACY RIGHTS

Employee privacy is considered one of the most important issues facing
companies today4. This is so because no longer is employee privacy
relegated to the employer “monitoring their workers’ performance by
observing production lines, counting sales orders, and simply looking over
the employee’s shoulder.” Instead, employers now have the capability to
monitor their employees through electronic means, including computers and
e-mail. This “development of sophisticated technology is greatly expanding
the advanced and highly effective methods by which employers monitor the
workplace.” (Larry O. Natt Gantt, II, An Affront to Human Dignity:
Electronic Mail Monitoring in the Private Sector Workplace, 8 Harv. J.L. &
Tech. 345, 345 (1995)).

4 (Laurie Thomas Lee, Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Laws in the Age of the
“Electronic Sweatshop”, 28 J. Marshall L. Rev. 139, 139 (1994))

Although it is obvious that e-mail gives companies a great deal of
technological advantages and is an important tool in today's business world,
it also creates a problem for employers and employees in the area of
employee privacy. The question becomes, do employers have the right to
look at employees’ e-mails, and do employees have a right of privacy that
should prevent such an intrusion? Employers argue that they need the right
to electronically monitor employees in order to enhance job performance,
prevent theft, fraud, and other illegal conduct. They also argue that
productivity, efficiency, and quality controls are all enhanced by electronic
surveillance. The employee on the other hand, maintains that he has an
expectation of privacy, and that electronic surveillance is an invasion of that
right. A number of e-mail’s attributes led employees to believe these
messages were their own private communications (Benkler, Yochai, Rules
of the Road for the Information Superhighway: Electronic Communications
and the Law, West Publishing, 1996 at 402). The need for passwords, the
ability to personally address e-mail, the use of the word “mail”, the most
confidential form of communication used by the public, in e-mail, and even
the ability to “delete” messages after reading them, all contribute to
employee e-mail users believing that their e-mail communications are
private.

Functionally, a proper e-mail privacy standard lies at the confluence of two
critical questions: how much access do employers have to an employee’s
workspace, and is that access limited by a right of the employee to control
their workspace; and how much of a right do employees have to use the
employer’s property as resources to pursue their own, private purposes. The
laws concerning this employee privacy are unclear at best, non-existent in
many situations, and still in discussion in India.

5.8 EMPLOYER PROTECTION

The question thus is how can an employer protect against liability. First, it
is important to reduce the employee’s expectation of privacy with notice,
and second, it is important to do so in a manner that evidences the
employee’s understanding of the policy.

In Watkins [featured in The Times, July 2000], the employer warned
employees that business telephone calls would be monitored, but that
personal calls would only be monitored to the extent necessary to determine
whether the call was personal or business. The court held that this disclosure
protected employees’ personal calls and only implied consent to the
monitoring of business calls. This implies that employers will escape
liability if they publish a policy expressly warning employees that all e-mail
messages will be monitored and not just business related ones. However,
the scope of the employer’s intrusion must be matched by a legitimate
business interest justifying the invasion, such as a desire to protect business
property or trade secrets.

The London law firm Baker & McKenzie suggests the following policy to
protect employers from employee e-mail invasion of privacy claims.

“The guidelines and warnings listed below are of critical importance and
non-compliance could in certain circumstances constitute a serious
disciplinary matter.

1. Beware what you say in email or voicemail messages. Improper
statements can give rise to personal or company liability. Work on the
assumption that messages may be read or listened to by third parties.”5

Whether the current employer/employee relationship exhibits it or not, there
is a judicially created right to privacy. Privacy law has attempted to balance
two basic interests: first, the employer has an interest in minimising losses
and injuries, preventing fraud and crime in his workplace, and maximising
production, productivity, and success. Second, the employee has an interest
in being free from intrusion into his/her private affairs. Neither of these
basic interests is more important than the other. In fact, privacy law has
taken on a “circumstances” based inquiry. How then, does this
“circumstances” based inquiry apply to the relatively new concept of
privacy in the employer/employee context of e-mail transmission?

5 (See www.netdoor.com/com/bakernet/publicat/europe/alrt21/t-alrt21.html for other warning suggestions
protecting employers’ interests).

The answer is, it really has not gone far enough. The Constitution does not
explicitly give the right to privately employed individuals, and there is some
doubt whether it applies to e-mail at all. At present, legislation is under
review, but without an element of finality. Case law is sketchy at best, and
is not on point in e-mail and internet-related activities.

Therefore, to prevent unnecessary situations in the future, there are things
that employers and employees can do. First, employers should notify
employees about policies that exist within the company, which may allow
the executive to search and conduct surveillance of the employee. Thus, the
expectation of privacy needs to be managed. Second, the employer should
limit the inquiry to matters associated with the workplace and the ability of an
individual to do their job. It probably does not benefit the employer to delve
into an employee’s personal e-mail. Third, employers should limit the
amount of sensitive information employees see. This would essentially
negate the need to monitor. Fourth, employers should not release any private
information about the employee. Lastly, employees should keep their
personal correspondence where it belongs - at home and out of the
workplace. If both employers and employees practice these techniques, a
more compatible environment for e-mail monitoring will be available.

Nevertheless, one thing is for sure. Today, any company that uses e-mail
must consider the growing restrictions arising from both judicially created
and statutory law. In addition, any employer who is thinking about
monitoring and “snooping” over e-mail had better make sure that the
employee is aware of this intent, because although the laws are
ambiguous today, the trend is toward a more protective environment for the
employee.

