1.1 INTRODUCTION
Privacy is a state of affairs in which information about an individual’s life and circumstances that is private in nature lies beyond the reach and knowledge of others. In the current technological milieu, where one can access personal details and information about an individual’s diverse affairs, what privacy means is that people want control over which information about them enters the public domain. Privacy ordains that the individual is at liberty to avoid unsanctioned intrusions into his life and personal affairs, and presupposes that the individual will have unqualified control over the information pertaining to him. Privacy is an interest of the human personality: it protects the inviolate personality, the individual’s independence, dignity and integrity1. The reasons for protecting one’s privacy are varied. Some people want to maintain anonymity; others want to conceal facts about themselves that are embarrassing or discreditable, or that may put their life or property at risk; a few simply want peace and solitude. Thus one can safely argue that there are basically three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person2.
The discourse on privacy interests and the corresponding legal rights has seen drastic changes from one technological era to another. In the old legal order, before telecom, communication and computational technologies were available, privacy intrusions were primarily treated as trespass, assault or eavesdropping. Privacy in those days had not attained the intensity and magnitude it has in today’s modern world, where we have telephone wiretaps and microphones for overhearing, digital photography and spycams for undercover and intelligence operations, and computers, mass storage devices and database software for storing, collating and circulating personal and financial information. With these inventions no one can rest assured that his personal information will remain within the confines of his home or personal archives. New technologies have made it possible to clandestinely transmit and broadcast information pertaining to an individual without his knowledge. The organized collection, collation and storage of an individual’s private and personal information in databases has made it possible to invade people’s privacy. The data storage and surveillance potential of computer systems has given a new direction to the discourse on privacy rights. The question is no longer whether the information could be obtained, but rather whether it should be obtained and, where it has been obtained, how it should be used. Technological inventions such as data matching, profiling, data mining, smart cards, cookies and spam have created an increased threat to the privacy of persons.
1.2 OBJECTIVES
After studying this unit, you should be able to:
● discuss the concept of privacy as it exists in different cultures and regions;
● comprehend the range and vastness of the right to privacy;
● know why critics disagree with privacy being an independent right;
● know the modern-day principles of privacy laws;
● know different legal regimes for protecting privacy;
● grasp the human rights angle of privacy;
● know the threats to privacy in new technological milieu; and
● discuss digital and Internet challenges to the concept of privacy.
1. Information privacy, which involves the establishment of rules governing the
collection and handling of personal data such as credit information, and medical
and government records. It is also known as “data protection”;
2. Bodily privacy, which concerns the protection of people’s physical selves against
invasive procedures such as genetic tests, drug testing and cavity searches;
3. Privacy of communications, which covers the security and privacy of mail,
telephones, e-mail and other forms of communication; and
4. Territorial privacy, which concerns the setting of limits on intrusion into the domestic
and other environments such as the workplace or public space. This includes
searches, video surveillance and identity checks.
Please answer the following Self Assessment Question.
The four categories of privacy rights having a tortious remedy, as enumerated by Prosser, are:
1. Unreasonable intrusion upon the seclusion or solitude of another
● Instances of physical intrusion in a person’s home, namely, undesirable entry, peeping into the house through windows with binoculars or camera, telephone tapping, obtrusive telephone calls, and scanning and collating financial and personal data without the person’s consent or knowledge.
2. Appropriation of a person’s name or likeness for advantage of other
● Unlawful use of a person’s name or likeness for advertising and soliciting
clients/consumers on a product label which injures the personal feelings of
the person.
3. Public disclosure of embarrassing private facts
● Financial position, sexual orientation, personal correspondences, family feuds,
medical history, person’s private photographs clicked at his/her home.
4. Publicity placing one in a false light in the public eye
● Instances of putting information in public domain to create a false impression
about the person.
For a detailed discussion on the tortious remedies available for protection of privacy,
please refer to Unit 4 of Block 1.
Please answer the following Self Assessment Question.
1.14 SUMMARY
● Privacy can be defined as an interest of the human personality that protects the
inviolate personality, independence, dignity and integrity of individuals.
● Privacy is a state which can be lost, whether through the choice of the person in
that state or through the action of another person. There are basically three essential
elements in privacy: secrecy, anonymity and solitude.
● Louis Brandeis in his article ‘The Right to Privacy’ articulated the concept of privacy that suggested that it was the individual’s “right to be left alone”38. Brandeis contended that privacy was the most cherished of freedoms in a democracy, and he was concerned that it should be reflected in the Constitution.
● It is difficult to define the meaning and scope of privacy. One of the problems is that the very breadth of the idea produces a lack of definition which weakens its force in political discourse. Nonetheless, privacy can be said to comprise four separate but related aspects:
(i) Information privacy, which involves the establishment of rules governing the
collection and handling of personal data such as credit information, and medical
and government records. It is also known as “data protection”;
(ii) Bodily privacy, which concerns the protection of people’s physical selves against
invasive procedures such as genetic tests, drug testing and cavity searches;
(iii) Privacy of communications, which covers the security and privacy of mail,
telephones, e-mail and other forms of communication; and
(iv) Territorial privacy, which concerns the setting of limits on intrusion into the
domestic and other environments such as the workplace or public space. This
includes searches, video surveillance and identity checks.
● The concept of the right to privacy has historical, cultural and religious connotations which show how extensively privacy is valued and preserved in various cultures.
● Critics dispute that privacy can be accorded the status of a separate right, because any interest protected as private can be equally well explained and protected by other interests or rights, most notably the rights to property and bodily security.
● Prosser codified the principles of privacy law in his article Privacy, 48 Cal.L.Rev.
383 (1960). The four categories of privacy rights having a tortious remedy, as
enumerated by Prosser, are:
(i) Unreasonable intrusion upon the seclusion or solitude of another
(ii) Appropriation of a person’s name or likeness for advantage of other
(iii) Public disclosure of embarrassing private facts
(iv) Publicity placing one in a false light in the public eye.
● History of modern day statutory and legislative framework protecting privacy can
be traced as far back as 1361, where the Justices of the Peace Act in England
provided for the arrest of peeping toms and eavesdroppers. Various countries
developed specific protections for privacy in the centuries that followed.
● Modern privacy jurisprudence developed during the latter half of the 1960s
which saw a flurry of legislative activities across the globe stimulated by
exponential growth in the area of computational technologies and other forms of
telecom and information system automation, such as audio-video devices and
telecommunications.
● Privacy issues do not figure only in academic discourse or courtroom battles; their importance can be gauged by the fact that most international human rights treaties include a reference to privacy.
● Recent technological advances in the way data is stored, transmitted, extrapolated and used pose an imminent threat to privacy.
● Advances in technology have made it possible to violate an individual’s privacy without physically entering his place or property. In the new global order, electronic databases and the Internet are vastly used to share, collate, transmit and analyse personal information, individual choices and preferences, and financial and medical history.
● Privacy concerns have grown manifold in recent years and have been causing havoc. It has become possible to infiltrate someone’s bank account, read private communications, intercept confidential communication, disparage people’s reputation and put an individual’s personal details up in a virtual marketplace.
Terminal Questions
1. Refer to section 1.4 of the unit.
2. Refer to section 1.8 of the unit.
3. Refer to section 1.11 of the unit.
1.17 REFERENCES AND SUGGESTED READINGS
1. “Privacy as an Aspect of Human Dignity”. New York University Law Review
39 (1964): 971
2. “Privacy and the Limits of Law”. Yale Law Journal 89 (1980): 421–428.
6. Privacy and Human Rights 2004. An International Survey of Privacy Laws and
<http://newfirstsearch.oclc.org>.
11. South African Law Reform Commission Privacy and Data Protection report page
12. Supra n. 9.
13. Supra n. 9.
14. Solove, Daniel J. “Conceptualizing Privacy”. California Law Review 90. (2002):
1087.
15. Thomas McIntyre Cooley. Treatise of the Law of Torts. 2nd ed. Callaghan, 1888. 29.
17. Supra n. 8.
18. Mathew, K.K., Judge, Supreme Court of India (Retd.). 4 SCC (Jour) 1 (1979).
22. Samuel Warren and Louis Brandeis. “The Right to Privacy”. Harvard Law Review
4 (1890): 193-220.
23. Supra n. 9.
25. Supra n. 6.
26. Jeanne M. Hauch. “Protecting Private Facts in France: The Warren & Brandeis
Tort is Alive and Well and Flourishing in Paris”. Tulane Law Review 68 (May
1994): 1219.
27. Prof. Dr. Juris Jon Bing. “Data Protection in Norway”. 1996. 8 Jan. 2007
<http://www.jus.uio.no/iri/forskning/lib/papers/dp_norway/dp_norway.html>.
28. Marc Rotenberg. “Fair Information Practices and the Architecture of Privacy (What
29. Supra n. 6.
30. Supra n. 6.
31. Bygrave, Lee A. “Data Protection Pursuant to the Right to Privacy in Human
247–284.
32. The Privacy Law Sourcebook: United States Law, International Law and Recent
33. Gates, Bill. “Shaping the Internet Age”. Internet Policy Institute Dec. 2000. 103.
35. S.K. Verma & Raman Mittal. Legal Dimension of Cyber Space. ILI. 2004.
37. Divan, Madhavi. “The right to privacy in the age of information and
UNIT 2 NATIONAL LEGAL FRAMEWORK FOR PROTECTING PRIVACY
2.1 INTRODUCTION
“The privacy, private life, honour and image of persons are inviolable, and the
right to compensation for property or moral damages resulting from their violation
is ensured; the home is the inviolable refuge of the individual, and no one may
enter therein without the consent of the dweller, except in the event of ‘flagrante
delicto’1 or disaster, or to give help, or, during the day, by court order; the secrecy
of correspondence and of telegraphic, data and telephone communications is
inviolable, except, in the latter case, by court order, in the cases and in the manner
prescribed by the law for purposes of criminal investigation or criminal procedural
finding of facts; access to information is ensured to everyone and the
confidentiality of the source shall be safeguarded, whenever necessary to the
professional activity”
Article 5 [Equality], provided in Chapter I – Individual and Collective Rights and Duties under Title II Fundamental Rights and Guarantees – Constitution of Brazil2.
While privacy issues are now being deliberated upon in the Indian media and have been of interest to academia and jurists, unlike in Brazil, the legal safeguards under the current legal regime in India are limited in nature and scope. Privacy law in India comprises a number of central statutes covering particular sectors and activities, and some constitutional safeguards, which have very occasionally been used in support of privacy rights through actions for unauthorized surveillance, search and seizure, disclosure of personal details, DNA testing, matrimonial discord, defamation, trespass or nuisance.
A majority of countries in the world, including India, do not yet have a specific data protection law; a number of them either have general privacy rights, sometimes entrenched in a constitution, or have sector-specific privacy laws.3 The Constitution of 1950 does not expressly recognise the right to privacy. However, the Supreme Court first recognised in 1964 that there is a right of privacy implicit in the Constitution under Article 21, which states, “No person shall be deprived of his life or personal liberty except according to procedure established by law” [Kharak Singh v. State of UP, 1 SCR 332 (1964)]. So far the law of privacy has been relegated to a penumbral status and has never enjoyed the status of a well-defined right. It is necessary to preserve the tenuous balance between the right of the individual to be let alone and the fundamental rights to free speech, expression and information. In this unit we will closely examine the legal framework and the judicial trends as they exist in India for the protection of the right to privacy.
2.2 OBJECTIVES
After studying this unit, you should be able to:
● familiarize yourself with the position of privacy as under Indian constitutional and
legal framework;
● explain how the Constitution of India addresses the privacy issues;
● appreciate to what extent the Information Technology Act 2000 addresses the
issue of privacy; and
● know the position of right to privacy under various Indian legislations.
2.3.3 Right to Privacy versus Freedom of Press
It is only in R. Rajagopal alias Gopal v. State of Tamil Nadu [(1994) 1 SCC 632], where a question concerning the freedom of the press vis-à-vis the right to privacy of citizens was raised, that the Supreme Court unequivocally stated that the right to privacy is implicit in Art. 21. The dispute in this case was over the publication of the alleged autobiography/life story of Auto Shankar, who was charged and tried for as many as six murders. It was claimed that the autobiography set out the close nexus between Auto Shankar and several IAS, IPS and other officers, some of whom were indeed his partners in several crimes. Three questions arose on the pleadings: “Whether a citizen of this country can prevent another person from writing his life story or biography? Whether the freedom of expression guaranteed by Art. 19 entitles the Press to publish such an unauthorized account of a citizen’s life and activities and if so, to what extent and in what circumstances? What are the remedies open to a citizen of this country in a case of infringement of his right to privacy and further in case such writing amounts to defamation?” The Supreme Court, after considering a number of Indian, American and English cases, came to the conclusion that “the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. It is a right ‘to be let alone’. A citizen has a right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing and education among other matters. None can publish anything concerning the above matters without his consent—whether truthful or otherwise and whether laudatory or critical. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages. The position may, however, be different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a controversy”.
2.10 POSITION UNDER SPECIFIC RELIEF ACT, 1963
According to Section 39 of the Specific Relief Act, 1963, a person has a right to claim
temporary and permanent injunctions against unauthorized disclosure of confidential
information.
2.12 SUMMARY
● Legal safeguards under the current legal regime in India are limited in nature and
scope.
● Neither the Indian Constitution nor any sector-specific privacy law comprehensively addresses privacy concerns.
● Privacy law in India comprises a number of Central statutes covering particular sectors and activities, and the constitutional safeguards, which have very
occasionally been used in support of privacy rights through actions for unauthorized
surveillance, search and seizures, disclosure of personal details, DNA testing,
matrimonial discord, defamation, trespass or nuisance.
● A majority of countries in the world, including India, do not yet have a specific data protection law; a number of them either have general privacy rights, sometimes entrenched in a constitution, or have sector-specific privacy laws.
● The Constitution of 1950 does not expressly recognise the right to privacy.
● However, the Supreme Court first recognised in 1964 that there is a right of privacy
implicit in the Constitution under Article 21 of the Constitution, which states, “No
person shall be deprived of his life or personal liberty except according to procedure
established by law.”
● Privacy rights have their genesis in the law of torts and the constitutional law.
● The Indian courts have seized the opportunities whenever they came and tried
successfully to bring the privacy right within the purview of fundamental rights.
Even though right to privacy is not enumerated as a fundamental right in our
Constitution it has been inferred from Article 21.
● The Supreme Court has categorically stated that the right to privacy, like any other fundamental right, is subject to reasonable restrictions. From these observations of the Supreme Court the following principles emerge:
1. The right to privacy is a fundamental right, implicit in Article 21.
2. It is not an absolute right, but subject to reasonable restrictions like any other fundamental right.
3. The right to privacy can be exercised subject to other rights and values and compelling State and public interest.
● The Information Technology Act, 2000 (the “Act”) does not directly deal with the issue of privacy; nonetheless a few provisions of the Act do touch upon some aspects of privacy.
● The Act deals with issues related to unauthorized access, damage to computers through computer contaminants, hacking, breach of privacy and confidentiality, and publishing false digital signature certificates for fraudulent purposes.
● Section 72 of the Act entitled ‘penalty for breach of confidentiality and privacy’
directly deals with ‘confidentiality’ and ‘privacy’ of individuals.
● Section 66 of the Act deals with hacking.
● Section 43 of the IT Act entitled ‘Penalty for damage to computer, computer
system, etc.’ deals with unauthorized access to a computer system.
● Section 79 of the Act provides for Network Service Provider’s Liability for violation
of privacy of a third party if it makes available any third party information or data
to a person for the commission of an offence or contravention.
● Section 9 of the Freedom of Information Act, 2002, empowers a Public Information
Officer to reject a request for information where it relates to information, which
would cause unwarranted invasion of the privacy of any person.
● The Indian Easements Act, 1882 accords statutory recognition to the customary right of privacy.
● The Indian Penal Code (the “IPC”), though not directly dealing with the infringement of the right to privacy or carving out any specific penal provision against it, has given due weightage to privacy in terms of honouring an individual’s right to maintain solitude, peace, dignity and self-respect, and penalizing unsanctioned intrusion into an individual’s life and affairs.
● Under the Indecent Representation of Women (Prohibition) Act (1987), if an individual harasses another with books, photographs, paintings, films, pamphlets, packages, etc. containing “indecent representation of women”, they are liable for a minimum sentence of 2 years.
● As per the provisions of the Indian Copyright Act, 1957, any person who knowingly
makes use of an illegal copy of a computer program is punishable.
● According to Section 39 of the Specific Relief Act, 1963, a person has a right to
claim temporary and permanent injunctions against unauthorized disclosure of
confidential information.
● The Public Financial Institutions Act, 1993 codifies India’s tradition of maintaining
confidentiality in bank transactions.
2.14 ANSWERS AND HINTS
Self Assessment Questions
1. Yes, under the constitutional law, the right to privacy is implied in the fundamental
right to life and liberty. The Indian courts have seized the opportunities whenever
they came and tried successfully to bring the privacy right within the purview of
fundamental rights. Even though right to privacy is not enumerated as a fundamental
right in our Constitution it has been read in ‘Right to Life’ under Article 21.
2. Sections 43, 66, 72 and 79 of the Information Technology Act, 2000 deal with privacy-related aspects.
3. Information Technology Act, 2000, Right to Information Act, 2002, Indian Penal
Code, 1860, Easements Act, 1882 etc. are some of the legislations touching upon
privacy issues.
Terminal Questions
1. Refer to section 2.3 of the unit.
2. Refer to section 2.4 of the unit.
3. Refer to sections 2.3-2.11 of the unit.
4. Refer to section 2.9 of the unit.
law/icl/br 00000_.html>.
Background paper for Privacy. Seminar Presentation. The Roosevelt Hotel, New
UNIT 3 INTERNATIONAL LEGAL FRAMEWORK FOR PROTECTING PRIVACY
Structure
3.1 Introduction
3.2 Objectives
3.3 The Position in the United States of America
3.4 The Position in the United Kingdom and the European Union
3.5 International Covenant on Civil and Political Rights and other Conventions
3.6 Summary
3.7 Terminal Questions
3.8 Answers and Hints
3.9 References and Suggested Readings
3.1 INTRODUCTION
The degree of intrusion into the private lives of individuals has been a topic of debate for years and has featured prominently in literature. Kautilya’s Arthashastra, an Indian epic dating from approximately 300 B.C., places great emphasis on the role of knowledge gleaned from spies, both within a nation and outside it, in maintaining a grip on power, echoes of which can be seen in Machiavelli’s Prince, written hundreds of years later. And as long as surveillance has been a part of human life, so probably has opposition to its excesses. With the technology now available, a lot of our daily activities are recorded and either monitored in real time by someone or kept for future reference. When you go to a bank to withdraw money from an ATM you are being watched, and when you go to a shop or a superstore you come across a sign that reads “This store is under surveillance”, so you are forewarned. In Fresno, California, security measures included, for the first time in a United States airport, the use of facial recognition technology to scan faces for terrorists as passengers entered security checkpoints. In addition to law enforcement, large companies and businesses use surveillance for a variety of other purposes. They use technology to monitor employee productivity, deter theft and fraud, and ensure safety in the workplace. Having seen the extent of surveillance in our lives, it seems a given that we need to live with it, and this paper explores the ways by which the laws of various jurisdictions seek to achieve “the preservation of basic human rights”, i.e. privacy. It must be kept in mind that the statutes and case laws analysed in this paper are indicative and not exhaustive.
3.2 OBJECTIVES
After studying this unit, you should be able to know:
● the concept of ‘privacy’ in the legal sense;
● the international legal scenario as it stands today, for protection of privacy;
● legal provisions that provide for protection of privacy in US; and
● legal provisions that provide for protection of privacy in EU and UK.
3.3 THE POSITION IN THE UNITED STATES OF AMERICA
American scholars as far back as the 1800s have debated the existence of the right to
privacy. Samuel Warren and Louis Brandeis were pioneers in authoring ‘The Right to
Privacy’, which became the most important article recognising a right of privacy.
Subsequently, President Woodrow Wilson appointed Brandeis to the United States
Supreme Court in 1916, where he endeavoured to lay a foundation for the future privacy
law.
The United States Supreme Court has found a limited “right to privacy” stemming from
a combination of the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments.
The First Amendment provides: “Congress shall make no law respecting an establishment
of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech,
or of the press, or the right of the people peaceably to assemble, and to petition the
Government for a redress of grievances.”
The Third Amendment provides: “No soldier shall, in time of peace be quartered in any
house, without consent of the owner, nor in time of war, but in a manner to be prescribed
by law.”
The Fourth Amendment provides that: “The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall
not be violated, and no warrants shall issue, but upon probable cause, supported by
oath or affirmation, and particularly describing the place to be searched, and the persons
or things to be seized.”
The Fifth Amendment provides in relevant part that: “No person shall ... be compelled
in any criminal case to be a witness against himself, nor be deprived of life, liberty, or
property, without due process of law....”
The Ninth Amendment ‘retained rights clause’ provides: “The enumeration in the
Constitution, of certain rights, shall not be construed to deny or disparage others retained
by the people.”
The Fourteenth Amendment provides in relevant part: “No State shall make or enforce
any law which shall abridge the privileges or immunities of citizens of the United States;
nor shall any State deprive any person of life, liberty, or property, without due process
of law; nor deny to any person within its jurisdiction the equal protection of the laws.”
In Paul vs. Davis [(1976) 424 U.S. 693], the Court found that no privacy right existed
when the police disclosed that the respondent was arrested on a shoplifting charge. The
Court found that the activities detailed were very different from ordered liberty matters
relating to marriage, procreation, contraception, family relationships, child rearing and
education.
The United States Constitution does not provide an explicit right to privacy, but one is implied in the Fourth Amendment, which protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.
In weighing these competing interests, American judges have developed principles that would guide all three branches of the federal government in the application of the Fourth Amendment to national security electronic surveillance. It has been noted that national security cases present a particularly prickly situation because of the tremendous governmental interest and the likelihood of both unreasonable invasions of privacy and jeopardy to free speech rights. Although judges have recognised the vital importance of protecting national security, the primary concern is ensuring the sanctity of political dissent – both public and private – in determining the application of the Fourth Amendment to national security surveillance. The Fourth Amendment is to serve as “an important working part of the machinery of government, operating . . . to check the ‘well-intentioned’ but mistakenly over-zealous executive officers.” This constitutional function cannot be guaranteed when domestic security surveillance is left entirely to the discretion of the executive: “Unreviewed executive discretion may yield too readily to pressure of obtaining incriminating evidence and overlook potential invasions of privacy and protected speech”. Thus, the Courts reiterated their assertion that some interposition of the judiciary between citizens and law enforcement must exist.
The United States has a large number of narrowly-focused privacy laws, consistent with its traditionally incremental approach to legislation. This is in contrast to the trans-sectoral approach of Europe.
Whether the whole adds up to sufficiently comprehensive privacy protection in the US
is in the eye of the beholder. It is clear that to understand completely US privacy
protections, one must look at the various federal pieces, as well as at the matrix of state
laws that adds to the national protections.
Federal privacy (and privacy-affecting) laws include the following:
● Federal Trade Commission Act (1914)
● Fair Credit Reporting Act (1970)
● Privacy Act (1974)
● Freedom of Information Act (1974)
● Family Educational Rights and Privacy Act (1974)
● Foreign Intelligence Surveillance Act (1978)
● Right to Financial Privacy Act (1978)
● Privacy Protection Act (1980)
● Cable Communications Policy Act (1984)
● Electronic Communications Privacy Act (1986)
● Video Privacy Protection Act (1988)
● Employee Polygraph Protection Act (1988)
● Telephone Consumer Protection Act (1991)
● Driver’s Privacy Protection Act (1994)
● Health Insurance Portability and Accountability Act (1996)
● Telecommunications Act (1996)
● Children’s Online Privacy Protection Act (1998)
● Financial Modernization Services Act (1999)
● USA Patriot Act (2001)
It is clear that the United States provides its citizens an implied right to privacy through the Constitution as well as through its various legislations. The rational basis test would imply that a balance has to be struck between the rights of the individual on one hand and societal needs on the other.
Please answer the following Self Assessment Question.
3.6 SUMMARY
● Technology is making it increasingly possible to develop physically non-intrusive
techniques. The use of satellites and other remote monitoring tools has lessened
the need to physically intrude on a person’s privacy.
● Technology cuts both ways and jurisprudence needs to keep up with these changes
to ensure that the use of technology does not spread unchecked.
● In areas other than national security, a system must be put in place so that the
authority that wants to undertake surveillance does not also become the authority
that takes a decision on whether the surveillance is permissible or not.
● Periodic reporting requirements to the authority that sanctioned the surveillance
could be put in place so that the sanctioning authority is aware of whether the
original premise under which the sanction was granted was correct or not.
● In the event a person finds out he/she is the subject of surveillance they need to
have recourse to the courts of law if the surveillance is intruding on their privacy.
● The EU, UK and US have already enacted legislations to afford protection to their
citizens.
● There is a need to ensure that the checks on the misuse of the system keep pace
with change and thereby prevent unjustified intrusions on individuals’ privacy.
Terminal Questions
1. Refer to section 3.3 of the unit.
2. Refer to sections 3.3 and 3.4 of the unit.
UNIT 4 PRIVACY RELATED WRONGS AND REMEDIES THEREOF
Structure
4.1 Introduction
4.2 Objectives
4.3 What are Privacy Related Wrongs?
4.4 Tortious Remedies Available for Protection of Privacy
4.5 IT Act and Damages Available under It
4.6 Summary
4.7 Terminal Questions
4.8 Answers and Hints
4.9 References and Suggested Readings
4.1 INTRODUCTION
There are a number of issues related to privacy related crimes. From a purely academic
point of view one of the most important problems is that of classification: when is it a
privacy related crime and when is it a wrong? This difference is important because it
determines which jurisdiction will be applied to the transgression. For cyber crimes, the
jurisdiction of the criminal court will be attracted, while cyber wrongs are civil wrongs and
therefore only civil court remedies will be attracted. Since it is a relatively new field there
are a number of problems with such a classification. For example, in the case of fraud,
existing legislation generally seems to be a powerful enough instrument under which to
prosecute. However, problems do arise when trying to apply traditional criminal concepts
to acts involving intangible information.1 This is for the simple reason that
information is not per se property; thus when a machine has been deceived to
obtain property then it is theft, but when a machine has been deceived to obtain a
service then it is not a theft2. At this point it would do well to note that the general computer
crimes of fraud, criminal damage, obscenity, forgery, unauthorized access, unauthorized
modification of the contents of the computer, etc. are all bogged down by issues of
forensics, evidence and the basics of criminal prosecution like burden of proof. A very
viable alternative will be the usage of tortious remedies.
Whenever tortious remedies are used they can no longer be called crimes;
instead they will have to go by the nomenclature of ‘wrongs’. In this unit we will basically
look at privacy related cyber wrongs. Tortious remedies can in any case be
considered more appropriate for most privacy related issues. Defamation, for example,
is punished by the awarding of damages. There are certain basic ways in which common
law remedies are available for the enforcement of privacy rights. One of the ways
offered is that statutes may impose a duty to exercise care for the protection of data
from intruders in certain express terms given in the legislation. Such a standard of care
may also be interpreted by the courts in a tortious action, especially when the statute is
silent as regards civil liability.3
The right of privacy is the government’s tortious remedy that attempts to balance two
opposing interests, of which one is that all individuals have parts of their lives which
should rightfully be allowed to be kept free from public view; and on the other side
there is the issue of significant public value which is there in the dissemination of
information and the right to free speech. The contours of existing privacy law are
efforts by courts and the society to define the proper balance between right to be free
from intrusion into private space of an individual and the right of society to obtain
information about issues of public concern.
The common law sources in this regard are basically related to two questions — whether
a tort duty to safeguard the security of computerised personal data exists and how
ordinary tort principles and fiduciary-duty law can be applied to this purpose.4
At this juncture it would be fine to remember that when Warren and Brandeis were
publishing their landmark article which basically established the right of personal
privacy as an independent cause of action in tort, they were reacting to new technology,
mainly mechanical devices which enabled a number of actors, like the press to overstep
in every direction the obvious bounds of propriety and of decency. Presently when we
try to conceptualize action against tort wrongs as regards privacy over the Internet
and cyberspace, it seems that the very same concerns have raised their heads again,
even in a different space and time.
However, in India the constitutional remedies available become more important, if
anything, for the simple reason that enforcement is very simple due to the convenience
of writs. The Supreme Court has in the past read the Right to Privacy into the Right to
Life (this has been discussed elsewhere in other Blocks) and that means there exists a
constitutional right, and thus one can immediately approach the High Courts in this
regard. On the other hand, if one wants to use the law of torts then he will have to go to the
lower civil courts. The enactment of the Information Technology Act (IT Act) has
resolved things to a certain extent, so that some of the tortious remedies have been
incorporated into the provisions of the Act. These provisions are really important for
the reason that the courts in India are generally wary of awarding high damages in tort
cases. Section 43 of the IT Act, on the other hand, allows for the highest amount of
compensation that is available in law in India, and the buzz is that this amount might be
raised even further by the legislators while amending the IT Act.
4.2 OBJECTIVES
After studying this unit, you should be able to:
● differentiate between a privacy related crime and a privacy related wrong;
● define the various kinds of privacy related wrongs; and
● suggest the legal remedies for such privacy related wrongs.
4.6 SUMMARY
● There are a number of issues related to privacy related crimes. From a purely
academic point of view one of the most important problems is that of classification
—when is it a privacy related crime and when is it a wrong?
● For cyber crimes, the jurisdiction of criminal court will be attracted while cyber
wrongs are civil wrongs and therefore only civil court remedies will be attracted.
Since it is relatively new field there are a number of problems with such a
classification.
● There are certain basic ways in which common law remedies are available for the
enforcement of privacy rights. One of the ways offered is that statutes may impose
a duty to exercise care for the protection of data from intruders in certain express
terms given in the legislation.
● Classes of tort actions in relation to privacy matters can broadly be classified
into four heads:
● Tort of Intrusion
● Public Disclosure of Private Facts
● False Light Publicity
● Appropriation
● Tort of Intrusion: No strict prohibitions imposed for using the personal information
we voluntarily disclose in an e-mail and other cyberspace communications. This
tort provides probably the best remedy especially because monitoring telephone
or e-mail messages without justification or consent would probably outrage the
conscience of a reasonable person which is an essential ingredient of this tort.
● False Light Publicity: This tort has not been used much for enforcing privacy rights
in cyberspace. Even though cyber defamation is not unheard of, it is often classified
as a crime rather than a wrong.
● Public Disclosure of Private Facts: It does not apply to information parted online
as in most instances parties have to click-contract the consent to the ISPs/companies
operating online. This information then remains stored in their online databases
and can be used for a number of purposes.
● Appropriation: Many problems arise while considering online spaces like online
newsletters, websites as news disseminators. In Howard Stern v Delphi Services
Corporation, the court held that the online bulletin board is a news disseminator
and usage of the name and photograph of Stern is permitted as it is allowed for
them to inform the public of the nature of their service and therefore it will be
covered by the exception of incidental use.
● Database Possessor’s Duty of Care: Palsgraf v Long Island Railroad Co. and
Kline v. 1500 Massachusetts Avenue Apartment Corp are the cases which are
the pillars of American tort law and set down the basic rule of duty.
● In negligence cases whenever an undertaking has been given, the economic losses
will not be compensated according to the Restatement of Torts in the US.
4.9 REFERENCES AND SUGGESTED READINGS
1. Chris Reed and John Angel. Computer Law. New Delhi: Universal Law Publishing,
2002: 279.
2. Ibid.
3. Vincent R. Johnson. “Cyber Security, Identity Theft, and the Limits of Tort Liabil-
4. Ibid.
7. Supra n 3.
UNIT 5 THE CONCEPT OF SECURITY IN CYBERSPACE
Structure
5.1 Introduction
5.2 Objectives
5.3 Cyberspace – Why is it not Secure?
5.4 Why Should We Secure Cyberspace?
5.5 Security Challenges in Cyberspace
5.5.1 Hacking
5.5.2 Child Pornography
5.5.3 Cyber Stalking
5.5.4 Denial of Service
5.5.5 Dissemination of Malicious Software (Malware)
5.5.6 Phishing
5.5.7 Information Warfare
5.5.8 Data related
5.5.9 Network Related
5.6 The Concept of Cyber Security
5.6.1 Technology’s Answers to Cyber Security
5.6.2 Cyber Security and Law
5.7 Computer Related or Computer Facilitated Crime
5.8 Application of Basic Criminal law Concepts
5.9 Summary
5.10 Terminal Questions
5.11 Answers and Hints
5.12 References and Suggested Readings
5.1 INTRODUCTION
It will be interesting for us to understand the meaning of ‘cyberspace’ before addressing
issues concerning its security.
The word ‘cyberspace’ was coined by William Gibson, a Canadian science fiction
writer, in 1982 in his novelette ‘Burning Chrome’ in Omni magazine, and was
subsequently popularised in his novel Neuromancer.
Cyberspace should not be confused with the ‘internet’. While the internet is the
interconnection between millions of computers located around the world, each of them
independently managed by persons who have chosen to adhere to common
communications protocols, particularly a fundamental protocol suite known as
Transmission Control Protocol/Internet Protocol (TCP/IP), which makes it practical
for computers to share data even if they are far apart and have no direct line of
communication, the term ‘cyberspace’ is often used simply to refer to objects and
identities that exist largely within the computing network itself, so that a web site, for
example, might be metaphorically said to ‘exist in cyberspace’. According to this
interpretation, events taking place on the internet are not therefore happening in the
countries where the participants or the servers are physically located, but ‘in cyberspace’.
When we sit in front of a computer and switch it on, something like magic happens
before us; if we are correctly connected we can bring up an environment of hypertext
with a click of the mouse. It feels as though behind the screen there is a potentially very
huge reservoir of information that is always in the making. Such a reservoir is somewhere,
out there. We are certainly aware that the people who generate information, and the place
wherein information resides, are not behind the screen or in the hard drive, but we
nevertheless take the computer as a gateway to another place where other people have
done similar things. Conceptually, we tend to envision a nonphysical ‘space’ existing
between here and there, and believe that we can access that ‘space’ by utilizing
computer-based technologies. We send messages to others by e-mail, or talk to others
in a chat room. We play an online interactive game as if our opponent (in the game) is
right before us, though invisible. By participating in an on-line teleconference, we
experience the presence of other conference participants. But where are we? Where
are the others with whom we communicate? We seem to communicate in a medium
that is not defined, yet there is a sense of spatiality. Usually, we call this medium ‘cyberspace’,
the ‘space’ that seems to open up or shut down as the computer screen is activated or
deactivated.
5.2 OBJECTIVES
After studying this unit, you should be able to:
● know the meaning of ‘cyberspace’;
● know the reasons for security concerns in cyberspace;
● explain the need to secure cyberspace;
● describe the specific security challenges to cyberspace;
● explain the concept of Cyber Security; and
● know the distinction between computer related and computer facilitated crime.
5.5.1 Hacking
Hacking in simple terms means an illegal intrusion into a computer system and/or
network. There is an equivalent term to hacking i.e. cracking, but from Indian legal
perspective there is no difference between the term hacking and cracking. Every act
committed towards breaking into a computer and/or network is hacking. Hackers write
or use ready-made computer programs to attack the target computer. Some hackers
hack for personal monetary gains, such as for stealing credit card information or
transferring money from various bank accounts to their own followed by withdrawal of
money. They also indulge in extortion based on information received while hacking a
particular network or computer system.
i) Unilateral Technology
Unilateral technologies are technologies that each user can decide upon for themselves.
Therefore, neither coordination nor negotiation is needed concerning their use. Important
unilateral technologies for multilateral security are:
● Tools to help even inexperienced users to formulate all their protection goals, if
necessary for each and every application or even each and every action;
● (Portable) devices which are secure for their users in order to bootstrap security.
The devices need at least minimal physical protection comprising direct input/output
with their users and, if they are multipurpose, an operating system providing
fine-grained access control and administration of rights for applications, adhering to
the principle of least privilege. This is essential to limit the spread of Trojan horses,
and can prevent computer viruses completely;
● Encryption of local storage media to conceal and/or authenticate its contents;
● Hiding of secret data in local multimedia contents or in the local file system using
steganographic techniques, not only to conceal the contents of the secret data, but
also its very existence;
● Watermarking or fingerprinting digital data using steganographic techniques
to help prove authorship or copyright infringements; and
● Using only software whose source code is published and well checked or the
security of which is certified by a trustworthy third party having access to the
complete source code and all tools used for code generation. The best technique
is to combine both approaches with regard to as much of the software as possible.
It is only by using at least one of these two approaches that you can be reasonably
certain that the software you use does not contain Trojan horses. More or less the
same applies to hardware where all sources and tools used for design and
production are needed as well to check for the absence of Trojan horses.
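One of the unilateral measures listed above, encryption of local storage media that both conceals and authenticates its contents, as an added Go example that is not from the unit or from any particular product: a constructed sample record is sealed with AES-256-GCM, bound to a label such as the file name it belongs to, and read back; the example then shows that a one-bit change in the stored blob, or an attempt to open it under a different label, is rejected before any plaintext is released. The key generation, the blob layout (nonce, ciphertext, tag) and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed stand-in for the contents of a local
// storage medium; it is not data from the unit.
var SampleRecord = []byte("patient-id=12345; diagnosis=confidential")

// NewKey draws a fresh 256-bit key from the OS CSPRNG. How the key itself
// is protected (passphrase, smart card, TPM) is outside this example.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM.
// Blob layout (an assumption of this example): nonce || ciphertext || tag.
// The label is authenticated but not encrypted, so a blob copied under a
// different name fails to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open checks the tag before returning anything: a modified nonce,
// ciphertext, tag or label yields an error and no plaintext.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Outcome records what a round trip and two tampering attempts produced.
type Outcome struct {
	Recovered       string // plaintext read back with the right key and label
	TamperDetected  bool   // a one-bit change in the stored blob is rejected
	RelabelDetected bool   // opening under another label is rejected
}

// Demo seals SampleRecord, reads it back, then alters the stored copy.
func Demo() (Outcome, error) {
	key, err := NewKey()
	if err != nil {
		return Outcome{}, err
	}
	label := []byte("records.db") // constructed file name used as the label
	blob, err := Seal(key, SampleRecord, label)
	if err != nil {
		return Outcome{}, err
	}
	pt, err := Open(key, blob, label)
	if err != nil {
		return Outcome{}, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // one-bit change inside the ciphertext
	_, errTamper := Open(key, tampered, label)
	_, errLabel := Open(key, blob, []byte("other.db"))
	return Outcome{
		Recovered:       string(pt),
		TamperDetected:  errTamper != nil,
		RelabelDetected: errLabel != nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

The point of using an authenticated mode rather than plain encryption is the second half of the bullet: the medium's contents are not only concealed but their integrity is checked on every read, so silent corruption or deliberate modification of the stored bytes surfaces as an error rather than as subtly wrong data.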
ii) Bilateral Technologies
Bilateral technologies can only be used if the communication partners cooperate. This
means that some coordination and negotiation is needed concerning their use. Bilateral
technologies include tools for negotiating security mechanisms and cryptographic and
steganographic mechanisms for securing content.
Important bilateral technologies for multilateral security are:
● Tools to negotiate bilateral protection goals and security mechanisms.
● Cryptographic mechanisms and steganography mechanisms to secure the
communication content.
iii) Trilateral Technologies
Trilateral technologies can only be used if a third party is involved to fulfill a specific task
for the other participating parties. This means that more coordination and negotiation is
needed concerning their use compared with unilateral – and in most cases as well,
bilateral – technologies. Important trilateral technologies for multilateral security are:
● Tools to negotiate trilateral security mechanisms, e.g. for accountability;
● To provide an access infrastructure, whereby the users use certain access parameters
while transmitting data. Users will have the liberty to change the access tools to
prevent data interception;
● Security gateways provided by third parties are gaining popularity. Security
gateways are provided in the internet to facilitate limited access to participating
users only. This is often used by users for exchange of confidential information at a
pre-determined secured gateway; and
● Mechanisms to provide for digital pseudonyms, i.e. a suitable combination of
anonymity and accountability. In particular, there are mechanisms to securely transfer
signatures between different pseudonyms of the same party. This is called transferring
signatures between pseudonyms.
When pseudonyms are used during accountable value exchange, there are a number of
possibilities for the tasks of the integrated third party:
● Identification of the user in event of fraud (pseudonyms are certified and the
certification authority knows real identities), i.e. privacy of pseudonymous parties
cannot be guaranteed.
● Mandatory deposit of payment with an active trustee to prevent fraud in spite of
completely anonymous pseudonyms, i.e. privacy of the pseudonymous parties
can be guaranteed.
Trilateral security technologies include public key infrastructure techniques which can
use certified public keys, security gateways, and digital pseudonyms.
iv) Multilateral Technologies
Multilateral technologies can only be used if a large number of independent parties
cooperate. This means that coordination and possibly negotiation are needed on a
large scale. Important multilateral technologies for multilateral security are:
● Tools to negotiate multilateral protection goals and security mechanisms, e.g. for
anonymity and unobservability.
● Mechanisms to provide anonymity, unobservability, and unlinkability with regard
to communications, i.e. protect who communicates when to whom and from where
to where.
5.8 APPLICATION OF BASIC CRIMINAL LAW
CONCEPTS
Common concepts of the criminal law such as “aiding and abetting” or “attempt” may
be also applied to Cybercrime. For example, launching a virus with intent to disrupt
service might be a crime under the concept of intent even if the virus didn’t work as
intended. Similarly, if a nation’s law has the concept of aiding and abetting, that
might be applied to cyber-crime, such that one who intentionally produces a virus and
provides it to another knowing or intending that it will be used to destroy data or
interfere with a system may be guilty of data or network interference caused by the
virus even if the virus was introduced into a network by someone else.
Let us now summarize the points covered in this unit.
5.9 SUMMARY
● ‘Cyberspace’ refers to objects and identities that exist largely within the
computing network and is different from the term ‘internet’.
● There are serious threats associated with cyberspace on account of the technology:
packet-switching protocols, the end-to-end network design and the impossibility
of centralized control.
● There is an urgent widespread requirement to protect and secure cyberspace on
account of it being a target of creative misuse.
● Some of the common cyber related violations or crimes are as follows:
(i) Hacking
(ii) Child pornography
(iii) Cyber stalking
(iv) Denial of service
(v) Malware
(vi) Phishing
(vii) Information warfare
(viii) Data related violations
(ix) Network related violations
● Cyber Security rests upon the two pillars of (a) technological innovations, and its
applications by end users; and (b) legislations against cyber crimes.
● Technology’s answers to cyber security include unilateral, bilateral, trilateral and
multilateral technologies.
● Illegal cyber interference may be on account of (a) data interception (b) data
interference (c) system interference and (d) illegal access.
● Common concepts of criminal law are applicable to cyber crime.
Terminal Questions
1. Refer to section 5.3 of the unit.
2. Refer to section 5.5 of the unit.
3. Refer to section 5.5 of the unit.
4. Refer to section 5.6 of the unit.
5. Refer to section 5.6 and 5.8 of the unit.
UNIT 6 TECHNOLOGICAL VULNERABILITIES
Structure
6.1 Introduction
6.2 Objectives
6.3 Computer Hacking
6.4 Intrusion Techniques
6.5 Vulnerabilities and Exploitation of Vulnerabilities
6.6 Controls against Malicious Software
6.7 Latest Update on Technological Vulnerabilities
6.8 Definition of Common Attacks and Vulnerabilities
6.9 Summary
6.10 Terminal Questions
6.11 Answers and Hints
6.12 References and Suggested Readings
6.1 INTRODUCTION
Individuals and organizations across the world are increasingly using computers, Internet
and computer networks (collectively hereinafter referred to as “Information Systems”)
in almost all spheres of life from personal use to launch of spacecrafts. This dependence
on Information Systems has made them critical to the very survival of business, economy
and infrastructure of the world. As the criticality of Information Systems increases so
do the vulnerabilities that increasingly face them. Some vulnerabilities are due to human
interference and some others are due to obsolete technology or the usual wear and tear
during usage. This paper aims to provide a basic understanding of some of the more
critical technological vulnerabilities that Information Systems may face today. The paper
also explores some basic concepts of ensuring that Information Systems are protected
from these technological vulnerabilities.
6.2 OBJECTIVES
After studying this unit you should be able to:
● describe technological vulnerabilities of Information Systems;
● know the concept of hacking;
● describe effective security measures that may be implemented to prevent exploitation
of the vulnerabilities of Information Systems;
● know the latest update on technological vulnerabilities; and
● give definitions of common attacks and vulnerabilities.
6.3 COMPUTER HACKING
In order to understand the technological vulnerabilities of the Information Systems it is
first imperative to understand the information security sphere. Hackers make use of the
vulnerabilities and gain access to Information Systems. Computer hacking is also referred
to technically as “intrusion” which may be defined as an attempt to break into or misuse
a computer system. Misuse of the computer system may be a simple act of sending
prank messages from the user’s e-mail system to a potentially damaging act of stealing
confidential information from the user. Computer hackers are also of many ranges and
types; some hack for intellectual highs while other hack for money. There is no absolute
or foolproof method to prevent hacking or safeguard your computer system against
hacking. However IT professionals need to be aware of the range and risk of hacking
and should take reasonable precautions to safeguard their computer systems.
6.9 SUMMARY
● Hacking is a serious problem and a consistent one for which no permanent solution
has been derived.
● Back ups are an essential and integral process of securing information.
● The most prevalent ways by which a hacker can get into a computer system are
physical intrusion, system intrusion and remote intrusion.
● Software bugs, system configuration bugs, Internet browsers and operating
systems, password access, insecure modems, cookies, denial of service, attacks
on the Internet Domain Name System, attacks against routers, viruses and trojans
are some of the vulnerabilities that are exploited by hackers.
● Software bugs can be classified into buffer overflows, unexpected combinations
and race conditions.
● System configuration bugs are security holes which develop in the system due to
the manner in which the system has been configured for use, usually by the
administrator.
● Internet Browsers and Operating Systems also have security holes, which are
regularly exploited by hackers to install bugs, viruses and trojans or for them to be
downloaded through various infected sources. This includes URL, HTTP, HTML,
and JavaScript, Frames, Java and ActiveX attacks.
● Password Access is the key to any computer system. The first major flaw in
password access is weak or easy to guess passwords.
● Social engineering is also used to gain access to passwords; it is hacker-speak for
conning legitimate computer users into providing useful information that helps the
hacker gain unauthorized access to their computer system.
● A cookie is a small program that may be placed on a computer.
● A virus is a small, self-contained piece of computer code hidden within another
computer program; it can reproduce, infect other computers, and then lie dormant
for months or years before it strikes.
● A virus is only one of several types of “malicious logic” that can harm your computer
or your entire network. Worms, logic bombs, and trojan horses are similar
“infections” commonly grouped with computer viruses.
● The detection and prevention controls to protect against malicious software and
appropriate user awareness procedures should be implemented.
Terminal Questions
1. Refer to section 6.3 of the unit.
2. Refer to section 6.5 of the unit.
3. Refer to section 6.5 of the unit.
4. Refer to section 6.5 of the unit.
5. Refer to section 6.5 of the unit.
6. Refer to section 6.6 of the unit.
UNIT 7 LEGAL RESPONSES TO TECHNOLOGICAL VULNERABILITIES
Structure
7.1 Introduction
7.2 Objectives
7.3 India
7.3.1 The Information Technology Act, 2000
7.3.2 RBI Guidelines on Information Security Applicable to Banks in India
7.4 United States of America: The CFAA, DMCA and Case Laws
7.4.1 Computer Fraud and Abuse Act (CFAA)
7.4.2 The Digital Millennium Copyright Act (DMCA)
7.4.3 eBay case in the US
7.4.4 Liability in Torts
7.5 Summary
7.6 Terminal Questions
7.7 Answers and Hints
7.8 References and Suggested Readings
7.1 INTRODUCTION
The information and the supporting processes, the computer systems and the networks,
used for provision of services by an organization or for the running of the organization
are crucial assets of the organization or the individual using the information systems.
The confidentiality, integrity and availability of information is essential for any
organization to maintain its competitive edge, cash-flow, profitability, legal compliance
and commercial image. It is imperative for each organization to put in place adequate
security controls to ensure data accessibility to all the authorized users, data
inaccessibility to all the unauthorized users, and maintenance of data integrity and
implementation of safeguards against all security threats to guarantee information
and information systems security across the organization.
Information systems and the networks of the organization are increasingly facing security
threats from a wide range of sources including computer-assisted fraud, espionage,
sabotage, vandalism etc. The sources of damage such as the computer viruses, computer
hacking and denial of service attacks have become more common, more ambitious and
increasingly sophisticated in the networked environment. Increasingly across information
systems the interconnection between the public and the private networks and the sharing
of the information assets/ resources will increase the difficulty of ensuring security for
information and the information systems.
Apart from the technical and administrative measures, which need to be put in place by
the organization itself to ensure information security, legal responses to tackle and prevent
such information security breaches are essential to ensure that information systems are
protected legally and there are effective recourses available against offenders and
hackers. Governments across the world are realising the importance of having effective
legal responses to hacking and misuse of information systems and have enacted various
laws in this regard. This paper explores some such legal responses by relevant
Governments. At the outset it is clarified that this paper will not deal with data protection
laws, which are different from the information security laws that are the subject matter
of this paper.
7.2 OBJECTIVES
After studying this unit, you should be able to:
● familiarize yourself with the threats to information systems in different jurisdictions;
● know the different legislations enacted to counter such threats in India; and
● know the different legislations enacted to counter such threats in the US.
7.3 INDIA
7.3.1 The Information Technology Act, 2000
In May 2000, both the houses of the Indian Parliament passed the Information
Technology Bill. The Bill received the assent of the President in August 2000 and came
to be known as the Information Technology Act, 2000. The Act is a first step towards
making e-commerce and e-transactions in India safer and a viable alternative to paper
based transactions. The Act provides various mechanisms which encourage and
recognise information security measures chief amongst them being digital signatures.
Digital Signatures
The Act has adopted the Public Key Infrastructure (PKI) for securing electronic
transactions. As per Section 2(1)(p) of the Act, a digital signature means an authentication
of any electronic record by a subscriber by means of an electronic method or procedure
in accordance with the other provisions of the Act. Thus a subscriber can authenticate
an electronic record by affixing his digital signature. A private key is used to create a
digital signature whereas a public key is used to verify the digital signature and electronic
record. They both are unique for each subscriber and together form a functioning key
pair.
Section 5 provides that when any information or other matter needs to be authenticated
by the signature of a person, the same can be authenticated by means of the digital
signature affixed in a manner prescribed by the Central Government. Under Section
10, the Central Government has powers to make rules prescribing the type of digital
signature, the manner in which it shall be affixed, the procedure to identify the
person affixing the signature, the maintenance of integrity, security and confidentiality
of electronic records or payments and rules regarding any other appropriate matters.
Furthermore, these digital signatures are to be authenticated by Certifying Authorities
(CAs) appointed under the Act. These authorities would inter alia have the license to
issue Digital Signature Certificates (DSCs). The applicant must have a private key that
can create a digital signature. This private key and the public key listed on the DSC
must form the functioning key pair.
Legal Responses to Technological Vulnerabilities
Once the subscriber has accepted the DSC, he shall generate the key pair by applying
the security procedure. Every subscriber is under an obligation to exercise reasonable
care and caution to retain control of the private key corresponding to the public key
listed in his DSC. The subscriber must take all precautions not to disclose the private
key to any third party. If however, the private key is compromised, he must communicate
the same to the Certifying Authority (CA) without any delay.
Issuance, Suspension and Revocation of Digital Signature Certificates
As per Section 35, any interested person shall make an application to the CA for a
DSC. The application shall be accompanied by filing fees not exceeding Rs. 25,000
and a certification practice statement, or in the absence of such statement any other
statement containing such particulars as may be prescribed by the regulations. After
scrutinizing the application, the CA may either grant the DSC or reject the application
furnishing reasons in writing for the same.
While issuing the DSC, the CA must inter alia, ensure that the applicant holds a private
key which is capable of creating a digital signature and corresponds to the public key to
be listed on the DSC. Both of them together should form a functioning key pair. The
CA also has the power to suspend the DSC in public interest on the request of the
subscriber listed in the DSC or any person authorized on behalf of the subscriber.
However, the subscriber must be given an opportunity to be heard if the DSC is to be
suspended for a period exceeding fifteen days. The CA shall communicate the
suspension to the subscriber.
There are two cases in which the DSC can be revoked. Firstly, as per Section 38 (1),
it may be revoked either on the request or death of the subscriber or when the subscriber
is a firm or company, on the dissolution of the firm or winding up of the company.
Secondly, according to Section 38(2), the CA may suo motu revoke it if some material
fact in the DSC is false or has been concealed by the subscriber, or the requirements for
issue of the DSC are not fulfilled, or the subscriber has been declared insolvent or dead,
etc. A notice of suspension or revocation of the DSC must be published by the CA in
a repository specified in the DSC.
Computer Crimes
The Act deals with some more computer crimes and provides for penalties for these
offences. Chapters IX and XI of the Act deal with civil liabilities for offences and
criminal offences respectively. Civil liabilities and the awarding of compensation or
damages for certain types of computer fraud have been provided for in the Act.
Section 65 punishes tampering with computer source documents with imprisonment up
to three years, or with a fine which may extend up to two lakh rupees, or with both.
Computer source code is defined as the listing of programmes, computer commands,
design and layout and programme analysis of a computer resource in any form.
Section 66 punishes hacking of a computer system with imprisonment up to three
years, or with a fine which may extend up to two lakh rupees, or with both.
Section 72 provides the penalty for breach of confidentiality and privacy: imprisonment
for a term which may extend to two years, or a fine which may extend to one lakh rupees,
or both.
Acting as intermediaries between the various people accessing the net, Internet Service
Providers run the risk of being held liable for information that is transmitted over their
service networks. Chapter XII of the Act excludes a Network Service Provider from
any civil or criminal liability under the Act, Rules or Regulations framed thereunder, for
any third party information or data made available by him, if he proves that the offence
was committed without his knowledge, or that he had exercised all due diligence to
prevent the commission of such offence.
Proposed Amendments to the IT Act 2000
In the wake of the growing importance of protecting information systems, the
Government of India has proposed certain amendments to the IT Act 2000 aimed at
achieving this goal. Section 43 of the IT Act is proposed to be amended to say that if any
body corporate, that owns or handles sensitive personal data or information in a computer
resource that it owns or operates, is found to have been negligent in implementing and
maintaining reasonable security practices and procedures, it shall be liable to pay damages
by way of compensation not exceeding Rs. 1 crore to the person so affected. Reasonable
security practices and procedures have been defined as such security practices and
procedures as appropriate to the nature of the information to protect that information
from unauthorized access, damage, use, modification, disclosure or impairment, as may
be prescribed by the Central Government in consultation with the self-regulatory bodies
of the industry, if any.
Section 66 of the IT Act, while making unauthorized access to a computer system an
offence, also makes unauthorized downloading/extraction of data an offence.
Under the proposed amendments to Section 72 of the IT Act, if any intermediary who
by virtue of any subscriber availing his services has secured access to any material or
other information relating to such subscriber, discloses such information or material to
any other person, without the consent of such subscriber and with intent to cause injury
to him, such intermediary shall be liable to pay damages by way of compensation not
exceeding Rs. 25 lakhs to the subscriber so affected. Further the amendments to Section
72 also propose to make video voyeurism an offence under the Act.
Please answer the following Self Assessment Question.
Self Assessment Question 2 Spend 4 Min.
What is the difference between the CFAA and the DMCA?
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
...............................................................................................................................
7.5 SUMMARY
● Information security incidents have been on the rise.
● Organizations and individuals have had to suffer a lot of damage.
● India has inadequate laws to deal with such information security issues.
● The Information Technology Act, 2000 provides various mechanisms which
encourage and recognise information security measures.
● The Act has adopted the Public Key Infrastructure (PKI) for securing electronic
transactions.
● The Act deals with some more computer crimes and provides for penalties
for these offences. Chapters IX and XI of the Act deal with civil liabilities for
offences and criminal offences respectively.
● India needs to develop jurisprudence on these laws.
● US and UK laws have evolved but are still facing myriad technological challenges
and are struggling to keep pace with the changes.
5. Analyse and explain the concept of negligence in tort and its relationship to
information security and how liability may be imposed on an individual or an
organization through the concept of negligence.
6. What is the defence available to a charge of negligence in the context of information
security and what processes/policies should an individual/company have in place
to substantiate such defence?
Terminal Questions
1. Refer to section 7.1 of the unit.
2. Refer to section 7.3 of the unit.
3. Refer to section 7.4 of the unit.
4. Refer to section 7.4 of the unit.
5. Refer to section 7.4 of the unit.
6. Refer to section 7.4 of the unit.
Security Audits
UNIT 8 SECURITY AUDITS
Structure
8.1 Introduction
8.2 Objectives
8.3 Risk Assessment and Classification of Information Systems
8.4 Security Audits
8.4.1 Understanding the Importance of Information to Your Business
8.4.2 Understanding Information Security Related Assets
8.4.3 Understanding How Assets are Used, by Whom and for What Reason
8.4.4 Understanding Security Management
8.4.5 Understanding Your Broader Obligations
8.5 Security Policy, Standards and Procedures
8.5.1 Security Policy
8.5.2 Security Standards
8.5.3 Protection of System Audit Tools
8.5.4 Importance of Audit Trails During Audits
8.5.5 Sensitive System Isolation
8.5.6 Monitoring of System Use – Procedures and Areas of Risk
8.6 Summary
8.7 Terminal Questions
8.8 Answers and Hints
8.9 References and Suggested Readings
8.1 INTRODUCTION
An organization’s networks and computer systems (“Information Systems”) are the
means by which it communicates and shares information with all its users. During this
process the Information Systems may come under attack from both internal and
external sources. In order to minimize these attacks and the risks associated with
them, organizations need to do two things above all, which will be discussed in this
unit and are also the objectives of this unit.
8.2 OBJECTIVES
After studying this unit, you should be able to:
● know the processes of conducting an assessment of risks against all Information
Systems of the organization;
● explain the concept of security audit;
● discuss various Information Security policies and measures (including technological,
administrative and physical); and
● appreciate the requirements to conduct regular audits to verify the effectiveness of
the Information Security measures and policies.
Please answer the following Self Assessment Question.
– Fit appropriate locks or other physical controls to the doors and windows of
rooms where you keep your computers.
– Physically secure lap tops when they are unattended (for example, by locking
them in a drawer overnight).
– Ensure that you control and secure all removable media, such as removable
hard-drives, CDs, floppy disks and USB drives, attached to your business-
critical assets.
– Make sure that you destroy or remove all business-critical information from
media such as CDs and floppy disks before disposing of them.
– Make sure that all business-critical information is removed from the hard
drives of any used computers before you dispose of them.
– Store back-ups of your business-critical information either off-site or in a
fire- and water-proof container.
● Access controls
– Use unique passwords that are not obvious (not birth dates or easily found
or guessed information) and change them regularly, preferably every three
months.
– Use passwords that contain letters in both upper and lower case, numbers
and special keys, and are six or more characters in length. It helps if you
consider your password as a memorable sentence, rather than a single word.
For example, the sentence: “at forty-two I’m a star!” could be translated
into an eight-character password that looks like this: @42Ima*!
– Don’t write your password down, and never share it with anyone. If you do
have to share it, make sure you change it as soon as possible — no matter
how well you trust the person you shared it with!
● Security technology
– All computers used in your business should have anti-virus software installed,
and the virus definitions must be updated at least once a week (many providers
have a one-click update). All incoming and outgoing traffic should be scanned
for viruses, as should any disk or CD that is used, even if it is from a ‘trusted’
source. At least once a month, computers should be scanned for viruses.
– If your computers are connected to the Internet, and especially if you use a
broadband connection, you must deploy a software firewall. This will help to
prevent malicious code from entering your computer and potentially
compromising the confidentiality, integrity and availability of your network. It
will also help to stop your system being used to attack other systems without
your knowledge. Software firewalls for use by non-professionals are readily
available at a reasonable cost. Your operating system, virus control software
or ISP may also offer a firewall. Consumer and popular trade magazines
compare firewall functions and features of well-known products, and so are
a good source of information. Free shareware firewalls are available, but
these usually require expert knowledge for correct use.
– If your business has a small network that is connected to the Internet, you
should consider deploying an ‘all-in-one’ hardware box that contains a firewall,
anti-virus program and an intrusion detection system. This will greatly simplify
your use and maintenance of essential Internet security technology.
● Personnel
– Perform integrity checks on all new employees to make sure that they have
not lied about their background, experience or qualifications.
– Give all new employees a simple introduction to information security, and
make sure that they read and understand your information security policy.
Make sure they know where to find details of the information security standards
and procedures relevant to their role and responsibilities.
– Ensure that employees have access only to the information assets they need
to do their jobs. If they change jobs, make sure that they do not retain their
access to the assets they needed for their old job. When dismissing employees,
ensure that they do not take with them any business-critical information.
– Make sure that no ex-employees have access rights to your systems.
– Make sure your employees know about the common methods that can be
used to compromise your system. These include e-mail messages that contain
viruses and ‘social engineering’ ploys used by hackers to exploit employees’
helpfulness to gain information that will give them access to your system.
Examples of ‘social engineering’ include a hacker using the telephone to pose
as a systems maintenance engineer or pretending to be a new employee.
● Security Incident/Response
– A security incident is any event that can damage or compromise the
confidentiality, integrity or availability of your business-critical information or
systems.
– It is important to make your staff aware of telltale signs of security incidents.
These could include:
- strange phone requests, especially for information
- unusual visitors
- strange patterns of computer activity
- unusual appearance of computer screens
- computers taking longer than usual to perform routine tasks.
– Your staff should understand that it is always better to notify the right person
if they observe anything that might be a telltale sign of a security incident.
– If a security incident happens, employees should know who to contact and
how.
– You should have in place a plan to assure business continuity in the event of a
serious security incident. The plan should specify:
- designated people involved in the response;
- external contacts, including law enforcement, fire and possibly technical experts;
- contingency plans for foreseeable incidents such as power loss, natural disasters
and serious accidents, data compromise, no access to premises, loss of essential
employees, and equipment failure.
– Your plan should be issued to all employees and should be tested at least
once a year, even if you haven’t had a security incident.
After every incident when the plan is used, and after every test, the plan should be re-
examined and updated as necessary using the lessons learned.
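The access-control bullet in the checklist above states a concrete password rule (six or more characters; upper and lower case letters, digits and special characters; nothing obvious such as a birth date) and gives “@42Ima*!” as a passphrase-derived example. The block below is an added example of enforcing exactly that rule at account creation; it is not code from this unit or any product. The date-pattern heuristic and the small blocklist of “easily guessed” values are my own assumptions, and a real deployment would check against a large breached-password list rather than a five-entry set.

```python
"""Password policy check for the access-control checklist rule above.
Added example, not from the unit; the date heuristic and blocklist are assumptions."""
import re
import string
from typing import List

MIN_LENGTH = 6

# Constructed blocklist standing in for a breached-password list.
OBVIOUS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Strings that are nothing but a date in common layouts, e.g. 12031985, 12-03-1985, 3/12/85.
DATE_LIKE = re.compile(r"^\d{1,2}[-/.]?\d{1,2}[-/.]?\d{2,4}$|^\d{4}[-/.]?\d{2}[-/.]?\d{2}$")

def check_password(password: str) -> List[str]:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if password.lower() in OBVIOUS:
        failures.append("common password")
    if DATE_LIKE.match(password):
        failures.append("looks like a date")
    return failures

def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule in the checklist."""
    return not check_password(password)
```

Returning the full list of failed rules rather than a bare yes/no lets the enrolment form tell the user which part of the policy they missed, which is what makes a rule like this usable in practice.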
After this exercise of setting in place appropriate information security policies and
processes you will be ready for an external audit. Again the external audit will ask the
same questions you asked yourself in the internal audit. Only now, all the loopholes will
have been plugged due to the implementation of the Information Security policies and
processes and certification becomes easier.
8.6 SUMMARY
● Regular Security Audits are a must for all organizations.
● The audits can be both internal and external.
● The audits reveal the loopholes in the information security system.
● There are various kinds of security audits, which may have to be done depending
upon the vulnerabilities that you want to check. SAS 70 audits, SOX compliance
audits etc. are a few of the more specific audits.
● Based on the audits, adequate measures and systems have to be adopted by
organizations. This is mainly done through adopting a security policy.
● Security policy has certain standards to protect the confidentiality and integrity of
information vital to any business. This includes:
– physical security,
– personnel security,
– access controls,
– security technology,
– security response and recovery, and
– security audits.
● There should be controls to safeguard operational systems and audit tools during
system audits to maximize the effectiveness of and to minimize interference to/
from the system audit process.
● Audit trails are the records of activity, used to provide a means for reconstructing
events and establishing accountability. Therefore, they are very important during
audits for the investigation of problems.
● Sensitive systems which are sensitive to potential laws require a special, dedicated
(isolated) computing environment.
● For monitoring the use of information processing facilities, a procedure should be
established to ensure that the user performs only those activities for which they
have been authorized.
● The level of monitoring required for individual information processing facilities
should be determined by risk assessment.
Terminal Questions
1. Refer to sections 8.3 and 8.4 of the unit.
2. Refer to section 8.4 of the unit.
3. Refer to section 8.4 of the unit.
4. Refer to section 8.5 of the unit.
5. Refer to section 8.5 of the unit.
6. Refer to section 8.5 of the unit.
7. Refer to section 8.5 of the unit.
9.1 INTRODUCTION
The transmission and storage of data has undergone a radical change due to advances
in technology and technological processes. The information technology revolution has
made the personal computer as common as a fountain pen and the individual more and
more dependent on a number of public and private services for example, banking,
credit, social security, insurance, employment, direct marketing, statistics, police,
telecommunications etc. that operate with automated administrations. Owing to the
relatively much faster transmissibility and easier storage of data in today’s scenario, it
has become imperative to both prevent and shield data from unauthorized access and
usage. The increased usage of the automated form of processing personal data over the
past few decades has in particular enhanced the risk of illegal use of personal data by
facilitating its transfer between countries with great differences in the level of protection
provided to personal data.
The concept of data protection has thus gained critical importance to ensure that personal
data is not processed in a manner that is likely to infringe or invade personal integrity
and privacy. The concept of protecting data, though in its early stages of practice,
promises on one hand, rapid growth over the coming years to secure for every individual,
whatever the nationality or residence, respect for such individual’s rights and fundamental
freedoms, and in particular the right to privacy, with regard to the automatic processing
of personal data relating to such individual. However, on the other hand, to be able to
ensure that the right to privacy, and the protection of personal data in particular, are
respected in the electronic superhighways capable of transferring a vast amount of
personal information worldwide in real time at very high speed shall be a pertinent
challenge. Data protection has thus become a topical subject, with an ever-increasing
number of evolving practical questions getting attached to it.1
Before we study the concept and the measures taken to regulate data protection in
detail, let us first understand what is meant by “data”.
9.2 OBJECTIVES
After studying this unit, you should be able to :
● explain the meaning of the term ‘data’;
● explain the concept of data protection;
● comprehend the need to regulate data protection;
● enlist the measures taken by UK, US and India to regulate data protection; and
● explain the current status of data protection regulation in India.
(b) from the data and other information which is in the possession of, or is likely to
come into the possession of, the data controller,
(c) and includes any expression of opinion about the individual and any indication of
the intentions of the data controller or any other person in respect of the individual.
In view of the information revolution, which has resulted from the coupling of computer
techniques, telecommunications, multimedia and the lightning development of the Internet,
the legislation has therefore also laid stress and emphasis on computer-processed
and computer-stored forms of data.
Please answer the following Self Assessment Question.
Data Protection
Self Assessment Question 2 Spend 2 Min.
Provide an example for a common infringement of privacy today?
..............................................................................................................................
..............................................................................................................................
..............................................................................................................................
..............................................................................................................................
..............................................................................................................................
..............................................................................................................................
9.5.3 EU Directive
In 1995, the EU adopted its data protection directive (95/46/EC), establishing a
detailed privacy regulatory structure intended for adoption into national law by EU
member states. The directive adopted the OECD concepts on data protection, but
made several important changes or additions to the OECD Guidelines, such as the
creation of a “legitimacy” principle which prohibits the processing of any data that
does not have a legitimate purpose. It further interpreted
the openness principle to require national registration of databases and data controllers
and promoted the free flow of information only between and amongst the EU member
states. The cross border transfer to other countries was prohibited unless the other
country provided an “adequate” level of protection, although the same was made subject
to certain exceptions. Lastly the directive specifically stated that the member states
should encourage the use of codes of conduct thereby providing a means to limit the
possible discretionary exercise of authority and also obtaining flexible means to
update national interpretations.
The EU member states have a tradition of industry-government dialogue and the use of
industry codes of conduct. The EU directive explicitly encourages the use of such
“self-regulatory” measures, thereby making the impact of the directive less burdensome. In
other words, these codes allow regulatory measures to be flexible in order to keep
pace with technological developments and with evolving industry practices. These codes
further assist in avoiding unnecessary regulatory barriers and limiting the discretionary
exercise of regulatory authority.
This directive was thus an important initiative to protect personal information by
prohibiting the transfer of such personal data to those countries, which did not conform
to the privacy protection requirements of the EU2.
Currently there are no specific data protection laws in India. However, in the
absence of specific laws, the Indian legal system offers a few stand-in laws and other
indirect safeguards, e.g. the Information Technology Act, 2000 and the Indian Penal Code,
1860, all of which are discussed in detail in the succeeding units.
However, recognising the need for data protection in the technological environment,
the Central Government has taken several initiatives for the furtherance of data
protection. Some of the initiatives taken by the Ministry of Information Technology in
India may be mentioned:
● Standardisation, Testing and Quality Certification (STQC) Directorate
Due to the international demand that Indian firms should hold an international security
standard accreditation, the Indian government has set up the Standardisation, Testing
and Quality Certification (STQC) Directorate (under the Department of Information
Technology (DIT)). The Directorate has launched an independent third-party
certification scheme for Information Security Management Systems, as per BS
7799 Part 2, and has achieved international recognition in the form of accreditation
from the RvA, Netherlands.
● Computer Emergency Response Team (CERT)
The Indian Computer Emergency Response Team (CERT) was established by the DIT
to be a part of the international CERT community. CERT was set up to protect India’s
IT assets against viruses and other security threats.
● Information Security Technology Development Council (ISTDC)
The Ministry has recently set up the Information Security Technology Development
Council (ISTDC). The main objective of this program is to facilitate, coordinate and
promote technological advancements, and to respond to information security incidents,
threats and attacks at the national level (check Regulations in India at
http://www.nasscom.org).
Please answer the following Self Assessment Question.
9.7 SUMMARY
● Faster transmissibility and easier storage of data has increased the requirement to
prevent and shield data from unauthorized access and usage.
● Data protection, while securing respect for an individual’s rights, raises the question
as to whether the protection it seeks to offer shall merit respect and
acknowledgement in the practical scenario of information transmissibility.
● Data is a representation of information and knowledge intended to be processed
by means of equipment and is recorded in varying forms.
● Regulation of data protection is necessary on account of the free flow of information
that has raised concerns about security, privacy and respect of fundamental rights.
● The European Union initiated data protection laying standards embodied in various
legislation subsequent thereto across the world.
● OECD has set down 8 principles pertaining to privacy
– Collection limitation
– Data Quality
– Purpose specification and notice
– Use limitation
– Security
– Openness
– Access
– Accountability
● The EU Data Protection directive adopted the OECD concepts; however, it made
alterations such as the creation of a “legitimacy” principle and requiring transferee
countries to provide adequate protection in case of cross border transfer of data.
● The UK has set out 8 principles for data handling
(i) lawfully processed
(ii) lawfully obtained
(iii) adequate and relevant
(iv) accurate and up to date
(v) stored for specific purpose and reasonable duration
(vi) processed in accordance with owners rights
(vii) stress on technical and organizational measures
(viii) transborder flow between countries
● The US relies on an industry self-regulatory approach to the OECD Guidelines, having
no specific legislation of its own. The FTC imposes a proactive approach.
● APEC endorses a privacy framework based on the core fundamentals of the
OECD Guidelines.
● India has no data protection laws; however, the central government has taken
several initiatives such as setting up the STQC Directorate, the CERT and the
ISTDC.
● Data protection monitoring requires both advanced system information processing
and human intervention.
dataprotection.html>.
3. Ibid.
4. Supra n.2.
OECD Principles
UNIT 10 OECD PRINCIPLES
Structure
10.1 Introduction
10.2 Objectives
10.3 OECD Guidelines on the Protection of Privacy and Trans Border Flows of
Personal Data
10.3.1 Basis for the OECD Guidelines
10.3.2 Scope of the OECD Guidelines
10.4 OECD Guidelines: Basic Principles of National Application
10.5 OECD Guidelines: Basic Principles of International Application
10.6 Summary
10.7 Terminal Questions
10.8 Answers and Hints
10.1 INTRODUCTION
The Organization for Economic Co-operation and Development (OECD) was originally
established as the inter-governmental Organization for European Economic Co-operation
(OEEC) with support from the United States and Canada to co-ordinate the economic
reconstruction of Europe after World War II. The OECD formally took over from the
OEEC in 1961 and has its headquarters in Paris.
As an economic alliance, the mission of the OECD has been to help member country
governments achieve sustainable economic growth in the form of creation of employment
opportunities and higher standards of living while maintaining financial stability and
thereby contributing to the overall development of the world economy. The OECD
purports to assist sound economic expansion in member countries and other countries
in the process of economic development and thereby contributes to growth in world
trade on a multilateral and non-discriminatory basis.
The OECD produces internationally agreed instruments, decisions and
recommendations with the constituent elements of dialogue, consensus and peer review
in order to promote directives in areas where multilateral agreements may be required
for the economic progress of individual countries in an increasingly global and
competitive economy.
The OECD currently consists of about 30 member countries including the United States,
the United Kingdom, Germany, France, Japan and Korea. The governing body of the
OECD (Council) comprises representatives from its member countries. In addition
to the member countries, the OECD maintains active relationships with about 70 other
non-member countries including India and with various non-governmental organizations,
offering its analytical expertise and accumulated experience to such countries and
organizations.
10.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the background of the OECD;
● describe the basis for the OECD Guidelines;
● describe the scope of the OECD Guidelines;
● explain the principles for national application; and
● explain the principles for international application.
Self Assessment Question 1 Spend 4 Min.
What are the various ways in which OECD Guidelines can serve as a basis for
legislation?
10.6 SUMMARY
● OECD seeks to assist member countries by providing internationally agreed upon
instruments, decisions and recommendations.
● OECD framed Guidelines on protection of privacy and transborder flows of
personal data on recognition that a critical need to protect personal data privacy
has arisen due to increasingly widespread trans-jurisdiction flow of personal data.
● The Guidelines permit application of different measures of data protection, extend
to both automated and non-automated forms of processing personal data, provide
for security and policy based exceptions and seek to be construed as minimum
standards capable of adaptation.
● The Guidelines provide 8 basic principles of national application:
(i) Collection Limitation
(ii) Data Quality
(iii) Purpose Specification
(iv) Use Limitation
(v) Security Safeguards
(vi) Openness
(vii) Individual Participation
(viii) Accountability
● OECD Guidelines lay down the following principles for international application:
(i) Implication of domestic process and re-export
(ii) Transborder flows to be uninterrupted and secure
(iii) Refrain from restricting transborder flows except under specific exemptions
(iv) Avoid developing law and policies that create obstacles to transborder flows.
Terminal Questions
1. Refer to section 10.3 of the unit.
2. Refer to section 10.3 of the unit.
3. Refer to section 10.3 of the unit.
4. Refer to section 10.4 of the unit.
5. Refer to section 10.5 of the unit.
UNIT 11 DATA PROTECTION POSITION IN INDIA, EU AND US
Structure
11.1 Introduction
11.2 Objectives
11.3 Scenario in India
11.4 EU Data Protection Directive
11.5 Privacy Policy in the United States
11.5.1 International Safe Harbour Privacy Principles and FTC
11.5.2 U.S. Safe Harbor Framework
11.6 United Kingdom
11.7 Summary
11.8 Terminal Questions
11.9 Answers and Hints
11.1 INTRODUCTION
This unit seeks to discuss the data protection regimes across the European Union, the
United States and India. It purports to highlight the individual stages of their evolution
while drawing out a comparative analysis between the same.
Information, particularly digital information which can be stored, searched and
manipulated so easily, is a fundamental economic resource, but also a powerful weapon
which, in the wrong hands, can do incalculable damage to individuals. Just as technology
does not stand still, data protection rules must also continually evolve if they are to be
effective in a world where the collection and exploitation of personal data is becoming
forever easier and more convenient.
In the past, the overwhelming amount of effort involved in accessing information held
on paper files in a multitude of different locations was a real limitation that hindered the
mass collection and processing of personal data. Now, new technologies that enable
companies and governments to engage in the mass collection and processing of personal
data bring with them new risks.
11.2 OBJECTIVES
After studying this unit, you should be able to:
● describe the data protection scenario in India;
● explain the data protection regime in the EU;
● describe the privacy policy in the United States;
● familiarize yourself with the safe harbour framework between the US and EU; and
● explain the data protection regulation in the UK.
11.3 SCENARIO IN INDIA
There is no separate data protection legislation in our country. The National Task Force
on Information Technology and Software Development submitted an ‘Information
Technology Action Plan’ to the Government in July 1998.
In May 2000, the Information Technology Act of 2000 was passed by the Legislature
providing for a comprehensive regulatory environment for e-commerce.
Section 2(1) (o) of the IT Act defines ‘data’ as a ‘representation of information,
knowledge, facts, concepts or instructions which are being prepared or have been
prepared in a formalised manner, and is intended to be processed, is being processed
or has been processed in a computer system or computer network, and may be in any
form (including computer printouts, magnetic or optical storage media, punched cards,
punched tapes) or stored internally in the memory of the computer’.
Section 43 Explanation (ii) defines ‘computer database’ as ‘a representation of
information, knowledge, facts, concepts or instructions in text, image, audio, video that
are being prepared or have been prepared in a formalised manner or have been produced
by a computer, computer system or computer network and are intended for use in a
computer, computer system or computer network’.
The IT Act also provides for civil and criminal liabilities for violation of data protection,
couched in the term ‘cyber contravention’, as section 43 carries an exhaustive list of
penalties for damage to a computer, computer system etc. Sub-section (b) covers the case
where any person downloads, copies or extracts any data, computer database or
information from such computer, computer system or computer network, including
information or data held or stored in any removable storage medium. Section 72 deals
with the issue of breach of confidentiality and privacy. It provides that a person who has
access to confidential information under the powers conferred on him under the Act and
discloses such information can be punished with imprisonment for up to two years or a
fine of Rs. 1 lakh or both. The scope of the section is limited as interception of
confidential information has been left untouched.
The Indian government is well aware of this issue and, in an attempt to overcome the
problem, the Indian Department of Information Technology announced in June 2003 its
plans to pass a Data Protection Act in line with the EU requirements. A bill is being
drafted jointly by the Department of Information Technology and the National Association
for Software Service Companies (NASSCOM), which is India’s main trade association
for the IT industry.
The aim is to allow India to be officially designated by the European Commission as a
country that can be assumed to ensure an adequate level of protection. This would
clear the path for any data processing operations involving personal data originated in
the EU to be carried out by India-established companies, as they would have to meet
the same requirements as EU-based companies. However, the procedure to determine
whether a third country is safe from a data protection perspective is rather cumbersome
and bureaucratic.
EU law in particular restricts businesses transferring data to countries with weak privacy
protection, and with Indian IT wage costs rising – albeit still far behind those in the US
and Europe – India wants to eliminate reasons for potential customers to outsource
elsewhere. European firms are severely restricted in terms of the Data Protection Directive
of 1995 as to what data can be transferred or stored in countries without equivalent
rules and enforcement procedures. At present, India has no such regulations, and relies
on individual contracts negotiated between the main company and the Indian outsourcing
contractor to address the data protection issues.
Please answer the following Self Assessment Question.
Self Assessment Question 4 Spend 2 Min.
In the US which Act provides for private right of action in matters relating to data
privacy?
11.7 SUMMARY
● The EU Directive has two main objectives (i) protection of right of privacy and (ii)
prevention of obstacles to free flow of information within the EU.
● The EU Directive covers both private and public sectors and requires a receiving
country to have an adequate level of protection.
● The EU Directive sets out an industry wide code protecting release of sector
specific data and a system of individual contracts between the transferring entity
and the data protection Commission of the EU country.
● There is no single law in the US for data protection. The various acts include the
Matching and Privacy Act and the Computer Security Act.
● The FTC enforces data protection administrative enforcement procedures along
with the FCRA.
● The UK follows the DPA based on a set of 8 principles. The DPA also deals with
sensitive personal data.
● In India, there has been no separate data protection legislation and the Information
Technology Act, 2000 regulates issues pertaining to data protection.
Terminal Questions
1. Refer to section 11.4 of the unit.
2. Refer to section 11.5 of the unit.
3. Refer to sections 11.4 and 11.5 of the unit.
4. Refer to sections 11.3, 11.5 and 11.6 of the unit.
UNIT 12 PRIVACY POLICY
Structure
12.1 Introduction
12.2 Objectives
12.3 Information Privacy – Legal Approaches to its Protection
12.3.1 Indian Scenario
12.3.2 Judicial Trends in India Relating to the Concept of Individual Privacy
12.3.3 Privacy in Tort Law
12.3.4 Privacy under Contract Law
12.3.5 EU Privacy Directive
12.4 Information Privacy in E-commerce
12.4.1 Introduction
12.4.2 Privacy Concerns
12.5 Data Protection and Employee’s Privacy
12.6 Requirement of Privacy Statute
12.6.1 Need for a Privacy Statute
12.7 Summary
12.8 Terminal Questions
12.9 Answers and Hints
12.10 References and Suggested Readings
12.1 INTRODUCTION
Privacy is a fundamental human right and a cornerstone of a democratic society. It lies
at the foundation of the rule of law, the secret ballot, doctor-patient confidentiality,
lawyer-client privilege, the notion of private property, and the value our society places
on the autonomy of the individual1.
The concept of information privacy is distinct from other aspects of privacy such as
physical intrusion and surveillance. Information privacy means the claim of individuals
to determine for themselves when, how and to what extent information about them is or
may be communicated to others. It may also be defined as the individual’s ability to
control the circulation of information relating to him or her. Many people are unaware
that when they go online, they leave an electronic record of their movements and
unwittingly provide personal information to people and organizations that track such
data.
Globalisation and the growth of electronic technologies have challenged the ability of
states to ensure the privacy rights of their citizens. Many countries concerned about the
protection of their citizen’s personal information have adopted privacy laws and fair
information practices. Information privacy initially emerged as a value that could not be
taken or misused by government without due process of law. This concept was later
developed into a set of best practice principles, both in the US and in the European
Union for ensuring fair processing, minimal intrusion and limited purposes in respect of
the use of personal data.
Information privacy was most profoundly affected by the rapid developments in
information technology such as the increased use of computers and the setting up of
national databanks wherein the choice of the individual is seen as central to the
concept of privacy both in allowing physical intrusion and the sharing of information. It
is almost ironic that privacy is being threatened over the Internet, as initially the Internet
was perceived as a technology that would afford its users a considerable level of
anonymity and also provide a forum which would encourage and foster freedom of
individual expression.
12.2 OBJECTIVES
After studying this unit, you should be able to:
● appreciate the judicial trends in India relating to information privacy;
● know the distinction between privacy in tort law and contract law;
● familiarize yourself with the concepts of information privacy in e-commerce;
● appreciate that information privacy is most greatly affected by rapid developments
in information technology; and
● know the three types of legal approaches to information privacy.
Self Assessment Question 1 Spend 3 Min.
What are the three main legal approaches to protection of information privacy?
12.7 SUMMARY
● Information Privacy is distinct from other aspects of privacy. It is the claim of
individuals to determine when, how and to what extent information may be
communicated to others.
● There are three broad legal approaches to information privacy — Nordic, Civil
and Common.
● India has no statutory enactment guaranteeing a right of privacy but elements in
relation thereto are recognised by Indian Courts. The Indian Constitution also
provides for this right under Article 21.
● The Right to privacy is further present in the law of torts and law of contract.
● The EU privacy directive provides the foundation for workplace privacy in Europe
establishing common rules to encourage free flow of personal data.
● Consumer privacy concerns impact sales of goods and services in e-commerce.
● Issues of consumer privacy concerns include tracking of visits to websites, capture
of e-mail addresses, sales of personal information to third parties and credit card
information risks.
● Employees’ privacy is threatened by many types of privacy invasive monitoring.
● Electronic monitoring practices have eroded employee privacy rights; however
employers assert good business reasons.
● India requires a privacy statute to address numerous issues of concern.
Terminal Questions
1. Refer to section 12.2 of the unit.
2. Refer to section 12.3 of the unit.
3. Refer to section 12.4 of the unit.
4. Refer to section 12.5 of the unit.
5. Refer to section 12.6 of the unit.
12.10 REFERENCES AND SUGGESTED READINGS
1. Media Awareness Network. 10 Feb. 2007 <www.media-awareness.ca>.
2. “Privacy Laws in India – Big Brother’s Watching You – (and you can [acute
United States and Canada”. Stanford Technology Law Review 4 (2004). 11 Mar.
2007 <http://stlr.stanford.edu/STLR/Articles/04_STLR_4>.
paper_session.htm>.
2007 <http://epic.org/privacy/workplace/>.
6. Supra n 3.
7. Supra n 5.
8. Supra n 2.
UNIT 13 BPOs AND THE LEGAL REGIME IN INDIA
Structure
13.1 Introduction
13.2 Objectives
13.3 Legal Formalities for Setting Up a BPO in India
13.3.1 Compliance Issues in the BPO Sector
13.4 BPO Taxation
13.5 Data Protection and Privacy Issues in the BPO Industry
13.6 Current Methods – Service Contracts
13.7 Data Protection Law in India
13.7.1 Exploring the Options for a Data Protection Law
13.7.2 Some Proposed Amendments
13.8 Summary
13.9 Terminal Questions
13.10 Answers and Hints
13.1 INTRODUCTION
Business Process Outsourcing (“BPO”) has emerged as the most challenging sector
that has not only generated employment potential in India, but has also brought huge
inflow of foreign exchange into the country. Today, India is home to some of the world’s
leading BPO companies. In this context, it is becoming increasingly important to study
and examine the legal regime in India pertaining to BPOs and to undertake an examination
of data protection laws in the light of the growing concern that data transferred to India
may not be adequately protected. The purpose is to identify the deficiencies in Indian
law, if any, examine the well known global regulations that impact the Indian BPO
industry and suggest amendments to the existing laws in India, to bring them in conformity
with the international standards.
A BPO takes within its fold various elements such as finance and accounting, customer
relationship management, human resources, business process, transcription, and so on.
A parent company instead of performing these operations delegates them to a BPO. It
may be an in house operation or a different company may be engaged to perform a
particular task. It may be in the same country or in a different country. The BPO sector
in India has an extremely advantageous position because of its low cost structure and
large pool of skilled manpower. The foreign companies gain significant advantages due
to cost savings as regards the price of production, and also the ability to concentrate on
their core business, instead of having to bother with the back office operations.
There are various statutory, legal, regulatory and contractual requirements in the area of
Business Process Outsourcing. These include certain tax complications that may arise
as the activity may have originated in one country and profits may have accrued in another
country. The nature of the outsourced work holds a certain value and profits of the
parent company may be attributed to these operations, making it difficult to segregate
the costs and profit; the rules for the calculation of tax for BPOs thus become very
complicated. However, it still continues to be a sunshine sector for the Indian
economy, and, as a result, certain tax exemptions have been provided as an incentive to
foreign companies to outsource their work. BPOs are privy to confidential information
of the outsourcing companies. This is an important concern due to some of the recent
scandals that have in some measure deterred potential clients from outsourcing their
work to India.
The Data Protection provisions are written into the service contracts between the Indian
and the foreign parties. These agreements govern a number of issues ranging from the
services that should be provided and provisions relating to the termination of contract,
detailed provisions as regards “escrow” of the source code of software which guards
the companies against the breakdown of business relationships. The seat of arbitration
in case of an infringement could be in the European Union (“EU”); therefore these service
contracts may also be governed by EU laws. In this context, the provisions of the
Service Contracts assume great significance.
13.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the legal process of setting up a BPO in India;
● list the issues related to data protection in the BPO industry;
● discuss legal remedies as available in India to address issues related to data
protection; and
● discuss the possibility of exploring available options for creating and strengthening
existing legal framework of data protection.
13.8 SUMMARY
● Clearly, as the trend towards outsourcing steps up further, Information Security
will become an even more critical element of the customer strategies of service
providers.
● There is strict legislation governing privacy in all developed countries, but this is
the first time these issues have been addressed in India.
● The law on privacy in India, as it stands today, is limited to the right enshrined
under Article 21 of the Constitution and case law on the subject. However, like other
fundamental rights, it is not absolute, and is subject to reasonable restrictions
imposed by the state.
● At present the IT Act is the only substantive safeguard for companies outsourcing
work to India, which cannot be considered adequate for providing the stringent security
measures needed if India is to emerge as a viable offshore destination.
● Given the situation, global customers will continue to feel insecure about the issue
of outsourcing which can severely hinder the growth of the Indian BPO industry.
● The increasing trend of outsourcing, and the concern of losing customers to
competing countries, make it almost obligatory for India to put in place a stringent
data protection law.
● With the growth of the BPO space legal complications will only increase
necessitating a comprehensive and rigid legal regime.
Terminal Questions
1. Refer to section 13.1 of the unit.
2. Refer to section 13.5 of the unit.
3. Refer to section 13.7 of the unit.
UNIT 14 PROTECTING KIDS’ PRIVACY ONLINE
Structure
14.1 Introduction
14.2 Objectives
14.3 Internet Crimes against Minors
14.3.1 Types of Cyber Crime
14.3.2 Characteristics of Cyber Crime
14.4 Legislative Response by Different Countries
14.4.1 Position in the U.S.
14.4.2 Position in the U.K.
14.4.3 Position in India
14.5 Judicial Precedents
14.5.1 U.S. v. Fabiano
14.5.2 U.S. v. Upham
14.5.3 Federal Trade Commission v. Liberty Financial
14.5.4 Federal Trade Commission v. Toysmart.com
14.5.5 Federal Trade Commission v. Monarch Services, Inc., Girls’ Life, Inc.,
Bigmailbox.com and Looksmart Ltd.
14.5.6 Federal Trade Commission v. Lisa Frank, Inc.
14.6 Measures to Protect Minors from Internet Crimes
14.6.1 Non-legislative Measures
14.6.2 Technological Safeguards
14.6.3 Enforcement Measures
14.6.4 Self-disciplinary Measures
14.7 Summary
14.8 Terminal Questions
14.9 Answers and Hints
14.10 References and Suggested Readings
14.1 INTRODUCTION
The Internet has become a popular source of entertainment today. It offers minors tremendous
opportunities to:
– Explore new ideas
– Increase their knowledge base in a cost and time effective manner by acting as a
surrogate teacher and guide
– Visit and explore indirectly foreign lands and customs and
– Participate in challenging mental games.
Many minors (the most recent survey on this issue revealed that in fact 90% of school
children) are skilled navigators of the Internet. They are comfortable using computers
and are irresistibly drawn towards the information and images that can be explored at
the click of a mouse. However, certain aspects of the virtual world can be dangerous
and harmful to minors. This unit endeavours to analyse the increasing trend of online
crime against minors and the legislative response towards it by certain countries.
14.2 OBJECTIVES
After studying this unit, you should be able to:
● list the types and related characteristics of Internet crimes against minors;
● explore the legislative responses put into place by a set of representative countries
i.e. U.S., U.K., and India;
● know some of the judicial precedents on the related issues; and
● describe some of the measures which can be implemented for shielding the minors
from these heinous crimes.
Self Assessment Question 1 Spend 3 Min.
What are some of the types of crime that can be committed against minors?
14.5.3 Federal Trade Commission (FTC) v. Liberty Financial5
Before the COPPA Rule was implemented, the FTC addressed children’s privacy in a
lawsuit against Liberty Financial Companies, Inc., the operator of the Young Investor
Web site. The FTC alleged that the Web site falsely represented that personal information
collected from children in a survey would be maintained anonymously. The FTC alleged
that the Liberty Financial Companies did not maintain the information it collected
via the survey anonymously and that it maintained information about the child and
the family’s finances in an identifiable manner.
Give two examples of judicial precedents which were related to crime against minors
in the U.S.
Terminal Questions
1. Refer to section 14.3 of the unit.
2. Refer to section 14.4 of the unit.
supct.law.cornell.edu/supct/html/96-511.ZS.html>.
copa/20040629copadecision.pdf>.
1999/03/98-1048.htm>.
4. 1st Cir. 12 Feb. 1999. 8 May 2007 <http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=1st&navby=case&no=981121>.
5. Federal Trade Commission (FTC) v. Liberty Financial. File No. 982-3522. FTC
6 May 1999.
Parents_Teachers_Online_Privacy_Guide.pdf>.
UNIT 15 EVOLVING TRENDS IN DATA PROTECTION AND INFORMATION SECURITY
Structure
15.1 Introduction
15.2 Objectives
15.3 Privacy
15.4 E-governance
15.5 Information Warfare
15.6 Legal Issues with Retention of Electronic Records by the Government and
other Private Agencies
15.7 Data Transfer Regime
15.8 Summary
15.9 Terminal Questions
15.10 Answers and Hints
15.11 References and Suggested Readings
15.1 INTRODUCTION
With the coming of age of the Internet and information systems, the legal systems which
deal with them have been forced to evolve rapidly. Though the changes in law have
had to deal with a number of issues in the broad area of cyber laws, the most vibrant of
those have been concerned with privacy, information security, information warfare, e-
governance, e-commerce and crimes on the Internet. The fact that the laws in this
regard are presently evolving along with the fact that there are differences in approach
between most national legal systems lends to the colourful mosaic that the province of
law seems to be bathed in. For example, while in the US, the regime regarding information
gathering by websites is more geared towards self-regulation, in Europe, the EU has
led the way with a number of quite compulsory policies in this regard.1
15.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the issues that have spawned debate in the area of privacy;
● know the meaning and underlying framework requirements in respect of e-
governance;
● describe the issues in respect of grave threat to national security of countries on
account of information warfare;
● explain the legal issues in respect of retention of electronic records; and
● describe the working in general of data transfer regimes.
15.3 PRIVACY
Two major issues which have spawned considerable debate and even some laws in the
area of privacy, especially in the context of growing Internet use, are unsolicited
commercial e-mail and ‘cookies’ and other technological features that web site operators
sometimes use to track visitors to their sites or perhaps to build a profile of the specific
Internet user.
In a string of decisions2, unsolicited e-mail has been deemed to be trespass to personal
property and even permanent injunctions have been issued prohibiting commercial
mailers from mailing subscribers of some providers. Here the mailer’s First Amendment
rights to free speech have generally not been allowed as the other party is not the
government. The Controlling the Assault of Non-Solicited Pornography and Marketing
Act of 2003, however, has been quite effective in getting control of this problem. This
Act is directed at decreasing the number of spam e-mails3. It basically requires mass
marketers to provide an opt-out provision in their e-mail lists, fixes liability and
also requires them to provide a physical address. This structure is in fact very similar to
the do-not-call lists which exist for telemarketers4.
However, in India such legislation has not yet been brought into effect. A case dealing
with unsolicited telemarketing has made headlines. Dr. Harsh Pathak’s Public Interest
Litigation (PIL) seeks a direction to be issued by the Supreme Court to banks and
telephone service providers to stop making unsolicited telemarketing calls. On
February 7, 2005, pursuant to the PIL, the Supreme Court issued notices to a host of
mobile phone service providers and banks, and to the Union of India, which has also
been made a party to the suit on the argument that it is the duty of the state to prevent
violation of the rights of citizens and that the state has so far failed to do so.
The suit alleges that the defendants currently use mobile communication links to market
their services and products by making unsolicited calls or “cold calls”, and that such
unsolicited calls violate the Right to Privacy of the user. The suit also throws up several
interesting points of discussion. Do unsolicited calls by themselves violate privacy, since
they neither interfere in an unauthorized manner in any personal conversation nor disclose
personal information to any unauthorized person? Or is the objection based on the
sharing of users’ phone numbers between commercial entities? Would such sharing
of phone numbers, and their usage for cold calls, violate any privacy-related
law? Would the Supreme Court read such a prohibition as a measure to safeguard the
Right to Life and Liberty of consumers under Article 21? These questions will go
a long way in determining the right to privacy on the Internet as well, since the principles
are the same.
However, when the issue turns to cookies and other tracking features of websites, there
are very few legislative provisions which govern these in the US or in Europe. Rather, the
focus is on industry self-regulation, and thus on the setting of industry standards and policies.
These systems are designed both to preserve the privacy of users and to garner
information about current or potential customers for webmasters and online marketers.
In this regard, the Open Profiling Standard (OPS) and the World Wide Web
Consortium’s Platform for Privacy Preferences Project (P3P) were standards which
were supposed to give users control over the amount of information that they reveal
over the Net. This shows how the information industry can have an important role in
safeguarding private individuals’ information on the Internet. The importance of this
lies in the speed with which the companies comply with the industry guidelines and
respond to the pressures of the marketplace.
Evolving Trends in Data Protection and Information Security
Besides, newer systems, especially those under the Uniform Computer Information
Transactions Act (UCITA), talk about licensing of personal information to websites.
An advantage of this contractual approach to protecting information privacy is that
multiple interests of people can be accommodated and the idea of consent with regard
to use of personal data is also satisfied.5
As far as the US and Europe are concerned, they have basic and in some cases stringent
laws which protect the privacy of all individuals in their geographies. These laws lay
down the basic principles of protection of privacy and the means and methods to protect
it. However, as technology evolves, these privacy laws will find it difficult to keep
pace with the new implications of technology. For example, biometrics has become
a growing area of technological innovation, and there are privacy implications of the
use of biometrics. “Biometric” means a fingerprint, retina or hand scan of a person
which is stored in information systems; this information can then be accessed to
validate the person for identification purposes. Biometrics is mostly being used by
government authorities, who can access further personal information stored on the
information systems to confirm the identity of the person. However, this process of
validation using biometrics can be undertaken on the street, in airports, schools,
banks, swimming pools or office buildings. Therefore this process of validation can be
very invasive, and the Government and even private entities may be able to maintain
huge amounts of information about individuals in their data banks. Effective legislation
controlling the use of biometrics will be another trend to watch out for in the coming
years.
Please answer the following Self Assessment Question.
15.4 E-GOVERNANCE
E-governance represents the application of information technology for the improvement
of administration. Basically it means that the Government of a country will interact with
its citizens wherever possible through the Internet and information systems. Further, the
Government will use information technology and systems in the day-to-day running of
the various departments, ranging from the passport and land revenue departments to the
judiciary. In order to enable this process of e-governance it is essential to ensure that
there is an effective legal framework which guides and nurtures e-governance. While in
the US and in Europe there have been a sufficient number of guidelines and legislations in
this regard, in India this is yet to happen. Therefore one trend of legislation which we
can expect in the near future is that relating to e-governance. While the Information
Technology Act, 2000 does set the context for e-governance and enables various
transactions in the e-governance sphere, a lot more needs to be done in this area. An
effective legal framework ensures that governments have the opportunity to keep pace
with the new era of global communication and efficiently provide citizens with valuable
services. This framework should identify and address the various transactions which
happen in the e-governance model, such as electronic payments, electronic contracting
and also disputes which arise during e-transactions. There should also be a regulator,
similar to the Telecom Regulatory Authority of India, to ensure that transactions in the
e-governance space are smooth and in accordance with applicable law.
Please answer the following Self Assessment Question.
15.8 SUMMARY
● Laws have been forced to evolve rapidly with increasing use of information
systems.
● Two major issues in privacy are unsolicited commercial email and cookies and
such other tracking devices.
● The US and EU have basic and sometimes stringent laws to protect the privacy of
all individuals in their geographies.
● India still lacks E-governance guidelines and an effective legal framework to ensure
that governments provide citizens with valuable services.
● Information Warfare is about computer based information operations that could
provide adversaries of a country with an asymmetric response to that country’s
military superiority.
● Legal issues are increasingly arising in respect of retention of electronic records in
terms of how much information is being recorded, for what purpose and how the
security provisions are faring in respect of the same.
● The EU Data Protection Directive provides for data export only where adequate
levels of protection are present or adequate safeguards can be ensured.
15.9 TERMINAL QUESTIONS
1. What is your opinion on the changing and dynamic technology and the struggle of
policy and law to keep pace with this technology?
2. What are the evolving trends in privacy laws in India and the rest of the world and
what measures do you think India should take in order to keep up with the changing
technology?
3. How is increasing electronic retention of records becoming an issue for both
protection of privacy and information security?
4. What measures need to be taken by India to ensure that an effective e-governance
regime is established?
5. What is your understanding of the concept of information warfare and what
countermeasures must be taken?
Terminal Questions
1. Refer to section 15.3 of the unit.
2. Refer to section 15.3 of the unit.
3. Refer to section 15.6 of the unit.
4. Refer to section 15.4 of the unit.
5. Refer to section 15.5 of the unit.
34(1997):1153.
2. Cyber Promotions, Inc. v. America Online, 948 F. Supp. 456, 459 (E.D. Pa. 1996);
CompuServe Inc. v. Cyber Promotions Inc., 962 F. Supp. 1015 (S.D. Ohio 1997).
cyber/casesconcent1.html>.
Morrison-Foerster Legal Updates and News. May 2005. 24 Mar. 2007
<http://www.mofo.com/news/updates/files/update02026.html>.
1125.
nic/testimony_cyberthreat.html>.
7. Ibid.
Rules under the Final Privacy and Security Standards. Negotiating Technology
9. Rowland, “Data Retention and the War Against Terrorism – A Considered and
Rowland/>.
10. Susan Grindin. “As the Cyber-World Turns: The European Union’s Data Protection
Directive and Trans-border Flows of Personal Data”. 24 Jan 1998. 2 Apr. 2007
<http://www.info-law.com/eupriv.html>.
11. Karin Retzer. “Land in Sight: The Latest Developments Concerning Data Transfers
from the EU”. Morrison-Foerster Legal Updates and News. Feb. 2005.