
Need for shifting paradigm of considering personal data as ‘oil’: A critical analysis of the Personal Data Protection Bill, 2019

People are increasingly making their personal information publicly available. Today, an unprecedented amount of personal data is in the hands of government and private sector players. Digital India, Aadhaar and the telecom initiatives have added to the already growing pool of personal data that various public and private players draw on to pursue their activities.

Covid-19 has pushed us all towards digitisation and we are now at the point of no return. Work from home had never been envisaged on such a colossal scale, but it has now been accepted as the new normal. Online traffic has escalated due to the surge in video conferencing, meetings, online classes, and excessive chatting. Online payment apps such as Paytm, Google Pay, BHIM, PhonePe, etc. have also witnessed a surge in users.

However, it is not only the creative and prolific use of cyberspace that has increased; the detrimental misuse of the internet has also gone up substantially. The Internet Crime Report for 2020, released by the USA’s Internet Crime Complaint Centre of the Federal Bureau of Investigation, revealed that India stands third in the world among the top 20 countries that are victims of internet crimes. Hackers have even attempted to break into the heavily secured computer networks of heavyweight organisations such as the Indian State Tax Department to steal sensitive information such as PAN card details, GST numbers, phone numbers, and e-mail addresses. Even the Prime Minister’s COVID fund has not been spared by hackers.

In the case of the “PM Cares” coronavirus fund, established by the Prime Minister’s office, at least half a dozen fake versions of the fund’s website emerged and successfully solicited crores of rupees from unsuspecting donors. Senior officials from India’s Home Ministry said that more than 8,000 complaints have been received from Indians, both in the country and abroad, who were duped into donating money to fake versions of the government’s flagship fund account.

CYBER CRIME AND IT ACT, 2000

Cyber crime is a technology-related offence, and technology is never static. It keeps changing and advancing constantly. At the same time, cyber criminals exploit advancing technology to discover ever more sophisticated and adroit means of committing such crimes. The Information Technology Act, 2000 is the only specific Act the nation has to combat the menace of cyber-crimes. It acts as the basis of cyber law and provides remedies and punishments for different cybercrimes.

It is interesting to note that cybercrime as a term was not defined under the IT Act, 2000. The Act dealt only with a few instances of computer-related crimes. These acts, as defined under Chapter XI of the aforesaid Act, are: Section 43, which concerns illegal access, the introduction of viruses, denial of service, causing damage and manipulating computer accounts; Section 65, which concerns tampering with, destroying and concealing computer code; and Section 67, which concerns publishing, transmitting or causing the publication of material that is obscene or lascivious in nature.

Section 66C of the IT Act, 2000 deals with the misuse of digital signatures. Dishonest use of someone else’s digital signature has been made punishable with imprisonment which may extend to three years along with a fine which may extend to one lakh rupees. Under Section 66D, cheating using a computer resource has been made punishable with imprisonment of either description for a term which may extend to three years along with a fine which may extend to one lakh rupees.

Moreover, the amendment of 2008, which was the outcome of the infamous 26/11 terror attack in India, incorporated Section 66F into the Act. This section deals with acts of cyber terrorism, along with acts which tend to threaten the unity, integrity or sovereignty of India or to strike terror among the people or any section of the people of the country.

In this era of computerization, every word or phenomenon is getting prefixed with the letter ‘E’ to indicate that it is computer or internet related. The governments of various countries, including the Government of India, are not lagging behind: in order to provide its services to citizens at their fingertips, the Government is also turning towards E-Governance. E-Governance is nothing but providing the Government’s services to citizens efficiently, in a faster, cheaper and more convenient manner, through the internet and computer systems. The Information Technology Act, 2000 also gives recognition to electronic governance. The aim of electronic governance is to ensure transparency in the Government system. It also makes the Government and its various plans accessible even to citizens residing in the most remote villages of the country.

Some of the lacunae in the IT Act, 2000 concern cyber-crimes committed by websites of foreign origin. These include crimes such as the infestation of computer systems with viruses and worms, selling banned medicines and drugs, dealing in illegal and contraband goods, cyber phishing, illegal monetary transactions and counterfeit currency manipulation, and selling goods and devices harmful to the internal security of India. Such crimes do not find mention in the IT Act, 2000.

Another crucial matter is the jurisdiction of electronic contracts, which is not clearly defined under the Act. For cross-border contracts, since “click-wrap” contracts are not legally recognized as equivalent to digitally signed contracts, bodies corporate relying on click-wrap contracts (wherein the user clicks on a button or checkbox labelled “I agree”) need to take such additional measures as may be required to provide a supplementary evidentiary base for validating the contracts. Moreover, the major offences covered under this Act have been classified as bailable. Thus, interim reliefs, anticipatory bail, etc. would remain readily available to cyber criminals.