5.9 BREACH OF CONFIDENTIALITY AND PRIVACY: THE
INDIAN PERSPECTIVE - AN ‘OFFENCE’ UNDER THE
INDIAN INFORMATION TECHNOLOGY ACT, 2000 (IT
ACT)

India has, as such, no specific privacy laws in place as yet. Yet, drawing an
analogy from the rulings of the Indian Supreme Court on Article 21, one can
safely presume that the existing standards and case precedents of the
developed world will have a significant impact on the laws of India and the
rulings of the Indian courts. There are obvious enhancements of the scope
of Article 21 in the cases of Kharak Singh and Gobind. The
implementation of the Information Technology Act, 2000, is bound only to
strengthen this position.

Section 72 of the IT Act prohibits unauthorised disclosure of the contents of
an electronic record. Privacy, in fact, involves at least two kinds of interests:
informational privacy interest and autonomy privacy interest. Informational
privacy interest means an interest in precluding the dissemination or misuse of
sensitive and confidential information. Autonomy privacy interest means an
interest in making intimate personal decisions or conducting personal activities
without observation, intrusion or interference. [Refer to Hill v. National
Collegiate Athletic Association, 865 P.2d 633 (1994)]. Both interests
deserve protection. In regard to autonomy privacy interests, there are,
however, certain limitations and exceptions as set out in Sections 67, 68 and 69
of the IT Act, while Section 72 protects the informational privacy interests.

It prohibits disclosure of information received by a person in pursuance of
the powers conferred under the Act. Such disclosure is punishable with
imprisonment for a term, which may extend to two years and/or fine, which
may extend to one lakh rupees. Disclosure could, however, be made without
any penal liability to the law enforcing agencies or pursuant to proper
authorisation by the Controller or with the consent of the concerned person.

5.10 PRIVACY AND INTERNET LAW

Privacy protection is a critical element of consumer and user trust in the
online environment and a necessary condition for the development of
electronic commerce. Three international organizations have developed
guidelines or rules that set forth basic consumer privacy protections:

• Organisation for Economic Co-operation and Development --
Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data6 (Privacy Guidelines) (1980)

• Council of Europe -- Convention for the Protection of Individuals
with Regard to Automatic Processing of Personal Data (1981)7

Articles 4 - 10 set out the basic principles for data protection.

• Internet Privacy Guidelines (23 February 1999) -- practical, non-
binding advice for Internet users and service providers8

6 http://www.oecd.org/dsti/sti/it/secur/index.htm
7 http://conventions.coe.int/treaty/EN/cadreprincipal.htm
8 http://www.coe.fr/dataprotection/rec/elignes.html

• A good overview of the privacy rules and recommendations issued by
the Council of Europe9

• European Union -- Data Protection Directive (1995)10 Articles 5 - 17
spell out in somewhat more detail the basic privacy principles.

• Guide to the data privacy directive -- focuses on who is entitled to
handle personal information and how such information can be
processed11.

5.11 PRIVACY OVERVIEW

There are two aspects to the concept of privacy:

Consumer privacy - the right of individuals to control information about
them generated or collected in the course of a commercial interaction.
Referred to in Europe as "data protection."

Privacy rights of the individual against the government - the individual's
protection against unreasonable government intrusions on privacy, such as
searches of the home or interceptions of communications.

Internet law needs to address both sets of issues.

5.11.1 Consumer Privacy

9 http://www.coe.fr/dataprotection/eintro.htm
10 http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html
11 http://europa.eu.int/comm/internal_market/en/media/dataprot/news/guide_en.pdf

Consumer privacy protection in the US and Europe, as well as under the
guidelines of the OECD, is based on the following principles:

Notice and Consent - before the collection of data, the data subject should
be provided: notice of what information is being collected and for what
purpose and an opportunity to choose whether to accept the data collection
and use.

In Europe, data collection cannot proceed unless the data subject has
unambiguously given his consent (with exceptions).

Collection Limitation - data should be collected for specified, explicit and
legitimate purposes. The data collected should be adequate, relevant and not
excessive in relation to the purposes for which they are collected.

Use/Disclosure Limitation - data should be used only for the purpose for
which it was collected and should not be used or disclosed in any way
incompatible with those purposes.

Retention Limitation - data should be kept in a form that permits
identification of the data subject no longer than is necessary for the purposes
for which the data were collected.

Accuracy - the party collecting and storing data is obligated to ensure its
accuracy and, where necessary, keep it up to date; every reasonable step
must be taken to ensure that data which are inaccurate or incomplete are
corrected or deleted.

Access - a data subject should have access to data about himself, in order to
verify its accuracy and to determine how it is being used.

Security - those holding data about others must take steps to protect its
confidentiality.

5.11.2 Privacy Protection Against The Government

The right to privacy is internationally recognized as a human right.
However, most governments claim the authority to invade privacy through
the following means:

• interception of communications in real-time

• interception of traffic data (routing information) in real-time

• access to data stored by service providers, including traffic data being
stored for billing purposes

• access to data stored by users

These means of access to communications and stored data must be narrowly
defined and subject to independent controls under strict standards. Real-time
interception of communications should take place only with prior approval
by a judge, issued under standards at least as strict as those for police
searches of private homes.

5.12 INTERNATIONAL PRIVACY INITIATIVES

On July 25, 1995, the EU announced the adoption of a directive on the
protection of individuals’ personal data and on the free movement of such
data. The directive seeks to prevent abuse of personal data and lays down
comprehensive rules, including an obligation to collect data only for
specified, explicit and legitimate purposes, as well as to only hold data if it
is relevant, accurate and up-to-date.

The directive requires all companies concluding business in the EU to meet
certain minimum standards of data protection. Any company that does not
meet these stringent standards faces sanctions. In the Netherlands and New
Zealand, codes of conduct or self-regulation are also employed.

The Electronic Communications Privacy Act in the US governs the privacy
of e-mail in public e-mail systems. It bars interception, use, or disclosure of
e-mail by third parties and sets the standards which law enforcement
authorities must meet to gain access to e-mail.

5.13 INDIAN LAW RELATING TO PRIVACY: AN EPILOGUE

Significantly, India does not have any specific law governing privacy. The
courts in India have not yet had the opportunity to look at privacy issues
relating to the Internet. Analogies to the Internet will, therefore, have to be
drawn from cases that the court has actually dealt with.

The Constitution of India does not patently grant the fundamental right to
privacy. However, the courts have read the right to privacy into the other
existing Fundamental Rights: Freedom of Speech and Expression, under
Article 19 (1) (a) & Right to Life and Personal Liberty under Article 21. In
India, the right to privacy is one of the un-enumerated rights granted to the
individual. Barring a few exceptions, the Fundamental Rights secured to the
individual are limitations on State action. They are not meant to protect
persons against the conduct of private persons. It is to be noted that the
Constitutional guarantee of the right to privacy is valid only against the State
and no Constitutional remedy for violation of privacy lies against any
individual.

5.14 IDENTIFYING GOALS AND OBJECTIVES

On December 18, 2000, the European Union and the United States issued a
joint statement regarding the necessity for building consumer confidence in
order to further global e-commerce. The joint statement went on to point
out that generating consumer confidence requires a combination of private
sector initiatives and a “clear, consistent and predictable legal framework.”

It went on to “reaffirm these important goals and objectives, including the
agreement to provide ‘active support for the development, preferably on a
global basis, of self-regulatory codes of conduct and technologies to gain
consumer confidence in electronic commerce’.”

5.15 IMPLEMENTATION IS MORE DIFFICULT

Does the consumer in fact enjoy the same kind of protection in e-commerce
that he or she has in other kinds of transactions? Does the consumer need
the same level of protection or does the e-commerce consumer have greater
relative bargaining strength? How much should courts enforce agreements
by consumers to give up valuable substantive and procedural rights?

As with all worthy goals, the difficulty is in implementation. This fact is
particularly true when dealing with a worldwide medium like the Internet.
Obviously, if we had the same standards for e-commerce around the world,
the system would be relatively clear and consistent. But for global binding
standards, we would need intergovernmental agreement, which historically
takes many years to reach.

Governmentally-endorsed guidelines and recommendations could be a
fallback position, so long as there was a reasonable amount of harmony
among the various positions. The American Bar Association in 2000
embarked on a special project, “Alternative Dispute Resolution in Online
Commerce” which hopes to develop a system of guidelines for ADR in e-
commerce disputes. The project focuses particularly on consumer disputes,
since the amount of money involved in consumer matters seldom warrants
elaborate ADR machinery.

5.16 CONCERNS OF CONSUMERS

Studies show that key concerns on the part of consumers involve some or
all of the following:

• Lack of confidence in online financial transactions, e.g., concern over
misuse of debit and credit cards.

• Non-delivery or late delivery of goods and services.

• Fraud.

• Hidden costs, such as postal charges and taxes.

• Unrestricted or hidden collection of personal data and channelling of
such data to third parties.

• Lack of independent certification of website policies and practices.

5.17 FAILURE OF E-COMMERCE BUSINESS TO FOLLOW BEST
PRACTICES

In September 2000, ClickSure conducted a best practice analysis of Internet
business websites in Europe and the United States. It measured six aspects:
privacy, security, clarity of website information, transaction management,
quality and monitoring. Its resulting report concluded that there was a clear
failure to measure up to internationally-recognized best practices.

Consumers International (“CI”) subsequently conducted a privacy study
concluded in January 2001. It found that, although the majority of websites
collected personal information from the user, “only a tiny minority provided
a privacy policy that gave users meaningful information about how that data
would be used.” It concluded that websites in both the U.S. and E.U. fall
woefully short of the standards set by international guidelines on data
protection. According to the CI study, the majority of sites ignore even
the most basic principles of fair information use, such as telling consumers
how their data will be used, how it can be accessed, what choices the
consumer has about its use and how the security of that data is maintained.

5.18 THE INTERNET AND CONTRACTUAL CHOICE OF LAW
AND FORUM

5.18.1 GENERAL CONSIDERATIONS

Many disputes involving electronic commerce arise between parties who
are bound by a contract determining the terms and conditions upon which
they have agreed to interact. Frequently, the online contract itself may
provide that any dispute concerning it is to be heard in the courts of a
specified state (“choice of forum” clause or “forum selection” clause) and
is to be determined under the substantive law of a specified state (“choice
of law” clause).7

If parties to the contract are presumed to have equal bargaining power and,
therefore, an equal ability to accept or reject such clauses, the clauses are
generally uncontroversial and enforced. However, equality between buyer
and seller has not always been presumed when one party to the contract is a
consumer. Instead, the seller is assumed to define its market and set the
terms of the contract for its own benefit. The buyer, in contrast, is assumed
to be confronted with either (a) accepting the terms imposed by one of a
limited number of sellers serving the buyer’s market or (b) foregoing the