The IT (Amendment) Act, 2008 reduced the quantum of punishment for a majority of cyber-crimes. This needs to be rectified. A reasonable share of cyber-crimes needs to be classified as non-bailable offences. The IT Act also does not cover a majority of crimes committed through mobile phones. This needs to be reconsidered and rectified as well. A comprehensive data protection regime needs to be incorporated into the law so as to make the mechanism for combating cyber-crime more effective.

OTHER LAWS TO ENSURE CYBER SECURITY

Besides the IT Act, 2000, the Indian Penal Code, 1986 also provides some punishments and remedies for cyber-crimes. For instance, Section 419 of the IPC deals with frauds committed by impersonation. Section 354 of the IPC deals with the crime of cyber-stalking and online harassment and provides for imprisonment up to 2-3 years. Persons spreading fake news can be prosecuted under Section 505 of the IPC and Section 54 of the Disaster Management Act, 2005 and can be punished with imprisonment up to 3 years, a fine up to 1 lakh, or both.

India’s cyber security landscape is going through an interesting phase, and while the country’s cybersecurity needs are not different from those of the rest of the world, some of the issues being faced require a unique approach. The IT Act was further sharpened by the Amendment Act of 2008, yet the Act is still in its budding stage and demands substantial improvements. There is grave underreporting of cyber-crimes in the nation. Cyber crimes are committed every now and then around the country, but are hardly ever reported. The cases of cyber-crime that reach the courts of law for adjudication are therefore very few compared to the actual number of such crimes committed. There are also practical difficulties in collecting, storing and appreciating digital evidence, and the paucity of an efficiently functioning crime reporting system makes prosecution of cyber-crimes a far-fetched goal. Thus, the Act has miles yet to cover and promises to keep in making the victims of cyber-crimes safe.

CYBER SAFETY AND BANKING

The sharp rise in the value and volume of digital transactions, which touched record levels in March 2017, manifests the accelerated shift towards electronic payments. Due diligence is itself an area of major debate, and banks need to give it serious attention, especially to showcase their prowess on the security front and demonstrate their cyber law compliance. For instance, a mail with unlawful content sent in an individual’s name through a mail provider like Gmail or Yahoo! and another with the same content sent from the bank’s email id, such as sender@xxxbank.com, have entirely different ramifications. Banks cannot feign ignorance and escape culpability in the latter scenario by taking the defence that the sender alone is responsible and not the bank.

The bank also shares equal liability for such e-mails and can be proceeded against, with its lack of supervision and monitoring treated as non-observance of reasonable security practices.

It does not need a seer to say that the growing use of technology in banks is an indicator that the traditional multi-layered defence that banks already have is not adequate for present requirements. Globally, not a day passes without news of a data breach or of cyber-crime incidents in banks. Understandably, banks will most often be reticent to reveal such news for fear of adverse publicity and its impact on the public confidence that banks currently enjoy. As stated above, the RBI, being the regulating authority, has a much larger role to play than being just an enabler of e-commerce and facilitator of online banking.

People are increasingly making their personal information publicly available. Today, an unprecedented amount of personal data is in the hands of government and private sector players. Digital India, Aadhaar and the telecom initiatives have added to the already growing pool of personal data that various public and private players draw on to pursue their activities. Lack of understanding of the security and privacy implications may already have resulted in the exposure of a large amount of data.

THE DATA PROTECTION BILL, 2019

A strong legal framework is considered to be a significant tool for the protection of rights and for strengthening the larger public interest, both generally and specifically. In this regard, a strong data protection bill is the need of the hour. The Data Protection Bill 2019 is in the pipeline of the parliamentary procedure and under scrutiny by the parliamentary committee. If the bill successfully clears parliamentary scrutiny, it shall be India’s first comprehensive law for data protection.

Why is Data Important?

If we look at our day-to-day lifestyle, we live in the physical world, but most of our activities depend on the virtual world. Now, while doing those virtual things, what do we do? We often share our data, time and again. We are always engaged in the virtual world, and in some manner or other we keep on sharing our personal data. Right from our name and contact details to bank information and other personal or professional details, knowingly or unknowingly, we share them. The amount of data that we are sharing

For the protection of data, we first have to move away from the concept that data is the new oil. We have to change this concept, as data can never be oil. Data cannot be treated as a commodity, as it is an inherent part of an individual’s identity and existence. Facts like medical conditions and other personal details are exclusive and essential to an individual’s identity. The pandemic and the digitalisation of medical treatment have substantially increased the volume of personal data being shared. The dependency on telemedicine software and apps, and treatment through video conferencing, requires the patient to share all personal details, including very sensitive and confidential medical data. The digitalisation of medical services has certainly benefitted the people at large, especially during the COVID-19 times, but at the same time it has increased the risk of sensitive personal data being shared on various platforms. Amidst this pandemic, the digital sharing of patients’ medical history and data has substantially increased, which indeed calls for a strong data protection law to stop the misuse of such information by the telemedicine industry.