7 Contract terms themselves, of course, also supply a set of substantive rules to govern the transaction, which
will be used by a court unless they violate the public policy of the forum.

purchase. As discussed above, in order to protect the customer from
perceived disadvantageous choice of forum and law clauses, the E.U. will
enforce them only if they favour the consumer,8 although in the U.S. they
are enforced unless they are “unreasonable.”9

Matthew S. Yeo and Marco Berliri have offered an analysis and perspective
on the problem of determining the governing law in E-Commerce
transactions. In a paper posted online, they posit three alternative E.U.
approaches to resolve conflicts.10 The first is to simply permit the merchant
to designate any law that has a substantial connection to the transaction. The
difficulty is that the consumer may not know or be able reasonably to
determine his rights under such law. The resulting apprehension on the part
of the consumer may retard the growth of E-Commerce. The second
alternative is to adopt the mandatory rules concept. The contract can specify
the law that will apply to the transaction but would not trump mandatory
consumer protection rules. This creates confusion and increases the cost of
compliance, because the merchant is required to be familiar with the
mandatory rules of each jurisdiction.

The third alternative, which the authors favour, is to harmonise national
consumer protection laws. This would create a lower cost mechanism,
similar to the model rules enjoyed by other areas of uniform law. Merchants
would not have to learn the law of each jurisdiction and consumers would
know their rights irrespective of choice of law. Because harmonization is

8 See subsection I.A. 3 supra.
9 See subsection II. B. 2 supra
10 <http://pubs.bna.com/ip/BNA/EIP.NSF/b3e99e4adbdfc8cc85256580004f6e47/f916e63b1616fb7b85256706001efe99?OpenDocument>

such a monumental task, probably the only practical low-cost solution is a
system of e-commerce dispute resolution, such as that discussed later.

5.18.2 Pre-Dispute Selection Using Click-Wrap Agreements

5.18.2.1 U.S. Case Law

A “click-wrap” agreement is one which a provider of goods or services
presents online to a user, who can agree to the terms and conditions of the
agreement by either clicking a designated icon or button or typing specified
words or phrases. In the on-line environment, a user may view the terms
and conditions on the screen, using a control such as a keyboard or mouse
to scroll through or otherwise navigate the terms, and then click a button or
bar indicating assent. A true click-wrap assent should be distinguished from
a situation where the terms and conditions are merely posted on the website
and agreement to those terms and conditions is implied without the user
actually being required to expressly indicate agreement.

Perhaps the earliest reported case in the U.S. supporting online agreement
was the federal appellate court decision in CompuServe, Inc. v. Patterson.11
This was not strictly a click-wrap, since the user actually typed “agree” to an
online agreement whose choice of jurisdiction was used as one of several
contacts to warrant holding the user subject to personal jurisdiction in
the service provider’s home state. Subsequently, a state court upheld a
click-wrap choice of forum by an AOL subscriber where the subscriber could
only enrol on AOL by clicking the “I agree” button placed next to the
“read me” button or the “I agree” button next to the “I disagree” button at

11 89 F.3d 1257 (6th Cir. 1996)

the conclusion of the subscription agreement, which contained the forum
selection clause.12

Another state court sustained a click-wrap forum selection where
subscribers to the Microsoft Network could click a box saying “I Agree” or
another saying “I Don’t Agree” at any time while scrolling the adjacent
terms and conditions, which included the forum selection clause, before
registering for the service.13 Since the subscriber clicked “I Agree”, the
court drew an analogy to the pre-contractual opportunity to read the fine-print
terms in Carnival Cruise Lines and refused to treat electronic and paper
presentations of terms differently.

Another federal court found a click-wrap binding on the user as against a
defence of procedural unconscionability, where the arbitration clause appeared
in the final paragraph of the agreement under the caption “Miscellaneous”,
which included provisions on choice of law and forum.14 Finding the
click-wrap binding, the court noted that the clause was in the same font as the
rest of the agreement and was freely scrollable and viewable without time
restrictions, and that a viewer had to agree to the online license agreement before
being able to install software from the provider’s website. A number of other
cases have upheld click-wrap choice of forum.15

12 Groff v. America Online, Inc., 1998 WL 307001 (R.I. Super. May 27, 1998).
13 Caspi v. Microsoft Network, L.L.C., 732 A.2d 528 (N.J. App. Div. 1999).
14 In re RealNetworks, Inc., Privacy Litigation, 2000 WL 631341 (N.D. Ill. May 8, 2000).
15 America Online, Inc. v. Booker (“Booker”), 781 So. 2d 423 (Fla. Ct. App. 2001) (forum selection provision in
an online ISP subscription “freely negotiated” and not shown “unreasonable or unjust”; decision unclear on
whether agreement to the forum was express via a click-through or simply implied in some way); Celmins v.
America Online, Inc., 748 So. 2d 1041 (Fla. Ct. App. 1999) (electronic agreement with Internet service provider
enforced forum selection clause; no indication whether there was click-through or implied assent); Lieschke v.
RealNetworks, Inc., 2000 WL 198424 (N.D. Ill. Feb. 11, 2000) (arbitration clause on RealNetworks site
contained in a click-wrap licence which users were required to traverse before they could download software to
play and record music); Rudder v. Microsoft Corp., 1999 Carswell Ont. 3195 (WL) (Ontario Super. Ct. Justice

More recently, courts have found grounds on which to decline to enforce
consumer click-wraps. Thus, the California Court of Appeal this year
invoked a public policy exception to consumer choice of law.16 The trial court
had found the forum selection clause in a click-wrap agreement made during
the installation process on CD-ROM unfair and unreasonable, because the
clause was not negotiated at arm’s length, was in a standard form contract,
was not readily identifiable by the plaintiff, being in small text and placed at
the end of the agreement, and was contrary to California public policy giving its
citizens specific and meaningful remedies that are readily accessible and
available. The prime difference between the Virginia consumer law and that
of California was that in California a consumer can bring a class action while
a Virginia consumer could not. It therefore found that a Virginia forum selection
clause was invalid.

The appellate court shifted the usual burden of proof to the party seeking to
uphold a forum selection clause contrary to California’s Consumers Legal
Remedies Act (CLRA). It emphasized the anti-waiver provision in the
CLRA and California consumer protection provisions, which would be
substantially diminished in Virginia, but the court of appeals did not
explicitly rule on the validity of the click-wrap agreement.

A California federal district court declined to enforce a click-wrap in
Ticketmaster, which involved an online agreement where the home page of
Ticketmaster’s website contained instructions, a directory to subsequent
Oct 8, 1999) (Canadian court expressly upheld the validity of a forum selection clause in click-through contract
where subscription procedure required the user to accept the agreement terms each time they appeared on the monitor,
and entire agreement could be viewed by scrolling down screen, with terms not analogous to fine print).
16 America Online, Inc. v. Superior Court, 90 Cal. App. 4th 1 (2001)

event pages (each with a separate electronic address and a hypertext link)
and, upon scrolling to the bottom, terms and conditions, including
prohibitions against deep linking and against copying for commercial use,
as well as a term saying that anyone going beyond the home page thereby
agreed to the terms and conditions.17 (There was no “I agree” button or other
signification of assent by the website user, who could go directly to the
linked page without seeing the terms and conditions.) Later, the court
reaffirmed its ruling.18 Addressing arguments of copyright and trespass, the
court briefly reiterated that the contract claim lacked “sufficient proof of
agreement by defendant.” The judgement was affirmed.19

A Massachusetts case declined to enforce a click-wrap in a class action
lawsuit concerning installation of software which damaged the user’s
system before the user could review and assent to the agreement.20 The
agreement terms were accessible only by twice overriding the default choice
of “I Agree” and clicking “Read Now” twice. The court here also invoked
public policy, citing the impropriety of requiring residents of Massachusetts
with small claims to litigate in Virginia.

5.18.3 Practices By Which Online Providers May Properly Obtain
Assent To Online Terms

In those jurisdictions which will honour click-wrap choice of law and forum
when fairness requirements are met, legal practitioners should advise their

17 Ticketmaster Corp. v. Tickets.com Inc., 54 U.S.P.Q. 1344, 2000 U.S. Dist. LEXIS 4553, 2000 WL 525390
(C.D. Cal. March 27, 2000)
18 2000 WL 1887522 (C.D. Cal. Aug. 10, 2000)
19 2001 WL 51509 (9th Cir. Jan. 8, 2001) (unpublished).
20 Williams v. America Online, Inc., 2001 WL 135825 (Mass. Super. Ct. Feb. 8, 2001)

clients to create the best factual basis to support validity of the agreement.
The goal involves several important parts: 1) a reasonable opportunity for
the viewer to access the terms and conditions and review them; 2) sufficient
conspicuousness and readability of the terms and conditions; 3) clear and
unambiguous manifestation of assent to the terms and conditions; 4)
preclusion of online contracting by a viewer who has not clearly manifested
consent.

To satisfy the first requirement, proposed terms that involve any choice of
law or forum should be presented to the user before the user has any
opportunity to take an action to be bound by the agreement’s terms. All the
terms should either appear automatically or the user should be required to
click on a clear icon or hyperlink that accesses the terms. The user should
then be afforded sufficient opportunity to review the agreement terms,
with the ability to read the terms at his or her own pace and to navigate
back and forth in the terms by scrolling or changing pages. Once the
user views the terms, those terms should remain accessible to the user for
further reference.

In the U.S., sufficient conspicuousness includes having the format and
content of the terms comply with requirements in applicable laws, such as
the Uniform Commercial Code, as to notice, disclosure language,
conspicuousness, and the like. The terms should be in plain language and
legible. It is equally important that other information on the website should
not contradict the agreement terms or render the agreement ambiguous.

The format of the assent must comply with any applicable laws requiring
particular assent to a particular type of term, as well as an overall assent to

all of the terms. It is desirable that there be an express statement just
before the user is able to click his agreement that stresses the effect of
agreement. Thus, the user might be expressly warned that: “By clicking ‘I
agree’ below you acknowledge that you have read, understand, and agree to
be bound by the terms above.”

In order to assure that the user has the opportunity to see all of the agreement
before assenting, it is advisable to place the means of assent at the end of
the agreement terms. It is also important to use clear language of assent, e.g.,
“I agree,” “I consent,” or “I assent,” rather than more ambiguous language,
e.g., “Continue,” “Submit,” or “Enter.” Such clear language of assent
should be combined with a clear choice for the user not only to assent but to
reject the terms and to be informed of the consequence of rejection. Ideally,
the option to reject will occur at the same point in the process where final
assent is requested, and involve an equally clear and unambiguous button or
term, such as “I disagree,” “I do not agree,” “Not agreed,” “No,” or “I
decline.”