In this regard, the Government of India’s plan for a National Digital Health Mission (NDHM), through the National Health Portal and Digital Health Profile, is also a matter of discussion. It shall work in such a manner that every patient visiting a medical practitioner will have a unique Medical ID applicable across the nation. All doctors and hospitals shall refer to the same unique ID to find out the medical history of the patient. So, irrespective of the fact that a patient visits different doctors at different places in India, the complete medical history of the patient shall be visible through the unique Medical ID. While this plan of the government is meant to enhance and advance the health sector, it also brings the threat that comes with patients’ personal and sensitive data being uploaded to a digital platform. Therefore, the extent of protection required also needs to be robust. Considering the future and the plans of the government, the data protection law has to be as robust as possible, as there can be no scope for intervention and breach of privacy in such matters.

WHAT ARE THE ESSENTIALS OF A WELL-BUILT DATA PROTECTION LAW?

There are certain requisites which must be incorporated to make a strong data protection law, mainly: consent, State’s authority, data localisation and categorisation of personal data.

Consent: A YES or A NO

The Data Protection Bill 2019 provides for taking the consent of people before their personal data is shared. But there are some exceptions under which data sharing would be allowed even without consent. These exceptions must be narrow, not broad, i.e., sharing without consent should be allowed only in cases where the larger public interest overrides the interest in personal data. Similarly, under the Right to Information Act, there are some exemptions under which the sharing of information is barred by law (matters of national security, etc.). These exemptions rest on the similar ground that in a few matters, the larger public and national interest is more important than the sharing of information. Therefore, a balance between public interest and personal data must be struck. For instance, sharing the personal data of a fugitive offender may be considered necessary in the larger public interest as compared to the offender’s right to privacy.

STATE’S AUTHORITY MUST NOT BE ABSOLUTE

The Supreme Court of India, in the privacy judgement (Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors.), while declaring the right to privacy a fundamental right, allowed only a narrow scope for the state’s intervention and discretion in matters of the privacy of the people. This is interrelated with the Data Protection Bill 2019, as the bill provides quite a few discretionary powers to the state with regard to the usage and sharing of personal data. Therefore, the provisions of the law must be in consonance with the right to privacy and allow the state’s authority only in matters of larger public and national interest.

DATA LOCALISATION: VOCAL FOR LOCAL

Data localization refers to a requirement that any entity that processes the personal data of a given country’s citizens must store that data on servers within that country’s borders. In the era of global digitalisation, social media and e-commerce, data localization is an essential part of a strong data protection law. Multinationals and global tech giants such as Google, Facebook and Twitter have opposed this protectionist policy, as they will have to ensure the localisation of data. Before the Reserve Bank of India’s order for a deadline in September 2020, most of the data was not stored within the country. To ensure localisation, robust provisions and proper compliance are most definitely required.

CATEGORISATION OF PERSONAL DATA

The Data Protection Bill 2019 categorises data into sensitive and critical personal data. The significance of the data would be fixed on the basis of this categorisation, meaning that more sensitive data would be given higher protection.

The General Data Protection Regulation (GDPR) of the European Union is considered to be the most vigorous data protection law. On the basis of a comparative analysis of the GDPR with India’s Data Protection Bill 2019, it can be inferred that a lot of its provisions and rules can be adopted into India’s law to make it more robust. The GDPR has very few exceptions to the consent clause under which data may be shared without consent. Similarly, as compared to India’s bill, the State’s authority and discretion are very limited in the GDPR. The GDPR also doesn’t categorise personal data, and protects the data in a broader and equal manner without any further classification. As the bill is under the scrutiny of the joint parliamentary committee, reference must be drawn to the GDPR to make India’s data protection law more comprehensive and effective.

CONCLUSION

The increasing presence of the web-world in our lives can be gauged from the fact that more than 50% of Indians have access to the internet, which in turn increases our relationship with the virtual world and the sharing of data on various platforms. Therefore, the protection of data is as significant as the protection of human lives and properties. We emphasize the protection of ourselves and our properties in the physical world, but equal protection in the virtual world is the need of the hour.