Finally, a user who rejects the online agreement should not be able to take
the transaction any further, without choosing to go back and specifically
agreeing to the terms and conditions.

5.18.4 Toward Low Cost And Trusted Dispute Resolution: Notes
By Way Of Epilogue

One of the conclusions drawn by the report prepared by the American Bar
Association’s two-year Project on Jurisdiction in Cyberspace was that
cyberspace may need new forms of dispute resolution, in order to reduce

transaction costs for small value disputes and have structures that will work
effectively across national boundaries.21 Following submission of the report,
the ABA constituted a multi-disciplinary special committee to develop
criteria and recommendations for such a dispute resolution system. That
group has held a number of meetings over the past eleven months, starting
in late November 2000, and is currently working on a set of guidelines
which might form a worldwide-acceptable basis of dispute resolution
procedures. If industry and consumers can both “buy in” to such guidelines,
consumers may become more comfortable in online transactions, and the
results of whose law and forum should apply will become essentially moot.

In conclusion, the e-Commerce Law sets forth a number of provisions
intended to secure B2C transactions. The provision of general and pre-
contractual information, the clarification of the contract formation process,
the grant of a right of withdrawal and the requirement placed on the provider
to bear the burden of proof regarding a number of obligations resting on him
are favourable to consumers and should assist in building confidence for
online transactions. Nevertheless, the right of the providers to bring
electronic evidence is not so clear.

The provider should also make sure that the T&C comply with general
consumer law provisions. For international transactions, the providers will
need to ensure that the site architecture and the T&C comply not only with
Luxembourg laws, but also with the laws of the country of the buyers’ place

21 Report, Achieving Legal Business Order in Cyberspace, 55 BUS. LAW. 1801,1824 (2000).

of residence, as consumer protection provisions usually cannot be derogated
from.

Finally, the intent of the Law, which is to give consumers a satisfactory level
of protection by giving them a number of rights, is partly defeated by the
fact that the e-Commerce Law is not clear on the applicable sanctions in the
event that its consumer protection provisions are not complied with.
Moreover, the existing dispute resolution mechanisms are not adapted to
small online transactions and no recognition is made in the Law of electronic
dispute resolution mechanisms.

5.18.5 Consumer Protection And Privacy: The UK Perspective

The principal commercial advantage of using the internet, and also perhaps
its biggest drawback, is its ability to transmit vast amounts of data almost
simultaneously to any number of persons in any number of locations
virtually anywhere in the world. However, this is also a concern for
companies doing business electronically where personal information about
individuals is involved, whether this involves existing or prospective clients,
employees or other third party individuals. There is a huge sensitivity
surrounding the use of personal data in databases, both in the United Kingdom
and the European Union, of which businesses and lawyers alike need to be
aware. The European Union and certain other jurisdictions such as Australia,
Canada and Hong Kong have enacted data protection legislation to protect
individuals in their respective jurisdictions. These laws have a major effect
on the use of the internet.

5.18.5.1 Privacy Policies

By 1998, the vast majority of the top 100 visited websites had included
privacy policies. However, a recent Consumers International survey of 751
e-commerce sites worldwide revealed that while two-thirds of sites collected
personal data, the majority did not give the individual users a choice as to
whether such data was to be kept private, or that there was any prohibition
on it being passed to third parties or kept on the collector’s mailing list.

5.18.5.2 UK Data Protection Act

Under the EU Data Protection Directive and the UK implementing
legislation, the Data Protection Act 1998, a party in the European Economic
Area (EEA) who is controlling personal data must:

• use the data held fairly and lawfully;

• obtain data for specified purposes and use it only in ways compatible
with those purposes;

• hold only such data as is adequate, relevant and not excessive;

• ensure the data is accurate and up to date;

• not retain the data longer than necessary for the stated purposes;

• take appropriate measures against unauthorized or unlawful use of
data and its accidental loss or damage;

• not transfer data outside the EEA except to a country that ensures an
adequate level of protection of a data subject’s rights in that data.

Personal data will not be regarded as being held or used fairly or lawfully
unless the data subject has consented to that use (although there are a
limited number of exceptions). In general, a data controller may not do
anything in contravention of the above principles except with the consent
of the data subject.

Consent can be either explicit or implicit. Implicit consent may consist of the
site visitor knowing that the data will be collected or used for a specific purpose, e.g.
completing a purchase order form. However, if the information is sensitive
personal data, express consent is required. Express consent requires, at the
very least, a positive act such as clicking on a tick box to indicate consent.
Sensitive data includes such matters as information relating to racial,
political or sexual matters.

Data subjects also have a right, subject to paying a small fee, to be given
details of data held on them by any organization.

Privacy policies in the United Kingdom should be written accordingly. They
therefore need to contain:

• the identity of the collecting entity which has control of the data;

• a clear statement of the uses of the data;

• details of the persons receiving the information, if such is the case,
and those to whom it may be transferred outside the EEA;

• clarification, where relevant, that the information has been collected
by means of a ‘cookie’ (a cookie is a file stored by a browser on an
individual’s computer system that holds information; typically, such
files store information to identify site users, such as their names,
addresses and e-mail details, and to record a user’s choices or
preferences; this means of gathering information may not be apparent
on the face of the site);

• the express consent of the subject, where sensitive data is collected;

• a statement that the data subject has a right to view the information
held by the recipient;

• an opt-out box for one or more of the specified purposes for which the
information is collected;

• a statement of the safeguards relating to transfer where the
information is to be transferred outside the EEA.

5.19 TRANSFERRING DATA TO THE UNITED STATES AND
THE SAFE HARBOUR SCHEME

The privacy policies that many US companies have put in place are at least
equal to those commonly found on European-based websites. However,
under the Data Protection Directive (and the UK enabling legislation),
European companies are not permitted to transfer data to a country that does
not ensure an adequate level of data protection. There is no exemption for
intra-group transfers; this prohibition would therefore apply prima facie to
a UK company that transfers personal data obtained from its website to its
US parent.

The European Union’s expectations of what is ‘adequate’ are stringent. In
addition to the need to adapt the legislation and data principles applicable to
EU Member States, the European Union requires that each government must
establish a relevant agency that monitors data protection, and keeps a
mandatory register of entities processing personal data. For example, an
EU-based company may legitimately transfer data to Hong Kong as it
satisfies the necessary requirements.

The European Union has now reached agreement with the US Department
of Commerce such that, subject to compliance with certain safe harbour
rules, data may be transferred to the United States. Transfer of data to
members involved in the scheme may be made without the need for specific
consent from the affected data subject. However, this does not remove the
requirement that the EU data subject must know the uses to which the data
will be put, including any intended transfers of that data.

5.20 CYBERCRIME: CONCEPTS AND LEGAL THEORY

‘Cybercrime’ has emerged as a distinct category of study and an
ever-increasing problem requiring the sustained attention of governments, law
enforcement agencies and judicial systems of countries world-wide.
Jurisdictions that already had developed computing and digital
communications infrastructure have, over the last decade or so, been forced
to confront the reality of criminal expansion into the ‘cyberworld’, and to
evaluate and understand the adequacy of existing legal systems in order to
ensure the necessary transnational investment and co-operation.

Through the course of this brief chapter, it must be emphasised that whether
in India or for that matter, anywhere in the world, criminal or penal sanctions
can only be one element of the overall response to cybercrime. Moreover,
as has been seen from bitter experience, such sanctions are not necessarily
the most efficient or desirable form of response. Other ways of preventing
or minimising the harm of cybercrime include technological measures,
regulatory controls and civil proceedings. In the last resort, most
jurisdictions have recognised the need for some form of punitive measures,
particularly where the level of criminality or harm caused or threatened is
especially serious.

5.20.1 Cybercrime: Defining Aspects

There is no universally accepted general definition of cybercrime; no
national legislation provides us with a definition or explicitly employs the
term12. Cybercrime comprises two overlapping domains. The first is illegal
activities directed at or perpetrated through the use of computers. This can
include crimes through and via the medium that is the Internet: willful
damage to computer systems or networks, unlawful access to or interference
with the operation of computer systems, transmitting offensive or illegal
content and committing fraud or other offences through the use of the
medium13.

12 An analysis of legislation introduced in Asia relating to crimes on the Internet is not quite illustrative as regards
a definition. For instance, the laws introduced in Malaysia [1997] covering computer crimes, copyright,
telemedicine and digital signatures were promoted by the Malaysian Government’s Multimedia Super Corridor
as a package of “cyberlaws” [http://www.mdc.com.my/msc.comm/html/cyberights01.html]. In India, Chapter X
of the Indian Information Technology Act 2000 establishes the “Cyber Regulations Appellate Tribunal”: Ministry
of Law, Justice and Company Affairs [Legislative Department], accessible through the Ministry of Information
Technology web site at http://www.mit.gov.in/itbillmain.htm. The Australian Parliament is currently considering
the Cybercrime Bill 2000 [introduced 27 June 2001]; see http://www.aph.gov.au/legis.htm.

The second related area is the protection of information. This has been a
concern of legal systems from well before the introduction of modern
technologies of mass-communication, but is clearly brought into focus by
the development of global networked computer-based information media
such as the World Wide Web and the Internet14. Principal legal measures
related to the protection of information from unlawful use, distribution or
exploitation include intellectual property laws, privacy laws, laws relating
to secrecy and national security, and laws relating to unfair commercial
advantage.

5.20.2 Cybercrime Legislation World-Wide

A more systematic international understanding of the legal aspects of
cybercrime is emerging through sources such as:

• The Council of Europe’s Draft Convention on Cybercrime (Council
of Europe 2001)15;

• The United Nations symposium on “The Challenge of Borderless
Cybercrime” held in conjunction with the Palermo signing conference
of the Convention Against Transnational Organised Crime (see
Grabosky 2000; Tan 2000);

• The United Nations President’s Working Group on Unlawful Conduct
on the Internet (United States Department of Justice 2000)16;

• Cross-national comparative studies such as Cyber Crime … and
Punishment? Archaic Laws Threaten Global Information
(McConnell International 2000)17.

13 Grabosky, P.N., Smith, R.G. & Dempsey G. 2001, Electronic Theft: Unlawful Acquisition in Cyberspace,
Cambridge University Press, Cambridge.
14 Tan, K.H. 2000, “Prosecuting foreign-based computer crime: International law and technology collide”,
Symposium on the Rule of Law in the Global Village, Panel on Borderless Crime, 12-14 December 2000,
Palermo; see http://www.odccp.org/palermo/convmain.html.

The most significant international development is the Council of Europe’s
Convention on Cybercrime (final draft released on 25 May 2001). The text,
which has taken almost four years and many redrafts to reach its present
form, was approved by the Parliamentary Assembly (24 April 2001) with
recommendations to include provisions on human rights and a protocol to
ban “hate speech”, and adopted by the European Committee on Crime
Problems at its 50th plenary session (18-22 June 2001). The final draft will
be submitted to the Committee of Ministers for adoption during its 109th
Session, on 8 November 2001.

The convention will be the first international treaty to address criminal law
and procedural aspects of various types of criminal behaviour directed
against computer systems, networks, or data and other types of similar
misuse. Signatories to the Convention include the 43 member states of the
Council of Europe plus the United States, Canada and Japan.

The legal analysis that follows adopts the Council of Europe’s classification
of computer offences, and also reviews offence provisions under national
intellectual property laws.

15 Council of Europe 2001, Draft Convention on Cybercrime [Final Draft and Explanatory Note], European
Committee on Crime Problems and Committee of Experts on Crime in Cyber-Space, Strasbourg, 29 June 2001; see
http://conventions.coe.int/treaty/EN/projets/projets.htm.
16 United States Department of Justice 2000, The Electronic Frontier: Unlawful Conduct Involving the Use of the
Internet, Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000; see
http://usdoj.gov/criminal/cybercrime/unlawful.htm
17 McConnell International 2000, Cyber Crime…and Punishment? Archaic Laws Threaten Global Information,
online report; see http://www.mcconnellinternational.com/services/CyberCrime.pdf.

5.20.3 Adequacy Of Legislation

Countries can be initially categorised according to whether they have:

1. basic criminal and commercial laws;
2. a developed system of intellectual property laws; and
3. legislation directed specifically at computers and electronic
commerce.

Each of the countries considered below may be observed to fall within one
or more of these categories, with most satisfying the second category and
having made some progress towards the third. Whether the existing legal
system in any country can adequately address cybercrime depends on the
precise scope and interaction of its criminal, commercial, intellectual
property and computer-related laws. As a general rule, however, the
development of each of the later categories has been necessitated in part by
the perceived inadequacy of legal remedies provided by other categories.
The reliance on specific intellectual property laws to protect valuable
information, for example, is partly attributable (in jurisdictions based on the
English system) to the common law doctrine that information is not properly
capable of being stolen. Thus, information piracy is not amenable to
prosecution under the criminal law relating to theft or dishonest
acquisition18. In many countries there are also difficulties in prosecuting
under criminal law acts which may be performed outside the jurisdiction but
which result in harm within the jurisdiction, such as the posting of offensive
or obscene content on the Internet.

Clearly, there are also significant differences in the legal, social and political
contexts within which these laws have been formulated and are enforced.
Before reviewing the legislative provisions, it is useful to explore these
contexts in greater detail.

18 Grabosky, P.N. & Smith, R.G. 1998, Crime in the Digital Age: Controlling Telecommunications and
Cyberspace Illegalities, Transaction Publishers/Federation Press, New Brunswick, New Jersey.

5.20.4 Fears Of Over Policing

During the parliamentary debates and discussions leading up to the
enactment of the Information Technology Bill, the Indian Internet
community awaited the final shape of the proposed legislation.
Understandably, there were fears over possible excessive policing.
Observers wondered whether the draconian provisions would fit into
existing Indian criminal and commercial laws19.

Some provisions attracted controversy and were the focus of debate in the
Parliament and within the Internet and legal community. These provisions
are:

• Section 79, wherein police personnel have been granted extensive
powers to arrest and seize material from individuals and corporates;

• Section 73 (a), which makes it mandatory for a person hosting a website
or a portal on a server located in India to give details of the website,
portal, person and such other details as may be prescribed by the
Controller; failure will entail a penalty;

• Section 73 (b), wherein the government mandates that all people
visiting cyber cafes will have to maintain a log sheet of all the web
sites visited by them. Failure will entail a monetary penalty and
imprisonment [later removed from the legislation].

19 The Indian Information Technology Act 2000 attempts to recognise electronic business and it does so by
amending several archaic legislations like the Indian Evidence Act, 1872, Indian Penal Code, 1860, General Clauses
Act, 1897, the Reserve Bank of India Act, 1934 and the Bankers Book Evidence Act, 1891. Through the
amendment of these laws it will now be possible for courts to recognise digital signatures and electronic records
and hence permit electronic commerce.

5.20.5 Liability Of Network Service Providers (NWSP)

Certain activist groups have been asking for Network Service Providers /
Internet Service Providers ("ISPs") to be made responsible for information
which is transmitted through their systems. The reason for doing so would
be to try and put a check on any mischief which may take place through
such systems and affix the liability on the ISPs. However, the impossibility
of monitoring millions of mails and accesses has prompted the government
to absolve NWSPs/ISPs from any third party civil and criminal liability.

There are divergent views on such a provision. The ISPs have hailed this
move, as they are now able to provide access without the tension of undue
interference or the prospect of civil or criminal liability. However, activist
groups have criticised this provision and seek an amendment.

5.20.6 Computer Crime And Data Protection

After the Love Bug crisis, legal experts have realised the lacuna that exists
in the current legal regime in India. If such a virus or contaminant was
launched in India and the culprit were to be arrested then under the current
legal framework, such a person would not be punishable.

An extensive definition clause defines numerous activities that can amount
to a cyber crime. Under this provision, almost every conceivable computer
mischief can face civil and criminal liabilities.

