
The Concept of Privacy

UNIT 1 THE CONCEPT OF PRIVACY


Structure
1.1 Introduction
1.2 Objectives
1.3 Concept of Privacy
1.4 Privacy – Historical and Cultural Perspectives
1.5 Meaning and Scope of Privacy
1.6 Critiques of Privacy
1.7 Right to Privacy – Louis Brandeis and Samuel Warren
1.8 Modern Principles of Privacy Law
1.9 Legal Regimes for Protecting Privacy
1.10 Privacy as a Legal Right
1.11 Privacy – The Human Rights Angle
1.12 Threats to Privacy in New Technological Regime
1.13 Digital and Internet Privacy Challenges
1.14 Summary
1.15 Terminal Questions
1.16 Answers and Hints
1.17 References and Suggested Readings

1.1 INTRODUCTION
Privacy is a state of affairs where information regarding an individual’s life and conditions
that are private in nature is beyond the reach and knowledge of others. In the current
technological milieu where one can access the personal details and information regarding
an individual’s diverse affairs, all that privacy means is that people want to have control
over what information needs to be there in the public domain. Privacy ordains that the
individual is at liberty to avoid unsanctioned intrusions in his life and personal affairs and
pre-supposes that the individual will have unqualified control over the information
pertaining to him. Privacy is an interest of the human personality. It protects the inviolate
personality, the individual’s independence, dignity and integrity1. The reasons behind
protecting one’s privacy are varied. Some people want to maintain anonymity, some
others want to conceal facts about themselves that are embarrassing, discreditable or
which may put them under some risk to their life and property, whereas a few may like
to have peace and solitude. Thus, one can safely argue that basically there are three
elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost,
whether through the choice of the person in that state or through the action of another
person2.
Right to Privacy and its Legal Framework
The discourse on privacy interests and the corresponding legal rights have seen drastic
changes from one technological era to another. Privacy intrusions, in the old legal order,
when there were no telecom, communication and computational technologies available,
were primarily treated as trespassing, assault, or eavesdropping. Privacy in those days
had not attained the intensity and magnitude as it has achieved in today’s modern world
where we have telephone wiretaps and microphones for overhearing, digital photography
and spycams for undercover and intelligence operations, computers, mass storage devices
and database software for storing, collating and circulating personal and financial
information. With these inventions no one can rest assured that his personal information
shall remain within the confines of his home or personal archives. New technologies
have made it possible to clandestinely transmit and broadcast information pertaining to
an individual without his knowledge. Organized collection, collation and storage of an
individual’s private and personal information on databases, has made it possible to
invade people’s privacy. The data storage and surveillance potential of computer systems
has given a new direction to the discourse on privacy rights. The question could no
longer be whether the information could be obtained, but rather whether it should be
obtained and, where it has been obtained, how it should be used. Technological inventions
such as data matching, profiling, data mining, smart cards, cookies and spam have
created an increased threat to the privacy of persons.

1.2 OBJECTIVES
After studying this unit, you should be able to:
● discuss the concept of privacy as it exists in different cultures and regions;
● comprehend the range and vastness of the right to privacy;
● know why critics disagree with privacy being an independent right;
● know the modern day principles of privacy laws;
● know different legal regimes for protecting privacy;
● grasp the human rights angle of privacy;
● know the threats to privacy in new technological milieu; and
● discuss digital and Internet challenges to the concept of privacy.

1.3 CONCEPT OF PRIVACY


Privacy is a valuable aspect of personality. Sociologists and psychologists agree that a
person has a fundamental need for privacy. A person’s right to privacy entails that such
a person should have control over his or her personal information and should be able to
conduct his or her personal affairs relatively free from unwanted intrusions3. Privacy is
also at the core of our democratic values. An individual has an interest in the protection
of his or her privacy as preserving privacy encourages dignity, self-determination,
individual autonomy and ultimately promotes a more robust and participatory citizenry.
Among all the human rights in the international catalogue, privacy is perhaps the most
difficult to define4. Despite attempts of jurists, scholars and theorists to define privacy,
there remains confusion over the true meaning and scope of privacy. One of the problems
is that, the very breadth of the idea, and its tendency, produces a lack of definition
which weakens its force in the political discourse5. Despite the difficulties to ring fence
the concept of privacy, Privacy International6 has suggested that privacy can be said to
comprise four separate nonetheless related aspects:

1. Information privacy, which involves the establishment of rules governing the
collection and handling of personal data such as credit information, and medical
and government records. It is also known as “data protection”;
2. Bodily privacy, which concerns the protection of people’s physical selves against
invasive procedures such as genetic tests, drug testing and cavity searches;
3. Privacy of communications, which covers the security and privacy of mail,
telephones, e-mail and other forms of communication; and
4. Territorial privacy, which concerns the setting of limits on intrusion into the domestic
and other environments such as the workplace or public space. This includes
searches, video surveillance and identity checks.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 2 Min.


What does the word ‘privacy’ connote?

1.4 PRIVACY – HISTORICAL AND CULTURAL PERSPECTIVES
Though the interest in the right to privacy increased worldwide in the 1960s and 1970s
with the advent of information technology7, the concept of right to privacy has historical,
cultural and religious connotations which reinforce the view that privacy is extensively
valued and preserved in various cultures.
Psychological and anthropological evidence suggests that every society, even the most
primitive, adopts mechanisms and structures that allow individuals to resist encroachment
from other individuals or groups8. The historical origins of the concept of privacy can be traced
to well-known philosophical discussions, most notably Aristotle’s distinction between
the public sphere of political activity and the private sphere associated with family and
domestic life9.
Lord Denning has articulated the need of recognising the ‘right to privacy’ as, “English
law should recognise a right to privacy. Any infringement of it should give a cause of
action for damages or an injunction as the case may require. It should also recognise a
right to confidence for all correspondence and communications which expressly or
impliedly are given in confidence. None of these rights is absolute. Each one of them is
subject to exceptions. Therefore exceptions are to be allowed whenever the public
interest in openness outweighs the public interest in privacy or confidentiality. In every
instance it is a balancing exercise for the courts. As each case is decided, it will form a
precedent for others. So a body of case law will be established”10.

1.5 MEANING AND SCOPE OF PRIVACY
Although privacy concerns are deeply rooted in history, privacy protection as a public
policy question can be regarded as a comparatively modern notion11.
Academically also, most privacy theorists are of the view that privacy is a meaningful
and valuable concept. There has been extensive philosophical debate on the
meaning and scope of privacy in the second half of the twentieth century, and it has been
deeply affected by the development of privacy protection in the law12.
Various jurists and scholars have extensively analysed the judicial trends and academic
discourse on personal and property rights having a symbiotic relationship with privacy
rights. Discussion on privacy has been further complicated by the fact that privacy
appears to be something we value to provide a sphere within which we can be free
from interference by others, and yet it also appears to function negatively, as the cloak under
which one can hide domination, degradation, or physical harm to women and others13.
Another scholar, Solove in his work ‘Conceptualizing Privacy’14 has summarized privacy
under six recurrent themes, namely (1) the right to be let alone; (2) limited access to the
self – the ability to shield oneself from unwanted access by others; (3) secrecy – the
concealment of certain matters from others; (4) control over personal information – the
ability to exercise control over information about oneself; (5) personhood – the protection
of one’s personality, individuality, and dignity; and (6) intimacy – control over, or limited
access to, one’s intimate relationships or aspects of life. Privacy is both a negative and
positive right. It imposes both a negative obligation upon the State to let alone the
individuals of a society, and positive obligation upon the State to protect individuals via
property rights, tort law, criminal law and other legal devices’. Solove contends that
attempts to conceptualize privacy by locating the common denominator to identify all
instances of privacy have thus far been unsatisfying.
The lack of a single definition should not imply that the issue lacks importance. Privacy
protection is frequently seen as a way of drawing the line at how far society can intrude
into a person’s affairs. Adam Carlyle individual’s ‘right to be left alone’15 has been
defined as “the rightful claim of the individual to determine the extent to which he wishes
to share of himself with others and his control over the time, place and circumstances to
communicate with others. It means his right to withdraw or to participate as he sees fit.
It also means the individual’s right to control dissemination of information about himself;
it is his own personal possession”16. Thus, it can be fairly argued that privacy is the
ability to determine for ourselves when, how, and to what extent information about us is
communicated to others17.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


How will you define the meaning of privacy?
1.6 CRITIQUES OF PRIVACY
Taking a counter view, critics argue that privacy is not an independent value at all but a
composite of interest in reputation, emotional tranquility and intangible property18. Critics
dispute that privacy can be accorded as a separate right because any interest protected
as private can be equally well explained and protected by other interests or rights, most
notably rights to property and bodily security. Other critics profess that privacy interests
are not distinctive because the personal interests they protect are economically
inefficient19. In some countries individual privacy may conflict with freedom of speech
laws and some laws may require public disclosure of information which would be
considered private in other countries and cultures.20

1.7 RIGHT TO PRIVACY - LOUIS BRANDEIS AND SAMUEL WARREN
The modern history of privacy can be traced to the famous phrase, the right “to be let
alone” dated 1834. The Supreme Court of the U.S. stated that a “defendant asks nothing
— wants nothing, but to be let alone until it can be shown that he has violated the rights
of another” [Wheaton v. Peters, 33 U.S. 591, 634 (1834)]. Later the same statement,
“the right to be let alone”, appeared in Cooley’s book21 as corresponding to the duty
“not to inflict an injury”. This argument was expanded by Warren and Louis Brandeis
(who went on to become Judge Brandeis of the US Supreme Court), who advocated
privacy rights in their famous law review article.
(Subsequently, Brandeis used the phrase “the right to be let alone” in his famous dissent
in Olmstead v. U.S. [277 U.S. 438, 478 (1928)], the first wiretapping case heard by
the U.S. Supreme Court.) This article can be credited as the pioneering work, instrumental
in the acceptance by the majority of American States of the existence of a legal right to
privacy within a relatively short period following its publication. Brandeis contended
that privacy was the most cherished of freedoms in a democracy, and he was concerned
that it should be reflected in the Constitution22. Citing “political, social, and economic
changes” and a recognition of “the right to be let alone” they argued that existing law
afforded a way to protect the privacy of the individual, and they sought to explain the
nature and extent of that protection. Focusing in large part on the press and publicity
allowed by recent inventions such as photography and newspapers, but referring as
well to violations in other contexts, they emphasized the invasion of privacy brought
about by public dissemination of details relating to a person’s private life23.

1.8 MODERN PRINCIPLES OF PRIVACY LAW


However, the impact of Warren and Brandeis’ article was not the sole basis for the
development of a legally protected right to privacy in the U.S. In 1960, a renowned tort
scholar William Prosser surveyed over 300 privacy cases which came after the Warren
and Brandeis article. Thus, Prosser codified the principles of privacy law in his article24
which also found a place in the Second Restatement of Torts at pages 652A-652I
(1977).

The four categories of privacy rights having a tortious remedy, as enumerated by Prosser,
are:
1. Unreasonable intrusion upon the seclusion or solitude of another
● Instances of physical intrusion in a person’s home, namely, undesirable entry,
peeping into the house, through windows with binoculars or camera, telephone
tapping, obtrusive telephone calls, scanning and collating financial and personal
data without person’s consent and information.
2. Appropriation of a person’s name or likeness for advantage of other
● Unlawful use of a person’s name or likeness for advertising and soliciting
clients/consumers on a product label which injures the personal feelings of
the person.
3. Public disclosure of embarrassing private facts
● Financial position, sexual orientation, personal correspondences, family feuds,
medical history, person’s private photographs clicked at his/her home.
4. Publicity placing one in a false light in the public eye
● Instances of putting information in public domain to create a false impression
about the person.
For a detailed discussion on the tortious remedies available for protection of privacy,
please refer to Unit 4 of Block 1.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What are the modern principles of right to privacy?

1.9 LEGAL REGIMES FOR PROTECTING PRIVACY
The history of the modern day statutory and legislative framework protecting privacy can be
traced as far back as 1361, where the Justices of the Peace Act in England provided
for the arrest of peeping toms and eavesdroppers. Various countries developed specific
protections for privacy in the centuries that followed. In 1776, the Swedish Parliament
enacted the Access to Public Records Act that required that all government-held
information be used for legitimate purposes25. France prohibited the publication of
private facts and set stiff fines for violators in 185826. The Norwegian Criminal Code
prohibited the publication of information relating to “personal or domestic affairs” in
1889.27
Modern privacy jurisprudence developed during the latter half of the 1960’s which saw
a flurry of legislative activities across the globe stimulated by exponential growth in the
area of computational technologies and other forms of telecom and information system
automation, such as audio-video devices, and telecommunications. Many countries
saw the emergence of new information technology systems as a challenge which the
existing legal regimes were incapable of redressing. Thus, in the decade of the 1970’s, many
western nations proactively enacted legislation and provided privacy protocols to
protect privacy rights.
In 1973, the United States Department of Health Education and Welfare (HEW) issued
a report, Records, Computers, and the Rights of Citizens, which analysed these
problems in depth and recommended the passage of a code of Fair Information Practices.
The Fair Information Practices “played a significant role in framing privacy laws in the
United States,”28 and influenced privacy law around the world.
Legislation in Europe began even earlier, with the West German Land of Hesse passing
the very first Data Protection Act in 1970, and Sweden’s Data Act of 1973 being the
first comprehensive legislation at national level. In the United Kingdom, Private Members’
Bills were introduced in the late 1960’s. Since the early 1970’s, most of the advanced
western nations have legislated. In addition, many of the states of the U.S.A., provinces
of Canada and West Germany have also passed privacy laws. Some of these apply to
all personal data systems, while others are restricted, e.g. to the public sector, or to
automated or computerised systems. In an endeavour to achieve some amount of
consistency in the highly varied approaches, the European Economic Community adopted
a Convention in 1980 (EEC 1980). The United Kingdom ignored the recommendations
but finally responded to commercial pressure to ensure that British companies were not
disadvantaged against their European competitors, and finally in 1984 passed the Data
Protection Act. A detailed discussion on the international legal framework for protecting
privacy has been provided in Unit 3 of Block 1 of this course material.

1.10 PRIVACY AS A LEGAL RIGHT


In the earlier times, legal remedies were only available for physical interference with life
and property; however, with the passage of time, changes in societal behaviour and
norms gave recognition to the individual’s right to keep his feelings, emotions and
intellect private. Changes in the legal framework are necessitated because of the
transformation in cultural mores, commercial practices, and technologies of the time.
Most of the laws which still govern the commercial transactions, data privacy, and
intellectual property were developed for a time when telegraphs, typewriters, and
mimeographs were the commonly used office technologies and business was conducted
with paper documents sent by mail. Technologies and business practices have
dramatically changed, but the law has not been able to match pace with the advancement
in technologies. Computers, electronic networks, and information systems are now
used to routinely process, store, and transmit digital data in most commercial fields.
Electronic commerce, transborder data flow, and digital databases have necessitated a
change in the legal order governing the modern day’s communication and information
technologies.
Privacy as a justiciable, legally redressable right claimed much wider recognition with
the widespread intrusion in an individual’s privacy invariably involving new telecom,
surveillance, data storage software and technologies. Prior to such technological
advancement, private affairs and personal data were confined to the realm of private
houses, offices or paper, thereby making it difficult for intruders to collect, collate
and exploit such information harming the individual.
Countries around the world have enacted different legal models for legal protection of
privacy in the new technological milieu. While some countries have comprehensive
general law governing the collection, use and dissemination of personal information by
both the public and private sectors, other countries such as the United States, have
avoided enacting general data protection rules in favour of specific sectoral laws
governing, for example, video rental records and financial privacy29. A detailed discourse
on the national (India) and international legal framework has been provided in Unit 2
and Unit 3, respectively of Block 1 of this course material.
Further, in a number of countries, corporates and industries have established their own
self regulating codes, security and privacy patrolling policies protecting data privacy. A
detailed discussion on the subject is attempted in Unit 4 of Block 3 of this course
material. Unit 4 of Block 2 examines the issues of security policy, standards and
procedures to put in place a secured information system. Internet users on their own
can employ a range of programs and latest privacy technologies and systems to impart
varying degrees of privacy and security to their online communications. Unit 3 of Block
4 provides a snapshot of such technology-based systems facilitating the individual users
to protect their privacy at their own level.

1.11 PRIVACY – THE HUMAN RIGHTS ANGLE


Privacy is a basic human right which has its foundation in human dignity, personal liberty
and freedom. Not only the religious texts, scriptures and cultures espouse for it, even
the modern era’s international treaties and conventions, many constitutions and domestic
statutes have accorded it the place of indefeasible human right. It is protected in the
Universal Declaration of Human Rights, the International Covenant on Civil and Political
Rights, and in many other international and regional human rights treaties. Nearly every
country in the world includes a right of privacy in its constitution. At a minimum, these
provisions include rights of inviolability of the home and secrecy of communications.
Most recently written constitutions include specific rights to access and control one’s
personal information. In many of the countries where privacy is not explicitly recognised
in the constitution, the courts have found that right in other provisions. In many countries,
international agreements that recognise privacy rights such as the International Covenant
on Civil and Political Rights or the European Convention on Human Rights have been
adopted into law30.
Privacy issues do not only figure in academic discourse or courtroom battles and this
importance can be gauged by the fact that most of the international human rights treaties
include reference to privacy. The formal normative basis for law and policy on data
protection and privacy laws across the world can be traced to the human rights and
freedoms comprised in these international treaties. This is expressly recognised in many
data protection laws themselves31. Numerous international human rights treaties have
enumerated privacy as a specific right32.
The Universal Declaration of Human Rights (UDHR), 1948 provides for the international
benchmark for safeguarding territorial and communications privacy of individuals. Article
12 affirms that “No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference or attacks”.
Article 17 of the International Covenant on Civil and Political Rights (ICCPR 1966,
Article 17) is couched in similar language.
The European Convention on Human Rights (1950), Article 8 ‘Right to respect for
private and family life’, states that “Everyone has the right to respect for his private and
family life, his home and his correspondence. There shall be no interference by a public
authority with the exercise of this right except such as is in accordance with the law and
is necessary in a democratic society in the interests of national security, public safety or
the economic well-being of the country, for the prevention of disorder or crime, for the
protection of health or morals, or for the protection of the rights and freedoms of others”.
The Charter of Fundamental Rights of the European Union (2000) deals with privacy in
Articles 7 and 8, and there are many specific European Directives.
Even though the international human rights treaties and conventions touch upon the
concept of privacy, their approach is inconsistent and they do not break common ground
when it comes to defining ‘privacy’. The scope and meaning of privacy is juxtaposed
with a string of other fundamental rights and liberties. It tends to scope out a wide range
of possible meanings, and leaves it to the wisdom of ratifying countries (parties) to
propose and adopt an interpretation suitable to changing needs and social order.

1.12 THREATS TO PRIVACY IN NEW TECHNOLOGICAL REGIME
In general parlance, the “right to be let alone”, though wide in ambit and import has
largely been associated with government’s intrusion in individual’s private sphere without
the due process and authority of law. But all that has undergone drastic changes in the
new global era of information highway. Less than a quarter of a century ago, the
Internet was an obscure network of large computers used only by researchers and
scientists. Now, we see it everywhere – within the reach of everyone – corporates,
governments and individuals around the world. It has revolutionised the way we deal
with static information hitherto confined to paper trapped in manual files. Now, we live
in an era of instantaneous and seamless communication and commerce originating from
a wide variety of communication devices. The ‘killer application’ that transformed the
Internet into a global phenomenon was the World Wide Web. Developed in the late
1980s at the European Center for Nuclear Research (CERN) from research by Tim
Berners-Lee, the Web was initially created to share data on nuclear physics. By using
hyperlinks and graphical browsing technology, the Web greatly simplifies the process
of searching for, accessing, and sharing information on the Internet, making it much
more accessible to a non-technical audience33.
Till recently, this information was held on paper; the sheer volume and a lack of
centralization made it hard to collate with the result that it was very difficult for one
body or person to use this information effectively. In the Internet age, information is so
centralized and so easily accessible that one tap on a button could throw up startling
amounts of information about an individual. This enables public authorities to keep a
closer watch over the individual. When committed to paper and trapped within the
confines of a manual file, the utility of information is markedly limited. Convergence of
technology with communication has blurred the boundaries between activities and
technologies. Communication has undergone a sea change in last three decades with
the new Information and Communication technologies fast outpacing the legal protection
afforded to ‘person’s right to be let alone’. Internet is the latest meeting place for
individuals and a business hub for corporates and merchandisers for selling and
promoting their products and services. Recent improvements in digital database-storage
technologies have changed the ways in which data can be altered, examined,
summarized and restructured to produce new or newly tailored information34.
Increasingly we see people trading and communicating with the help of computers and
the Internet. The ability to communicate and exchange information instantaneously and
seamlessly has given rise to privacy concerns i.e., control over information transmitted
and stored over the Internet, and the control over who can access that information.
Every time we do an online transaction over the internet, or talk over the internet telephony
or even update our personal and financial records on the bank’s website, we leave
behind a string of private information on databases stored on networked servers over
the Internet. It is an increasing security concern to protect privacy of data on networked
servers connected to the Internet. This leads to a paradoxical situation where the
computer and the Internet have accorded privacy and, at the same time, it has allowed
eavesdroppers to intrude into our privacy. Therefore, today, ‘information superhighway’35
is not really the safest place to be. Despite the best of efforts of the software security
professionals to protect privacy of information from unwarranted leaks or unauthorized
intruders or inadvertent leaks, privacy is always at risk. Unit 1 of Block 2 of this course
material examines the security challenges in cyberspace. It discusses how the practices
commonly used on the Internet, like cookies, malware, cyberstalking, phishing, hacking
and spamming, lead to the violation of privacy. Unit 2 in the same block examines the
technological vulnerabilities and their exploitation by hackers.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 3 Min.


What are the major threats to privacy in the new world of information technology?

1.13 DIGITAL AND INTERNET PRIVACY CHALLENGES
Telemarketing calls from credit card, cell phone, and car sales companies are intruding
into the privacy of individuals by accessing, without any authority, data available to
another vendor with whom the individual has dealt in the past. ‘Whether one has
the right to do so is a question of law and legal policy, but the medium supplies the
capability’36. The law on privacy has not kept pace with technological development.
Countries across the globe are struggling to come to terms with the evolving
relationship between data and Internet technologies and the right to privacy with
respect to the collection, sharing and use of data. Even today, in no country does the
right to privacy enjoy the status of a specific constitutional right37. Some countries
have enacted general comprehensive data protection laws and sectoral
legislation dealing with privacy rights, yet privacy law has primarily evolved through
judicial interventions where the courts have read a right to privacy into the existing
provisions.
The advancement in technology has made it possible to violate an individual’s privacy
without physically entering his place or property. Privacy concerns have grown manifold
in recent years and have been causing havoc. It has become possible to infiltrate
someone’s bank account, read private communications, intercept confidential
communication, disparage people’s reputation and put up an individual’s personal details
in a virtual market place. Individuals are at a greater risk of suffering harassment and losing
their peace of mind. Such technological vulnerabilities have necessitated that legal
protection be afforded to privacy, and that specific rules be set out governing the
collection and handling of personal information. Unit 3 of Block 2 provides a brief
treatise on the Indian and US legal positions dealing with technological vulnerabilities.
The last decade of the 20th century presented profound new challenges for the protection
of information privacy, such as the rise of the Internet and the increasing use of email in the
mid-1990s. The most imminent threat to privacy comes from the innocuous machine
that we call the computer, which, when networked with other computers, can transmit
information from one corner of the globe to the other within a fraction of a second. The
computer’s ability to store and process mass data has put the individual’s privacy at greater
risk than any other technological advancement in recent times. A new
jurisprudence on privacy is evolving because of the inherent susceptibility of the
individual’s privacy following the advent of computers, the Internet and database
management software and systems. This has given rise to the practice of collecting
personal information through unfair and unlawful means. Even where it is necessary to
process personal data of individuals, unscrupulous companies, for their commercial
benefit, use the data for other purposes without the consent of the individuals or without
legal authority, or worse, sell off the data to other companies. On the other hand, some
of these data warehousing companies do not employ security measures to protect
personal data from unintended or unauthorized disclosure, destruction or modification.
Further, it has often been seen that individuals whose data has been retained by
companies are neither informed of, nor given access to, the data held on them by these
companies so that they can rectify the data if inaccurate or misleading. In the
technological age that we are living in, where one can have any information available
and processed at the click of a button, it is becoming increasingly difficult to protect
privacy. However, it is not difficult to protect the fairness, integrity and effectiveness of
data protection technologies safeguarding the individual’s privacy. To uphold the individual’s
right to privacy, corporations using computers, database management systems and Internet
technologies need to put in place privacy risk management programmes to shield them
from exposure as they move their operations worldwide. Using benchmarking tools,
proven methodologies and diagnostics, a business enterprise needs to mitigate privacy
risks and vulnerabilities.
Let us now summarize the points covered in this unit.

1.14 SUMMARY
● Privacy can be defined as an interest of the human personality that protects the
inviolate personality, independence, dignity and integrity of individuals.
● Privacy is a state which can be lost, whether through the choice of the person in
that state or through the action of another person. There are basically three essential
elements in privacy: secrecy, anonymity and solitude.
● Louis Brandeis in his article ‘The Right to Privacy’ articulated the concept of
privacy that suggested that it was the individual’s “right to be left alone”38. Brandeis
contended that privacy was the most cherished of freedoms in a democracy, and
he was concerned that it should be reflected in the Constitution.
● It is difficult to define the meaning and scope of privacy. One of the problems is
that the very breadth of the idea, and its tendency, produces a lack of definition
which weakens its force in the political discourse. Nonetheless, privacy can be
said to comprise four separate but related aspects:
(i) Information privacy, which involves the establishment of rules governing the
collection and handling of personal data such as credit information, and medical
and government records. It is also known as “data protection”;
(ii) Bodily privacy, which concerns the protection of people’s physical selves against
invasive procedures such as genetic tests, drug testing and cavity searches;
(iii) Privacy of communications, which covers the security and privacy of mail,
telephones, e-mail and other forms of communication; and
(iv) Territorial privacy, which concerns the setting of limits on intrusion into the
domestic and other environments such as the workplace or public space. This
includes searches, video surveillance and identity checks.
● The concept of the right to privacy has historical, cultural and religious connotations
which reinforce how extensively privacy is valued and preserved in various
cultures.
● Critics dispute that privacy can be accorded the status of a separate right, because any
interest protected as private can be equally well explained and protected by other interests
or rights, most notably rights to property and bodily security.
● Prosser codified the principles of privacy law in his article Privacy, 48 Cal.L.Rev.
383 (1960). The four categories of privacy rights having a tortious remedy, as
enumerated by Prosser, are:
(i) Unreasonable intrusion upon the seclusion or solitude of another
(ii) Appropriation of a person’s name or likeness for advantage of other
(iii) Public disclosure of embarrassing private facts
(iv) Publicity placing one in a false light in the public eye.
● History of modern day statutory and legislative framework protecting privacy can
be traced as far back as 1361, where the Justices of the Peace Act in England
provided for the arrest of peeping toms and eavesdroppers. Various countries
developed specific protections for privacy in the centuries that followed.
● Modern privacy jurisprudence developed during the latter half of the 1960’s
which saw a flurry of legislative activities across the globe stimulated by
exponential growth in the area of computational technologies and other forms of
telecom and information system automation, such as audio-video devices and
telecommunications.
● Privacy issues do not figure only in academic discourse or courtroom battles; their
importance can be gauged by the fact that most of the international human
rights treaties include a reference to privacy.
● The recent technological advancement in the way data is stored, transmitted,
extrapolated and used poses an imminent threat to privacy.
● The advancement in technology has made it possible to violate an individual’s privacy
without physically entering his place or property. In the new global order,
electronic databases and the Internet are widely used to share, collate, transmit
and analyse personal information, individual choices and preferences, and financial
and medical history.
● Privacy concerns have grown manifold in recent years and have been causing
havoc. It has become possible to infiltrate someone’s bank account, read private
communications, intercept confidential communication, disparage people’s
reputation and put up an individual’s personal details in a virtual market place.

1.15 TERMINAL QUESTIONS


1. Concern for privacy has grown in recent times. Discuss the evolution of privacy
and the reason for the growing concern.
2. How is privacy related to law and torts?
3. What is the correlation between Right to Privacy and Human rights?
4. Develop a concept of privacy as per your understanding of the issue.

1.16 ANSWERS AND HINTS


Self Assessment Questions
1. A person’s right to privacy entails that such a person should have control over his
or her personal information and should be able to conduct his or her personal
affairs relatively free from unwanted intrusions.
2. Privacy can be defined under six recurrent themes, namely (1) the right to be let
alone; (2) limited access to the self – the ability to shield oneself from unwanted
access by others; (3) secrecy – the concealment of certain matters from others;
(4) control over personal information – the ability to exercise control over information
about oneself; (5) personhood – the protection of one’s personality, individuality,
and dignity; and (6) intimacy – control over, or limited access to, one’s intimate
relationships or aspects of life.
3. The four categories of privacy rights having a tortious remedy, as enumerated by
Prosser, are:
● Unreasonable intrusion upon the seclusion or solitude of another
● Appropriation of a person’s name or likeness for advantage of other
● Public disclosure of embarrassing private facts
● Publicity placing one in a false light in the public eye
4. Cookies, malware, cyberstalking, phishing, hacking and spamming.

Terminal Questions
1. Refer to section 1.4 of the unit.
2. Refer to section 1.8 of the unit.
3. Refer to section 1.11 of the unit.

1.17 REFERENCES AND SUGGESTED READINGS
1. “Privacy as an Aspect of Human Dignity”. New York University Law Review 39 (1964): 971.
2. “Privacy and the Limits of Law”. Yale Law Journal 89 (1980): 421–428.
3. Neethling, J. Potgieter, JM and Visser, PJ. Neethling’s law of personality. Durban: Butterworths, 1996.
4. James Michael. Privacy and Human Rights 1 UNESCO, 1994.
5. Dworkin, Ronald. Taking Rights Seriously. London: Duckworth, 1977.
6. Privacy and Human Rights 2004. An International Survey of Privacy Laws and Developments. Electronic Privacy Information Center Washington, DC, USA. Privacy International. London, United Kingdom.
7. Piller C. “Privacy in peril”. Macworld 10.7. (Jul. 1993): 124-130. <http://newfirstsearch.oclc.org>.
8. Westin A. Privacy and Freedom. New York: Atheneum, 1967 as referred to by Bennett CJ. “What Government Should Know About Privacy: A Foundation Paper” Presentation prepared for the Information Technology Executive Leadership Council’s Privacy Conference. 19 June 2001.
9. DeCew Judith. “Privacy”. The Stanford Encyclopedia of Philosophy. Ed. Edward N. Zalta. summer ed. 2002.
10. Denning, Lord. What next in Law. Butterworths, 1982.
11. South African Law Reform Commission Privacy and Data Protection report page 1 chapter 2. Discussion paper 109. Project 124. Oct. 2005.
12. Supra n. 9.
13. Supra n. 9.
14. Solove, Daniel J. “Conceptualizing Privacy”. California Law Review 90. (2002): 1087.
15. Thomas McIntyre Cooley. Treatise of the Law of Torts. 2nd ed. Callaghan, 1888. 29.
16. Adam Carlyle Breckenridge. The Right to Privacy. Lincoln: University of Nebraska Press, 1971.
17. Supra n. 8.
18. Mathew, K.K., Judge, Supreme Court of India (Retd.). 4 SCC (Jour) 1 (1979).
19. Posner, R. The Economics of Justice. Cambridge: Harvard University Press.
20. 8 Jan. 2007. <http://en.wikipedia.org/wiki/Privacy>.
21. Supra n. 15.
22. Samuel Warren and Louis Brandeis. “The Right to Privacy”. Harvard Law Review 4 (1890): 193-220.
23. Supra n. 9.
24. “Privacy”. Cal. L. Rev 48 (1960): 383.
25. Supra n. 6.
26. Jeanne M. Hauch. “Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris”. Tulane Law Review 68 (May 1994): 1219.
27. Prof. Dr. Juris Jon Bing. “Data Protection in Norway”. 1996. 8 Jan. 2007 <http://www.jus.uio.no/iri/forskning/lib/papers/dp_norway/dp_norway.html>.
28. Marc Rotenberg. “Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get)”. Stan. Tech. L. Rev 1 (2000): 44.
29. Supra n. 6.
30. Supra n. 6.
31. Bygrave, Lee A. “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties”. International Journal of Law and Information Technology 6 (1998): 247–284.
32. The Privacy Law Sourcebook: United States Law, International Law and Recent Developments. Ed. Marc Rotenberg. EPIC, 2003.
33. Gates, Bill. “Shaping the Internet Age”. Internet Policy Institute Dec. 2000.
34. Raymond T. Nimmer & Patricia Ann Krauthaus. “Information as a commodity: New Imperatives of Commercial Law”. Law & Contemporary problems 55 (1992): 103.
35. S.K. Verma & Raman Mittal. Legal Dimension of Cyber Space. ILI. 2004.
36. Supra n. 34.
37. Divan, Madhavi. “The right to privacy in the age of information and communications”. SCC (Jour) 4. 12 (2002).
38. Supra n. 15.

UNIT 2 NATIONAL LEGAL FRAMEWORK FOR PROTECTING PRIVACY


Structure
2.1 Introduction
2.2 Objectives
2.3 Position under Indian Constitution
2.3.1 Supreme Court on Right to Privacy – 1954 to 2005
2.3.2 Right to Privacy Emanating from ‘Right to Life’ – Article 21 – Indian Constitution
2.3.3 Right to Privacy versus Freedom of Press
2.3.4 Surveillance versus Right to Privacy
2.3.5 Right to Privacy against Wire-tapping
2.3.6 Privacy Right – Reasonable Restrictions
2.4 Position under Information Technology Act, 2000
2.5 Position under Freedom of Information Act, 2002
2.6 Position under Easements Act, 1882
2.7 Position under Indian Penal Code, 1860
2.8 Privacy under Indecent Representation of Women (Prohibition) Act, 1987
2.9 Privacy under Intellectual Property Rights
2.10 Position under Specific Relief Act, 1983
2.11 Position under Public Financial Institutions Act, 1993
2.12 Summary
2.13 Terminal Questions
2.14 Answers and Hints
2.15 References and Suggested Readings

2.1 INTRODUCTION
“The privacy, private life, honour and image of persons are inviolable, and the
right to compensation for property or moral damages resulting from their violation
is ensured; the home is the inviolable refuge of the individual, and no one may
enter therein without the consent of the dweller, except in the event of ‘flagrante
delicto’1 or disaster, or to give help, or, during the day, by court order; the secrecy
of correspondence and of telegraphic, data and telephone communications is
inviolable, except, in the latter case, by court order, in the cases and in the manner
prescribed by the law for purposes of criminal investigation or criminal procedural
finding of facts; access to information is ensured to everyone and the
confidentiality of the source shall be safeguarded, whenever necessary to the
professional activity”
Article 5 [Equality], provided in Chapter I – Individual and Collective Rights and Duties
under Title II Fundamental Rights and Guarantees – Constitution of Brazil2.
While privacy issues are now being deliberated upon in the Indian media and have been
of interest amongst academia and jurists, unlike Brazil, the legal safeguards under the
current legal regime in India are limited in nature and scope. Privacy Law in India
comprises a number of central statutes covering particular sectors and activities, and
some constitutional safeguards, which have very occasionally been used in support of
privacy rights through actions for unauthorized surveillance, search and seizures,
disclosure of personal details, DNA testing, matrimonial discord, defamation, trespass
or nuisance.
The majority of countries in the world, including India, do not yet have a specific data
protection law; a number of them either have general privacy rights, sometimes entrenched
in a constitution, or have sector-specific privacy laws.3 The Constitution of 1950 does not
expressly recognise the right to privacy. However, the Supreme Court first recognised
in 1964 that there is a right of privacy implicit in the Constitution under Article 21,
which states, “No person shall be deprived of his life or personal liberty
except according to procedure established by law” [Kharak Singh v. State of UP.
ISCR 332 (1964)]. So far the law of privacy has been relegated to a penumbral status
and has never enjoyed the status of a well-defined right. It is necessary to preserve the
tenuous balance between the right of the individual to be let alone and the
fundamental right to free speech, expression and information. In this unit we will
closely examine the legal framework and the judicial trends as they exist in India
for the protection of the right to privacy.

2.2 OBJECTIVES
After studying this unit, you should be able to:
● familiarize yourself with the position of privacy under the Indian constitutional and
legal framework;
● explain how the Constitution of India addresses the privacy issues;
● appreciate to what extent the Information Technology Act 2000 addresses the
issue of privacy; and
● know the position of right to privacy under various Indian legislations.

2.3 POSITION UNDER INDIAN CONSTITUTION


On closer scrutiny of the judicial interventions in the area of privacy rights, one can
discern that privacy rights have their genesis in the law of torts and in constitutional
law. In common law, a private action for damages for unlawful intrusion of privacy
is maintainable. Under constitutional law, the right to privacy is implied in the
fundamental right to life and liberty. The Indian courts have seized the opportunities
whenever they came and tried successfully to bring the privacy right within the purview
of fundamental rights. Even though the right to privacy is not enumerated as a fundamental
right in our Constitution, it has been inferred from Article 21. This section traces
the evolution and development of the right to privacy as emanating from the ‘right to life’
enumerated under Article 21 of the Constitution of India read with other fundamental
rights falling under Part III of the Indian Constitution, highlighting developments in law in
the post-constitutional period in India.

2.3.1 Supreme Court on Right to Privacy – 1954 to 2005
The right to privacy against unreasonable search and seizure has been recognised under
the Fourth Amendment to the US Constitution. As early as 1954, privacy rights came
under the scrutiny of the Supreme Court of India in the case of M.P. Sharma v. Satish
Chandra [AIR 1954 SC 300 (Para 18 p. 306)], where the process of search and seizure
was challenged in the light of the Fourth Amendment to the American Constitution. A bench
of eight judges observed in Para 18 that: “A power of search and seizure is in any system of
jurisprudence an overriding power of the State for the protection of social security and
that power is necessarily regulated by law. When the Constitution makers have thought
fit not to subject such regulation to constitutional limitations by recognition of a
fundamental right to privacy, analogous to the American Fourth Amendment, we have
no justification to import it, into a totally different fundamental right, by some process of
strained construction. Nor is it legitimate to assume that the constitutional protection
under article 20(3) would be defeated by the statutory provisions for searches. It is to
be remembered that searches of the kind we are concerned with are under the authority
of a Magistrate (excepting in the limited class of cases falling under section 165 of the
Criminal Procedure Code). Therefore, issue of a search warrant is normally the judicial
function of the Magistrate. When such judicial function is interposed between the
individual and the officer’s authority for search, no circumvention thereby of the
fundamental right is to be assumed.”
However, a good half a century later, the Supreme Court in the case of District Registrar
and Collector vs. Canara Bank [(2005) 1 SCC 496] held that the right to privacy of the
person includes the right to freedom from unreasonable search and seizure. It further said
that the State cannot have unrestricted access to inspect and seize or make roving
inquiries into all bank records relating to a person, without any reliable information before
it prior to such inspection. Documents or copies of documents of the customer which
are in a bank must continue to remain confidential vis-à-vis the person, even if they are no
longer at the customer’s house and have been voluntarily sent to a bank. Search, taking
of notes or extracts or seizure of the said documents would amount to breach of
confidentiality and be violative of the privacy rights of the customers of the bank, unless
there is some probable or reasonable cause or basis. Hence disclosure of the private
documents of the customers or copies thereof by a bank would be violative
of the privacy rights of its customers.

2.3.2 Right to Privacy Emanating from ‘Right to Life’ – Article 21 – Indian Constitution
It is evident from various pronouncements of the Supreme Court that the right to privacy,
though not a fundamental right, has gained constitutional recognition in Indian courts.
The writ courts have carved out a constitutional right to privacy, reading it as a part of the
‘right to life’ under Article 21 of the Constitution of India, which states that “No person
shall be deprived of his life or personal liberty except according to procedure established
by law”. It can be reasonably inferred that there do exist legal spaces within the
Constitution of India that can be utilized for honouring and upholding the right to privacy.
The judicial interventions by the Supreme Court of India reaffirm this position through
innovative and creative interpretation of ‘Right to Life’ under Article 21 as including
‘Right to Privacy’.

2.3.3 Right to Privacy versus Freedom of Press
It is only in R. Rajagopal alias Gopal v. State of Tamil Nadu [(1994) 1 SCC 632],
where a question concerning the freedom of press vis-à-vis the right to privacy of the
citizens of this country was raised, that the Supreme Court unequivocally stated that
the right to privacy is implicit in Art. 21. The dispute in this case was over the publication
of the alleged autobiography/life story of Auto Shankar, who was charged and tried for
as many as six murders. It was claimed that the autobiography set out the close nexus
between Auto Shankar and several IAS and IPS and other officers, some of whom
were indeed his partners in several crimes. One of the three questions that arose on the
pleadings is ‘whether a citizen of this country can prevent another person from writing
his life story or biography? Whether the freedom of expression guaranteed by Art. 19
entitles the Press to publish such unauthorized account of a citizen’s life and activities
and if so, to what extent and in what circumstances? What are the remedies open to a
citizen of this country in a case of infringement of his right to privacy and further in case
such writing amounts to defamation?’ The Supreme Court, after considering a number of
Indian, American and English cases, came to the conclusion that “the right to privacy is
implicit in the right to life and liberty guaranteed to the citizens of this country by
Article 21. It is a right ‘to be let
alone’. A citizen has a right to safeguard the privacy of his own, his family, marriage,
procreation, motherhood, childbearing and education among other matters. None can
publish anything concerning the above matters without his consent—whether truthful or
otherwise and whether laudatory or critical. If he does so, he would be violating the
right to privacy of the person concerned and would be liable in an action for damages. The
position may, however, be different, if a person voluntarily thrusts himself into controversy
or voluntarily invites or raises a controversy”.

2.3.4 Surveillance versus Right to Privacy


The earliest cases decided by the Supreme Court of India where the foundations for
the right were laid concerned the intrusion into the home by the police under State
regulations, by way of ‘domiciliary visits’. Such visits could be conducted any time,
night or day, to keep a tab on persons for finding out suspicious criminal activity, if any,
on their part. The validity of these regulations was challenged in the Court.
One of the first cases where the ‘right to privacy’ came under the scrutiny of the Supreme
Court was Kharak Singh v. State of U.P. [AIR 1963 SC 1295 (Para 20 p. 1303)],
relating to police surveillance, in which the Supreme Court considered the constitutionality
of a police regulation that permitted the police to keep a close watch on would-be criminals.
Kharak Singh was a case where the petitioner was put under surveillance as defined in
Regulation 236 of the UP Police Regulations. It involved secret picketing of the house,
domiciliary visits at night, periodical enquiries by police officers into repute, habits,
association, income or occupations, reporting by police constables on the movements of
the person etc. The regulation was challenged as violative of the fundamental rights
guaranteed to the petitioner.
In the given case the majority observed: “The right of privacy is not a guaranteed right
under our Constitution and therefore the attempt to ascertain the movements of an
individual which is merely a manner in which privacy is invaded is not an infringement of
a fundamental right guaranteed by Part III.” However, Subba Rao, J., in his minority
judgment dissenting from the majority, held that the fundamental right to privacy is part
of the right to liberty in Art. 21, part of the right to freedom of speech and expression in
Art. 19(1)(a), and also of the right to movement in Art. 19(1)(d), and that the Regulations
permitting surveillance violated the fundamental right of privacy [AIR 1963 SC 1295
(Para 31 p 1305)].
The matter again came up for consideration of the Supreme Court in Govind v. State of
M.P. [(1975) 2 SCC 148 (Para 23-24 p. 156)], which again was a case of surveillance,
this time under MP Police Regulations. The Court had to consider the Constitutional
validity of Regulations 855 and 856 of MP Police Regulations, which provided for
surveillance. Justice Mathew observed that “privacy primarily concerns the individuals.
It therefore relates to and overlaps with the concept of liberty. The most serious advocate
of privacy must confess that there are serious problems of defining the essence and
scope of the right. Privacy interest in autonomy must also be placed in the context of
other rights and values”. Justice Mathew opined that the law of privacy cannot be cast
in stone as “in the application of the Constitution our contemplation cannot only be of
what has been but what may be. Time works changes and brings into existence new
conditions. Subtler and far-reaching means of invading privacy will make it possible to
be heard in the street what is whispered in the closet”. Thus one can ascribe that
surveillance, by and large, has been held to be intrusive and an encroachment upon the
right to privacy by the Supreme Court of India [Malak Singh v State of Punjab (1981)
1 SCC 420, Sunil Batra v. Delhi Admn (1978) 4 SCC 494].

2.3.5 Right to Privacy against Wire-tapping


In People’s Union for Civil Liberties v. UOI [(1997) 1 SCC 301 (Para 18 p. 311)],
the Supreme Court held that tapping into telephonic conversations was unconstitutional
unless it has been brought about by a procedure established by law. The issue before
the Supreme Court was the citizens’ right to protect their privacy from being abused by
the authorities. Taking cue from the earlier decisions, in this public interest litigation, the
Supreme Court reiterated its earlier stand that right to privacy is a part of the right to
‘life and personal liberty’ enshrined under Art. 21 of the Constitution and the said right
cannot be curtailed, except according to procedure established by law [(1997) 1 SCC
301. (para 18 p. 311)]. The Court further held that the right to privacy by itself has not
been identified under the Constitution. As a concept it may be too broad and moralistic
to define it judicially. Whether the right to privacy can be claimed or has been infringed
in a given case would depend on the facts of the said case. But the right to hold a
telephone conversation in the privacy of one’s home or office without interference can
certainly be claimed as ‘right to privacy’. Conversations on the telephone are often of
an intimate and confidential character. Telephone conversation is a part of modern
man’s life. It is considered so important that most people carry mobile telephone
instruments in their pockets. Telephone conversation is an important facet of a man’s
life. Right to privacy would certainly include telephone conversation in the privacy of
one’s home or office. Telephone tapping would, thus, be in violation of Article 21 of the
Constitution of India unless it is permitted under the procedure established by the law.
The Court also highlighted the necessity to lay down procedural safeguards for the
exercise of power under section 5(2) of Telegraph Act which permits interception of
telephone messages, so that the right to privacy of a person is protected.

2.3.6 Privacy Right – Reasonable Restrictions


The Supreme Court has categorically stated that the right to privacy, like any of the
fundamental rights, is also subject to reasonable restrictions. Thus in Govind’s case
[(1975) 2 SCC 148 (Para 23-24 p. 156)] the Supreme Court stated that there ‘can be
no doubt that privacy-dignity claims deserve to be examined with care and to be denied
only when an important countervailing interest is shown to be superior. If the Court
does not find that a claimed right is entitled to protection as fundamental privacy right,
a law infringing it must satisfy the compelling state interest test’.
From the above observations of the Supreme Court the following principles emerge:
1. Right to privacy is a fundamental right, implicit in Article 21;
2. It is not an absolute right, but subject to reasonable restrictions like any other
fundamental rights; and
3. Right to privacy can be exercised subject to other rights and values and compelling
State and public interest.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


Does the Supreme Court of India recognise the right to privacy as a constitutional
right?

2.4 POSITION UNDER INFORMATION TECHNOLOGY ACT, 2000
The Information Technology Act, 2000 (the “Act”) was enacted in the year 2000 to provide
a regulatory environment for electronic commerce. The Act does not directly deal with
the issue of privacy; nonetheless, a few provisions of the Act do touch upon some
aspects of privacy. The Act deals with issues related to unauthorized access, damage
to computers through computer contaminants, hacking, breach of privacy and
confidentiality, and publishing a false digital signature certificate for fraudulent purposes.
Section 72 of the Act, entitled ‘Penalty for breach of confidentiality and privacy’, directly
deals with the ‘confidentiality’ and ‘privacy’ of individuals. Section 72 reads:
Save as otherwise provided in this Act or any other law for the time being in force, any
person who, in pursuance of any of the powers conferred under this Act, rules or
regulation made thereunder, has secured access to any electronic record, book, register,
correspondence, information, document or other material without the consent of the
person concerned discloses such material to any other person shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend
to one lakh rupees, or with both.
This section is narrow in scope as it covers only the persons empowered under the
Act. It means that the provisions of this section apply only to the officials who are authorized
to collect data under this Act. In its application, this section would be extremely limited
since it covers offences only by authorities such as Adjudicating Officers, members
of the Cyber Regulations Appellate Tribunal (CRAT) or Certifying Authorities under
the Act. This section does not specify any punitive measures for a service provider or
intermediary who, having secured access to any material or other information relating
to an individual by virtue of that individual availing its services, discloses such information
or material to any other person without the consent of such subscriber.
Under the proposed amendments to Section 72, if any intermediary who by virtue of
any subscriber availing his services has secured access to any material or other information
relating to such subscriber, discloses such information or material to any other person,
without the consent of such subscriber and with intent to cause injury to him, such
intermediary shall be liable to pay damages by way of compensation not exceeding Rs.
2,500,000 to the subscriber so affected. Further the amendments to Section 72 also
propose to make video voyeurism an offence under the Act.
Section 66 of the Act deals with hacking. It states that hacking is committed if
someone, with the intention of causing wrongful loss or damage (or with the knowledge that
such damage or loss is likely to result) to the public/any person, destroys/deletes/alters
any information residing in a computer resource, diminishes its value or utility, or affects
it injuriously by any means. If a person commits hacking, he/she is liable to be punished
with imprisonment up to 3 years, or with a fine, which may go up to Rs. 200,000, or
with both. Section 66 of the Information Technology Act, while making unauthorized
access of a computer system an offence, also makes unauthorized downloading/
extraction of data an offence. Though this provision does not deal with privacy
directly, it can be used in cases where personal information has been obtained through
unauthorized access.4
Section 43 of the IT Act entitled “Penalty for damage to computer, computer system,
etc.” deals with unauthorized access to a computer system. It states:
If any person without permission of the owner or any other person who is in charge of a
computer, computer system or computer network –
(a) accesses or secures access to such computer, computer system or computer
network;
(b) downloads, copies or extracts any data, computer data base or information from
such computer, computer system or computer network including information or
data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer
network, data, computer data base or other programmes residing in such computer,
computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer
network;
(f) denies or causes the denial of access to any person authorized to access any
computer, or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of this Act, rules
or regulations made thereunder; and
(h) charges the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system, or computer
network.
He shall be liable to pay damages by way of compensation not exceeding one crore
rupees to the person so affected. Any person who unauthorizedly accesses a computer,
extracts data and introduces contaminant is liable under this section.
Section 79 deals with the Network Service Provider’s Liability. It states that: A network
service provider shall be liable for violation of privacy of a third party if he makes
available any third party information or data to a person for the commission of an
offence or contravention. A citizen has a right to safeguard the privacy of his own, his
family, marriage, procreation, motherhood, childbearing and education among other
matters. None can publish anything concerning the above matters without his consent,
whether truthful or otherwise and whether laudatory or critical. If he does so, he would
be violating the right to privacy of the person concerned and would be liable in an
action for damages [(1994) 6 SCC 632]. However, a network service provider will
not be liable if he proves that the offence or contravention was committed without his
knowledge or he had exercised all due diligence to prevent such commission.
Liability of Companies
Where a company infringes the privacy rights of a person, every person who at the time
of contravention was in charge of and was responsible to the company for the conduct
of its business, as well as the company, shall be guilty of the contravention and liable to
be proceeded against and punished accordingly. However, as per section 85 of the
Information Technology Act, such person shall not be liable if he proves that the
contravention took place without his knowledge or that he exercised all due diligence
to prevent such contravention. These provisions provide sufficient protection against
privacy violations by private individuals.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


Which are the provisions under the Information Technology Act that touch upon the
concept of privacy in the information world?

2.5 POSITION UNDER FREEDOM OF INFORMATION ACT, 2002
Under the Freedom of Information Act, 2002, every citizen can secure access to
information under the control of public authorities consistent with public interest, in
order to promote openness, transparency and accountability in administration and in
relation to matters connected therewith or incidental thereto. This right to receive
information from public authorities, including the judiciary, has the following features:
(i) Section 8(1), subject to section 8(2), exempts information from disclosure in
certain cases, such as where the sovereignty and integrity of India may be prejudicially
affected by the disclosure, where public safety and order will be affected by
such disclosure, or for the protection of trade or commercial secrets.
(ii) Section 9 empowers a Public Information Officer to reject a request for information
where such a request is too general in nature or when it relates to information that
is contained in published material available to public or where it relates to
information, which would cause unwarranted invasion of the privacy of any person.

2.6 POSITION UNDER EASEMENTS ACT, 1882


Indian Easements Act, 1882 accords statutory recognition to customary right of privacy.
Section 18 of the Act provides that an easement may be acquired in virtue of local
customs, which are called customary easement. Illustration (b) to the above section
more or less settles the contents of the customary right of privacy. It lays down:
By the custom of a certain town no owner or occupier of a house can open a new
window therein so as substantially to invade his neighbour’s privacy. A builds a
house in the town near B’s house. A thereupon acquires an easement that B shall not
open new window in his house so as to command a view of the portions of A’s house
which are ordinarily excluded from observation, and B acquires a like easement with
respect of A’s house.
In 1888, the case of Gokal Prasad v Radho [ILR 10 All (1888) 358] came before a
Division Bench of Allahabad High Court for decision. The plaintiff alleged that the
defendant had wrongfully built a new house in such a way that certain eaves of that new
house projected over the plaintiff’s land and that a verandah and certain doors of the
house interfered with the privacy of those portions of the plaintiff’s house and premises
which were occupied and used by the females of the plaintiff’s family. Accordingly he
claimed to have the eaves, in question, and the verandah removed and the doors,
complained of, be closed. The female members of the plaintiff’s family were
paradanashin women. The lower court decreed the plaintiff’s claim with costs. On
appeal, the District Judge that an appeal was made and this is how the case came
before the High Court. The Division Bench of the High Court formulated the following
questions:
Does the privacy in fact and substantially exist and has it been and is it in fact enjoyed?
If it were found that no privacy substantially exists or is enjoyed, there would be no
further question in an ordinary case to decide. If, on the other hand, it were found that
privacy did substantially exist and was enjoyed, the next question would be: was that privacy
substantially or materially interfered with by acts of the defendant done without the
consent or acquiescence of the person seeking relief against those acts?
Chief Justice Edge, who delivered the judgment, arrived at the conclusion after examining
various authorities that a right of privacy exists and has existed in these provinces by
usage or custom and that substantial interference with such a right of privacy, where it
exists, if the interference be without the consent of the owner of the dominant tenement,
affords a good cause of action. In his concurring judgment Justice Mahmood
pointed out that under conditions of life such as they are in these provinces, the custom
that invasion of privacy is actionable is far from being an unreasonable custom, and the
custom itself is so well recognised that Mr. Motilal Nehru, for the respondent, in the course
of his argument stated that it was wholly unnecessary to remand the case for ascertaining
the custom. Thus, the appeal was decreed and the lower court decree was restored.
The Gokal Prasad case is an important decision in several ways. In the first place, the
extensive examination of the cases undertaken by the court illustrates the existence of
the customary right to privacy prior to the present decision.

2.7 POSITION UNDER INDIAN PENAL CODE, 1860


The Indian Penal Code (the “IPC”), though not directly dealing with, and carving out any
specific penal provision against, the infringement of the right to privacy, has given due
weightage to privacy in terms of honouring the individual’s right to maintain solitude, peace,
dignity and self respect, and penalizing unsanctioned intrusion in an individual’s life and
affairs.
Section 509 of the IPC comes into effect when there is an intention to insult the modesty of
any woman by the offender by uttering any word, making any sound or gesture or by
exhibiting any object, with the intention that such word or such sound be heard, or that
such gesture or object be seen by such a woman, or by intruding upon the privacy of
such a woman.
Section 209, IPC deals with obscene acts and songs and lays down:
Whoever, to the annoyance of others:
a) does any obscene act in any public place
b) sings, recites or utters any obscene song, ballad or words in or near any public
place, shall be punished with imprisonment of either description for a term, which
may extend to 3 months or with fine or both. (Cognizable, bailable and triable
offences).
Section 354, IPC deals with assault or criminal force to a woman with the intent to
outrage her modesty and lays down that: Whoever assaults or uses criminal force to
any woman, intending to outrage or knowing it to be likely that he will thereby outrage
her modesty, shall be punished with imprisonment of either description for a term which
may extend to two years, or with fine or both.
Sections 405 & 406: Punishment for Criminal Breach of Trust
Anyone who commits a criminal breach of trust may be punished with imprisonment,
which may extend to 3 years, or with a fine, or with both. In case any person, who has
been entrusted with property, or with any power over any property, dishonestly
misappropriates the property, makes wrongful use of the property, dishonestly disposes
of that property, or induces any other person to do so, such a person commits “criminal
breach of trust”.

2.8 PRIVACY UNDER INDECENT REPRESENTATION OF WOMEN (PROHIBITION) ACT, 1987
Under the Indecent Representation of Women (Prohibition) Act (1987) if an individual
harasses another with books, photographs, paintings, films, pamphlets, packages, etc.
containing “indecent representation of women”; they are liable for a minimum sentence
of 2 years. Further section 7 (Offences by Companies) holds companies where there
has been “indecent representation of women” (such as the display of pornography) on
the premises guilty of offenses under this act, with a minimum sentence of 2 years.

2.9 PRIVACY UNDER INTELLECTUAL PROPERTY RIGHTS
India has one of the most modern copyright protection laws in the world. A major
development in the area of copyright was the amendment to the Indian Copyright Act,
1957 in 1999, to make it fully compatible with the provisions of WTO’s Trade-related
Aspects of Intellectual Property Rights (TRIPS) Agreement. The Copyright
(Amendment) Act, 1999, came into force on January 15, 2000. The other important
development during 1999 was the issuance of the International Copyright Order, 1999,
which extended the provisions of the Copyright Act to nationals of all World Trade
Organization (WTO) member countries. Under the Indian law, computer programs
have copyright protection but no patent protection. A software program is an algorithm
and patent law does not protect algorithms per se. As per the provisions of the Indian
Copyright Act, 1957, any person who knowingly makes use of an illegal copy of a
computer program is punishable. According to Section 63B, copyright infringement
attracts a minimum imprisonment of 7 days. The Act further provides for fines, which
are not to be less than Rs. 50,000, but may go up to Rs. 200,000 and a jail term up to
3 years, or both [(1994) 6 SCC 632].
India has not provided statutory protection under its intellectual property right regime
to trade secrets, or valuable business information, which provide an additional benefit
or competitive advantage over competitors. Since globally the right in a trade secret
remains so long as the owner prevents its disclosure, trade secrets, if properly
protected, may last forever. The Supreme Court [P.U.C.L. v U.O.I. (2003)(3) SCALE
263] specified the grounds on which the government can withhold information relating
to various matters, including trade secrets. The Supreme Court observed that “every
right – legal or moral – carries with it a corresponding obligation. It is subject to several
exemptions/ exceptions indicated in broad terms.” Generally, the exemptions/ exceptions
under those laws entitle the Government to withhold information, including information
which, if disclosed, would violate the privacy of the individual.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What are the Indian legislations which deal with the right to privacy?

2.10 POSITION UNDER SPECIFIC RELIEF ACT, 1963
According to Section 39 of the Specific Relief Act, 1963, a person has a right to claim
temporary and permanent injunctions against unauthorized disclosure of confidential
information.

2.11 POSITION UNDER PUBLIC FINANCIAL INSTITUTIONS ACT, 1993
The Public Financial Institutions Act, 1993 codifies India’s tradition of maintaining
confidentiality in bank transactions.

2.12 SUMMARY
● Legal safeguards under the current legal regime in India are limited in nature and
scope.
● Neither the Indian Constitution nor any sector-specific privacy law
comprehensively addresses the privacy concerns.
● The privacy laws in India comprise a number of Central statutes covering
particular sectors and activities, and the constitutional safeguards, which have very
occasionally been used in support of privacy rights through actions for unauthorized
surveillance, search and seizures, disclosure of personal details, DNA testing,
matrimonial discord, defamation, trespass or nuisance.
● The majority of countries in the world, including India, do not yet have a specific data
protection law; a number of them either have general privacy rights, sometimes
entrenched in a constitution, or have sector-specific privacy laws.
● The Constitution of 1950 does not expressly recognise the right to privacy.
● However, the Supreme Court first recognised in 1964 that there is a right of privacy
implicit in the Constitution under Article 21 of the Constitution, which states, “No
person shall be deprived of his life or personal liberty except according to procedure
established by law.”
● Privacy rights have their genesis in the law of torts and the constitutional law.
● The Indian courts have seized the opportunities whenever they came and tried
successfully to bring the privacy right within the purview of fundamental rights.
Even though right to privacy is not enumerated as a fundamental right in our
Constitution it has been inferred from Article 21.
● The Supreme Court has categorically stated that the right to privacy, like any of
the fundamental rights, is also subject to reasonable restrictions. From these
observations of the Supreme Court the following principles emerge:
1. Right to privacy is a fundamental right, implicit in Article 21.
2. It is not an absolute right, but subject to reasonable restrictions like any
other fundamental rights.
3. Right to privacy can be exercised subject to other rights and values and
compelling State and public interest.
● The Information Technology Act, 2000 (the “Act”) does not directly deal with the
issue of privacy; nonetheless, a few provisions of the Act do touch upon some
aspects of privacy.
● The Act deals with issues related to unauthorized access, damage to computers
through computer contaminants, hacking, breach of privacy and confidentiality,
and publishing a false digital signature certificate for fraudulent purposes.
● Section 72 of the Act entitled ‘penalty for breach of confidentiality and privacy’
directly deals with ‘confidentiality’ and ‘privacy’ of individuals.
● Section 66 of the Act deals with hacking.
● Section 43 of the IT Act entitled ‘Penalty for damage to computer, computer
system, etc.’ deals with unauthorized access to a computer system.
● Section 79 of the Act provides for Network Service Provider’s Liability for violation
of privacy of a third party if it makes available any third party information or data
to a person for the commission of an offence or contravention.
● Section 9 of the Freedom of Information Act, 2002, empowers a Public Information
Officer to reject a request for information where it relates to information, which
would cause unwarranted invasion of the privacy of any person.
● Indian Easements Act, 1882 accords statutory recognition to customary right of
privacy.
● Indian Penal Code (the “IPC”), though not directly dealing with, and carving out
any specific penal provision against, the infringement of the right to privacy, has given
due weightage to privacy in terms of honouring individual’s right to maintain solitude,
peace, dignity and self respect, and penalizing unsanctioned intrusion in an
individual’s life and affairs.
● Under the Indecent Representation of Women (Prohibition) Act (1987) if an
individual harasses another with books, photographs, paintings, films, pamphlets,
packages, etc. containing “indecent representation of women”; they are liable for
a minimum sentence of 2 years.
● As per the provisions of the Indian Copyright Act, 1957, any person who knowingly
makes use of an illegal copy of a computer program is punishable.
● According to Section 39 of the Specific Relief Act, 1963, a person has a right to
claim temporary and permanent injunctions against unauthorized disclosure of
confidential information.
● The Public Financial Institutions Act, 1993 codifies India’s tradition of maintaining
confidentiality in bank transactions.

2.13 TERMINAL QUESTIONS


1. How does the Constitution of India address the privacy that should be accorded
to an individual or citizen? Discuss with case laws.
2. Does the Information Technology Act 2000 address the issue of privacy of an
individual?
3. Discuss how the Indian legislations have addressed the issue of privacy?
4. Privacy may be viewed as an Intellectual Property Right. Discuss.

2.14 ANSWERS AND HINTS
Self Assessment Questions
1. Yes, under the constitutional law, the right to privacy is implied in the fundamental
right to life and liberty. The Indian courts have seized the opportunities whenever
they came and tried successfully to bring the privacy right within the purview of
fundamental rights. Even though right to privacy is not enumerated as a fundamental
right in our Constitution it has been read in ‘Right to Life’ under Article 21.
2. Sections 43, 66, 72 and 79 of the Information Technology Act, 2000 deal with
privacy related aspects.
3. Information Technology Act, 2000, Right to Information Act, 2002, Indian Penal
Code, 1860, Easements Act, 1882 etc. are some of the legislations touching upon
privacy issues.

Terminal Questions
1. Refer to section 2.3 of the unit.
2. Refer to section 2.4 of the unit.
3. Refer to sections 2.3-2.11 of the unit.
4. Refer to section 2.9 of the unit.

2.15 REFERENCES AND SUGGESTED READINGS


1. ‘Flagrante delicto’ is a legal term used to indicate that a criminal has been caught
in the act of committing an offence.
2. The Constitution of Brazil. 1988. 18 Feb. 2007 <http:// www.Oefre.unibe.Ch
law/icl/br 00000_.html>.
3. Mustafa, Faizan. “Privacy issues in data protection: National and International
laws”. PL Webjour 16 (2004).
4. Singh, Sajai. “Privacy, Information Security and Data Protection In India”.
Background paper for Privacy. Seminar Presentation. The Roosevelt Hotel, New
York. 15 Nov. 2005.

International Legal Framework for Protecting Privacy

UNIT 3 INTERNATIONAL LEGAL FRAMEWORK FOR PROTECTING PRIVACY

Structure
3.1 Introduction
3.2 Objectives
3.3 The Position in the United States of America
3.4 The Position in the United Kingdom and the European Union
3.5 International Covenant on Civil and Political Rights and other Conventions
3.6 Summary
3.7 Terminal Questions
3.8 Answers and Hints
3.9 References and Suggested Readings

3.1 INTRODUCTION
The degree of intrusion into the private lives of individuals has been a topic of debate
for years and has also featured prominently in literature. Kautilya’s
Arthashastra, an Indian epic dating from approximately 300 B.C., places great emphasis
on the role of knowledge gleaned from spies, both internally in a nation and outside it,
in maintaining a grip on power, the echoes of which can be seen in Machiavelli’s
Prince, written hundreds of years later. And as long as surveillance has been a part of
human life, so probably has opposition to its excesses. Due to the technology available,
a lot of our daily activities are recorded, and either monitored in real time by someone
or kept for future reference. When you go to a bank to withdraw money from an ATM, you are
being watched or when you go to a shop or a superstore, you come across a sign that
reads “This store is under surveillance”, so you are forewarned. In Fresno, California,
security measures included, for the first time in a United States airport, use of facial
recognition technology to scan faces for terrorists as passengers entered security
checkpoints. In addition to law enforcement, large companies and businesses use
surveillance for a variety of other purposes. They use technology to monitor employee
productivity, deter theft and fraud, and ensure safety in the workplace. Having seen the
extent of surveillance in our lives it seems to be a given that we need to live with it and
this paper explores the ways by which laws of various jurisdictions seek to achieve “the
preservation of basic human rights” i.e. Privacy. It must be kept in mind that the statutes
and case laws analysed in this paper are indicative and are not exhaustive.

3.2 OBJECTIVES
After studying this unit, you should be able to know:
● the concept of ‘privacy’ in the legal sense;
● the international legal scenario as it stands today, for protection of privacy;
● legal provisions that provide for protection of privacy in US; and
● legal provisions that provide for protection of privacy in EU and UK.

3.3 THE POSITION IN THE UNITED STATES OF AMERICA
American scholars as far back as the 1800s have debated the existence of the right to
privacy. Samuel Warren and Louis Brandeis were pioneers in authoring ‘The Right to
Privacy’, which became the most important article recognising a right of privacy.
Subsequently, President Woodrow Wilson appointed Brandeis to the United States
Supreme Court in 1916, where he endeavoured to lay a foundation for the future privacy
law.
The United States Supreme Court has found a limited “right to privacy” stemming from
a combination of the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments.
The First Amendment provides: “Congress shall make no law respecting an establishment
of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech,
or of the press, or the right of the people peaceably to assemble, and to petition the
Government for a redress of grievances.”
The Third Amendment provides: “No soldier shall, in time of peace be quartered in any
house, without consent of the owner, nor in time of war, but in a manner to be prescribed
by law.”
The Fourth Amendment provides that: “The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures, shall
not be violated, and no warrants shall issue, but upon probable cause, supported by
oath or affirmation, and particularly describing the place to be searched, and the persons
or things to be seized.”
The Fifth Amendment provides in relevant part that: “No person shall ... be compelled
in any criminal case to be a witness against himself, nor be deprived of life, liberty, or
property, without due process of law....”
The Ninth Amendment ‘retained rights clause’ provides: “The enumeration in the
Constitution, of certain rights, shall not be construed to deny or disparage others retained
by the people.”
The Fourteenth Amendment provides in relevant part: “No State shall make or enforce
any law which shall abridge the privileges or immunities of citizens of the United States;
nor shall any State deprive any person of life, liberty, or property, without due process
of law; nor deny to any person within its jurisdiction the equal protection of the laws.”
In Paul vs. Davis [(1976) 424 U.S. 693], the Court found that no privacy right existed
when the police disclosed that the respondent was arrested on a shoplifting charge. The
Court found that the activities detailed were very different from ordered liberty matters
relating to marriage, procreation, contraception, family relationships, child rearing and
education.
The United States Constitution does not provide an explicit right to privacy but it is
implied in the Fourth Amendment, which protects people, not places. What a person
knowingly exposes to the public, even in his own home or office, is not a subject of
Fourth Amendment protection. But what he seeks to preserve as private, even in an
area accessible to the public, may be constitutionally protected.
In weighing these competing interests, American judges have expanded the principles
that would guide all three branches of the federal government in the application of the
Fourth Amendment to national security electronic surveillance. It has been noted that
national security cases present a particularly prickly situation because of the tremendous
governmental interest and the likelihood of both unreasonable invasions of privacy and
jeopardy to free speech rights. Although judges have recognised the vital importance
of protecting the national security, the primary concern is ensuring the sanctity of political
dissent – both public and private – in determining the application of the Fourth Amendment
to national security surveillance. The Fourth Amendment is to serve as “an important
working part of the machinery of government, operating . . . to check the ‘well-
intentioned’ but mistakenly over-zealous executive officers.” This constitutional function
cannot be guaranteed when domestic security surveillance is left entirely to the discretion
of the executive: “Unreviewed executive discretion may yield too readily to pressure of
obtaining incriminating evidence and overlook potential invasions of privacy and protected
speech”. Thus, the Courts reiterated their assertion that some interposition of the judiciary
between citizens and law enforcement must exist.
The United States has a large number of narrowly-focused privacy laws consistent
with its traditionally incremental approach to legislation. This is in contrast to the
trans-sectoral approach of Europe.
Whether the whole adds up to sufficiently comprehensive privacy protection in the US
is in the eye of the beholder. It is clear that to understand completely US privacy
protections, one must look at the various federal pieces, as well as at the matrix of state
laws that adds to the national protections.
Federal privacy (and privacy-affecting) laws include the following:
● Federal Trade Commission Act (1914)
● Fair Credit Reporting Act (1970)
● Privacy Act (1974)
● Freedom of Information Act (1974)
● Family Educational Rights and Privacy Act (1974)
● Foreign Intelligence Surveillance Act (1978)
● Right to Financial Privacy Act (1978)
● Privacy Protection Act (1980)
● Cable Communications Policy Act (1984)
● Electronic Communications Privacy Act (1986)
● Video Privacy Protection Act (1988)
● Employee Polygraph Protection Act (1988)
● Telephone Consumer Protection Act (1991)
● Driver’s Privacy Protection Act (1994)
● Health Insurance Portability and Accountability Act (1996)
● Telecommunications Act (1996)
● Children’s Online Privacy Protection Act (1998)
● Financial Modernization Services Act (1999)
● USA Patriot Act (2001)
It is clear that the United States provides to its citizens an implied right to privacy
through the Constitution as well as through its various legislations. The concept of the
rational test basis would imply that a balance would have to be struck between the
rights of the individual on one hand and societal needs on the other.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


Is the ‘right to privacy’ an explicit right in the USA? What is the test to determine
the same?

3.4 THE POSITION IN THE UNITED KINGDOM AND THE EUROPEAN UNION
The European Convention on Human Rights, 1950 (Convention) addresses the issue of
privacy as under:
“8(1). Everyone has the right to respect for his private and family life, his home and his
correspondence.
8(2). There shall be no interference by a public authority with the exercise of this right
except if it is in accordance with the law and is necessary in a democratic society
in the interests of national security, public safety or the economic well being of the
country, for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.”
Article 8 provides a right to respect for private and family life, subject to the qualification
in Art.8 (2) that interference may occur where it is “in accordance with the law and is
necessary in a democratic society in the interests of”, the prevention of disorder or crime.
The interrelationship between Arts.8 (1) and (2) is not one of balancing the
legitimate interference against the right; the Art.8 (2) qualifications clearly
represent exceptions to Art.8 (1).
Article 13 of the Convention provides that “everyone whose rights and freedoms as
set forth in this Convention are violated shall have an effective remedy before a
national authority notwithstanding that the violation has been committed by persons
acting in an official capacity.” In the face of considerable opposition, this provision
was not incorporated in the Human Rights Act. In Convention terms, Art.13 requires
an “effective remedy” whenever there is a breach of Art.8. Logically, the effectiveness
of the available remedy must lie in its ability to secure the protection offered by the
Article – in this context a respect for privacy. The fact that the Human Rights Act
does not incorporate Art.13 does not negate domestic obligations to provide an
effective remedy because the Convention must always be read as a whole.
In the United Kingdom, until the passage of the Human Rights Act 1998 the concept of
privacy was one that neither Parliament nor the courts had taken the initiative to
develop. In 1996, in R. v Brown [(1996) 1 All E.R. 545 at 556] Lord Hoffmann
stated that, “English common law does not know a general right of privacy and
Parliament has been reluctant to enact one”. The House of Lords later that year in
a case concerning covert police surveillance commented upon the “continuing
widespread concern at this apparent failure of the law” [R. v Khan (1997) A.C.
558 at 582]. Such a reluctance to develop the law has partly been a result of the
inherent difficulties in defining such a nebulous concept. However, though “privacy”
as a domestic legal term in England might be lacking clear parameters, the right to
respect for private life under Art.8 of the Convention brings with it decades of
developing jurisprudence. The European Court’s jurisprudence lays down a
minimum set of values that must be respected in signatory states, and, even prior
to the Human Rights Act, this had impacted UK law and practice indirectly. The
Human Rights Act has brought about the development of a coherent and
comprehensive system to ensure that all police action that might interfere with
Art.8 is Convention compliant. It has also ensured that the courts must address
directly the question of when a particular action interferes with the right to respect
for private life.
A number of general principles have been derived from the
interpretation of the exceptions to the general right. First, if the primary right is
engaged in a particular case, then the restriction upon that right must be “in
accordance with the law”. Regardless of the end to be achieved, no right guaranteed
by the Convention should be interfered with, unless a citizen knows the basis for
the interference through an ascertainable national law. That law should be
sufficiently clear and accessible to ensure that people can adequately determine
with some degree of certainty when and how their rights might be affected. Secondly,
any interference with the primary right must be directed towards a legitimate aim
as stated in Art.8 (2). The restrictions on the primary right are numerous and
widely drawn and it could be argued that it is not overly burdensome to require
State conduct to remain within such boundaries. However, the list is intended to
be exhaustive and there should be no capacity for the State to add to those
grounds.
In addition to being lawful, and for one of the prescribed purposes, the
restriction must also be “necessary in a democratic society”. ‘Necessity’, though
not defined in the Convention itself, has been interpreted by the European Court
as not synonymous with ‘indispensable’ but not as flexible as ‘ordinary, useful,
reasonable’ or ‘desirable’. Instead, what is required is that the interference with
the primary right should be in response to ‘a pressing social need’. The Human
Rights Act has brought the concept of proportionality directly into play in the
United Kingdom. In the context of qualified rights, such as Art.8, proportionality
has a special relevance. In Brown v Stott [(2001) 2 W.L.R. 817], Lord Steyn
commented: “... The fundamental rights of individuals are of supreme
importance but those rights are not unlimited: we live in communities of
(other) individuals who also have rights.” Proportionality is a vital factor that
attempts to find a balance between the interests of the individual and the interest of
the wider community. Despite not explicitly appearing within the text of the
Convention itself, it is said to be a defining characteristic of the way in which the
courts seek to protect human rights. It is, according to the Court, “inherent in the
whole of the Convention” [Soering v United Kingdom (1989) 11 E.H.R.R. 439 at
para 89]. There are numerous factors to be taken into account when considering
the issue of proportionality. For example, if a measure, which restricts a right,
does so in such a way as to impair the very essence of the right it will almost
certainly be disproportionate. Furthermore, the need to have relevant and sufficient
reasons provided in support of the particular measure has been emphasized: “The
Court will look at the interference complained of in light of the case as a
whole and determine whether the reasons adduced by the national authorities
to justify it are relevant and sufficient and whether the means employed
were proportionate to the legitimate aim pursued.” [Jersild v Denmark (1995)
19 E.H.R.R. 1 at para 31]. It should also be considered if there is a less restrictive
alternative. A balancing exercise takes place that requires a consideration of whether
the interference with the right is greater than is necessary to achieve the aim. This
is not an exercise in balancing the right against the interference, but instead balancing
the nature and extent of the interference against the reasons for interfering.
A further
factor in the proportionality equation is to assess the adequacy of procedural
fairness in the decision making process. Where a public body has exercised a
discretion that restricts an individual’s Convention rights, the rights of the affected
individual should have been taken into account. For example, the policy should
not be arbitrary but should be based on relevant considerations. The guarantee
against arbitrariness is one that lies at the heart of the Convention provisions.
Proportionality can be more easily established where it could be shown that there
are sufficient safeguards against abuse in place. This was expressed clearly in
Klass vs Germany: “One of the fundamental principles of a democratic society
is the rule of law ... [which] implies, inter alia, that an interference by the
executive authorities with an individual’s rights should be subject to an
effective control...” [(1979-80) 2 E.H.R.R. 214 at para 55]. Given that most
policing actions will have a basis in law and will invariably satisfy the requirement
of being in pursuit of a legitimate objective (principally, the prevention and detection
of crime), the crux of a case will often be the proportionality of the action under
scrutiny. In Ex p. Kebilene, Lord Hope commented: “... the Convention should
be seen as an expression of fundamental principles rather than a set of mere
rules. The questions which the courts will have to decide in the application
of these principles will involve questions of balance between competing
interests and issues of proportionality.” [R v DPP Ex p. Kebilene (1999) 3
W.L.R. 972 at 994]. The European Court has never sought to give a conclusive
definition of privacy, considering it neither necessary nor desirable. However, in
Niemietz v Germany the Court stated: “Respect for private life must also
comprise to a certain degree the right to establish and develop relationships
with other human beings. There appears, furthermore, to be no reason of
principle why this understanding of the notion of ‘private life’ should be
taken to exclude activities of a professional or business nature since it is,
after all, in the course of their working lives that the majority of people have
a significant, if not the greatest opportunity of developing relationships with
the outside world.” [(1992) 16 E.H.R.R. 97 at para 29].
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


What are the guiding principles for protection of privacy in the European Union?
How has the concept of ‘privacy’ evolved in the UK?
3.5 INTERNATIONAL COVENANT ON CIVIL AND POLITICAL RIGHTS AND OTHER CONVENTIONS
Article 17 of the ICCPR provides for the ‘right of privacy’. Article 12 of the Universal
Declaration of Human Rights, 1948 (UDHR) is in almost similar terms. Article 19(1)
and 19(2) of the ICCPR declare that everyone shall have the right to hold opinions
without interference, and everyone shall have the right to freedom of expression, and
this right shall include freedom to seek, receive and impart information and ideas of all
kinds regardless of frontiers, either orally, in writing or in print, in the form of art or
through any other media of his choice. Similarly, Article 19 of UDHR provides that
everyone has the right to freedom of opinion and expression and this right includes
freedom to hold opinion without interference and to seek, receive and impart
information and ideas through any media and regardless of frontiers. India is a
signatory to the International Covenant on Civil and Political Rights, 1966 (ICCPR).
While interpreting the Constitutional provisions dealing with Fundamental Rights,
Indian Courts take into consideration the principles embodied in international conventions
and instruments and as far as possible give effect to the principles contained in those
instruments.
Let us now summarize the points covered in this unit.

3.6 SUMMARY
● Technology is making it increasingly possible to develop physically non-intrusive
techniques. The use of satellites and other remote monitoring tools has lessened
the need to physically intrude on a person’s privacy.
● Technology cuts both ways and jurisprudence needs to keep up with these changes
to ensure that the use of technology does not spread unchecked.
● In areas other than national security, a system must be put in place so that the
authority that wants to undertake surveillance does not also become the authority
that takes a decision on whether the surveillance is permissible or not.
● Periodic reporting requirements to the authority that sanctioned the surveillance
could be put in place so that the sanctioning authority is aware of whether the
original premise under which the sanction was granted was correct or not.
● In the event a person finds out he/she is the subject of surveillance they need to
have recourse to the courts of law if the surveillance is intruding on their privacy.
● The EU, UK and US have already enacted legislations to afford protection to their
citizens.
● There is a need to ensure that the checks on the misuse of the system keep pace
with change and thereby prevent unjustified intrusions on individuals’ privacy.

3.7 TERMINAL QUESTIONS


1. What is the legislative position on privacy protection in the U.S.? Give examples
of some important legislations which in your opinion are effective.
2. Compare the legislative framework between the U.S. and U.K. and highlight some
major differences in their approach.

3.8 ANSWERS AND HINTS
Self Assessment Questions
1. No, it is not. Interpretations would have to be derived from the Constitutional
Amendments.
2. The European Convention on Human Rights. Through inference, interpretation of
the European Convention and influence of European Court’s jurisprudence.

Terminal Questions
1. Refer to section 3.3 of the unit.
2. Refer to sections 3.3 and 3.4 of the unit.

UNIT 4 PRIVACY RELATED WRONGS AND REMEDIES THEREOF
Structure
4.1 Introduction
4.2 Objectives
4.3 What are Privacy Related Wrongs?
4.4 Tortious Remedies Available for Protection of Privacy
4.5 IT Act and Damages Available under It
4.6 Summary
4.7 Terminal Questions
4.8 Answers and Hints
4.9 References and Suggested Readings

4.1 INTRODUCTION
There are a number of issues related to privacy related crimes. From a purely academic
point of view one of the most important problems is that of classification: when is it a
privacy related crime and when is it a wrong? This difference is important because it
determines which jurisdiction will be applied to the transgression. For cyber crimes, the
jurisdiction of the criminal court will be attracted, while cyber wrongs are civil wrongs and
therefore only civil court remedies will be attracted. Since it is a relatively new field there
are a number of problems with such a classification. For example, in case of fraud,
existing legislation generally seems to be a powerful enough instrument under which to
prosecute. However, problems do arise when trying to apply traditional criminal concepts
to acts involving intangible information.1 This is for the simple reason that
information is not per se property; thus when a machine has been deceived to
obtain property then it is theft, but when a machine has been deceived to obtain a
service then it is not theft2. At this point it would do well to note that the general computer
crimes of fraud, criminal damage, obscenity, forgery, unauthorized access, unauthorized
modification of the contents of the computer, etc. are all bogged down by issues of
forensics, evidence and the basics of criminal prosecution like burden of proof. A very
viable alternative will be the usage of tortious remedies.
Whenever tortious remedies are used, the transgressions can no longer be called crimes;
instead they will have to go by the nomenclature of ‘wrongs’. In this unit we will basically
look at privacy related cyber wrongs. Tortious remedies can in any case be
considered more appropriate for most privacy related issues. Defamation, for example,
is punished by awarding of damages. There are certain basic ways in which common
law remedies are available for the enforcement of privacy rights. One of the ways
offered is that statutes may impose a duty to exercise care for the protection of data
from intruders in certain express terms given in the legislation. Such a standard of care
may also be interpreted by the courts in a tortious action, especially when the statute is
silent as regards civil liability.3
The right of privacy is the government’s tortious remedy that attempts to balance two
opposing interests, of which one is that all individuals have parts of their lives which
should rightfully be allowed to be kept free from public view; and on the other side
there is the issue of significant public value which is there in the dissemination of
information and the right to free speech. The contours of existing privacy law are
efforts by courts and the society to define the proper balance between right to be free
from intrusion into private space of an individual and the right of society to obtain
information about issues of public concern.
The common law sources in this regard are basically related to two questions — whether
a tort duty to safeguard the security of computerised personal data exists and how
ordinary tort principles and fiduciary-duty law can be applied to this purpose.4
At this juncture it is worth remembering that when Warren and Brandeis were
publishing their landmark article, which basically established the right of personal
privacy as an independent cause of action in tort, they were reacting to new technology,
mainly mechanical devices which enabled a number of actors, like the press, to overstep
in every direction the obvious bounds of propriety and of decency. Presently, when we
try to conceptualize action against tort wrongs as regards privacy over the Internet
and cyberspace, it seems that the very same concerns have raised their heads again,
albeit in a different space and time.
However, in India the constitutional remedies available become more important, if
anything, for the simple reason that the enforcement is very simple due to the convenience
of writs. The Supreme Court has in the past read the Right to Privacy in the Right to
Life (this has been discussed elsewhere in other Blocks) and that means there exists a
constitutional right, and thus one can immediately approach the High Courts in this
regard. On the other hand, if one wants to use the law of torts then he will have to go to the
lower civil courts. The enactment of the Information Technology Act (IT Act) has
resolved things to a certain extent, so that some of the tortious remedies have been
incorporated into the provisions of the Act. These provisions are really important for
the reason that the courts in India are generally wary of awarding high damages in tort
cases. Section 43 of the IT Act, on the other hand, allows for the highest amount of
compensation that is available in law in India, and the buzz is that this amount might be
raised even further by the legislators while amending the IT Act.

4.2 OBJECTIVES
After studying this unit, you should be able to:
● differentiate between a privacy related crime and a privacy related wrong;
● define the various kinds of privacy related wrongs; and
● suggest the legal remedies for such privacy related wrongs.

4.3 WHAT ARE PRIVACY RELATED WRONGS?


William Prosser reviewed the court decisions on privacy cases after the Warren-
Brandeis article on privacy and opined that the classes of tort actions in relation
to privacy matters could broadly be classified into four heads, which are all regarded
as different torts. These are –
1. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Commercial appropriation of the plaintiff’s likeness or name.
A brief study of the application of these torts in cyberspace is given below:
● Tort of Intrusion
This tort might happen whenever an individual intentionally pries or intrudes upon another
individual’s private affairs or seclusion in a manner which a reasonable person would
find objectionable if their own affairs were the ones being intruded upon. The initial
act of intrusion is itself the cause of tort, not what
the person later on does with the information so obtained. Thus in cases of photography/
videotaping there is very little chance of proving that there is an intrusion, but in case of
the Internet, the scope is very widespread. This is because the intrusion must be into a
private place or matter as to which a person would have a reasonable expectation of
privacy. Thus this tort consists of three factors—
(i) There was intent to intrude or knowledge that the intrusion would be wrong.
(ii) There was a reasonable expectation of privacy, and
(iii) Intrusion was substantial and highly offensive to a reasonable person.5
With regard to online privacy one finds that there are no strict prohibitions imposed for
using the personal data voluntarily disclosed in an e-mail and other cyberspace
communications. As the channels which are used by ISPs to provide channels of
communication might get tapped, there can be no expectation of privacy in the online
information that the individual volunteers or allows to be accessed unless the individual
is personally using some secure electronic medium.
● Public Disclosure of Private Facts
A public disclosure by an individual of private information about another individual,
which would generally be considered objectionable by a reasonable individual of
ordinary sensibilities, and where the information so revealed was not a matter of public
concern, can be categorised as a tort in this context. The public disclosure of private
facts requires that the facts must be private and that the communication must be to a
significant portion of the community. Thus facts which were already in the public domain or
parted with voluntarily, or where consent was obtained, will not attract this tort.
● False Light Publicity
Whenever an individual publishes facts about another such that the other individual is
represented falsely in the public domain and such that if the individual who is represented
thus were to be a reasonable individual then he would be offended, then this wrong is
committed. However the exception to this rule laid down by the US Supreme Court is
that where the published matter is in the public interest, the plaintiff cannot recover
unless it is established that the defendant has acted with actual malice. This tort is
generally associated with the tort of defamation and involves making false connections
between an individual and immoral, illegal or embarrassing situations which might result
in an injury to one’s reputation.
● Appropriation
The tort of appropriation occurs when an individual uses another individual’s name or
likeness without authorization and for the individual’s own commercial or business
purposes. The appropriation right generally allows for two theories of recovery — one,
in case of celebrities there is focus on a reasonable value of the usage rights and that the
other individual should not profit from the unauthorized use; two, in cases of a private
individual, damages will be sought on basis of the emotional harm that use of his image
has caused to him.6 This difference exists because in case of a celebrity, the subject’s
likeness has commercial value, whereas a private individual’s does not.
These four are the major wrongs associated with privacy. Other than these there can be
some other tort based actions also for the safeguarding of information. In the US there has
been judicial recognition of a database possessor’s duty to safeguard information from
intruders.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 5 Min.


(a) What are the four main privacy related wrongs?
(b) What is a specific privacy related wrong which has surfaced specifically in the
cyber law context?

4.4 TORTIOUS REMEDIES AVAILABLE FOR PROTECTION OF PRIVACY
● Tort of Intrusion
The leading case in this regard was Katz v. United States [389 U.S. 347 (1967)], and
when the law laid down in it is applied to online privacy one finds that there are
no strict prohibitions imposed on using the personal information we voluntarily disclose
in an e-mail and other cyberspace communications. Because the channels which are used
by ISPs to provide communication are easily tapped, there can be no
expectation of privacy in the online information that the user himself volunteers or allows
to be accessed unless the user is himself using some secure system. According to some,
where the unauthorized or unjustified access by an employer of an employee’s online
communications results in an invasion of privacy, this tort provides probably the best
remedy, especially because monitoring telephone or e-mail messages without justification
or consent would probably outrage the conscience of a reasonable person, which is an
essential ingredient of this tort. However, in Michael A. Smyth v. Pillsbury Company
[914 F. Supp. 97 (E.D. Pa. 1996)] the court held that no reasonable person would hold
such monitoring of e-mail systems to be a highly offensive intrusion upon an employee’s
privacy, considering that it is workplace e-mail and that there are other considerations,
such as the company’s own interests regarding inappropriate or unprofessional comments.
See Michael L. Rustad, Sandra R. Paulsson, Monitoring Employee E-mail and Internet Usage:
Avoiding the Omniscient Electronic Sweatshop: Insights from Europe, 7 U. Pa. J. Lab.
& Emp. L. 829 for further reference.
● False Light Publicity
It is interesting to note that this tort has not been used much for enforcing privacy rights
in cyberspace. Even though cyber defamation is not unheard of, it is often classified as a
crime rather than a wrong.
● Public Disclosure of Private Facts
In the cyber context this often does not apply to information parted with online, as in most
instances parties have to give their consent by click-contract to the ISPs/companies operating
online. This information then remains stored in their online database and can be used for
a number of purposes. See Gerald R. Ferrera et al., Cyber Law (Ohio: West-Thomson
Learning, 2001) page 192 for further reference.
● Appropriation
Many problems arise in considering online spaces such as online newsletters and websites
as news disseminators (news disseminators are allowed, under the First Amendment,
which states that “…. Congress shall make no law respecting an establishment of
religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or
of the press; or the right of the people peaceably to assemble, and to petition the
government for a redress of grievances”, the exception of incidental use to publicize and to
make public their own communications).
In Howard Stern v Delphi Services Corporation [165 Misc. 2d 21, 626 N.Y.S. 2d
694 (N.Y. Sup Ct. 1995)] a very similar problem arose. Stern had announced his
candidature for Governor of the State of New York, and then an ad appeared for
Delphi Services’ online bulletin board, which was supposed to discuss this candidature.
Stern contended that his image was used for the advertisement without his
permission. The court held that the online bulletin board is a news disseminator and
that the use of Stern’s name and photograph is permitted, as news disseminators are
allowed to inform the public of the nature of their service; it is therefore covered by the
exception of incidental use.
● Database Possessor’s Duty of Care
In this regard, two landmark cases offer guidance: Palsgraf v Long Island
Railroad Co. [162 N.E. 99 (N.Y. 1928)] and Kline v 1500 Massachusetts Avenue
Apartment Corp [439 F.2d 477 (D.C. Cir. 1970)]. These cases are the pillars of
American tort law and set down the basic rule of duty: the risk reasonably to be
perceived defines the duty to be obeyed, and risk imports relation; it is risk to
another or to others within the range of apprehension. The question is
whether, from the standpoint of database possessors, there is a ‘risk reasonably to be
perceived’ to data subjects if data is not protected from unauthorized intrusion. In most
situations (where hackers can access data via the Internet), the answer is yes. The risk
is entirely foreseeable and a threat to the interests of data subjects is ‘within the range of
apprehension’.
Therefore the first impression, at least, is that the basic rule in Palsgraf
suggests that database possessors should often have a duty to exercise reasonable care
to protect data from intruders. In Palsgraf there was no threat of criminal intimidation.
That situation is covered by the court’s decision in Kline, where the landlord was supposed
to take the precautions available to him in order to take care of the
common areas in a property when there was generally a threat of usage of criminal
force in those areas.
The subjects whose personal information has been collected are in no position to put
protective mechanisms in place to protect the information that has been collected from
them earlier. In fact the possessor of data is the only one in the situation who can adopt
certain safeguards against the risk that the intruders may cause harm, which puts him in
the position of Kline’s landlord. Like the landlord he can charge for the information
from the subjects whose information he is trying to protect. Here the catch is the
relationship which the plaintiff and the defendant share. This is because
duty often depends upon more than foreseeability of harm and opportunity to take
precautions—it depends sometimes on a special linkage between the party who
owes the duty and the one who receives its benefit. For liability on the basis of a charge
of negligence, there should be a relationship which in law leads to a responsibility
upon the parties. Thus such a duty of care as regards data seems to be very high in
cases in which both parties are in business with each other. So how does this principle
fare in cases in which the privacy of personal information, not business secrets, is the
main issue?
In the absence of a business relationship, in most situations where a person gets
access to personal information there is a voluntary assumption of duty by the possessor
of such information. For example, in most cases of financial service providers, like
banks, there is a privacy policy which clearly states that such information will be
carefully used and protected and never be used for any purpose other than that for which
it was supplied in the first instance. The same logic applies to almost all websites which
collect information. All such practices give rise to a reasonable duty of care to be
exercised, and in case this duty is not exercised it shall be treated as a wrong against the
person and shall be actionable in law.
In negligence cases whenever an undertaking has been given, the economic losses will
not be compensated according to the Restatement of Torts in the US [Restatement
(Second) of Torts 652A-E (1997)], rather only the losses on the basis of personal
injury or injury to property resulting from the lack of care being exercised shall be
covered. Thus the economic losses from the identity theft cannot be recovered. The
principle of law in this regard is robbed of most of its sting, but then this always has
been a limitation of tort law or law based on wrongs committed. This is the borderline
of tort and contract law; the economic loss rule ensures that a limit is placed on claims,
especially in a case in which the wrong committed could have affected a potentially
economically beneficial contract or similar business. For further details, please refer to
Vincent R. Johnson, Cyber security, Identity Theft, and the Limits of Tort Liability,
57 S.C. L. Rev. 255.
“Hackers and other data intruders are subject to criminal and civil liability. Victims may
sue, sometimes successfully, under a variety of tort theories, including conversion,
trespass to chattels, and intrusion upon private affairs, as well as under the civil liability
provisions of the federal Computer Fraud and Abuse Act.”7 The law of tort wrongs is
the basic law and the fact that it can be metamorphosed to deal with new technologies
is a testament to its potency. In fact newer torts are being proposed to deal with new
cyberspace issues. For example, a new tort of negligent enablement, which will hold
software vendors accountable for defective products and services that pave the way
for third party cyber criminals who exploit known vulnerabilities, is being proposed8.
In Patrick v Union State Bank, 681 So. 2d 1364, 1371-72 (Ala. 1996) a variation of
the negligent enablement was defined as “negligent enablement of imposter fraud is a
narrowly framed cause of action that applies when the victim’s identity theft losses
result from a financial institution’s negligence in assisting or furthering an identity thief’s
efforts at stealing the victim’s identity” (The Negligent Enablement of Imposter Fraud:
A Common-Sense Common Law Claim by Heather M. Howard). This tort would
help in providing relief for credit card frauds etc., which have become a recurrent nuisance
and cause of great loss both to individuals and financial organizations. This continual
evolution makes this law very useful in redressing many of the wrongs which may be
committed in cyberspace, especially with respect to privacy, as privacy traditionally has
been a sphere where tort law has provided efficacious remedies.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 4 Min.


Which privacy related wrongs have been examined and adjudicated upon in a
court of law?

4.5 IT ACT AND DAMAGES AVAILABLE UNDER IT


Section 43 of the IT Act deals with anyone who accesses a computer, computer
system or computer network without the permission of its owner or the person/entity in
charge and copies, deletes, downloads, damages or disrupts data or the computer system or
network. The actual damage caused to the victim in such cases would be immense, and therefore
this provision tries to provide monetary relief for such aggrieved parties.
Like other torts, some of the actions that are provided in the section also have criminal
liability attached to them. There are eight different conditions in which this section
might get attracted and the most important issue is that in all the situations, the person
must have committed the action without the permission of the owner of the computer
system or network. However, one disadvantage of using this provision is that it is
mostly related to offences which are similar to hacking i.e. unauthorized intrusions
into a computer system. On the other hand the other provisions in the same act deal
with a number of fraudulent transactions and they have severe fines along with
imprisonment provisions, but in those provisions, the affected person does not obtain
any monetary relief as the fines do not provide any financial compensation and therefore
this Section becomes important for providing a civil remedy for wrongs committed under
the IT Act.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What are the damages available for the privacy related wrongs in India?

Let us now summarize the points covered in this unit.

4.6 SUMMARY
● There are a number of issues related to privacy related crimes. From a purely
academic point of view one of the most important problems is that of classification
—when is it a privacy related crime and when is it a wrong?
● For cyber crimes, the jurisdiction of criminal court will be attracted while cyber
wrongs are civil wrongs and therefore only civil court remedies will be attracted.
Since it is a relatively new field, there are a number of problems with such a
classification.
● There are certain basic ways in which common law remedies are available for the
enforcement of privacy rights. One of the ways offered is that statutes may impose
a duty to exercise care for the protection of data from intruders in certain express
terms given in the legislation.
● Classes of tort actions in relation to privacy matters can be broadly classified
into four heads:
● Tort of Intrusion
● Public Disclosure of Private Facts
● False Light Publicity
● Appropriation
● Tort of Intrusion: No strict prohibitions are imposed for using the personal information
we voluntarily disclose in an e-mail and other cyberspace communications. This
tort provides probably the best remedy, especially because monitoring telephone
or e-mail messages without justification or consent would probably outrage the
conscience of a reasonable person, which is an essential ingredient of this tort.
● False Light Publicity: This tort has not been used much for enforcing privacy rights
in cyberspace even though cyber defamation is not unheard of, it is often classified
as a crime rather than a wrong.
● Public Disclosure of Private Facts: It does not apply to information parted with online,
as in most instances parties have to give their consent by click-contract to the ISPs/companies
operating online. This information then remains stored in their online databases
and can be used for a number of purposes.
● Appropriation: Many problems arise while considering online spaces such as online
newsletters and websites as news disseminators. In Howard Stern v Delphi Services
Corporation, the court held that the online bulletin board is a news disseminator
and that the use of Stern’s name and photograph is permitted, as news disseminators are
allowed to inform the public of the nature of their service; it is therefore
covered by the exception of incidental use.
● Database Possessor’s Duty of Care: Palsgraf v Long Island Railroad Co. and
Kline v. 1500 Massachusetts Avenue Apartment Corp are the cases which are
the pillars of American tort law and set down the basic rule of duty.
● In negligence cases whenever an undertaking has been given, the economic losses
will not be compensated according to the Restatement of Torts in the US.

4.7 TERMINAL QUESTIONS


1. What is the difference between a wrong and a crime?
2. What are the tort remedies available for protection of privacy?
3. Can tort law be used to ensure protection of information that has been stored in
databases? (Especially when consent has been given when information was
acquired.)
4. How far does the IT Act provide a viable civil remedy for privacy related wrongs?

4.8 ANSWERS AND HINTS


Self Assessment Questions
1. (a) Four main privacy related wrongs are:
(a) Tort of Intrusion
(b) Public Disclosure of Private Facts
(c) False Light Publicity
(d) Appropriation
(b) Database possessor’s duty of care is a specific privacy related wrong which
has surfaced specifically in the cyber law context.
2. Tort of intrusion and appropriation
3. Under section 43 of the IT Act, the monetary relief is provided to the aggrieved
party. However, as is the case with the other torts, some of the actions
provided under this section also attract criminal liability.
Terminal Questions
1. Refer to section 4.1 of the unit.
2. Refer to section 4.4 of the unit.
3. Refer to section 4.4 of the unit.
4. Refer to section 4.5 of the unit.

4.9 REFERENCES AND SUGGESTED READINGS
1. Chris Reed, John Angel. Computer Law. New Delhi: Universal Law Publishing, 2002: 279.
2. Ibid.
3. Vincent R. Johnson. “Cyber Security, Identity Theft, and the Limits of Tort Liability”. S.C.L. Rev 57: 255.
4. Ibid.
5. William L. Prosser. “Privacy”. Cal. L. Rev 48 (1960): 393.
6. Joseph Siprut. “Privacy through Anonymity: An Economic Argument for Expanding the Right of Privacy in Public Places”. Pepp. L. Rev 33: 311.
7. Supra n 3.
8. Michael L. Rustad, Thomas H. Koenig. “The Tort of Negligent Enablement of Cybercrime”. Berkeley Tech. L.J 20: 1553.


UNIT 5 THE CONCEPT OF SECURITY IN CYBERSPACE
Structure
5.1 Introduction
5.2 Objectives
5.3 Cyberspace – Why is it not Secure?
5.4 Why Should We Secure Cyberspace?
5.5 Security Challenges in Cyberspace
5.5.1 Hacking
5.5.2 Child Pornography
5.5.3 Cyber Stalking
5.5.4 Denial of Service
5.5.5 Dissemination of Malicious Software (Malware)
5.5.6 Phishing
5.5.7 Information Warfare
5.5.8 Data related
5.5.9 Network Related
5.6 The Concept of Cyber Security
5.6.1 Technology’s Answers to Cyber Security
5.6.2 Cyber Security and Law
5.7 Computer Related or Computer Facilitated Crime
5.8 Application of Basic Criminal law Concepts
5.9 Summary
5.10 Terminal Questions
5.11 Answers and Hints
5.12 References and Suggested Readings

5.1 INTRODUCTION
It will be interesting for us to understand the meaning of ‘cyberspace’ before addressing
issues concerning its security.
The word ‘cyberspace’ was coined by William Gibson, a Canadian science fiction
writer, in 1982 in his novelette ‘Burning Chrome’ in Omni magazine, and was
subsequently popularised in his novel Neuromancer.
Cyberspace should not be confused with the ‘internet’. The internet is the
interconnection between millions of computers located around the world, each of them
independently managed by persons who have chosen to adhere to common
communications protocols, particularly a fundamental protocol suite known as
Transmission Control Protocol/Internet Protocol (TCP/IP), which makes it practical
for computers to share data even if they are far apart and have no direct line of
communication. The term ‘cyberspace’, by contrast, is often used simply to refer to objects and
identities that exist largely within the computing network itself, so that a web site, for
example, might be metaphorically said to ‘exist in cyberspace’. According to this
interpretation, events taking place on the internet are not therefore happening in the
countries where the participants or the servers are physically located, but ‘in cyberspace’.
When we sit in front of a computer and switch it on, something like magic happens
before us; if we are correctly connected we can bring up an environment of hypertext
with a click of the mouse. It feels as though, behind the screen, there is a potentially very
huge reservoir of information that is always in the making. Such a reservoir is somewhere,
out there. We are certainly aware that the people who generate information, and the places
wherein information resides, are not behind the screen or in the hard drive, but we
nevertheless take the computer as a gateway to another place where other people have
done similar things. Conceptually, we tend to envision a nonphysical ‘space’ existing
between here and there, and believe that we can access that ‘space’ by utilizing
computer-based technologies. We send messages to others by e-mail, or talk to others
in a chat room. We play an online interactive game as if our opponent (in the game) is
right before us, though invisible. By participating in an on-line teleconference, we
experience the presence of other conference participants. But where are we? Where
are the others with whom we communicate? We seem to communicate in a medium
that is not defined, yet there is a sense of spatiality. Usually, we call this medium ‘cyberspace’,
the ‘space’ that seems to open up or shut down as the computer screen is activated or
deactivated.

5.2 OBJECTIVES
After studying this unit, you should be able to:
● know the meaning of ‘cyberspace’;
● know the reasons for security concerns in cyberspace;
● explain the need to secure cyberspace;
● describe the specific security challenges to cyberspace;
● explain the concept of Cyber Security; and
● know the distinction between computer related and computer facilitated crime.

5.3 CYBERSPACE – WHY IS IT NOT SECURE?


The TCP/IP protocol suite makes the internet possible. Its most important feature is
that it defines a packet-switching network, a method by which data can be broken up
into standardised packets that are then routed to their destinations via an indeterminate
number of intermediaries. Under TCP/IP, as each intermediary receives a packet
intended for a party further away, the packet is forwarded along whatever route is most
convenient at the nanosecond the data arrives. So in simple terms, if you desire to
deliver a package to a friend, instead of sending it as one whole piece, you send parts
of the package through many people who are heading in the direction of the recipient.
If one such person carrying part of the package meets another person who is heading
to meet the recipient, then this person hands over his parts to the other person, and
eventually all the parts reach the recipient. In this model you can see some level of confusion.
The package goes all over space before it reaches its final destination; it also
changes hands along the way.
Another reason for insecurity associated with cyberspace is its end-to-end design. The
network is designed in a manner that any form of intelligence, including security interfaces,
is placed only at the ‘ends’. You may call these interfaces firewalls, filters, spam
killers, diluters, etc. With end-to-end design, the network has minimal control or intelligence
to intercept the manner of its usage. Computers within the network are only required to
provide the most basic level of service: data transport via the TCP/IP protocols. The
network itself is kept simple, incapable of discrimination. Without intelligence embedded
in the network, all packets that conform to the protocol are transmitted, regardless of
content, regardless of intent, and without any knowledge (or care) of what types of
applications or people are utilizing the packets on the ends of the network.
Further, the Internet is not controlled by a single company or agency. The only
organization that exerts some level of monitoring of the internet is an international,
unincorporated organization called the Internet Engineering Task Force (IETF). A primary
activity of the IETF is internet standard-setting. The Internet Standards Process (ISP)
is concerned with all protocols, procedures, and conventions that are used in or by the
Internet, including the TCP/IP protocol suite.
The technology (packet-switching protocols), the end-to-end network design and the
impossibility of centralized control give computer networks, or cyberspace, an anarchic
ethos. The endeavour is to bring sublimity to the confusion and then, over a period of
time, instill control that will assume some checks and provide security to the “network”.
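
The packet-switching and end-to-end model described in this section, as an added example that is not part of the original unit: a toy Python simulation in which intermediaries forward any well-formed packet without looking at its content, so an altered packet is delivered like any other and only a check placed at the ends (here an HMAC tag) notices the change. It is not real TCP/IP; every name, the key and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass, replace

# Toy model only: real TCP/IP headers, routing and retransmission are far richer.
PACKET_SIZE = 8                        # payload bytes per packet (constructed value)
SHARED_KEY = b"constructed-demo-key"   # known only to the two end points


@dataclass(frozen=True)
class Packet:
    seq: int        # position of this fragment in the original message
    total: int      # number of fragments the receiver should expect
    payload: bytes


def packetize(message: bytes, size: int = PACKET_SIZE) -> list[Packet]:
    """Sender side: break the message into standardised packets."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [Packet(seq, len(chunks), chunk) for seq, chunk in enumerate(chunks)]


def conforms(packet: Packet) -> bool:
    """The only question an intermediary asks: is the packet well-formed?"""
    return 0 <= packet.seq < packet.total and 0 < len(packet.payload) <= PACKET_SIZE


def network(packets, rng, on_path=None):
    """Forward each packet independently over a route of random length.

    Intermediaries never look at content or intent. `on_path` models one
    intermediary that can read or alter what it relays.
    Returns the packets in arrival order and the hop count of each.
    """
    in_flight = []
    for packet in packets:
        hops = rng.randint(2, 6)           # whichever route was convenient
        if on_path is not None:
            packet = on_path(packet)
        if conforms(packet):               # content-blind forwarding decision
            in_flight.append((hops, rng.random(), packet))
    in_flight.sort(key=lambda item: item[:2])   # fewer hops arrive first
    return [p for _, _, p in in_flight], [h for h, _, _ in in_flight]


def reassemble(packets) -> bytes:
    """Receiver side: restore the original order, whatever order they came in."""
    ordered = sorted(packets, key=lambda p: p.seq)
    if not ordered or len(ordered) != ordered[0].total:
        raise ValueError("missing fragments")
    return b"".join(p.payload for p in ordered)


def seal(message: bytes) -> bytes:
    """End-point control: append an HMAC-SHA256 tag before sending."""
    return message + hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


def open_sealed(data: bytes) -> bytes:
    """End-point control: verify the tag and reject anything altered in transit."""
    message, tag = data[:-32], data[-32:]
    expected = hmac.new(SHARED_KEY, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return message


def tamper_first(packet: Packet) -> Packet:
    """Constructed on-path change: flip one bit in fragment 0."""
    if packet.seq != 0:
        return packet
    return replace(packet, payload=bytes([packet.payload[0] ^ 0x01]) + packet.payload[1:])


def demo(seed: int = 7):
    message = b"Pay 100 rupees to account 12345"   # constructed sample
    rng = random.Random(seed)
    # 1. No end-point control: the altered message is delivered as if genuine.
    arrived, hops = network(packetize(message), rng, on_path=tamper_first)
    unprotected = reassemble(arrived)
    # 2. Same network, but the ends add and verify an integrity tag.
    arrived, _ = network(packetize(seal(message)), rng, on_path=tamper_first)
    try:
        open_sealed(reassemble(arrived))
        detected = False
    except ValueError:
        detected = True
    # 3. Untampered path: out-of-order arrival is repaired by the receiver.
    arrived, _ = network(packetize(seal(message)), rng)
    clean = open_sealed(reassemble(arrived))
    return unprotected, detected, clean, [p.seq for p in arrived], hops


if __name__ == "__main__":
    print(demo())
```

The network behaves identically in all three runs; the difference between accepting and rejecting the altered message comes entirely from what the two ends choose to do.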
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 4 Min.


What are the three main reasons contributing to the lack of security in cyberspace?

5.4 WHY SHOULD WE SECURE CYBERSPACE?


Societies are becoming more dependent on computer networks and therefore more
vulnerable to cyber crime and terrorism. Increasing traffic of commerce and trade in
cyberspace is adding to its woes of being a target of creative misuse. Creative misuse,
because each day something new is created, or someone new is creating some software
or intermediary, to vandalise or penetrate into cyberspace to perpetrate fraud or disrupt
the transmission of information and data. Hackers find thrill in penetrating networks and
destroying data, while terrorists could purposely disrupt the critical infrastructures that
are dependent on networked computers. Electronic communication and transmission
of data is still not secure, while consumers hesitate to disclose personal and credit
card data on the internet, with security and privacy being their primary concern. Businesses
face loss of proprietary data, intellectual property and online access to customers and
suppliers due to security breaches and intentional service interruptions. In order for
‘cyberspace’ to contribute to economic growth, human development and
democratisation, it must be trustworthy and secure. Lack of trust and security
jeopardises development goals that could be supported by a trusted cyberspace.
Securing cyberspace is by no means an easy task. Its universal spread, across all nations
without the barriers of sovereign controls, makes the challenge of monitoring cyberspace
even more difficult. It will be impossible to secure cyberspace through law without the
application of technology and the participation of every individual who accesses cyberspace.
The United States Government, while implementing its National Strategy to Secure
Cyberspace, observes that cyberspace by its very nature is chaotic and beyond the reach of
any organized or central control.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


What are the specific losses that businesses face on account of an unsecure
cyberspace?

5.5 SECURITY CHALLENGES IN CYBERSPACE


As discussed earlier, cyberspace faces a constant threat of creative misuse. How does
one minimize this threat? The best way to begin is by being aware of the kinds
of cyber threats and then to use this awareness to find means of controlling the violations.
This process, that is, identifying the threats and then adequately protecting
against them, is, as you will see, an ongoing process of legislation, technological innovation
and co-operation: amongst users at the micro level and amongst nations at the
macro level. Cyber crimes consist of specific crimes dealing with computers and
networks, such as hacking and phishing, and the facilitation of traditional crime through the
use of computers (child pornography, hate crimes, telemarketing/internet fraud). In
addition to cyber crime there is also computer supported crime, which covers the use of
computers by criminals for communication and data storage. A brief introduction to
some common cyber related violations, or cyber crimes as they are more commonly
referred to, is given below:

5.5.1 Hacking
Hacking in simple terms means an illegal intrusion into a computer system and/or
network. There is an equivalent term to hacking, i.e. cracking, but from the Indian legal
perspective there is no difference between the terms hacking and cracking. Every act
committed towards breaking into a computer and/or network is hacking. Hackers write
or use ready-made computer programs to attack the target computer. Some hackers
hack for personal monetary gains, such as for stealing credit card information or
transferring money from various bank accounts to their own followed by withdrawal of
money. They also indulge in extortion based on information received while hacking a
particular network or computer system.

5.5.2 Child Pornography


The Internet is extensively used for sexual abuse of children. As more homes have
access to the internet, more children are accessing it, and this enhances their vulnerability to
falling victim to the aggression of paedophiles.
Easy access to pornographic content, readily and freely available over the internet, lowers the
inhibitions of children. Paedophiles lure children by distributing pornographic
material and then pursue them for sexual exploitation. Sometimes paedophiles contact
children in chat rooms posing as teenagers or children of similar age; they win the
confidence of these children, then induce them into sexually provocative discussions.
Then begins the actual exploitation of children.

5.5.3 Cyber Stalking


There is no universally accepted definition of cyberstalking; the term is used to refer to
the use of the internet, e-mail, or other electronic communications devices to stalk
another person. Stalking generally involves harassing or threatening behaviour that an
individual engages in repeatedly, such as following a person, appearing at a person’s
home or place of business, making harassing phone calls, leaving written messages or
objects, or vandalising a person’s property. Most stalking laws require that the perpetrator
make a credible threat of violence against the victim; others include threats against the
victim’s immediate family; and still others require only that the alleged stalker’s course
of conduct constitute an implied threat.
Cyber stalking can be defined as the repeated acts of harassment or threatening behaviour
of the cyber criminal towards the victim by using internet services. The modus operandi
of most stalkers is as follows:
a. Collect personal information about the victim. If the stalker is a stranger to the victim,
he collects the information from internet resources such as various profiles the
victim may have filled in while opening a chat or e-mail account or while signing up for an
account with some website.
b. The stalker may post information on any website related to sex-services or dating
services, posing as if the victim is posting this information, and invite people to
call the victim on her telephone to obtain sexual services.
c. Some stalkers subscribe the e-mail account of the victim to innumerable
pornographic and sex sites, because of which the victim starts receiving indecent
soliciting e-mails.
d. Some stalkers send repeated e-mails asking for various kinds of favours or
threaten the victim.

5.5.4 Denial of Service


This is a technology driven cyber intrusion, whereby the perpetrator floods the bandwidth
or blocks the user’s mail with spam mails, depriving the user of access to the Internet and
the services provided therefrom. A DoS attack (as it is commonly known) can be
perpetrated in a number of ways. There are three basic types of attack:
a. consumption of computational resources, such as bandwidth, disk space, or central
processing unit (CPU) time;
b. disruption of configuration information, such as routing information; and
c. disruption of physical network components.

5.5.5 Dissemination of Malicious Software (Malware)


Malware is defined as software designed to perform an unwanted illegal act via the
computer network. It is also loosely defined as software with malicious intent. Malware
can be classified based on how it gets executed, how it spreads, and/or what it
does. Some types are discussed below.
a) Virus
The term “computer virus” was first used by Fred Cohen in 1983 in his Ph.D. thesis.
A virus is a program that can infect other programs by modifying them to include a
possibly evolved copy of itself. A virus can spread throughout a computer or network
using the authorization of every user using it to infect their programs. Every program so
infected may also act as a virus and thus the infection grows. Viruses normally affect
program files, but in some cases they also affect data files, disrupting the use of data
and destroying them completely.
b) Worms
Worms are also disseminated through computer networks. Unlike viruses, computer
worms are malicious programs that copy themselves from system to system, rather
than infiltrating legitimate files. For example, a mass mailing e-mail worm is a worm that
sends copies of itself via e-mail. A network worm, on the other hand, makes copies of
itself throughout a network, thus disrupting an entire network.
c) Trojans
A Trojan is another form of malware. Trojans do things other than what is expected by the
user. A Trojan or Trojan horse is a program that generally impairs the security of a system.
The program is usually disguised as something else (a benign program) or is masqueraded
as a legitimate file that the user would expect to see, or want to load, on the system. The
payload of a Trojan is usually delivered as soon as it is opened and usually with devastating
results. Trojans are used to create back-doors (a program that allows outside access
into a secure network) on computers belonging to a secure network so that a hacker
can have access to the secure network. Also, most often Trojans are associated with
remote access programs that perform illicit operations such as password stealing or
which allow compromised machines to be used for targeted denial of service.
d) Hoax
Hoax is an e-mail that warns the user of a certain system that is harming the computer.
The message thereafter instructs the user to run a procedure (most often in the form of
a download) to correct the harming system. When this program is run, it invades the
system and deletes an important file.
e) Spyware
Spyware invades a computer and, as its name implies, monitors a user’s activities without
consent. Spyware is usually forwarded through unsuspicious e-mails with bona fide
e-mail IDs. Spyware continues to infect millions of computers globally.

5.5.6 Phishing

Phishers lure users to a phony web site, usually by sending them an authentic appearing
e-mail. Once at the fake site, users are tricked into divulging a variety of private
information, such as passwords and account numbers.

5.5.7 Information Warfare


Information warfare is a kind of warfare where information and attacks on information
and its systems are used as a tool of warfare. Information warfare may include giving the
enemy propaganda to convince them to give up, and denying them information that
might lead to their resistance. Information warfare may also include feeding propaganda
or even disinformation to one’s own population, either to build support for the war
effort or to counter enemy propaganda.
Information warfare may also mean a strategy for undermining an enemy’s data and
information systems, while defending and leveraging one’s own information edge. This
type of war has no front line; potential battlefields are anywhere networked systems
can be accessed: oil and gas pipelines, electric power grids, telephone switching networks,
etc.
Information warfare can take countless forms: trains and planes can be misrouted and
caused to collide, stock exchanges can be sabotaged by electronic “sniffers” which
disrupt international fund-transfer networks, and the signals of television and radio stations
can be jammed and taken over and used for a misinformation campaign.
During the Gulf War, Dutch crackers stole information about U.S. troop movements
from U.S. Defence Department computers and tried to sell it to the Iraqis, who thought
it was a hoax and turned it down. In January 1999, U.S. Air Intelligence computers
were hit by a coordinated attack, part of which appeared to come from Russian cracking.

5.5.8 Data Related


Data interception - Hijacking e-mails, interference of an intermediary in the network,
may be a prelude to another type of computer crime, typically data modification.
Data modification - Usually done in conjunction with data interception: valid data
intended for a recipient is hijacked or intercepted and then replaced with erroneous
data. This could also apply to illegally tapping into a database and altering its contents.
Basically, any form of alteration without appropriate authorization falls under this
category.
Data theft - outright stealing of most commonly classified or proprietary information
without authorization. This could be the result of data interception. It might also be the
unlawful use or possession of copyrighted works such as songs, pictures, movies or
other works of art.

5.5.9 Network Related


Network interference - any activity that causes the operation of a computer network
to be temporarily disrupted. Interference implies something momentary, such as Denial
of Service Attacks that cause delays in data transmission by using up all available
bandwidth. Distributed denial of service, ping of death and smurf attacks also fall under
this category.
Network sabotage - causing permanent damage to a computer network such as deleting
files or records from storage.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 4 Min.


(a) What are the major security challenges in cyberspace?
.................................................................................................................
.................................................................................................................
.................................................................................................................
.................................................................................................................
(b) What are the forms of data related threat in cyberspace?
.................................................................................................................
.................................................................................................................
.................................................................................................................
.................................................................................................................

5.6 THE CONCEPT OF CYBER SECURITY


As discussed above, securing cyberspace and ensuring adequate legal and technological
protection is a collaborative effort between users (including nations) and technology.
Technological innovations focused on minimizing cyber crimes should be backed by
substantial legislations. Hence, cyber security rests on two pillars: (i) technological
innovations and their application by end users; and (ii) legislations against cyber crimes.
Many are of the opinion that technology alone will be sufficient to secure cyberspace,
but in the arena of social engineering, where any criminal act, or even its attempt, requires
to be legally addressed for social stability, having strict legislations in place against
cyber interference is absolutely essential.

5.6.1 Technology’s Answers to Cyber Security


The technology market today is booming with all types of security tools, software,
hardware locks, etc. Innovation is positive. But is technology alone sufficient to secure
cyberspace, without co-operation amongst its users? The answer is no. As discussed
earlier, the internet is based on an end-to-end technology. So maximum control and
observation may be applied at the two ends with a fair amount of control and observation
in the medium. There are four types of technologies that may be applied for cyber
security. When I speak of technologies I am not referring to tools.

i) Unilateral Technology

Unilateral technologies are technologies that each user can decide upon for themselves.
Therefore, neither coordination nor negotiation is needed concerning their use. Important
unilateral technologies for multilateral security are:
● Tools to help even inexperienced users to formulate all their protection goals, if
necessary for each and every application or even each and every action;
● (Portable) devices which are secure for their users in order to bootstrap security.
The devices need at a minimum physical protection comprising direct input/output
with their users and, if they are multipurpose, an operating system providing
fine-grained access control and administration of rights for applications, adhering to
the principle of least privilege. This is essential to limit the spread of Trojan horses,
and can prevent computer viruses completely;
● Encryption of local storage media to conceal and/or authenticate its contents;
● Hiding of secret data in local multimedia contents or in the local file system using
steganographic techniques, not only to conceal the contents of the secret data, but
also its very existence;
● Watermarking or fingerprinting digital data using steganographic techniques
to help prove authorship or copyright infringements; and
● Using only software whose source code is published and well checked or the
security of which is certified by a trustworthy third party having access to the
complete source code and all tools used for code generation. The best technique
is to combine both approaches with regard to as much of the software as possible.
It is only by using at least one of these two approaches that you can be reasonably
certain that the software you use does not contain Trojan horses. More or less the
same applies to hardware where all sources and tools used for design and
production are needed as well to check for the absence of Trojan horses.
ii) Bilateral Technologies
Bilateral technologies can only be used if the communication partners cooperate. This
means that some coordination and negotiation is needed concerning their use. Bilateral
technologies include tools for negotiating security mechanisms and cryptographic and
steganographic mechanisms for securing content.
Important bilateral technologies for multilateral security are:
● Tools to negotiate bilateral protection goals and security mechanisms.
● Cryptographic mechanisms and steganography mechanisms to secure the
communication content.
iii) Trilateral Technologies
Trilateral technologies can only be used if a third party is involved to fulfill a specific task
for the other participating parties. This means that more coordination and negotiation is
needed concerning their use compared with unilateral – and in most cases as well,
bilateral – technologies. Important trilateral technologies for multilateral security are:
● Tools to negotiate trilateral security mechanisms, e.g. for accountability;
● To provide an access infrastructure, whereby the users use certain access parameters
while transmitting data. Users will have the liberty to change the access tools to
prevent data interception;
● Security gateways provided by third parties are gaining popularity. Security
gateways are provided in the internet to facilitate limited access to participating
users only. This is often used by users for exchange of confidential information at a
pre-determined secured gateway; and
● Mechanisms to provide for digital pseudonyms, i.e. a suitable combination of
anonymity and accountability. In particular, there are mechanisms to securely transfer
signatures between different pseudonyms of the same party. This is called transferring
signatures between pseudonyms.
When pseudonyms are used during accountable value exchange, there are a number of
possibilities for the tasks of the integrated third party:
● Identification of the user in event of fraud (pseudonyms are certified and the
certification authority knows real identities), i.e. privacy of pseudonymous parties
cannot be guaranteed.
● Mandatory deposit of payment with an active trustee to prevent fraud in spite of
completely anonymous pseudonyms, i.e. privacy of the pseudonymous parties
can be guaranteed.
Trilateral security technologies include public key infrastructure techniques which can
use certified public keys, security gateways, and digital pseudonyms.
iv) Multilateral Technologies
Multilateral technologies can only be used if a large number of independent parties
cooperate. This means that coordination and possibly negotiation are needed on a
large scale. Important multilateral technologies for multilateral security are:
● Tools to negotiate multilateral protection goals and security mechanisms, e.g. for
anonymity and unobservability.
● Mechanisms to provide anonymity, unobservability, and unlinkability with regard
to communications, i.e. protect who communicates when to whom and from where
to where.

5.6.2 Cybersecurity and Law


Most countries are still unaware of the potential threats of cyber crime and are yet to
come up with any guidelines, let alone legislations.
Every nation, as part of the legal framework promoting trust and confidence in cyberspace,
should have basic criminal laws against activities that attack the confidentiality, integrity
or availability of computer data and computer systems.
As seen above, there are numerous forms of cyber crimes, and it may be impossible to draft
legislations for each of them. However, any form of illegal cyber interference may be
broadly categorised under four heads and appropriate legislations may be drafted to
address each of them. These are discussed below:
Data interception: It should be prohibited to intentionally intercept, without right, by
technical means, non-public transmissions of computer data to, from or within a computer
system. This crime constitutes an essential element of cyber-trust, for it protects the
confidentiality of communications. For example, it makes it illegal to intercept the
e-mail of another person. In some countries interception of telephonic conversation
(without prior legal sanction by way of a court order) is illegal; the same laws
may be extended to interception of electronic data also.
Data interference: It should be a crime to intentionally damage, delete, degrade, alter
or suppress data in someone else’s computer without right. This provision would cover,
for example, intentionally sending viruses that delete files, or hacking a computer and
changing or deleting data, or hacking a web site and changing its appearance. The
element of intentionality is important, since otherwise producing defective software or
unintentionally forwarding a virus would be a crime.
System interference: It should be a crime to intentionally cause serious hindrance
without right to the functioning of a computer system by inputting, transmitting,
damaging, deleting, deteriorating, altering or suppressing computer data. This provision
should cover things like Denial of Service Attacks or introducing viruses into a system
in ways that interfere with its normal usage. It is important that this offence include, as
an element of the offence, the concept that there must be significant harm (e.g., a certain
threshold of monetary loss) in order for an offence to occur; otherwise, ordinary online
behaviour, such as sending one or just a few unsolicited e-mails, would be a crime,
which is not sensible.
Illegal access: This is the crime of intentionally accessing another’s computer system
without right. It can be thought of as the cyberspace equivalent of trespassing.
(Looked at another way, illegal access is an offence against the confidentiality of stored
data and therefore is analogous to illegal interception, which is an offence against the
confidentiality of data in transit.) This crime must be carefully defined, lest it include
common, harmless activity. In the most serious cases, the act of illegal access is part of
another crime covered by the three listed above, such as data interference, or it involves
another crime covered by offline law, such as theft of proprietary data (see below). In
some legal systems, the definition of the crime of illegal access is limited to situations in
which confidential information (medical or financial information) is taken, copied or
viewed or where there is intent to obtain confidential information or where access is
obtained only by defeating security measures.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 3 Min.


What are the four main broad heads for classifying illegal cyber interference?
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................

5.7 COMPUTER RELATED OR COMPUTER FACILITATED CRIME

Discussions of computer crime often extend into matters that are not crimes against
computers, but are crimes facilitated by the use of computers. For example, theft is a
crime in every legal system, and the criminal law should cover theft whether it occurs
online or offline. Similarly, fraud is a crime, and ordinary fraud statutes will often use
terminology that applies equally well to online conduct as it did to offline conduct.
Other crimes, such as infringement of intellectual property rights or dissemination of
child pornography also are not properly computer crimes—they are crimes that may
be facilitated by the use of a computer. Most computer related crimes may be covered
under existing criminal law provisions by carefully examining existing provisions.

5.8 APPLICATION OF BASIC CRIMINAL LAW CONCEPTS
Common concepts of the criminal law such as “aiding and abetting” or “attempt” may
also be applied to cyber crime. For example, launching a virus with intent to disrupt
service might be a crime under the concept of intent even if the virus didn’t work as
intended. Similarly, if a nation’s law has the concept of aiding and abetting, that
might be applied to cyber-crime, such that one who intentionally produces a virus and
provides it to another knowing or intending that it will be used to destroy data or
interfere with a system may be guilty of data or network interference caused by the
virus even if the virus was introduced into a network by someone else.
Let us now summarize the points covered in this unit.

5.9 SUMMARY
● ‘Cyberspace’ refers to objects and identities that exist — largely within the
computing network and is different from the term ‘internet’.
● There are serious threats associated with cyberspace on account of the technology:
packet-switching protocols, the end-to-end network design and the impossibility
of centralized control.
● There is an urgent widespread requirement to protect and secure cyberspace on
account of it being a target of creative misuse.
● Some of the common cyber related violations or crimes are as follows:
(i) Hacking
(ii) Child pornography
(iii) Cyber stalking
(iv) Denial of service
(v) Malware
(vi) Phishing
(vii) Information warfare
(viii) Data related violations
(ix) Network related violations
● Cyber Security rests upon the two pillars of (a) technological innovations, and its
applications by end users; and (b) legislations against cyber crimes.
● Technology’s answers to cyber security include unilateral, bilateral, trilateral and
multilateral technologies.
● Illegal cyber interference may be on account of (a) data interception (b) data
interference (c) system interference and (d) illegal access.
● Common concepts of criminal law are applicable to cyber crime.

5.10 TERMINAL QUESTIONS


1. What are the reasons that Cyberspace may be viewed as being insecure?
2. In simple terms describe the following cyber threats:
● Child Pornography
● Cyber Stalking
● Denial of Service
● Malicious Software
3. What are the kinds of data related and network related cyber threats? Describe in
brief.
4. What are the various technological methodologies to counter cyber threats?
Describe in brief.
5. What are the legal principles that can be used to counter cyber threats? Explain
with examples.

5.11 ANSWERS AND HINTS


Self Assessment Questions
1. The three main reasons contributing to a lack of security in cyberspace are (a)
technology packet switching protocols (b) end to end network design and (c)
impossibility of centralized control.
2. The major losses that businesses face on account of insecurity in cyberspace are
the loss of proprietary data, intellectual property and online access to
customers, suppliers and international service interruptions.
3. (a) The major security challenges in cyberspace are:
● Hacking
● Child pornography
● Cyber Stalking
● Denial of service
● Malware
● Phishing
● Information warfare
● Data related challenges and
● Network related challenges
(b) The three major forms of data related threat in cyberspace are:
(a) Data interception
(b) Data modification
(c) Data theft
4. The four major heads for categorising illegal cyber interference are:
(a) Data interception
(b) Data interference
(c) System interference and
(d) Illegal access

Terminal Questions
1. Refer to section 5.3 of the unit.
2. Refer to section 5.5 of the unit.
3. Refer to section 5.5 of the unit.
4. Refer to section 5.6 of the unit.
5. Refer to sections 5.6 and 5.8 of the unit.

5.12 REFERENCES AND SUGGESTED READINGS


1. William Gibson. Neuromancer (Remembering Tomorrow) Rebound. Sage Brush
Jan. 2003.
2. Trust and Security In Cyberspace: The Legal And Policy Framework for
Addressing Cyber crime. Global Internet Policy Initiative. Aug. 2002
<http://internetpolicy.net>.
3. Ekaterina A. Drozdova. Civil Liberties and Security in Cyberspace. Aug. 2000.
4. United States. Department of Homeland Security. The National Strategy to Secure
Cyberspace – Policy note. Feb. 2003. 3 Mar. 2007
<http://www.dhs.gov/xprevprot/programs/editorial_0329.shtm>.
5. United States. Senate. Committee on Government Affairs. Minority Staff
Permanent Subcommittee on Investigations. Hearing on Security in Cyberspace.
Cong. sess. 5 June 1996. 4 Mar. 2007
<http://www.fas.org/irp/congress/1996_hrs/s9606052.htm>.
6. Cyber Crime Investigation Cell. 4 Mar. 2007 <http://www.cybercellmumbai.com>.

UNIT 6 TECHNOLOGICAL VULNERABILITIES

Structure
6.1 Introduction
6.2 Objectives
6.3 Computer Hacking
6.4 Intrusion Techniques
6.5 Vulnerabilities and Exploitation of Vulnerabilities
6.6 Controls against Malicious Software
6.7 Latest Update on Technological Vulnerabilities
6.8 Definition of Common Attacks and Vulnerabilities
6.9 Summary
6.10 Terminal Questions
6.11 Answers and Hints
6.12 References and Suggested Readings

6.1 INTRODUCTION
Individuals and organizations across the world are increasingly using computers, Internet
and computer networks (collectively hereinafter referred to as “Information Systems”)
in almost all spheres of life from personal use to launch of spacecrafts. This dependence
on Information Systems has made them critical to the very survival of business, economy
and infrastructure of the world. As the criticality of Information Systems increases so
do the vulnerabilities that increasingly face them. Some vulnerabilities are due to human
interference and some others are due to obsolete technology or the usual wear and tear
during usage. This paper aims to provide a basic understanding of some of the more
critical technological vulnerabilities that Information Systems may face today. The paper
also explores some basic concepts of ensuring that Information Systems are protected
from these technological vulnerabilities.

6.2 OBJECTIVES
After studying this unit you should be able to:
● describe technological vulnerabilities of Information Systems;
● know the concept of hacking;
● describe effective security measures that may be implemented to prevent exploitation
of the vulnerabilities of Information Systems;
● know the latest update on technological vulnerabilities; and
● give definitions of common attacks and vulnerabilities.

6.3 COMPUTER HACKING
In order to understand the technological vulnerabilities of the Information Systems it is
first imperative to understand the information security sphere. Hackers make use of the
vulnerabilities and gain access to Information Systems. Computer hacking is also referred
to technically as “intrusion” which may be defined as an attempt to break into or misuse
a computer system. Misuse of the computer system may range from a simple act of sending
prank messages from the user’s e-mail system to a potentially damaging act of stealing
confidential information from the user. Computer hackers also come in many ranges and
types; some hack for intellectual highs while others hack for money. There is no absolute
or foolproof method to prevent hacking or safeguard your computer system against
hacking. However IT professionals need to be aware of the range and risk of hacking
and should take reasonable precautions to safeguard their computer systems.

6.4 INTRUSION TECHNIQUES


The following are some of the most prevalent ways by which a hacker can get into a
computer system:
Physical Intrusion: This is the most basic of the techniques, and most often the most
overlooked in information security procedures adopted by IT professionals. If the hacker
has physical access such as access to the console or the keyboard then it is very simple
for him or her to get into the machine and take the machine apart. The disk may be
removed and read or written on another machine. Data can be transferred from the machine
to a disk or another machine. With the advent of Bluetooth and wireless communication,
intrusion has become easier.
System Intrusion: This is common where the hacker has access to the system as a
low privilege user on the computer system and uses his low privilege account to gain
additional administrative privileges. In this scenario the hacker uses security loopholes
if the computer system does not have the latest security patches.
Remote Intrusion: Here, the hacker has no physical or user access to the computer
system and attempts to hack the computer system remotely across the network. The
network may be an internal company intranet or through the Internet.

6.5 VULNERABILITIES AND EXPLOITATION OF VULNERABILITIES

Hackers do not magically get into computer systems or information systems; they
exploit the technological vulnerabilities present in a computer system, information system
or network and then gain access to the computer system. The following paragraphs
attempt to provide a brief understanding of the various technological vulnerabilities:
Software bugs are one of the most important weaknesses that hackers exploit to gain
access into computer systems. Software bugs can be broadly classified into buffer
overflows, unexpected combinations and race conditions. A typical example of a buffer
overflow is a programmer who sets aside 256 characters to hold a login username. If an
attacker enters a false username longer than the space set aside, there is a
problem. All the attacker has to do is send 300 characters, including code that will be
executed by the server, and thus gain access. Hackers find these bugs in several ways.
First, the source code for a lot of services is available on the net. Hackers routinely
look through this code searching for programs that have buffer overflow problems.
Secondly, hackers may look at the programs themselves to see if such a problem exists.
Thirdly, hackers will examine every place the program has input and try to overflow it
with random data. If the program crashes, there is a good chance that carefully
constructed input will allow the attacker to gain access1. Unexpected combinations are
scenarios where hackers send input that is meaningless to one layer, but meaningful to
another layer. A program is usually constructed using many layers of code, and therefore
by trial and error the hacker talks to one of the layers of the software,
setting off a chain reaction in other layers, which provides him with access. Race
conditions are scenarios where one program accesses data and the same data is accessed
by another program being run by another person, which enables that person to access
the data. Race conditions work because most computers are designed to handle more
than one program at a time. In yet another kind of intrusion, the hacker just feeds
random inputs into the system hoping to elicit a response from the system, and at times
this works.2
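The 256-character username case above, as an added example that is not part of the original unit: the unchecked copy the paragraph describes next to a length-checked form. The function names, status codes and the printable-ASCII rule are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_BUF 256   /* the 256 characters set aside in the text's example */

enum username_status {
    USERNAME_OK = 0,
    USERNAME_EMPTY,
    USERNAME_TOO_LONG,
    USERNAME_BAD_CHAR
};

/*
 * The flawed pattern the paragraph describes, kept only for contrast and
 * never called here: strcpy() copies until it meets a NUL byte, so a
 * 300-character name runs past the end of a 256-byte buffer.
 */
void store_username_unchecked(char dst[USERNAME_BUF], const char *input)
{
    strcpy(dst, input);
}

/*
 * Hardened form (hypothetical helper). `input` is raw data from the login
 * request and is NOT assumed to be NUL-terminated; its length is passed
 * explicitly. On any failure dst is left as an empty string.
 */
enum username_status store_username_checked(char *dst, size_t dst_size,
                                            const unsigned char *input,
                                            size_t input_len)
{
    size_t i;

    if (dst == NULL || dst_size == 0)
        return USERNAME_TOO_LONG;
    dst[0] = '\0';

    if (input == NULL || input_len == 0)
        return USERNAME_EMPTY;

    /* One byte must stay free for the terminator, hence >= and not >. */
    if (input_len >= dst_size)
        return USERNAME_TOO_LONG;

    /* Allow-list printable, non-space ASCII (assumed rule); this rejects
     * NUL, control bytes and raw binary before anything is copied. */
    for (i = 0; i < input_len; i++) {
        if (input[i] < 0x21 || input[i] > 0x7e)
            return USERNAME_BAD_CHAR;
    }

    memcpy(dst, input, input_len);
    dst[input_len] = '\0';
    return USERNAME_OK;
}

/* Constructed sample input: a username made of `n` letters 'a'. */
enum username_status try_length(size_t n)
{
    unsigned char request[512];
    char username[USERNAME_BUF];

    if (n > sizeof request)
        n = sizeof request;
    memset(request, 'a', n);
    return store_username_checked(username, sizeof username, request, n);
}

int main(void)
{
    printf("255 chars -> %d\n", (int)try_length(255));
    printf("256 chars -> %d\n", (int)try_length(256));
    printf("300 chars -> %d\n", (int)try_length(300));
    return 0;
}
```

A name of exactly 256 characters is refused as well, because the terminating NUL byte needs the last slot of the buffer.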
System configuration bugs are security holes which develop in the system due to
the way the system has been configured for use, usually by the administrator. Default
configurations (configurations in which the system is shipped to the customer)
are the most vulnerable and can be hacked into easily. If the administrator fails to set up a
root/administrator password in a system, it becomes easy for the hacker to gain access.
Also, in systems which have been interconnected with a pool of other systems, the
security loopholes in one unsecured system can be used to hop to other systems in the
pool, thereby endangering the entire network.
Internet Browsers and Operating Systems also have security holes, which are
regularly exploited by hackers to install bugs, viruses and trojans or for them to be
downloaded through various infected sources. This includes URL, HTTP, HTML, and
JavaScript, Frames, Java and ActiveX attacks. Regular patches are available which
need to be used in order to plug these loopholes. The section at the end of this paper
provides a list of the most active vulnerabilities, which may be used as a reference. By
sending illegal or strange ICMP or TCP packets, a hacker can identify the OS on the
target system. Standards usually state how machines should respond to legal packets
but omit to instruct the machine how to respond to invalid inputs. Therefore each reply
to an invalid input can be used by the hacker to determine and identify the system OS
and plan the attack.
Password Access is the key to any computer system or in fact networks. Therefore
control over password access is perhaps most crucial in ensuring information security
and also easiest for the hacker to exploit as a vulnerability. The first major flaw in
password access is weak or easy-to-guess passwords. These are passwords where
people use names of pets, loved ones or nicknames, thereby enabling the
hacker to guess the password easily. Too many passwords are easily guessed, especially
if the hacker knows something about their target’s background. It’s not unusual, for
example, for office workers to use the word “password” to enter their office networks.
Other commonly used passwords are the computer user’s first, last or child’s name,
secret, names of sports teams or sports terms, and repeated characters such as
AAAAAA or bbbbbb3. Another method of intrusion exploiting the computer system is a
‘dictionary attack’ on the system. The hacker will use a program which will try every
possible word in the dictionary. Similar to the dictionary attack is the ‘brute force’
attack, where the hacker tries combinations of the password characters in order to
break in. A simple five-letter password using English characters may be easy to break.
Sniffing programs on servers or switched networks may prove to be effective in
tapping into the user’s password when he/she logs onto the system. There are other
sophisticated methods of gaining password control such as encrypted sniffing and replay
attack.
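A check that refuses the weak password types listed above when a password is set, as an added example that is not part of the original unit. The function names, the minimum length of 8, the two sports terms in the word list and the sample family names are assumptions constructed for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MIN_LEN   8  /* assumed policy value; the text gives no number */
#define NAME_MIN_LEN 3  /* assumed: shorter names would match by accident */

enum pw_verdict {
    PW_ACCEPT = 0,
    PW_REPEATED_CHAR,   /* AAAAAA, bbbbbb */
    PW_COMMON_WORD,     /* "password", "secret", sports terms */
    PW_PERSONAL_NAME,   /* first, last, child's or pet's name */
    PW_TOO_SHORT
};

/* "password" and "secret" come from the text; the sports terms are
 * constructed stand-ins for a real deny list. */
static const char *const COMMON_WORDS[] = {
    "password", "secret", "football", "cricket"
};

/* Case-insensitive substring search, so "MySecret99" still matches "secret". */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t hn = strlen(hay), nn = strlen(needle), i, j;

    if (nn == 0 || nn > hn)
        return 0;
    for (i = 0; i + nn <= hn; i++) {
        for (j = 0; j < nn; j++) {
            if (tolower((unsigned char)hay[i + j]) !=
                tolower((unsigned char)needle[j]))
                break;
        }
        if (j == nn)
            return 1;
    }
    return 0;
}

/* True when every character equals the first one. */
static int all_same_char(const char *s)
{
    size_t i;

    if (s[0] == '\0')
        return 0;
    for (i = 1; s[i] != '\0'; i++) {
        if (s[i] != s[0])
            return 0;
    }
    return 1;
}

/* `names` holds what is known about the account holder (hypothetical
 * input: first name, last name, child's or pet's name). */
enum pw_verdict screen_password(const char *pw,
                                const char *const *names, size_t n_names)
{
    size_t i;

    if (all_same_char(pw))
        return PW_REPEATED_CHAR;
    for (i = 0; i < sizeof COMMON_WORDS / sizeof COMMON_WORDS[0]; i++) {
        if (contains_nocase(pw, COMMON_WORDS[i]))
            return PW_COMMON_WORD;
    }
    for (i = 0; i < n_names; i++) {
        if (strlen(names[i]) >= NAME_MIN_LEN && contains_nocase(pw, names[i]))
            return PW_PERSONAL_NAME;
    }
    if (strlen(pw) < PW_MIN_LEN)
        return PW_TOO_SHORT;
    return PW_ACCEPT;
}

int main(void)
{
    /* Constructed sample data. */
    const char *const names[] = { "Asha", "Verma", "Rex" };
    const char *const tries[] = { "AAAAAA", "password", "rex2007!", "tq7#Lm2pVx" };
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-12s -> %d\n", tries[i], (int)screen_password(tries[i], names, 3));
    return 0;
}
```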
Another interesting mechanism used to gain access to passwords is through Social
Engineering. ‘Social engineering’ is hackerspeak for conning legitimate computer users
into providing useful information that helps the hacker gain unauthorized access to their
computer system4. Some of the more common social engineering scenarios are5:
1. The attacker pretends to be a legitimate end-user who is new to the system or is
simply not very good with computers. The attacker may call systems administrators
or other end-users for help. This “user” may have lost his password, or simply
can’t get logged into the system and needs to access the system urgently. The
attacker may sound really lost so as to make the systems administrator feel that he
is, for example, helping a damsel in distress. This often makes people go way out
of their way to help.
2. The attacker pretends to be a VIP in the company, screaming at administrators to
get what he wants. In such cases, the administrator (or it could be an end-user)
may feel threatened by the caller’s authority and give in to the demands.
3. The attacker takes advantage of a system problem that has come to his attention,
such as a recently publicized security vulnerability in new software. The attacker
gains the user’s trust by posing as a system administrator or maintenance technician
offering help. Most computer users are under the mistaken impression that it is
okay to reveal their password to computer technicians.
4. The attacker posing as a system administrator or maintenance technician can
sometimes persuade a computer user to type in computer commands that the user
does not understand. Such commands may damage the system or create a hole in
the security system that allows the attacker to enter the system at a later time.
Insecure modems are another gateway for a hacker to gain access to a computer
system. War dialers are used by hackers to identify the modems of a target. A war-
dialer is a computer program that automatically dials phone numbers within a specified
range of numbers and chances are that if an organization has one number, it will have a
few other numbers in same range for all telecommunications. By dialing all numbers
within the targeted range, the war-dialer identifies which numbers are for computer
modems and determines certain characteristics of those modems. The hacker then uses
other tools to attack the modem to gain access to the computer network. Effective
war-dialers can be downloaded from the Internet at no cost. The problem is that a
modem is a means of bypassing the “firewall” that protects your network from outside
intruders. A hacker using a “war-dialer” to identify the modem telephone number and a
password cracker to break one weak password can gain access to the system. Due to
the nature of computer networking, once a hacker connects to that one computer, the
hacker can often connect to just about any other computer in the network6. Of course
it is now possible to incorporate safeguards to prevent easy access through modems,
which is beyond the scope of this paper.
Cookies are another security threat that the user of a computer system faces. A cookie
is a small program that may be placed on a computer. The cookie enables the site that
has deposited the cookie to recognise when the user visits it the next time. It maintains
a database of the user’s visits to the site and also in some instances other websites.
Cookies raise substantial privacy issues, which are again beyond the scope of this
paper. Suffice to say that cookies do raise issues of profiling of individuals, illegal tracking
on the Internet etc. Cookies per se do not damage or hack the system but are often
used by hackers to gain information on a target and his/her Internet surfing habits prior
to hacking. It is possible to ensure that the user’s computer systems do not accept
cookies from any site and settings on the system and special software installation will
achieve this goal.
Denial of Service attacks are another variety of system compromises which are
designed to overload network links, the processing unit of the user system or the disk
of the system thereby crashing the service. The hacker aims to make the computer
system deny providing services to the user. The increased degree of automation in the
recent years has enabled a single hacker to control thousands of compromised systems
for use in the attacks. A simple example may be to flood the user’s (in most cases an
entire organization’s) mail inbox with a host of messages, thereby causing the server to
crash.
In the recent past, attacks on the Internet Domain Name System (DNS) have been on the rise. The
hacker may create a bogus DNS resembling a legitimate Internet site. Therefore
information intended for the legitimate site may flow into the hacker’s site. In some
other cases hackers compromise poorly protected DNS servers which give them the
ability to modify the data passing through the server. By leveraging insecure mechanisms
used by customers to update their domain registration information, attackers can co-
opt the domain registration processes to take control of legitimate domains7. Another
issue which has cropped up recently is web spoofing which is a kind of electronic con
game in which the attacker creates a convincing but false copy of the entire World
Wide Web. The false Web looks just like the real one: it has all the same pages and
links. However, the attacker controls the false Web, so that all network traffic between
the victim’s browser and the Web goes through the attacker. The key to this attack is
for the attacker’s Web server to sit between the victim and the rest of the Web. This
kind of arrangement is called a ‘man in the middle attack’ in the security literature.
Since the attacker can observe or modify any data going from the victim to Web servers,
as well as controlling all return traffic from Web servers to the victim, the attacker has
many possibilities. These include surveillance and tampering8.
Attacks against routers are another vulnerability that may be exploited by hackers to
crash information systems. Intruders use poorly secured routers as platforms for
generating attack traffic at other sites, or for scanning or reconnaissance. Further, routers
are designed to pass large amounts of traffic through them; they often are not capable
of handling the same amount of traffic directed at them. Intruders take advantage of this
characteristic attacking the routers that lead into a network rather than attacking the
systems on the network directly. Another method of intrusion into routers is to exploit
the trust relationships that the routers have. For routers to do their job, they have to
know where to send the traffic they receive. They do this by sharing routing information
between them, which requires the routers to trust the information they receive from
their peers. As a result, it would be relatively easy for an attacker to modify, delete, or
inject routes into the global Internet routing tables to redirect traffic destined for one
network to another, effectively causing a denial of service to both (one because no
traffic is being routed to them, and the other because they’re getting more traffic than
they should). Although the technology has been widely available for some time, many
networks (Internet service providers and large corporations) do not protect themselves
with the strong encryption and authentication features available on the routers9.
Viruses and Trojans are possibly the most damaging vulnerabilities that a computer
system may face today. Viruses and trojans have the ability to damage computer systems
to a great extent. A virus is a small, self-contained piece of computer code hidden
within another computer program. Like a real virus, it can reproduce, infect other
computers, and then lie dormant for months or years before it strikes. A virus is only
one of several types of ‘malicious logic’ that can harm your computer or your entire
network. Worms, logic bombs, and trojan horses are similar ‘infections’ commonly
grouped with computer viruses. A computer worm spreads like a virus but is an
independent program rather than hidden inside another program. A logic bomb is a
program normally hidden deep in the main computer and set to activate at some point
in the future, destroying data. A trojan horse masquerades as a legitimate software
program. It waits until triggered by some pre-set event or date and then delivers a
payload that may include destroying files or disks10. Through Trojans on the user’s
systems a remote hacker can control the activities of the user’s computer whenever the
user is on the Internet. When you interact with another computer, the virus may
automatically reproduce itself in the other computer. Once a virus infects a single
networked computer, the average time required to infect another workstation in the
same network is from 10 to 20 minutes — meaning a virus can paralyse an entire
organization in a few hours11. Since viruses and Trojans have such a huge potential
adverse impact on an organization’s security, the following paragraphs have been
included to provide a brief overview of the possible controls that an organization
should adopt to counter viruses and Trojans.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


What are some of the most common techniques adopted by hackers to exploit
vulnerabilities in Information Systems?

6.6 CONTROLS AGAINST MALICIOUS SOFTWARE


The detection and prevention controls to protect against malicious software and
appropriate user awareness procedures should be implemented. The protection against
malicious software should be based on security awareness, appropriate system access
and change management controls. To protect the integrity of information and the
information systems from modifications, disclosures or destruction by malicious
software, the following steps should be taken:
1. To establish a virus detection and protection procedure, to be continuously
reviewed and revised, conforming to the emerging requirements and to implement
the same across the organization.
2. All software acquired by the organization should be checked by the virus detection
procedure prior to installation and use.
3. To establish the management procedures and responsibilities to deal with the virus
protection on systems, training in their use, reporting and recovering from virus
attacks.
4. To distribute instructions on the detection of viruses to all the users.
5. Evidence such as sluggish performance or mysterious growth of files should alert
the users to a problem that must be reported to the information system security
manager immediately on occurrence thereof.
6. To establish a written policy on downloading, acceptance and use of freeware and
shareware including the flexibility to prohibit this practice, if deemed necessary.
7. To establish a formal policy requiring compliance with software licences and
prohibiting the use of unauthorized software.
8. To authenticate software for highly critical applications using digital signature.
Failure to verify would indicate potential problem/problems and the software
should not be used until the source of the problem is identified and properly
dealt with.
9. To establish a formal policy to protect against risks associated with obtaining files
and software either from or via external networks or on any other medium, indicating
what protective measures should be taken.
10. To install and regularly update the anti-virus detection and repair software to scan
computers and media, either as a precautionary control or on a routine basis.
11. To conduct regular reviews of the software and data content of systems supporting
critical business processes. The presence of any unapproved files or unauthorized
amendments should be formally investigated.
12. To establish a policy and procedure for checking the diskettes and other such
media, brought in from outside the organization’s normal purchasing programme.
To check any files on electronic media of uncertain or unauthorized origin or files
received over untrusted networks for viruses before use.
13. To check any electronic mail attachments and downloads for malicious software
before use. This check may be carried out at different places e.g. at electronic mail
servers, desktop computers or when entering the network of the organization.
14. To establish appropriate business continuity plans for recovering from virus attacks,
including all necessary data and software backup and recovery arrangements.
15. To establish procedures to verify all information relating to malicious software and
ensure that warning bulletins are accurate and informative. The Information Systems
Security Managers should ensure that qualified sources, e.g. reputed journals,
reliable Internet sites or anti-virus software suppliers are used to differentiate
between hoaxes and real viruses. The users of the information systems should be
made aware of the problem of hoaxes and the action to be taken on receipt
thereof.
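Control 11 above (regular reviews for unapproved files or unauthorized amendments) can be automated by comparing the current files against an approved baseline of SHA-256 digests. This is an added example, not part of the original unit; the function names, the directory layout and the file contents in `run_demo` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def review(baseline, current):
    """Compare the approved baseline with the current state of the system."""
    shared = set(baseline) & set(current)
    return {
        # Files that were never approved: candidates for investigation.
        "unapproved": sorted(set(current) - set(baseline)),
        # Approved files that have disappeared.
        "missing": sorted(set(baseline) - set(current)),
        # Approved files whose content no longer matches the baseline.
        "amended": sorted(name for name in shared if baseline[name] != current[name]),
    }


def run_demo():
    """Build a constructed directory tree, change it, and return the review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payroll.py").write_bytes(b"print('pay run')\n")
        (root / "bin" / "report.py").write_bytes(b"print('report')\n")
        (root / "config.ini").write_bytes(b"[db]\nhost=db.example.internal\n")

        # Baseline taken while the system is in a known-good state. In
        # practice it must be stored where the reviewed system cannot alter
        # it (offline media or a separate host), or an intruder can simply
        # regenerate it after making changes.
        baseline = build_manifest(root)

        # Simulated changes made after the baseline was approved.
        (root / "bin" / "payroll.py").write_bytes(b"print('pay run')\nimport os\n")
        (root / "bin" / "helper.py").write_bytes(b"pass\n")
        (root / "config.ini").unlink()

        return review(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(category, names)
```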
To ensure recovery of the processing capabilities following a virus infection, the
following steps should be taken:
1. To retain the original back-up copy of all software and hold the same until such
time as the original software is no longer in use; and
2. All data is backed up regularly.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 4 Min.


Can Information Systems be protected against malicious software? What control
measures may be adopted?

6.7 LATEST UPDATE ON TECHNOLOGICAL VULNERABILITIES
Four years ago, the SANS Institute and the National Infrastructure Protection Center
(NIPC) at the FBI released a document summarizing the Ten Most Critical Internet
Security Vulnerabilities. The latest list of SANS Top-20 2005 has been released and
contains in addition to Windows and UNIX categories, Cross-Platform Applications
and Networking Products. The list indicates critical vulnerabilities in the past year and
a half and can be an effective tool to check preparedness of Information Systems
against technological vulnerabilities12.

6.8 DEFINITION OF COMMON ATTACKS AND VULNERABILITIES
Backdoor: A change made to a violated system to make future re-entry easier for the
hacker.
Bacteria: A program that quickly allocates system resources and reproduces instances
of itself to deny service to other processes (also known as hogs).
Buffer overrun: An attack that forces a processor to execute foreign code in privileged
mode by passing a lengthy string parameter containing the code to a subroutine that
does not have the buffer space to receive it.
Compromised system utilities: Common system commands or programs altered by
a hacker so that the systems extend unintended privileges to unauthorized users, provide
a backdoor for later re-entry, or fail to report hacker activities.
DNS hijack: An attack that alters the Domain Name System (DNS) so that a DNS
lookup for a computer name returns an unintended IP address.
E-mail forgery: An attack that constructs e-mail messages to appear as if originating
from another person or source.
E-mail relay: An attack that bounces messages into a spam-filtering mail system through
an unsuspecting, third-party mail system that is not on the filtering list.
IP spoofing: A form of masquerading in which the sender of an Internet data packet
forges the originating IP address so that the packet appears to have been sent by
another system.
Keystroke monitoring: Using a hardware or software mechanism to capture user
keyboard strokes and report the strokes to a hacker.
Logic bomb: Clandestine code triggered by a certain set of conditions, such as a
particular date or a combination of inputs.
Mail bombing: Overloading an e-mail system by sending large volumes of messages
(also known as e-mail flooding).
Masquerading: Posing as an authorized entity.
Network scanning: Using standard network protocols to determine topology and
service access points of a target network.
Packet sniffing: Copying data in transit on a network link, usually with a network
transceiver in ‘promiscuous mode’.
Password cracking: Trying words from a dictionary to ascertain a user password.
Ping flooding: Sending a large number of Internet Control Message Protocol (ICMP)
‘echo’ requests to a target system, causing it to divert significant resources to handling
them.
Replay attack: An attack in which network transmissions, usually authentication
sequences such as user login information, are recorded (see packet sniffing) and later
re-sent by a masquerader.
Script kiddies: Inexperienced hackers who use prepackaged software to conduct
attacks against well-known vulnerabilities.
Security audit tools: Software tools that probe systems to discover vulnerabilities so
that attackers can quickly identify easy targets (also used as a defense).
Shell escapes: User input, usually to a web-based forms processor supported by a
Common Gateway Interface (CGI) scripting utility, that contains OS commands to be
executed unintentionally by a command interpreter.
Shoulder surfing: Acquiring data by observing user interaction with computer I/O
devices, such as monitors or touch screens (often accomplished using magnification
devices from a distance).
Smurfing: Combination of IP spoofing and ping flooding in which ICMP echo requests
and the target subnet address are sent to a group of unsuspecting accomplice systems,
which then generate replies to broadcast addresses to the target sub network.
Social engineering: Using human relationship and interactions to obtain unauthorized
access or confidential information.
SYN flooding: Beginning Transmission Control Protocol (TCP) sessions with a target
system by sending initial synchronization requests but not acknowledging responses,
causing the number of open connections on the target system to increase and consume
resources.
Traffic analysis: Observation of network traffic patterns to deduce confidential
information, such as communication habits and frequency (also used as a defense).
Trapdoor: Undocumented program behaviour triggered by a secret input sequence
to give a perpetrator special privileges.
Trojan horse: A software program that is advertised to fulfill a useful function but is
actually malicious.
Van Eck attack: The use of sophisticated reception equipment to capture and decode
electromagnetic signals from computer output devices at a distance.
Virus: Code fragment inserted into a legitimate program (a process called infection) to
steal processor cycles during which new programs are found and infected.
War dialing: Automated dialing of every telephone number on a common exchange
for the purpose of finding numbers that are connected to computer systems.
Worm: A self-replicating program or virus that uses network connections to propagate
to new systems.
Let us now summarize the points covered in this unit.

6.9 SUMMARY
● Hacking is a serious problem and a consistent one for which no permanent solution
has been derived.
● Backups are an essential and integral process of securing information.
● The most prevalent ways by which a hacker can get into a computer system are
physical intrusion, system intrusion and remote intrusion.
● Software bugs, system configuration bugs, Internet browsers and operating
systems, password access, insecure modems, cookies, denial of service, attacks
on the Internet Domain Name System, attacks against routers, viruses and trojans
are some of the vulnerabilities that are exploited by hackers.
● Software bugs can be classified into buffer overflows, unexpected combinations
and race conditions.
● System configuration bugs are security holes, which develop in the system due
to the manner in which the system has been configured for use, usually by the
administrator.
● Internet Browsers and Operating Systems also have security holes, which are
regularly exploited by hackers to install bugs, viruses and trojans or for them to be
downloaded through various infected sources. This includes URL, HTTP, HTML,
and JavaScript, Frames, Java and ActiveX attacks.
● Password Access is the key to any computer system. The first major flaw in
password access is weak or easy to guess passwords.
● Social engineering is also used to gain access to passwords; it is hacker-speak for
conning legitimate computer users into providing useful information that helps the
hacker gain unauthorized access to their computer system.
● A cookie is a small program that may be placed on a computer.
● A virus is a small, self-contained piece of computer code hidden within another
computer program; it can reproduce, infect other computers, and then lie dormant
for months or years before it strikes.
● A virus is only one of several types of “malicious logic” that can harm your computer
or your entire network. Worms, logic bombs, and trojan horses are similar
“infections” commonly grouped with computer viruses.
● The detection and prevention controls to protect against malicious software and
appropriate user awareness procedures should be implemented.

6.10 TERMINAL QUESTIONS


1. Explain, in simple terms, the concept of hacking and the techniques used for such
hacking.
2. What vulnerabilities usually occur in software, computer systems, Internet Browsers
and operating systems? Explain in brief.
3. Why is Password Access Control a key vulnerability and in what ways can you
improve security of passwords?
4. Define the concept of “Social Engineering” in simple terms.
5. Explain the following security vulnerabilities in brief:
a. Insecure Modems
b. Cookies
c. Man in the Middle Attacks
6. Explain what Malicious Software means and what controls need to be established
to protect computer systems against Malicious Software?

6.11 ANSWERS AND HINTS


Self Assessment Questions
1. Hackers and intrusionists use technological vulnerabilities to hack or intrude
Information Systems through physical intrusion, system intrusion and remote
intrusion techniques.
2. Yes, Information Systems may be prevented from malicious software by
undertaking a series of technological security measures, ongoing awareness and
system audits.

Terminal Questions
1. Refer to section 6.3 of the unit.
2. Refer to section 6.5 of the unit.
3. Refer to section 6.5 of the unit.
4. Refer to section 6.5 of the unit.
5. Refer to section 6.5 of the unit.
6. Refer to section 6.6 of the unit.

6.12 REFERENCES AND SUGGESTED READINGS


1. Zachary Wilson. “Hacking: The Basics”. Giac.org. 4 April 2001. 4 April 2006 <http://www.giac.org certified_professionals/practicals/gsec/0608.php>.
2. Ibid.
3. “Computer Vulnerabilities”. rf-Web.Tamu.edu. 8 Mar. 2007 <http://rf-web.tamu.edu/security SECGUIDE/V1comput/Intra.htm>.
4. Ibid.
5. Erik Guttman, Lorna Forey, & G. Malkin. Users’ Security Handbook. Internet Engineering Task Force. July 1998 draft.
6. Ira Winkler. Corporate Espionage: What it is, why it’s Happening in Your Company, What you Must Do About it. Rocklin, CA: Prima Publishing. 1997.
7. Overview of Attack Trends. CERT.org. 2002. Carnegie Mellon University. 8 Mar. 2007 <http://www.cert.org/archive/pdf/attack_ trends.pdf>.
8. Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach. “Web Spoofing: An Internet Con game”. Dec. 1996. Technical Report. Department of Computer Science, Princeton University, Feb. 1997: 540-96.
9. Supra n 6.
10. Supra n 1.
11. D. L. Carter & A. J. Katz. “Trends and experiences in computer-related crime: Findings from a national study”. Paper presented at the Annual Meeting of the Academy of Criminal Justice Sciences. Las Vegas, NV, 1996.
12. SANS Institute. “The SANS Top 20 Internet Security Vulnerabilities”. Sans.org. 9 Mar. 2007 <http:/ www.sans.org /top20/#w1>.
13. J. Craig Lowery. “Computer System Security: A Primer”. Dell.com. Mar. 2002. 9 Mar. 2007 <http:// www1.us.dell.com/content/topics/global.aspx/power/en pslq_lowery?c=us&1=en&s=gen>.

UNIT 7 LEGAL RESPONSES TO TECHNOLOGICAL VULNERABILITIES
Structure
7.1 Introduction
7.2 Objectives
7.3 India
7.3.1 The Information Technology Act, 2000
7.3.2 RBI Guidelines on Information Security Applicable to Banks in India
7.4 United States of America: The CFAA, DMCA and Case Laws
7.4.1 Computer Fraud and Abuse Act (CFAA)
7.4.2 The Digital Millennium Copyright Act (DMCA)
7.4.3 eBay case in the US
7.4.4 Liability in Torts
7.5 Summary
7.6 Terminal Questions
7.7 Answers and Hints
7.8 References and Suggested Readings

7.1 INTRODUCTION
The information and the supporting processes, the computer systems and the networks,
used for provision of services by an organization or for the running of the organization
are crucial assets of the organization or the individual using the information systems.
The confidentiality, integrity and availability of information is essential for any
organization to maintain its competitive edge, cash-flow, profitability, legal compliance
and commercial image. It is imperative for each organization to put in place adequate
security controls to ensure data accessibility to all the authorized users, data
inaccessibility to all the unauthorized users, and maintenance of data integrity and
implementation of safeguards against all security threats to guarantee information
and information systems security across the organization.
Information systems and the networks of the organization are increasingly facing security
threats from a wide range of sources including computer-assisted fraud, espionage,
sabotage, vandalism etc. The sources of damage such as the computer viruses, computer
hacking and denial of service attacks have become more common, more ambitious and
increasingly sophisticated in the networked environment. Increasingly across information
systems the interconnection between the public and the private networks and the sharing
of the information assets/ resources will increase the difficulty of ensuring security for
information and the information systems.
Apart from the technical and administrative measures, which need to be put in place by
the organization itself to ensure information security, legal responses to tackle and prevent
such information security breaches are essential to ensure that information systems are
protected legally and there are effective recourses available against offenders and
hackers. Governments across the world are realising the importance of having effective
legal responses to hacking and misuse of information systems and have enacted various
laws in this regard. This paper explores some such legal responses by relevant
Governments. At the outset it is clarified that this paper will not deal with data protection
laws, which are different from information security laws; the latter are the subject matter
of this paper.

7.2 OBJECTIVES
After studying this unit, you should be able to:
● familiarize yourself with the threat to information systems in different jurisdictions;
● know the different laws enacted to counter such threats in India; and
● know the different laws enacted to counter such threats in the US.

7.3 INDIA
7.3.1 The Information Technology Act, 2000
In May 2000, both the houses of the Indian Parliament passed the Information
Technology Bill. The Bill received the assent of the President in August 2000 and came
to be known as the Information Technology Act, 2000. The Act is a first step towards
making e-commerce and e-transactions in India safer and a viable alternative to paper
based transactions. The Act provides various mechanisms which encourage and
recognise information security measures, chief amongst them being digital signatures.
Digital Signatures
The Act has adopted the Public Key Infrastructure (PKI) for securing electronic
transactions. As per Section 2(1) (p) of the Act, a digital signature means an authentication
of any electronic record by a subscriber by means of an electronic method or procedure
in accordance with the other provisions of the Act. Thus a subscriber can authenticate
an electronic record by affixing his digital signature. A private key is used to create a
digital signature whereas a public key is used to verify the digital signature and electronic
record. They both are unique for each subscriber and together form a functioning key
pair.
Section 5 provides that when any information or other matter needs to be authenticated
by the signature of a person, the same can be authenticated by means of the digital
signature affixed in a manner prescribed by the Central Government. Under Section
10, the Central Government has powers to make rules prescribing the type of digital
signature, the manner in which it shall be affixed, the procedure to identify the
person affixing the signature, the maintenance of integrity, security and confidentiality
of electronic records or payments and rules regarding any other appropriate matters.
Furthermore, these digital signatures are to be authenticated by Certifying Authorities
(CAs) appointed under the Act. These authorities would inter alia have the license to
issue Digital Signature Certificates (DSCs). The applicant must have a private key that
can create a digital signature. This private key and the public key listed on the DSC
must form the functioning key pair.
Once the subscriber has accepted the DSC, he shall generate the key pair by applying
the security procedure. Every subscriber is under an obligation to exercise reasonable
care and caution to retain control of the private key corresponding to the public key
listed in his DSC. The subscriber must take all precautions not to disclose the private
key to any third party. If however, the private key is compromised, he must communicate
the same to the Certifying Authority (CA) without any delay.
Issuance, Suspension and Revocation of Digital Signature Certificates
As per Section 35, any interested person shall make an application to the CA for a
DSC. The application shall be accompanied by filing fees not exceeding Rs. 25,000
and a certification practice statement, or in the absence of such statement any other
statement containing such particulars as may be prescribed by the regulations. After
scrutinizing the application, the CA may either grant the DSC or reject the application
furnishing reasons in writing for the same.
While issuing the DSC, the CA must inter alia, ensure that the applicant holds a private
key which is capable of creating a digital signature and corresponds to the public key to
be listed on the DSC. Both of them together should form a functioning key pair. The
CA also has the power to suspend the DSC in public interest on the request of the
subscriber listed in the DSC or any person authorized on behalf of the subscriber.
However, the subscriber must be given an opportunity to be heard if the DSC is to be
suspended for a period exceeding fifteen days. The CA shall communicate the
suspension to the subscriber.
There are two cases in which the DSC can be revoked. Firstly, as per Section 38 (1),
it may be revoked either on the request or death of the subscriber or when the subscriber
is a firm or company, on the dissolution of the firm or winding up of the company.
Secondly, according to Section 38(2), the CA may suo motu revoke it if some material
fact in the DSC is false or has been concealed by the subscriber or the requirements for
issue of the DSC are not fulfilled or the subscriber has been declared insolvent or dead,
etc. A notice of suspension or revocation of the DSC must be published by the CA in
a repository specified in the DSC.
Computer Crimes
The Act deals with some more computer crimes and provides for penalties for these
offences. Chapters IX and XI of the Act deal with civil liabilities for offences and
criminal offences respectively. Civil liabilities and awarding of compensation or
damages for certain types of computer frauds have been provided for in the Act.
Section 65 punishes tampering with computer source documents with imprisonment up
to three years, or with fine, which may extend up to two lakh rupees, or with both.
Computer source code is defined as the listing of programmes, computer commands,
design and layout and programme analysis of computer resource in any form.
Section 66 punishes hacking with computer system, with imprisonment up to three
years, or with fine which may extend up to two lakh rupees, or with both.
Section 72 provides the penalty for breach of confidentiality and privacy: imprisonment
for a term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.
Acting as an intermediary between various people accessing the net, an Internet Service
Provider runs the risk of being held liable for information that is transmitted over his
service network. Chapter XII of the Act excludes the Network Service Provider from
any civil or criminal liability under the Act, Rules or Regulations framed thereunder, for
any third party information or data made available by him, if he proves that the offence
was committed without his knowledge, or that he had exercised all due diligence to
prevent the commission of such offence.
Proposed Amendments to the IT Act 2000
In the wake of the growing importance of protecting information systems, the
Government of India has proposed certain amendments in the IT Act 2000 aimed at
achieving this goal. Section 43 of the IT Act is proposed to be amended to say that if any
body corporate, that owns or handles sensitive personal data or information in a computer
resource that it owns or operates, is found to have been negligent in implementing and
maintaining reasonable security practices and procedures, it shall be liable to pay damages
by way of compensation not exceeding Rs. 1 crore to the person so affected. Reasonable
security practices and procedures have been defined as such security practices and
procedures as appropriate to the nature of the information to protect that information
from unauthorized access, damage, use, modification, disclosure or impairment, as may
be prescribed by the Central Government in consultation with the self-regulatory bodies
of the industry, if any.
Section 66 of the IT Act, while making unauthorized access of a computer system an
offence, also makes unauthorized downloading/extraction of data an offence.
Under the proposed amendments to Section 72 of the IT Act, if any intermediary who
by virtue of any subscriber availing his services has secured access to any material or
other information relating to such subscriber, discloses such information or material to
any other person, without the consent of such subscriber and with intent to cause injury
to him, such intermediary shall be liable to pay damages by way of compensation not
exceeding Rs. 25 lakhs to the subscriber so affected. Further, the amendments to Section
72 also propose to make video voyeurism an offence under the Act.

7.3.2 RBI Guidelines on Information Security Applicable to Banks in India
The Reserve Bank of India, which is the apex authority governing the functioning of the
banking sector in India, has given detailed guidelines on information security, which are
applicable to all banks operating in India. The guidelines are detailed and address almost
all issues relating to information security. The guidelines are in time to ensure safety in
the banking sector in India.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


Is there any protection for Digital Signatures in India? What method has the Act
adopted?
7.4 UNITED STATES OF AMERICA: THE CFAA, DMCA AND CASE LAWS
7.4.1 Computer Fraud and Abuse Act (CFAA)
The starting point for a discussion of the current United States law of information security
is the Computer Fraud and Abuse Act (18 U.S.C. 1030), (the “CFAA”). The CFAA
imposes both civil and criminal liability for a wide variety of acts that compromise the
security of public and private sector computer systems.1
The core provisions of the CFAA apply to “protected computer[s],” a term that the act
defines in sweeping terms. Under the CFAA, the term “protected computer” means “a
computer –
1. “exclusively for the use of a financial institution or the United States Government,
or, in the case of a computer not exclusively for such use, used by or for a financial
institution or the United States Government and the conduct constituting the offense
affects that use by or for the financial institution or the Government;” or
2. “which is used in interstate or foreign commerce or communication” [18 U.S.C.
1030 (e)(2)].
The CFAA imposes liability on anyone who:
1. Intentionally accesses a protected computer without authorization or in excess of
authority, and by doing so, steals anything of value, other than the use of the
computer itself, where that computer use is worth less than $5,000 in any one year
period [18 U.S.C. 1030 (a)(4)];
2. Knowingly transmits a program, code or instruction, and as a result, intentionally
causes damage, without authorization, to a protected computer [18 U.S.C. 1030
(a)(5)(A)];
3. Intentionally accesses a protected computer without authorization, and as a result,
causes damage, recklessly or otherwise [18 U.S.C. 1030 (a)(5)(B)];
4. Knowingly traffics illegally in passwords or other access credentials that allow
unauthorized access to a computer, if that traffic affects interstate or foreign
commerce or the computer is used by or for the United States government [18
U.S.C. 1030 (a)(6)]; and
5. Threatens to damage a protected computer with intent to extort anything of
value [5]; or
6. Attempts to do any of the above1 [18 U.S.C. 1030(b)].
Private parties ‘who suffer loss or damage’ as the result of a CFAA violation have the
right to sue [18 U.S.C. 1030(g)].

7.4.2 The Digital Millennium Copyright Act (DMCA)


The Digital Millennium Copyright Act (17 U.S.C. 1201-05), (the “DMCA”), provides
that “no person shall circumvent a technological measure that effectively controls access
to a work protected” under the copyright law of the USA and goes on to prohibit the
“manufacture, import, offer to the public, provide, or otherwise traffic in any technology,
product, service, device, component, or part thereof, that —(A) is primarily designed
or produced for the purpose of circumventing a technological measure that effectively
controls access to a copyrighted work; (B) has only limited commercially significant
purpose or use other than to circumvent a technological measure that effectively controls
access to a copyrighted work; or (C) is marketed by that person or another acting in
concert with that person with that person’s knowledge for use in circumventing a
technological measure that effectively controls access to a copyrighted work.” The
DMCA defines the term “circumvent a technological measure” to mean to descramble
a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass,
remove, deactivate, or impair a technological measure, without the authority of the
copyright owner [17 U.S.C. 1201 (a)]. This provision of the DMCA assists licensors
of digitized copyrighted works in restricting access to those who obtain access to it
lawfully and are therefore entitled to decrypt the work.
The DMCA contains analogous provisions prohibiting technology that circumvents “the
protection afforded by a technological measure that effectively protects a right of a
copyright owner.” The DMCA also: (a) defines the term “circumvent protection afforded
by a technological measure” [to] mean avoiding, bypassing, removing, deactivating, or
otherwise impairing a technological measure; and (b) states that a technological measure
“effectively protects a right of a copyright owner under this title” if the measure, in the
ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a
right of a copyright owner [17 U.S.C. 1201 (b)]. This provision gives copyright owners
legal recourse against anyone who removes technology that limits the use of copyrighted
works to the uses authorized by the owner.
Like the CFAA, the DMCA imposes both criminal and civil liability. With regard to civil
remedies, the DMCA provides for the recovery of actual damages, the violator’s profits,
and statutory damages ranging up to $2,500 per act of circumvention, or per device,
product, component, offer, or performance of service. Damages may be trebled (tripled)
where the injured party proves that the current violation occurred within three (3) years
after the entry of judgment against the defendant for a previous violation. Injunctive
relief and the recovery of attorney’s fees are also available [17 U.S.C. 1203].
It is to be noted that the DMCA is concerned with technology designed to circumvent
the measures that protect copyrighted works.

7.4.3 eBay Case in the US


Though the law in India is not very well developed in cases of information security, there
are cases in the US which help interpret the broad parameters of the issues involved
and provide us with an understanding of the jurisprudence involved:
In eBay Inc. v. Bidder’s Edge, Inc. [100 F. Supp. 2d 1058 (ND Cal., May 24, 2000)],
eBay, the well known Internet auction service, was confronted by routine, multiple,
recursive searches of its database conducted by Bidder’s Edge, a now defunct
aggregator of auction sites, using software robots that exceeded eBay’s limitations on
robotic access. Negotiations between the parties aimed at providing Bidder’s Edge
with additional authorized robotic access to eBay’s database were unsuccessful, and
Bidder’s Edge continued to conduct searches without eBay’s authorization, depriving
eBay of control of its own system. eBay sued, seeking an injunction to stop Bidder’s
Edge from conducting such searches, on a trespass to chattels theory. In ruling for
eBay, the court wrote:
“Although there is some dispute as to the percentage of queries on eBay’s site for
which BE [Bidder’s Edge] is responsible, BE admits that it sends some 80,000 to
100,000 requests to plaintiff’s computer systems per day. Although eBay does not
claim that this consumption has led to any physical damage to eBay’s computer system,
nor does eBay provide any evidence to support the claim that it may have lost revenues
or customers based on this use, eBay’s claim is that BE’s use is appropriating eBay’s
personal property by using valuable bandwidth and capacity, and necessarily
compromising eBay’s ability to use that capacity for its own purposes. ...The law
recognises no such right to use another’s personal property. ...If preliminary injunctive
relief were denied, and other aggregators began to crawl the eBay site, there appears
to be little doubt that the load on eBay’s computer system would qualify as a substantial
impairment of condition or value. California law does not require eBay to wait for such
a disaster before applying to this court for relief.” (100 F. Supp. 2d 1058 (ND Cal.,
May 24, 2000)).

7.4.4 Liability in Torts


Further case laws in the US have held that if a company or an organization is negligent
in not having adequate technological safeguards which protect information from being
hacked, misused or from being lost, then the company or the organization may be held
liable for negligence. For example, if Internet Explorer has a security flaw and Microsoft
has released a patch for the flaw, which is readily available, and the company fails to
install the patch and is hacked or the systems in the company crash due to such
vulnerability, then the company is liable for any damages. Under tort law, even though
the hacker would be liable in a trespass against the company, the company would be
liable, under negligence, for any injuries the hacker caused a third party. For example,
if the hacker was able to delete a customer’s order from a supplier’s computer file, the
customer could hold the supplier liable for any damages he sustained by not receiving
its order. The negligence theory is based on the fact that the supplier should have installed
the necessary equipment (hardware and software) and should have taken reasonable
actions to prevent the hackers from invading his computer system. Also, because the supplier did
not have the necessary protection on its computer system, it should have known that
such an act was likely to occur, and, therefore, guarded against it.2
In such cases the issues that would crop up during any discussion of liability would
essentially be:
1. Did the organization have a duty to protect information, which has been misused,
lost or hacked?
2. What measures did the organization take to protect the information stored on its
computer systems and information networks?
3. Apply the ‘reasonable person’ test and see if a reasonable security expert would
have taken any other precautions to protect the information and whether you have
failed to do that?
4. Was the technological vulnerability known or capable of being known to you—
was it known publicly? Would any ‘reasonable person’ have known about the
vulnerability?
5. Was the vulnerability fixable and if so how long had a fix existed? Would a
‘reasonable person’ have installed the fix prior to the time the hack had occurred?
6. Was that type of information stored in a location that any ‘reasonable person’ would
have thought to be acceptable?
Essentially the defence available against an action of negligence as specified above
would be to prove that the company has taken all reasonable steps to ensure that
information security has been established and any “reasonable person” would do no
more in this respect than what the company has done. The following are factors, which
may be considered while determining whether the company has done everything
reasonably possible to ensure information security. Therefore a company should consider
the following steps3:
1. Establish a budget and staff with time that is dedicated to system security;
2. If you do not already have one in place, create a written security policy;
3. As part of your security policy, develop and implement a procedure that tracks
security risks and as they are identified, evaluates their potential risk to your
business, identifies the appropriate fix, and schedules a date for implementation of
that fix. Include follow-ups to ensure that the fix has been completed;
4. Check with your systems/OS vendor and find and implement all suggested lock
down procedures for your OS and Hardware;
5. Install a good firewall. Roughly eighty per cent of all attacks happen from within
the firewall but you still need to protect against the other twenty per cent;
6. Employ some form of Intrusion Detection and monitor it regularly;
7. Keep yourself and your staff educated on the latest in security and vulnerabilities;
8. Review security resources such as Bugtraq, SANS, Securityfocus, virus reports
and other security publications, books and web sites as well as vendors websites
on a regular basis;
9. Perform regular security audits on your systems and networks. These can be done
internally but should also be done on a regular basis by an independent auditing
firm that specializes in security auditing. Read the results of your audits carefully
and act on any holes found in your security, procedures and policy;
10. Make sure your company has a security awareness program for all employees.
Whether through social engineering or leaving sensitive information displayed on
an unattended computer screen, a good security policy does no good if your
employees are unwittingly releasing information to a hacker;
11. Properly destroy all unusable media and printouts. Use a professional information
destruction company or at a minimum run all unusable tape and printouts through
a shredder. When a hard disk drive is upgraded or replaced, the old drive must be
sanitized or destroyed;
12. If you are an organization providing information technology services to
companies outside India, educate yourself on applicable laws in jurisdictions
where your contracts will be governed and make sure you lock down your systems
and networks according to such applicable laws;
13. Make sure you understand and abide by any other laws that may cover the types
of information and data being handled on your systems and networks;
14. Use Data Encryption in the transmission and storage of sensitive data; and
15. Do everything you can to maximize security but get insurance. Review your insurance
policies and if your insurance does not cover your business for situations regarding
hacking losses and/or online liabilities, get covered.
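The following sketch is an added example, not part of the original unit. It applies issues 4 and 5 of the liability list above (was the vulnerability publicly known, did a fix exist, and for how long) together with step 3 of the checklist (track each risk, schedule its fix, follow up) to a risk register. The register entries, field names, system names and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class TrackedRisk:
    """One entry in the risk-tracking procedure (field names are assumptions)."""
    system: str
    issue: str
    publicly_known: Optional[date]  # when the flaw became public, None if it never did
    fix_released: Optional[date]    # when a fix became available, None if none exists
    fix_scheduled: Optional[date]   # date set for implementing the fix
    fix_installed: Optional[date]   # follow-up: date the fix was confirmed installed


def assess(risk: TrackedRisk, incident: date) -> dict:
    """Answer the 'known?', 'fixable?' and 'fixed in time?' questions for one entry."""
    known = risk.publicly_known is not None and risk.publicly_known <= incident
    fixable = risk.fix_released is not None and risk.fix_released <= incident
    installed = risk.fix_installed is not None and risk.fix_installed <= incident
    # Days an available fix sat uninstalled before the incident.
    # Zero when no fix existed yet or when it was installed in time.
    unpatched_days = (incident - risk.fix_released).days if fixable and not installed else 0

    if installed:
        status = "fixed before incident"
    elif not fixable:
        status = "no fix available"
    elif risk.fix_scheduled is None:
        status = "fix available, never scheduled"
    elif risk.fix_scheduled < incident:
        status = "fix overdue"
    else:
        status = "fix scheduled, not yet due"

    return {
        "system": risk.system,
        "publicly_known": known,
        "fix_existed": fixable,
        "installed_before_incident": installed,
        "unpatched_days": unpatched_days,
        "status": status,
    }


def exposure_report(register: List[TrackedRisk], incident: date) -> List[dict]:
    """Assess every entry and list the longest unpatched exposure first."""
    results = [assess(risk, incident) for risk in register]
    return sorted(results, key=lambda r: -r["unpatched_days"])


# Constructed register: (known, fix released, fix scheduled, fix installed).
REGISTER = [
    TrackedRisk("web-01", "browser flaw", date(2006, 11, 1), date(2006, 11, 14),
                date(2006, 12, 1), None),
    TrackedRisk("db-01", "database flaw", date(2006, 10, 2), date(2006, 10, 20),
                date(2006, 11, 15), date(2007, 1, 5)),
    TrackedRisk("mail-01", "mail server flaw", date(2007, 3, 1), None, None, None),
    TrackedRisk("vpn-01", "gateway flaw", date(2007, 2, 15), date(2007, 2, 20),
                date(2007, 3, 15), date(2007, 3, 15)),
    TrackedRisk("file-01", "file server flaw", date(2007, 1, 10), date(2007, 1, 25),
                None, None),
]
INCIDENT = date(2007, 3, 10)  # constructed date of the hypothetical hack

if __name__ == "__main__":
    for row in exposure_report(REGISTER, INCIDENT):
        print(f'{row["system"]:8} {row["unpatched_days"]:4d} days  {row["status"]}')
```

Entries that report a long unpatched period with the status "fix overdue" or "fix available, never scheduled" are the ones where the 'reasonable person' questions are hardest to answer in the organization's favour.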

Please answer the following Self Assessment Question.
Self Assessment Question 2 Spend 4 Min.
What is the difference between the CFAA and the DMCA?

Let us now summarize the points covered in this unit.

7.5 SUMMARY
● Information security incidents have been on the rise.
● Organizations and individuals have had to suffer a lot of damage.
● India has inadequate laws to deal with such information security issues.
● The Information Technology Act, 2000 provides various mechanisms which
encourage and recognise information security measures.
● The Act has adopted the Public Key Infrastructure (PKI) for securing electronic
transactions.
● The Act deals with some more computer crimes and provides for penalties
for these offences. Chapters IX and XI of the Act deal with civil liabilities for
offences and criminal offences respectively.
● India needs to develop jurisprudence on these laws.
● US and UK laws have evolved but are still facing myriad technological challenges
and are struggling to keep pace with the changes.

7.6 TERMINAL QUESTIONS


1. In the age of information why is it important to protect one’s information systems
against various cyber security threats and vulnerabilities?
2. Explain in brief the legal treatment of Information Security in the Information
Technology Act, 2000.
3. Explain in brief how the United States of America has addressed the issue
of information security and technological vulnerabilities in its legislations.
4. Critically analyse the case eBay Inc. v. Bidder’s Edge, Inc. in the context of
information security and the legal principle propounded.

5. Analyse and explain the concept of negligence in tort and its relationship to
information security and how liability may be imposed on an individual or an
organization through the concept of negligence.
6. What is the defence available to a charge of negligence in the context of information
security and what processes/policies should an individual/company have in place
to substantiate such defence?

7.7 ANSWERS AND HINTS


Self Assessment Questions
1. Yes. Adoption of Public Key Infrastructure and creation of Certifying Authorities.
2. One is for the protection of computers while the other protects copyrights.

Terminal Questions
1. Refer to section 7.1 of the unit.
2. Refer to section 7.3 of the unit.
3. Refer to section 7.4 of the unit.
4. Refer to section 7.4 of the unit.
5. Refer to section 7.4 of the unit.
6. Refer to section 7.4 of the unit.

7.8 REFERENCES AND SUGGESTED READINGS


1. Steven Robinson. “US Information Security Law”. Security Focus.com. 10 Mar. 2007 <http://www.securityfocus.com>.

2. Gary Holtz. “System Security and Your responsibilities. Minimizing your Liability”. Sans.org. 10 Mar. 2007 <http://www.sans.org/rr/whitepapers/legal/46.php>.

3. Ibid.

UNIT 8 SECURITY AUDITS
Structure
8.1 Introduction
8.2 Objectives
8.3 Risk Assessment and Classification of Information Systems
8.4 Security Audits
8.4.1 Understanding the Importance of Information to Your Business
8.4.2 Understanding Information Security Related Assets
8.4.3 Understanding How Assets are Used, by Whom and for What Reason
8.4.4 Understanding Security Management
8.4.5 Understanding Your Broader Obligations
8.5 Security Policy, Standards and Procedures
8.5.1 Security Policy
8.5.2 Security Standards
8.5.3 Protection of System Audit Tools
8.5.4 Importance of Audit Trails During Audits
8.5.5 Sensitive System Isolation
8.5.6 Monitoring of System Use – Procedures and Areas of Risk
8.6 Summary
8.7 Terminal Questions
8.8 Answers and Hints
8.9 References and Suggested Readings

8.1 INTRODUCTION
An organization’s networks and computer systems (“Information Systems”) are the
means which it uses to communicate and share information with all its users. The
Information Systems during this process may come under attack from both internal as
well as external sources. In order to minimize these attacks and the risks associated
with them, organizations need to do the two most important things, which will
be discussed in this unit and are also the objectives of this unit.

8.2 OBJECTIVES
After studying this unit, you should be able to:
● know the processes of conducting an assessment of risks against all Information
Systems of the organization;
● explain the concept of security audit;
● discuss various Information Security policies and measures (including technological,
administrative and physical); and
● appreciate the requirements to conduct regular audits to verify the effectiveness of
the Information Security measures and policies.

8.3 RISK ASSESSMENT AND CLASSIFICATION OF INFORMATION SYSTEMS
The security controls to be put in place require to be identified by a methodical assessment
of risks. The risk assessment techniques require to be applied to the whole organization
including individual information systems, specific components of such systems or services.
In fact, risk assessment is a systematic consideration of the business hardships, likely to
result from security failure, together with the potential consequences of the loss of
confidentiality, integrity or availability of information and the information assets and
the realistic likelihood of the occurrence of such failure in the light of the prevailing
threats and vulnerabilities vis-à-vis the security controls currently implemented in the
organization.
The results of this assessment will help guide and determine the appropriate management
action, the priorities for managing the information and the information systems security
risks and for implementing security controls, selected to protect the organization against
such risks. The process of assessing the risks and the selection of the security controls
may require to be performed a number of times to cover different parts of the organization
or the individual information systems and services. It is also important to carry out
periodic reviews of the security risks and the implemented security controls in view of
new threats and vulnerabilities and to confirm that the security controls in place are
effective and appropriate. The reviews will require to be performed at different levels
of depth, depending on the results of the previous assessments and the changing levels
of risk, which the management of the organization is prepared to accept. The risk
assessments will require to be carried out first at a high level for prioritizing the
information and the information assets in the areas of high risk and then, at a more
detailed level to address specific risks.
The assessment of the vulnerabilities in the Information Systems and the risks, which
arise therefrom, are an integral part of any Information Systems security and audit
programme. The process of risk assessment is a method for formulating the policies
and selecting the safeguards to protect information and information system assets from
security threats occurring through the vulnerabilities, inherent in the personnel, facilities
and equipment, communications, applications, environmental conditions, operating
systems and applications. The risk assessment should be done by assessing the security
threats relating to the above vulnerabilities and based on the impact of the occurrence,
assigning a high, moderate or low risk to the particular vulnerability. In this way, the
possibility and the magnitude of monetary loss, productivity loss and embarrassment to
the organization can be minimized. It is important that the organization addresses all the
known threats prudently/judiciously. The implementation of the security controls, the
execution of the insurance policy and the recognition and acceptance of the risks are
preferable to ignoring the security threats, existing and the likely future ones. Once the
appropriate security controls have been identified and implemented, the next step is to
conduct an audit of the security controls.

Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


What is the best process for carrying out a risk assessment?

8.4 SECURITY AUDITS


There are various kinds of security audits, which may have to be done depending upon
the vulnerabilities that you want to check. SAS 70 audits, SOX compliance audits, etc.
are a few of the more specific audits. It is also possible to have an all-encompassing
audit such as ISO or BS audits which are applicable organization-wide. These audits
look at all the relevant security controls and audit the organization on the basis of these
controls. An organization can opt to have an internal audit or an external audit by an
auditing firm, which will lead to a certification that the organization is compliant with a
standard under which it has been audited. Typically it is advisable to conduct an internal
audit to plug all loopholes before opting for an external audit. This will make the process
of certification easier after the external audit. This section outlines the various parameters,
which an information security audit generally looks into.

8.4.1 Understanding the Importance of Information to Your Business
● How does the information you use in your business relate to your primary business
objectives?
● Have you identified the information that is critical for you to do business?
● What tasks do you perform that involve the creation, processing, storage, use and
transmission of that business-critical information?
● What assets do you use to create, process, store and transmit that business-critical
information (for example computers, card-indexes, mobile phones)?
● Do you know what would happen to your business if the confidentiality of those
assets was broken (if, say, a competitor gained access to them)?
● Do you know what would happen to your business if the integrity of those assets
was compromised, and you were unable to trust the information in them?
● Do you know what would happen to your business if those assets were unavailable
to you for a period of an hour, a day, a week or a month?
● Using what you now know about the confidentiality, integrity and availability of
your company’s information assets, can you prioritize them?
Once you have prioritized information assets in order of their importance to your business,
you will be able to ensure that they are given an appropriate degree of protection.
Failing to do this could mean that you will be wasting time and resources on assets that
are not critical to your business, or worse, that business-critical information is not
adequately protected. Subsequent to that is an audit process, which will essentially ask
the following questions:

8.4.2 Understanding Information Security Related Assets


● Do you have a written inventory of your business-critical information assets:
hardware, software and intellectual (such as patents and contracts)?
● Does that inventory tell you where the assets can be found?
● Do you regularly update the inventory and audit it to ensure that it remains
comprehensive and valid?
● Are you aware of the security features in the hardware and software you use, and
do you have appropriate manuals or training materials about these features?
● Has anyone in the office had previous experience with these products or taken
classes on them?

8.4.3 Understanding How Assets are Used, by Whom and for What Reason
● Who in your company has access to business-critical assets?
● Do your employees use unique passwords to control access to the computer
assets they use?
● Are those passwords kept secure and changed regularly?
● Do you ensure that access is given only for genuine work-related reasons?
● Do you keep the list of who has access to what, and do you regularly update those
lists?
● Do you run a local- or wide-area network? If so, how do you control access to
that network? If passwords are used, are these unique to each user, changed
regularly and kept secure?
● Do you have Internet access? If so, do you have broadband access or dial-up?
● Which computers/devices in the company have network or Internet access, and
do you know who uses these?
● Do employees have remote access to your network (either from home or on the
road)?
● How do employees gain access to your network when they are working remotely?

8.4.4 Understanding Security Management


● Read the following list of security technologies and ask yourself which you are
aware of, and which you use:
– firewalls and VPN (Virtual Private Networks),
– access, authorization and authentication controls,
– anti-virus,
– spam filters,
– Internet content control,
– network-security policy compliance tools,
– vulnerability and threat databases,
– cryptography tools such as SSL, public-key cryptography and hard-disk
encryption,
– intrusion detection systems.
● Do you regularly back up your business-critical data?
● Do you test the back-ups, restoring the data from them and making sure it is
usable?
● Do employees using laptops or other computers for remote access have anti-virus
software and firewalls on those computers?
● Do you allow employees to use the company’s computers, systems or network
access for non-business purposes? If so, do you make it clear to them that certain
uses are unacceptable and may result in disciplinary action?
● Do you provide any security education or training for employees who use the
company’s computers or information systems?
● Do you have any policies, standards or procedures related to security?

8.4.5 Understanding Your Broader Obligations


● Are you familiar with legal requirements related to securing certain types of
information (Financial services information, health information, personal data)?
– This may involve privacy legislation as well as sectoral regulation.
– In some cases, especially where personal, sensitive or confidential information
is involved, you may be required to provide a minimum level of protection
for that information, irrespective of the size of your company.
● Are you familiar with the rights of employees in the workplace?
– Some laws may limit your access to certain types of employee information
and communications, or require notice or consent before you are able to
access real or virtual information held in an employee’s workspace.
● Are you aware of your role regarding the security of others?
– The security of information systems is complex because businesses are
connected to each other directly and through the Internet, creating
interdependencies and spreading risk. Failing to properly secure your system
may not just compromise and potentially harm your business; it can increase
the risk to other systems to which you are connected. Greater risk could
result from virus programs using your contact lists to spread further, or from
malicious programs using your unsecured networked computer to attack or
send spam to other systems or computers.
– Do your employees understand what is appropriate behaviour on the Internet?
This goes beyond not downloading or posting illegal, inappropriate or
offensive material, and includes general conduct that is in keeping with the
values and ethical practices of your business.

Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


Name a few of the standard security audit processes used in the industry.

8.5 SECURITY POLICY, STANDARDS AND PROCEDURES
Subsequent to an audit, which answers all the above questions, you will be able to
formulate information security strategies to plug the loopholes
which the audit has revealed. This is mainly done through adopting a security policy,
which lays down the parameters of information security across the organization.

8.5.1 Security Policy


The policy should include the following:
● Information is vital to our business.
● We protect the confidentiality, integrity and availability of our business-critical
information.
● We have standards that help us to do this – including:
– physical security
– personnel security
– access controls
– security technology
– security response and recovery, and
– security audits.
● We have procedures that help us to meet our standards.
● Employees should be familiar with the procedures relevant to their roles and
responsibilities.
● We take disciplinary measures against employees who persistently or deliberately
flout these information security policies, standards and procedures.
The policy should say where details of the standards and procedures can be found.

8.5.2 Security Standards


The standards listed in the security policy section above are examined in more detail
in this section.
● Physical security
– Fit appropriate locks or other physical controls to the doors and windows of
rooms where you keep your computers.
– Physically secure laptops when they are unattended (for example, by locking
them in a drawer overnight).
– Ensure that you control and secure all removable media, such as removable
hard-drives, CDs, floppy disks and USB drives, attached to your business-
critical assets.
– Make sure that you destroy or remove all business-critical information from
media such as CDs and floppy disks before disposing of them.
– Make sure that all business-critical information is removed from the hard
drives of any used computers before you dispose of them.
– Store back-ups of your business-critical information either off-site or in a
fire- and water-proof container.
● Access controls
– Use unique passwords, that are not obvious (not birth dates or easily found
or guessed information) and change them regularly, preferably every three
months.
– Use passwords that contain letters in both upper and lower case, numbers
and special keys, and are six or more characters in length. It helps if you
consider your password as a memorable sentence, rather than a single word.
For example, the sentence: “at forty-two I’m a star!” could be translated
into an eight-character password that looks like this: @42Ima*!
– Don’t write your password down, and never share it with anyone. If you do
have to share it, make sure you change it as soon as possible — no matter
how well you trust the person you shared it with!
● Security technology
– All computers used in your business should have anti-virus software installed,
and the virus definitions must be updated at least once a week (many providers
have a one-click update). All incoming and outgoing traffic should be scanned
for viruses, as should any disk or CD that is used, even if it is from a ‘trusted’
source. At least once a month, computers should be scanned for viruses.
– If your computers are connected to the Internet, and especially if you use a
broadband connection, you must deploy a software firewall. This will help to
prevent malicious code from entering your computer and potentially
compromising the confidentiality, integrity and availability of your network. It
will also help to stop your system being used to attack other systems without
your knowledge. Software firewalls for use by non-professionals are readily
available at a reasonable cost. Your operating system, virus control software
or ISP may also offer a firewall. Consumer and popular trade magazines
compare firewall functions and features of well-known products, and so are
a good source of information. Free shareware firewalls are available, but
these usually require expert knowledge for correct use.
– If your business has a small network that is connected to the Internet, you
should consider deploying an ‘all-in-one’ hardware box that contains a firewall,
anti-virus program and an intrusion detection system. This will greatly simplify
your use and maintenance of essential Internet security technology.
● Personnel
– Perform integrity checks on all new employees to make sure that they have
not lied about their background, experience or qualifications.
– Give all new employees a simple introduction to information security, and
make sure that they read and understand your information security policy.
Make sure they know where to find details of the information security standards
and procedures relevant to their role and responsibilities.
– Ensure that employees have access only to the information assets they need
to do their jobs. If they change jobs, make sure that they do not retain their
access to the assets they needed for their old job. When dismissing employees,
ensure that they do not take with them any business-critical information.
– Make sure that no ex-employees have access rights to your systems.
– Make sure your employees know about the common methods that can be
used to compromise your system. These include e-mail messages that contain
viruses and ‘social engineering’ ploys used by hackers to exploit employees’
helpfulness to gain information that will give them access to your system.
Examples of ‘social engineering’ include a hacker using the telephone to pose
as a systems maintenance engineer or pretending to be a new employee.
● Security Incident/Response
– A security incident is any event that can damage or compromise the
confidentiality, integrity or availability of your business-critical information or
systems.
– It is important to make your staff aware of telltale signs of security incidents.
These could include:
- strange phone requests, especially for information
- unusual visitors
- strange patterns of computer activity
- unusual appearance of computer screens
- computers taking longer than usual to perform routine tasks.
– Your staff should understand that it is always better to notify the right person
if they observe anything that might be a telltale sign of a security incident.
– If a security incident happens, employees should know who to contact and
how.
– You should have in place a plan to assure business continuity in the event of a
serious security incident. The plan should specify: designated people involved
in the response; external contacts, including law enforcement, fire and possibly
technical experts; and contingency plans for foreseeable incidents such as:
- Power loss
- Natural disasters and serious accidents
- Data compromise
- No access to premises
- Loss of essential employees
- Equipment failure.
– Your plan should be issued to all employees and should be tested at least
once a year, even if you haven’t had a security incident.
After every incident when the plan is used, and after every test, the plan should be
re-examined and updated as necessary using the lessons learned.
After this exercise of setting in place appropriate information security policies and
processes you will be ready for an external audit. Again the external audit will ask the
same questions you asked yourself in the internal audit. Only now, all the loopholes will
have been plugged due to the implementation of the Information Security policies and
processes and certification becomes easier.

8.5.3 Protection of System Audit Tools


There should be controls to safeguard operational systems and audit tools during system
audits to maximize the effectiveness of and to minimize interference to/from the system
audit process. Protection is also required to safeguard the integrity of the information
systems and prevent misuse of the audit tools. Audit requirements and the activities
involving checks on operational systems should be carefully planned and agreed to
minimize the risk of disruption to the business processes. The following should be
observed:
(a) Audit requirements should be agreed with the appropriate management.
(b) The scope of the checks should be agreed and controlled.
(c) The checks should be limited to read-only access to software and data.
(d) Access other than read-only should only be allowed for isolated copies of system
files, which should be erased when the audit is completed.
(e) IT resources for performing the checks should be explicitly identified and made
available.
(f) Requirements for special or additional processing should be identified and agreed.
(g) All accesses should be monitored and logged to produce a reference trail.
(h) All procedures, requirements and responsibilities should be documented.
Access to system audit tools i.e. software or data files, should be protected to prevent
any possible misuse or compromise. Such tools should be separated from development
and operational systems and not held in tape libraries or user areas, unless given an
appropriate level of additional protection.

8.5.4 Importance of Audit Trails During Audits


Audit trails are records of activity, used to provide a means for reconstructing events and
establishing accountability. The audit trail information is essential for investigation of the
incidents/problems. The controls, useful in the audit trail process, are described hereunder.
To deter and provide early detection of unauthorized activity, the following steps should
be implemented:
(a) To provide an audit trail for the computer systems and manual operations when:
i) SENSITIVE or HIGHLY SENSITIVE information is accessed;
ii) network services are accessed; and
iii) special privileges or authorities such as the security administration commands,
emergency USERIDs, supervisory functions etc., overriding the normal
processing flow, are used.
(b) To include in the audit trail as much of the following as is practical:
i) user identification;
ii) functions, resources and information used or changed;
iii) date and time stamp (including time zone);
iv) work-station address and network connectivity path; and
v) specific transaction or program executed.
(c) To provide an additional real time alarm of significant security-related events for
all computer systems having on-line capabilities for enquiry or update, containing
information as under:
i) access attempts that violate the access control rules;
ii) attempts to access functions or information not authorized;
iii) concurrent log-on attempts; and
iv) security profile changes.
(d) To investigate and report suspicious activity immediately.
(e) To ensure that management reviews the audit trail information on a timely basis,
usually daily.
(f) To investigate and report security exceptions/violations and unusual occurrences.
(g) To preserve the audit trail information for an appropriate period of time for business
requirements.
(h) To protect the audit trail information from deletion, modifications, fabrications or
re-sequencing by use of digital signature.
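
As an added illustration of items (b) and (h) (not part of the original unit), the Python sketch below records the fields of item (b) in each entry and chains the entries so that modification, deletion, fabrication and re-sequencing are detectable. It substitutes an HMAC-SHA256 chain from the standard library for the digital signature the text names; the key, field names and sample entries are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                  # "previous tag" of the first record
DEMO_KEY = b"constructed-demo-key"  # assumption: held only by the logging service


def record_tag(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_record(trail, key, *, user_id, action, resource,
                  workstation, transaction, when):
    """Append one entry carrying the fields of item (b); return the new head tag."""
    if when.tzinfo is None:
        raise ValueError("timestamp must include its time zone")
    body = {
        "seq": len(trail),                               # position in the trail
        "prev": trail[-1]["tag"] if trail else GENESIS,  # link to predecessor
        "user_id": user_id,
        "action": action,
        "resource": resource,
        "timestamp": when.isoformat(),
        "workstation": workstation,
        "transaction": transaction,
    }
    trail.append(dict(body, tag=record_tag(key, body)))
    return trail[-1]["tag"]


def verify_trail(trail, key, expected_head=None):
    """Return a list of (index, problem); an empty list means the trail is intact."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "tag"}
        tag = str(rec.get("tag", ""))
        if not hmac.compare_digest(record_tag(key, body), tag):
            problems.append((i, "tag mismatch: modified or fabricated"))
        if body.get("seq") != i:
            problems.append((i, "sequence error: deleted or re-sequenced"))
        if body.get("prev") != prev:
            problems.append((i, "chain break: predecessor missing or replaced"))
        prev = tag
    # The head tag is kept outside the trail so that cutting off the newest
    # entries, which leaves a valid shorter chain, is still noticed.
    if expected_head is not None and prev != expected_head:
        problems.append((len(trail), "head mismatch: trail truncated or extended"))
    return problems


def build_sample_trail(key=DEMO_KEY):
    """Constructed sample entries; returns (trail, head tag to store elsewhere)."""
    ist = timezone(timedelta(hours=5, minutes=30))
    start = datetime(2024, 3, 4, 9, 0, tzinfo=ist)
    rows = [
        ("u1001", "READ", "payroll.db", "10.0.0.5", "TXN-1"),
        ("u1001", "UPDATE", "payroll.db", "10.0.0.5", "TXN-2"),
        ("secadm", "PROFILE_CHANGE", "u1001", "10.0.0.2", "TXN-3"),
        ("u1002", "READ", "contracts/", "10.0.0.9", "TXN-4"),
    ]
    trail, head = [], GENESIS
    for n, (user, action, resource, ws, txn) in enumerate(rows):
        head = append_record(trail, key, user_id=user, action=action,
                             resource=resource, workstation=ws,
                             transaction=txn, when=start + timedelta(minutes=n))
    return trail, head


if __name__ == "__main__":
    trail, head = build_sample_trail()
    print("intact:   ", verify_trail(trail, DEMO_KEY, head))
    edited = [dict(r) for r in trail]
    edited[1]["resource"] = "public.txt"
    print("edited:   ", verify_trail(edited, DEMO_KEY, head))
    print("deleted:  ", verify_trail(trail[:1] + trail[2:], DEMO_KEY, head))
    print("truncated:", verify_trail(trail[:3], DEMO_KEY, head))
```

Anyone who can verify an HMAC chain also holds the key needed to forge it, so where reviewers must not be able to alter the trail, the same chaining is used with an asymmetric signature in place of the HMAC.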

8.5.5 Sensitive System Isolation


Sensitive systems might require a dedicated (isolated) computing environment. Some
application systems are sufficiently sensitive to potential loss that they require special
handling. The sensitivity/criticality may be such that the application system needs to
run on a dedicated computer system or that it should share resources with other trusted
application systems only. The following may be considered for addressing such
requirements:
(a) The sensitivity of an application system should be explicitly identified and
documented by the application owner.
(b) When a sensitive application is to run in a shared environment, the other application
system(s) with which it will share resources should be identified and agreed with
the owner of the sensitive application.

8.5.6 Monitoring of System Use – Procedures and Areas of Risk


Procedures for monitoring the use of information processing facilities should be
established. Such procedures are necessary to ensure that the users perform only those
activities, for which they have been authorized. The level of monitoring required for
individual facilities should be determined by a risk assessment, which should include the
following:
(a) Authorized Access including details as under:
● the user ID;
● the date and time of key events;
● the types of events;
● the files accessed; and
● the program/utilities used.
(b) All Privileged Operations as under:
● use of supervisor account;
● system start-up and stop; and
● I/O device attachment/detachment.
(c) Unauthorized Access Attempts as under:
● failed attempts;
● access policy violations and notifications for network gateways and firewalls;
and
● alerts from proprietary intrusion detection systems.
(d) System Alerts or Failure as under:
● console alerts or messages;
● system log exceptions; and
● network management alarms.
Risk Factors
The result of the system monitoring activities should be reviewed regularly. The frequency
of the review should depend on the risks involved. The risk factors, as under, should be
considered in this regard:
(a) the criticality of the application processes;
(b) the value, sensitivity or criticality of the information involved;
(c) the past experience of system infiltration and misuse; and
(d) the extent of system interconnection (particularly public networks).
Operator logs
Operational staff should maintain a log of their activities. Logs should include the
following:
(a) system starting and finishing times;
(b) system errors and corrective action taken;
(c) confirmation of the correct handling of data files and computer output; and
(d) the name of the person making the log entry.
Operator logs should be subject to regular, independent checks against operating
procedures.
Fault Logging
Faults should be reported and corrective action taken. Faults, reported by the users
regarding the problems with the information processing or communication systems,
should be logged. There should be established rules and procedures for handling the
reported faults, which, among others, should include:
(a) review of the fault logs to ensure that faults have been satisfactorily resolved; and
(b) review of corrective measures to ensure that controls have not been compromised
and that the action taken is fully authorized.
Logging and Reviewing of Events
A log review involves understanding the security threats faced by the information systems
and the manner in which such threats may arise. System logs often contain a large
volume of information, much of which is extraneous to security monitoring. There should
be a documented plan for the volumes of information to be logged, rotation of log files,
back-up archival of log files, encryption of log files and retention/disposal of log data.
To help identify significant events for security monitoring purposes, the copying of
appropriate message types automatically to a second log, and/or the use of suitable
system utilities or audit tools to perform file interrogation should be considered. When
allocating the responsibility for log review, a separation of roles should be considered
between the person(s) undertaking the review and those whose activities are being
monitored. Particular attention should be given to the security of the logging facility
because any susceptibility to tampering thereof i.e. modifications, fabrications etc., can
lead to a false sense of security. Security controls should aim to protect the logging
facilities against unauthorized changes and operational problems including:
(a) the logging facility being de-activated;
(b) alterations to the message types that are recorded;
(c) log files being edited or deleted; and
(d) log file media becoming exhausted and either failing to record events or overwriting
itself.
System Clock Synchronization
The correct setting of computer clocks is important to ensure the accuracy of audit
logs, which may be required for investigations or as evidence in legal or disciplinary
cases. Inaccurate audit logs may hinder such investigations and damage the credibility
of such evidence. Where a computer or communications device has the capability to
operate a real-time clock, it should be set to an agreed standard, e.g. Coordinated
Universal Time (UTC) or local standard time. As some clocks are known to drift
with time, there should be a procedure that checks for and corrects any significant
variation.
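
The log review and clock points above can be seen together in a short added example (not part of the original unit): a Python reviewer that raises the alarm types listed in 8.5.4(c) from log lines, and that only finds the concurrent log-on once every timestamp is converted to one agreed standard (UTC). The line format, event names, threshold and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: two hosts' logs merged by a plain text sort, so the
# lines are in string order, not in true time order.
SAMPLE_LOG = """\
2024-03-04T03:40:00+00:00 user=asha ws=10.0.9.7 event=LOGIN_OK
2024-03-04T03:45:00+00:00 user=asha ws=10.0.9.7 event=LOGOUT
2024-03-04T04:00:00+00:00 user=ravi ws=10.0.0.8 event=ACCESS_DENIED
2024-03-04T04:05:00+00:00 user=admin ws=10.0.0.2 event=PROFILE_CHANGE
2024-03-04T09:00:00+05:30 user=asha ws=10.0.0.5 event=LOGIN_OK
2024-03-04T09:20:00+05:30 user=asha ws=10.0.0.5 event=LOGOUT
2024-03-04T09:21:10+05:30 user=ravi ws=10.0.0.8 event=LOGIN_FAIL
2024-03-04T09:21:40+05:30 user=ravi ws=10.0.0.8 event=LOGIN_FAIL
2024-03-04T09:22:05+05:30 user=ravi ws=10.0.0.8 event=LOGIN_FAIL
"""

# Event types that raise an alarm on their own (names are assumptions).
DIRECT_ALARMS = {
    "ACCESS_DENIED": "ACCESS_VIOLATION",
    "PROFILE_CHANGE": "SECURITY_PROFILE_CHANGE",
}


def parse_line(line):
    """Return (time in UTC, user, workstation, event) for one log line."""
    stamp, *pairs = line.split()
    when = datetime.fromisoformat(stamp)
    if when.tzinfo is None:
        # Without a zone the entry cannot be placed on a common timeline.
        raise ValueError(f"no time zone in timestamp: {stamp}")
    fields = dict(p.split("=", 1) for p in pairs)
    return (when.astimezone(timezone.utc),
            fields["user"], fields["ws"], fields["event"])


def review(lines, normalize=True, fail_limit=3, window=timedelta(minutes=5)):
    """Return alarms as (UTC timestamp, kind, user).

    normalize=True orders events by their UTC time; normalize=False trusts
    the order of the lines as given, to show what that misses.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    if normalize:
        events.sort(key=lambda e: e[0])
    open_sessions = defaultdict(set)   # user -> workstations logged on
    failures = defaultdict(deque)      # user -> recent failed attempts
    alarms = []
    for when, user, ws, event in events:
        kind = DIRECT_ALARMS.get(event)
        if event == "LOGIN_OK":
            if open_sessions[user] - {ws}:
                kind = "CONCURRENT_LOGON"
            open_sessions[user].add(ws)
        elif event == "LOGOUT":
            open_sessions[user].discard(ws)
        elif event == "LOGIN_FAIL":
            recent = failures[user]
            recent.append(when)
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_limit:
                kind = "REPEATED_FAILURE"
                recent.clear()
        if kind:
            alarms.append((when.isoformat(), kind, user))
    return alarms


if __name__ == "__main__":
    for alarm in review(SAMPLE_LOG.splitlines()):
        print(alarm)
```

Run with `normalize=False`, the same lines produce no concurrent log-on alarm, because the 09:00+05:30 session (03:30 UTC) is read as starting after the 03:40 UTC session has already ended.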
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


Should there be audit trails during the audit process? If yes, why?

Let us now summarize the points covered in this unit.

8.6 SUMMARY
● Regular Security Audits are a must for all organizations.
● The audits can be both internal and external.
● The audits reveal the loopholes in the information security system.
● There are various kinds of security audits, which may have to be done depending
upon the vulnerabilities that you want to check. SAS 70 audits, SOX compliance
audits etc. are a few of the more specific audits.
● Based on the audits, adequate measures and systems have to be adopted by
organizations. This is mainly done through adopting a security policy.
● Security policy has certain standards to protect the confidentiality and integrity of
information vital to any business. This includes:
– physical security,
– personnel security,
– access controls,
– security technology,
– security response and recovery, and
– security audits.
● There should be controls to safeguard operational systems and audit tools during
system audits to maximize the effectiveness of and to minimize interference to/
from the system audit process.
● Audit trails are records of activity, used to provide a means for reconstructing
events and establishing accountability. Therefore, they are very important during
audits for investigation of problems.
● Systems which are sensitive to potential loss may require a special, dedicated
(isolated) computing environment.
● For monitoring the use of information processing facilities, a procedure should be
established to ensure that users perform only those activities for which they
have been authorized.
● The level of monitoring required for individual information processing facilities
should be determined by risk assessment.

8.7 TERMINAL QUESTIONS


1. What do you mean by Risk Assessment and Classification of Information Systems
and why is it important to an organization intending to conduct a Security Audit?
2. What factors need to be considered while analysing the importance of information
and information systems to an organization and its functioning? Explain with
examples.
3. What are the key factors in an organization, which need to be audited as a part of
the Information Security Audit? Explain in detail.
4. Describe in brief the various components and parameters of an Information Security
Policy, which addresses the various issues identified in the audit.
5. Why is protection of system audit tools important and what are the broad processes
to ensure that such tools are well protected?
6. What are audit trails and why is it important to have audit trails?
7. What special measures need to be adopted to ensure security of sensitive systems
and information?

8.8 ANSWERS AND HINTS


Self Assessment Questions
1. First at a high level for prioritising the information and the information assets in the
areas of high risk and then, at a more detailed level to address specific risks.
2. SAS 70 audits and SOX.
3. Yes, because the audit trail information is essential for investigation of incidents/
problems.

Terminal Questions
1. Refer to sections 8.3 and 8.4 of the unit.
2. Refer to section 8.4 of the unit.
3. Refer to section 8.4 of the unit.
4. Refer to section 8.5 of the unit.
5. Refer to section 8.5 of the unit.
6. Refer to section 8.5 of the unit.
7. Refer to section 8.5 of the unit.



UNIT 9 INTRODUCTION TO DATA
Structure
9.1 Introduction
9.2 Objectives
9.3 Meaning of ‘Data’
9.4 Need for Regulation of Data Protection
9.5 Regulation of Data Protection
9.5.1 European Union
9.5.2 OECD Guidelines
9.5.3 EU Directive
9.5.4 United Kingdom
9.5.5 United States
9.5.6 Asia Pacific
9.5.7 India
9.6 Monitoring of Data Protection
9.7 Summary
9.8 Terminal Question
9.9 Answers and Hints
9.10 References and Suggested Readings

9.1 INTRODUCTION
The transmission and storage of data has undergone a radical change due to advances
in technology and technological processes. The information technology revolution has
made the personal computer as common as a fountain pen and the individual more and
more dependent on a number of public and private services for example, banking,
credit, social security, insurance, employment, direct marketing, statistics, police,
telecommunications etc. that operate with automated administrations. Owing to the
relatively much faster transmissibility and easier storage of data in today’s scenario, it
has become imperative to both prevent and shield data from unauthorized access and
usage. The increased usage of the automated form of processing personal data over the
past few decades has in particular enhanced the risk of illegal use of personal data by
facilitating its transfer between countries with great differences in the level of protection
provided to personal data.
The concept of data protection has thus gained critical importance to ensure that personal
data is not processed in a manner that is likely to infringe or invade personal integrity
and privacy. The concept of protecting data, though in its early stages of practice,
promises on one hand, rapid growth over the coming years to secure for every individual,
whatever the nationality or residence, respect for such individual’s rights and fundamental
freedoms, and in particular the right to privacy, with regard to the automatic processing
of personal data relating to such individual. However, on the other hand, to be able to
ensure that the right to privacy, and the protection of personal data in particular, are
respected in the electronic superhighways capable of transferring a vast amount of
personal information worldwide in real time at very high speed shall be a pertinent
challenge. Data protection has thus become a topical subject, with an ever-increasing
number of evolving practical questions getting attached to it.1
Before we study the concept and the measures taken to regulate data protection in
detail, let us first understand what is meant by “data”.

9.2 OBJECTIVES
After studying this unit, you should be able to :
● explain the meaning of the term ‘data’;
● explain the concept of data protection;
● comprehend the need to regulate data protection;
● list the measures taken by UK, US and India to regulate data protection; and
● explain the current status of data protection regulation in India.

9.3 MEANING OF ‘DATA’


The Oxford English Dictionary defines the term “data” to connote things given or granted;
things known or assumed as facts and made the basis of reasoning or calculation; facts
collected together for reference or information; quantities, characters or symbols on
which operations are performed by computers and other automatic equipment, and
which may be stored and transmitted in the form of electrical signals, records on magnetic,
optical or mechanical recording media, etc.
Further, the term “data” has been defined in a number of legislations worldwide, which
signifies its importance in today’s day and age. It may be relevant to look at some of
these definitions.
Section 2 (1) (o) of the (Indian) Information Technology Act, 2000 (Act) defines “data”
to mean a representation of information, knowledge, facts, concepts or instructions
which are being prepared or have been prepared in a formalised manner, and is intended
to be processed, is being processed or has been processed in a computer system or
computer network, and may be in any form (including computer printouts, magnetic or
optical storage media, punched cards, punched tapes) or stored internally in the memory
of the computer.
The United Kingdom Data Protection Act, 1998 (UK Act) defines data as information
which-
(a) is being processed by means of equipment operating automatically in response to
instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such
equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should
form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record.
The UK Act further defines “personal data” as data which relates to a living individual
who can be identified
(a) from the data, or
(b) from the data and other information which is in the possession of, or is likely to
come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of
the intentions of the data controller or any other person in respect of the individual.
In view of the information revolution, which has resulted from the coupling of computer
techniques, telecommunications, multimedia and the lightning development of the Internet,
the legislations have also therefore laid stress and emphasis on the computer-processed
and computer-stored forms of data.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


Can data under the UK Act be information that does not form part of an accessible
record?

9.4 NEED FOR REGULATION OF DATA PROTECTION
It is well understood that the free flow of information has contributed to the globalisation
and virtualisation of society and thus has raised concerns about security, respect of
fundamental rights and privacy. The keeping of records on individuals for various
purposes and the risks of infringement of privacy, by both public and private
sectors, have never been easier than today, through the use of new technologies and the
convergence of their application. One example of such infringement of privacy is often
reflected in a number of unidentified calls received by consumers today from a number
of companies selling their products on telephone and through e-mails on the basis of the
data collected by them through sources which are not disclosed to consumers. Therefore,
an active policy and awareness by and on behalf of citizens is constantly a necessity.
A core problem in this respect concerns what forms of regulation actually benefit
citizens and how their interests can be determined. Further, as data protection is in the
interest of the citizen, this regulation must, as a starting point, be acceptable. However,
there are several conflicting interests that are active within this field and it is a constant
battle to ensure that these interests are balanced and that those of citizens are sufficiently
protected. In view of this, it is further important to look at the efforts made for regulation
and protection of data internationally.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 2 Min.
Provide an example of a common infringement of privacy today.

9.5 REGULATION OF DATA PROTECTION


9.5.1 European Union
In the European Union (EU), the protection of personal information became widespread
after the Second World War. The explosion of information power brought about by
computing gave rise to fears, which surfaced quite early in mainland Europe, that the
use of the new machines might weaken or undermine individual human rights.
Europe had only established its Human Rights Commission in the 1950s after the
European Convention for the Protection of Rights and Fundamental Freedoms was
adopted in 1950. The suggestion that data movements might be curtailed or controlled
on human rights grounds gave rise, in its turn, to reservations of a different kind; such
as trade being fettered if information could not flow freely. The development of
standards for the use and dissemination of personal data, or data protection standards,
proved to be the response to these apprehensions. The standards laid by the European
Union are seen embodied in enforceable laws throughout Europe and in many other
parts of the world.

9.5.2 OECD Guidelines


It was in the year 1980 that an international team of experts convened by the Organization
of Economic Co-operation and Development (OECD), developed a set of privacy
guidelines, consisting of a total of eight “privacy principles” and enforcement approaches.
The OECD Guidelines were intended to offer harmonised protection of individual
privacy rights while simultaneously being flexible enough to apply across a variety of
social, legal, and economic circumstances. The 1980 OECD Guidelines have had an
enormous influence in finding their way into a variety of legislative and self-regulatory
adaptations. The following are the eight broad principles pertaining to privacy laid down
by OECD:
1. Collection limitation: There should be limits on data collection, and data should
be obtained by fair and lawful means and, where appropriate, with the knowledge
or consent of the data subject.
2. Data quality: Data should be relevant to the purpose for which it is collected and
should be accurate, complete, and up to date.
3. Purpose specification and notice: The purpose for which data are collected
should be provided to the data subject not later than at the time of collection; the
subsequent use of data should be limited to those and other “not incompatible”
purposes.
4. Use limitation: Data should not be disclosed or used except for purposes specified
in the notice unless the data subject consents or the law requires disclosure.
5. Security: Requires “reasonable” safeguards for personal data.
6. Openness: Requires openness about practices and policies regarding personal
data; it should be made easy to identify a data controller, how to reach it, the kinds
of data it collects and the main purposes of that collection.
7. Access: Requires “reasonable” access by a person to data collected, or information
about that data, and right to challenge, including requiring erasure of inaccurate
data.
8. Accountability: The data “controller” should be accountable for complying with
the protections and should be liable for harm.
The data protection principles and legislations in general have thus been founded upon
the Guidelines on the Protection of Privacy and Trans border Flows of Personal Data
issued in 1980 by the OECD. The OECD Guidelines will be studied in greater detail in
the next unit.

9.5.3 EU Directive
In 1995, the EU adopted its data protection directive (95/46/EC), and established a
detailed privacy regulatory structure for prospective and intended adoption into national
law by EU member states. The directive adopted the OECD concepts on data protection.
However, the directive made several important changes or additions to
the OECD Guidelines such as the creation of a “legitimacy” principle which prohibits
any data to be processed that does not have a legitimate purpose. It further interpreted
the openness principle to require national registration of databases and data controllers
and promoted the free flow of information only between and amongst the EU member
states. The cross border transfer to other countries was prohibited unless the other
country provided an “adequate” level of protection, although the same was made subject
to certain exceptions. Lastly the directive specifically stated that the member states
should encourage the use of codes of conduct thereby providing a means to limit the
possible discretionary exercise of authority and also obtaining flexible means to
update national interpretations.
The EU member states have a tradition of industry-government dialogue and the use of
industry codes of conduct. The EU directive explicitly encourages the use of such “self-
regulatory” measures; thereby making the impact of the directive less burdensome. In
other words, these codes allow regulatory measures to be flexible in order to keep
pace with technological developments and with evolving industry practices. These codes
further assist in avoiding unnecessary regulatory barriers and limiting the discretionary
exercise of regulatory authority.
This directive was thus an important initiative to protect personal information by
prohibiting the transfer of such personal data to those countries, which did not conform
to the privacy protection requirements of the EU2.

9.5.4 United Kingdom


The UK enacted the UK Data Protection Act, 1984 as amended by the UK Data Protection
Act, 1998 (DPA). The 1984 Act drew on both the OECD and Council of Europe
principles. It sets out eight principles for data handling, largely drawn from the two
international instruments, and states that personal data should be:
(a) lawfully processed;
(b) lawfully obtained;
(c) adequate and relevant;
(d) accurate and up to date;
(e) stored for a specific purpose and a reasonable duration;
(f) processed in accordance with the rights of the owners of such data;
(g) appropriate technical and organizational measures should protect against
unauthorized use of such data and provide overall protection; and
(h) transborder flow of information between countries with similar levels of protection.
The DPA provides a fairly detailed route map wherein various measures of protecting
personal information / individual privacy are set out. These eight principles provide
legal, technical and contractual protection to personal data and further also state the
parameters within which personal data is to be processed, obtained, stored and used in
the public domain. These principles also govern data exchange beyond the national
level to protect information crossing the local borders. Indeed a comprehensive protection
is put forth within these principles for personal data. Any contravention of the rights of
the individual owning personal data is subject to compensation for the extent of damage.

9.5.5 United States


In the United States, however, privacy protection is implanted in a much longer historical
development path, as it was developed in a fragmented manner commencing
from the basic principles of tort law and as a by-product of industry-specific legislation,
such as the Fair Credit Reporting Act.
The US currently has no legislation specific to consumer data privacy protection, relying
instead upon the industry self-regulation approach to the OECD Guidelines. Having
said that, however, due to immense pressure to strengthen consumer data protection
owing to the looming threat of the requirements of the EU data directive, the Federal
Trade Commission (FTC) has taken a more proactive approach in protecting consumer
data, acting pursuant to its authority to prevent unfair and deceptive trade practices in
accordance with the FTC Act3.

9.5.6 Asia Pacific


In November 2004, the Asia-Pacific Economic Cooperation (APEC), a forum
established in 1989 for facilitating economic growth, co-operation, trade and
investment in the Asia Pacific Region endorsed a privacy framework which is based
on the principle structure and import upon the core fundamentals of the OECD
Guidelines. The same recognises “reasonable expectation” of privacy and gives due
emphasis to the benefits of participation in a global information economy. It specifically
endorses “proportionality” in terms of national regulation so that regulation and remedy
are proportional to the likelihood and significance of causing harm to an individual
subject. The framework further focuses upon the “core fundamentals” of the OECD
Guidelines and on the use of the internet to provide notice, consent, and control.
It may be noted that, like the OECD, the APEC is only an inter-governmental grouping
and operates on the basis of non-binding commitments, open dialogue and equal respect
for the views of all participants4.

9.5.7 India

Currently there are no specific “data protection” laws in India. However, in the
absence of specific laws, the Indian judicial system offers a few stand-in laws and other
indirect safeguards e.g. Information Technology Act, 2000 and the Indian Penal Code,
1860, all of which are discussed in detail in the succeeding units.
However, recognising the need for data protection in the technological environment,
the Central Government has taken several initiatives for the furtherance of data
protection. Some of the initiatives taken by the Ministry of Information Technology in
India may be mentioned:
● Standardisation, Testing and Quality Certification (STQC) Directorate
Due to the international demand that Indian firms should have an international security
standard accreditation, the Indian government has set up the Standardisation, Testing
and Quality Certification (STQC) Directorate (under the Department of Information
Technology (DIT)). The Directorate has been able to launch an independent third-
party certification scheme for the Information Security Management System, as per BS
7799 Part 2, and has achieved international recognition in the form of accreditation
from the RvA, Netherlands.
● Computer Emergency Response Team (CERT)
The Indian Computer Emergency Response Team (CERT) was established by the DIT
to be a part of the international CERT community. CERT was set up to protect India’s
IT assets against viruses and other security threats.
● Information Security Technology Development Council (ISTDC)
The Ministry has recently set up the Information Security Technology Development
Council (ISTDC). The main objective of this program is to facilitate, coordinate and
promote technological advancements, and to respond to information security incidents,
threats and attacks at the national level (Check Regulations in India -
http://www.nasscom.org).
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What are the principles for data handling set out in the DPA?

9.6 MONITORING OF DATA PROTECTION


The whole issue of data protection in the digital context probably hinges on the contention
of the interests of the individual versus the state, market and technology developments.
Organizations now need to look at how they collect, store and use personal data and
comply with existing laws and, in the absence of such laws, ask themselves whether they
are adhering to ethical norms. It is therefore obligatory, both legally and
morally, for the persons possessing and handling data to monitor data protection
processes holistically and in real time. It is expected that this will help in achieving
improved reliability and faster problem resolution.
Data protection monitoring and tuning work will not only include the help of advanced
system information processing and monitoring devices and software but also the human
factor, which is more critical. It cannot be denied that the sheer amount of data is
growing rapidly, and storage, replicating and transmitting technologies are advancing
quickly. This makes it imperative to design the storage infrastructure for the future, as
well as for meeting present needs. The infrastructure also needs to scale and adapt, as
data protection needs change.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 3 Min.


State the two critical factors that seek to assist in monitoring of data protection?

Let us now summarize the points covered in this unit.

9.7 SUMMARY
● Faster transmissibility and easier storage of data has increased the requirement to
prevent and shield data from unauthorized access and usage.
● Data protection, while securing respect for an individual’s rights, raises the question
as to whether the protection it seeks to offer shall merit respect and
acknowledgement in the practical scenario of information transmissibility.
● Data is a representation of information and knowledge intended to be processed
by means of equipment and is recorded in varying forms.
● Regulation of data protection is necessary on account of the free flow of information
that has raised concerns about security, privacy and respect of fundamental rights.
● The European Union initiated data protection laying standards embodied in various
legislation subsequent thereto across the world.
● OECD has set down 8 principles pertaining to privacy
– Collection limitation
– Data Quality
– Purpose specification and notice
– Use limitation
– Security
– Openness
– Access
– Accountability
● The EU Data Protection directive adopted the OECD concepts; however, it made
alterations such as the creation of the “legitimacy” principle and requiring transferee
countries to provide adequate protection in case of cross border transfer of data.
● The UK has set out 8 principles for data handling
(i) lawfully processed
(ii) lawfully obtained
(iii) adequate and relevant
(iv) accurate and up to date
(v) stored for specific purpose and reasonable duration
(vi) processed in accordance with owners’ rights
(vii) stress on technical and organizational measures
(viii) transborder flow between countries
● The US relies on an industry self-regulatory approach to the OECD Guidelines, having
no specific legislation of its own. The FTC imposes a proactive approach.
● APEC endorses a privacy framework based on the core fundamentals of the
OECD Guidelines.
● India has no data protection laws; however, the central government has taken
several initiatives such as setting up the STQC Directorate, the CERT and the
ISTDC.
● Data protection monitoring requires both advanced system information processing
and human intervention.

9.8 TERMINAL QUESTIONS


1. Explain the term ‘data’ with reference to various Acts.
2. What is the requirement for regulation of Data Protection? Explain briefly keeping
in mind the EU Directive and the UK Data Protection Act.
3. How have the OECD guidelines helped in harmonising protection of individual
privacy?
4. What is the current status of ‘data protection’ laws in India?
5. Summarize the concept of ‘data protection’.

9.9 ANSWERS AND HINTS


Self Assessment Questions
1. No. ‘Data’ under the provisions of the UK Act cannot be information that
does not form part of an accessible record.
2. An example of common infringement of privacy is reflected in a number of
unidentified calls received by consumers today from a number of companies selling
their products on telephone and through e-mails on the basis of the data collected
by them through sources which are not disclosed to consumers.
3. The eight principles set out under the DPA for data handling are:
(a) Lawfully processed
(b) Lawfully obtained
(c) Adequate and relevant
(d) Accurate and up to date
(e) Stored for specific purpose and reasonable duration
(f) Processed in accordance with the rights of owners of such data
(g) Appropriate technical and organizational measures should protect against
unauthorized use of such data and provide overall protection
(h) Transborder flow of information between countries with similar levels of
protection.
4. The two critical factors are advanced system information processing and monitoring
devices and software and the human factor.
Terminal Questions
1. Refer to section 9.3 of the unit.
2. Refer to section 9.4 of the unit.
3. Refer to section 9.5 of the unit.
4. Refer to section 9.5 of the unit.

9.10 REFERENCES AND SUGGESTED READINGS


1. Blume, P. “The Citizen’s Data Protection”. The Journal of Information, Law and
Technology (JILT). 1 (1998). 10 Mar. 2007 <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_1/blume/>.

2. Legal Site Check. 10 Mar. 2007 <http://www.legalsitecheck.com/dataprotection.html>.

3. Ibid.

4. Supra n.2.

UNIT 10 OECD PRINCIPLES
Structure
10.1 Introduction
10.2 Objectives
10.3 OECD Guidelines on the Protection of Privacy and Trans Border Flows of
Personal Data
10.3.1 Basis for the OECD Guidelines
10.3.2 Scope of the OECD Guidelines
10.4 OECD Guidelines: Basic Principles of National Application
10.5 OECD Guidelines: Basic Principles of International Application
10.6 Summary
10.7 Terminal Questions
10.8 Answers and Hints

10.1 INTRODUCTION
The Organization for Economic Co-operation and Development (OECD) was originally
established as the inter-governmental Organization for European Economic Co-operation
(OEEC) with support from the United States and Canada to co-ordinate the economic
reconstruction of Europe after World War II. The OECD formally took over from the
OEEC in 1961 and has its headquarters in Paris.
As an economic alliance, the mission of the OECD has been to help member country
governments achieve sustainable economic growth in the form of creation of employment
opportunities and higher standards of living while maintaining financial stability and
thereby contributing to the overall development of the world economy. The OECD
purports to assist sound economic expansion in member countries and other countries
in the process of economic development and thereby contributes to growth in world
trade on a multilateral and non-discriminatory basis.
The OECD produces internationally agreed instruments, decisions and
recommendations with the constituent elements of dialogue, consensus and peer review
in order to promote directives in areas where multilateral agreements may be required
for the economic progress of individual countries in an increasingly global and
competitive economy.
The OECD currently consists of about 30 member countries including the United States,
the United Kingdom, Germany, France, Japan and Korea. The governing body of the
OECD (Council) comprises representatives from its member countries. In addition
to the member countries, the OECD maintains active relationships with about 70 other
non-member countries including India and with various non-governmental organizations,
offering its analytical expertise and accumulated experience to such countries and
organizations.

10.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the background of the OECD;
● describe the basis for the OECD Guidelines;
● describe the scope of the OECD Guidelines;
● explain the principles for national application; and
● explain the principles for international application.

10.3 OECD GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANS BORDER FLOWS OF PERSONAL DATA
The OECD Guidelines on the protection of privacy and transborder flows of personal
data have been framed to address issues pertaining to requirement of protecting personal
data privacy in the light of the widespread dissemination of cross-border personal data.

10.3.1 Basis for the OECD Guidelines


There has been an increasingly widespread trans-jurisdictional flow of personal data
across international frontiers in the past few decades owing to the rapid advancement in
data transmission technology and technological processes and leading to emerging issues
in the areas of unlawful storage of personal data, storage of inaccurate personal data
and the unauthorized disclosure or onward transmission of such data leading to the
abuse of personal data privacy.
A need to protect personal data privacy has been recognised by various countries in
the form of legislations, regulations and policy guidelines formulated by them in this
regard. However there has also been a parallel recognition that any disparities in such
sometimes diverging legislations, regulations and policy guidelines across countries could
disrupt the free trans border flow of necessary personal data and further that such
disruptions could impart serious damage to critical sectors of the economy such as
banking and insurance.
Recognising the above issues, the OECD member countries decided that it would be
imperative to formulate comprehensive guidelines to harmonise the various national
privacy legislations, regulations and policy guidelines in order to develop a dual
framework of upholding privacy protection of personal data as well as preventing
interruptions in the trans border flow of such data. The OECD Guidelines on the
Protection of Privacy and Trans Border Flows of Personal Data (Guidelines) were
framed as a result of the above recognition in the form of recommendations made by
the Council. The Guidelines were formally adopted with effect from September 23,
1980 and represent a consensus on basic principles that can either be built into existing
national legislations, regulations and policy guidelines of member countries or
alternatively, serve as a basis for legislations in member countries that do not have the
same in the form and manner set out as follows:
● Member countries take into account in their domestic legislations the principles
concerning the protection of privacy and individual liberties set forth in the
Guidelines;
● Member countries endeavour to remove (if created) or avoid creating unjustified
obstacles to trans border flows of personal data in the name of privacy protection;
● Member countries co-operate with one another towards the comprehensive
implementation of the Guidelines; and
● Member countries agree at the earliest on specific procedures of consultation and
co-operation for the application of the Guidelines.

10.3.2 Scope of the OECD Guidelines


The Guidelines have general application to the personal form of data i.e. information
that can be related to identified or identifiable individuals, whether in the public or
private sectors. Such form of data poses a critical danger to issues in respect of privacy
and individual liberties owing to its inherent nature cum context and the manner in which
it is processed.
The Guidelines however do not purport to constitute a set of general privacy protection
principles — for instance, the invasion of privacy by candid photography, physical
maltreatment or defamation are outside the scope of the Guidelines unless such acts are
in any way associated with the handling of personal data.

The broad scope of the Guidelines is as follows:


1. The Guidelines permit the application of different measures of data protection
to different categories of personal data on the basis of the nature and the
context in which such categories of data are collected, stored, processed or
disseminated;
2. The Guidelines cover personal data that does not purportedly contain any risk to
privacy or individual liberties i.e. simple and factual data if used in a context where
the same may become offensive to the subject of such data shall be included in the
scope. However, data collections of an obviously innocent nature such as personal
notebooks are excluded;
3. The Guidelines in their application extend to both forms of processing of personal
data i.e. the automated form of processing personal data and the non-automated
form;
4. The Guidelines permit the exceptions contained therein including those relating to
national sovereignty, national security and public policy subject to such exceptions
being restricted to as few as possible and further subject to the same being made
known to the public at large;
5. The Guidelines permit their comprehensive observance in the particular context of
federal country jurisdictions to be affected by the division of powers in such
jurisdictions; and
6. The Guidelines purport to be construed as minimum standards that are flexible to
and capable of being supplemented by any additional measures adopted for the
protection of privacy and individual liberties.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 4 Min.
What are the various ways in which OECD Guidelines can serve as a basis for
legislation?

10.4 OECD GUIDELINES: BASIC PRINCIPLES OF NATIONAL APPLICATION
The Guidelines are primarily an embodiment of eight comprehensive principles regarding
the collection and use of personal data and are termed as the Basic Principles of National
Application (Principles). Prior to setting out and for the purpose of understanding the
nature and meaning of the Principles, it shall be relevant to understand the following
terms in their context:
a) “data controller” means a party who, according to domestic law, is competent to
decide about the contents and use of personal data regardless of whether or not
such data is collected, stored, processed or disseminated by that party or by an
agent on its behalf.
The above definition of a data controller attempts to define a subject who, under
applicable domestic law, should carry ultimate responsibility for activities concerned
with the processing of personal data. Such data controller may be a legal or natural
person, public authority, agency or any other body.
The definition excludes at least four categories that may be involved in the processing of
data, namely
(i) licensing authorities and similar bodies which exist in some member countries and
which authorize the processing of data but are not entitled to decide what activities
should be carried out and for what purposes;
(ii) data processing service bureaus which carry out data processing on behalf of
others;
(iii) telecommunication authorities and similar bodies which act as mere conduits; and
lastly
(iv) “dependent users” who may have access to data but who are not authorized to
decide inter alia, what data should be stored and who should be able to use such
data.
The above definition of data controller provides a benchmark threshold for the member
countries of the OECD to define the roles and responsibilities of a data controller.
Further, in the implementation of the Guidelines, member countries may develop more
complex schemes of levels and types of responsibilities.
b) “personal data” means any information relating to an identified or identifiable
individual (data subject).
The terms “personal data” and “data subject” clarify that the applicability of the Guidelines
is confined only to physical persons. The Guidelines therefore do not take into account
the misuse of non-identifiable anonymous data.
c) “trans border flows of personal data” means movements of personal data across
national borders.
The above definition restricts the application of certain provisions of the Guidelines to
international data flows and omits the data flow problems particular to a federal
jurisdictional set-up. Further, the Guidelines recognise that although movements of data
often take place through electronic transmission, other means of data
communication, including the transmission of data by satellite, are not excluded.
The Principles are set out herein below as follows:
1. Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be
obtained by lawful and fair means and where appropriate, with the knowledge or consent
of the data subject.
This principle deals with the basic issue that it is desirable to recognise the categories of
data, which could be per se sensitive, and therefore the collection of such sensitive data
should be restricted or even prohibited. For example, sensitive data relating to an individual
could concern the individual’s health, race, religion and criminal records, the use of
which could be detrimental or discriminatory in relation to the individual and which hence
should not be collected without the knowledge or consent of the data subject. This forms the
basis for the privacy legislation of countries such as the United States. Though it may be
difficult to universally specify what constitutes “sensitivity”, the following
limits have been recognised in the collection and processing of data, which could be
considered sensitive:
● data quality aspects i.e. to be able to derive information of sufficiently high quality
from the data collected and that the data should be collected in a proper information
framework;
● limits associated with the purpose of data processing i.e. only certain categories of
data ought to be collected and that data collection should be restricted to the
minimum to fulfill the specified purpose;
● “earmarking” of especially sensitive data according to traditions and attitudes in
each member country;
● limits to data collection activities of certain data controllers;
● civil rights’ concerns.
This principle is further directed against practices that involve, for instance, the use of
hidden data registration devices such as tape recorders, or deceiving data subjects to
make them supply information. The knowledge or consent of the data subject is a
minimum critical requirement. However, there is an exception in respect of situations
where for practical or policy reasons, the knowledge of the data subject is not considered
necessary. Criminal investigation activities and the routine updating of mailing lists are
examples in this regard. Further, the principle also does not exclude the possibility of a
data subject being represented by another party, for instance in the case of minors and
mentally disabled persons.
2. Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to
the extent necessary for those purposes, should be accurate, complete and kept up-to-
date.
The principle deals with the accuracy, completeness and up-to-datedness of data, which
are all important elements of the data quality concept. The requirements in this respect
are linked to the purposes of data i.e. they are not intended to be more far-reaching
than is necessary for the purposes for which the data are used. Thus, historical data
may often have to be collected or retained; cases in point are social research, involving
so-called longitudinal studies of developments in society, historical research, and the
activities of archives.
3. Purpose Specification Principle
The purposes for which personal data are collected should be specified not later than at
the time of data collection and the subsequent use limited to the fulfillment of those
purposes or such others as are not incompatible with those purposes and as are specified
on each occasion of change of purpose.
The principle is closely associated with the two surrounding principles, i.e. the Data
Quality Principle (supra) and the Use Limitation Principle (below). It implies that prior
to, and in any case not later than at the time of data collection, it should be possible to
identify the purposes for which these data are to be used and that any later changes of
purposes should likewise be specified. Such specification of purposes can be made in
a number of alternative or complementary ways, e.g. by public declarations, information
to data subjects, legislation, administrative decrees, and licences provided by supervisory
bodies. New purposes should not be introduced arbitrarily and the freedom to make
changes should imply compatibility with the original purposes. Finally, when data no
longer serve a purpose, and if it is practicable, it may be necessary to have them
destroyed or given an anonymous form. The reason is that control over data may be
lost when data are no longer of interest; this may lead to risks of theft, unauthorized
copying or the like.
4. Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes
other than those specified in accordance with the Purpose Specification Principle except:
a) with the consent of the data subject; or b) by the authority of law.
The principle deals with uses of different kinds, including disclosure, which involve
deviations from specified purposes. For instance, data may be transmitted from one
computer to another where they can be used for unauthorized purposes without being
inspected and thus disclosed in the proper sense of the word. Therefore, the initially or
subsequently specified purposes should be decisive for the uses to which the concerned
data can be put. The two exceptions, as stated above are the consent of the data
subject (or his representative) and the authority of law (including, for example, licences
granted by supervisory bodies). For instance, it may be provided that data, which have
been collected for purposes of administrative decision-making, may be made available
for research, statistics and social planning.
5. Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks
as loss or unauthorized access, destruction, use, modification or disclosure of data.
This principle highlights that while security and privacy issues may not be identical,
security safeguards should reinforce limitations on data use and disclosure.
Further, such safeguards shall include physical measures (locked doors and identification
cards, for instance), organizational measures (such as authority levels with regard to
access to data and obligations for data processing personnel to maintain confidentiality)
and, particularly in computer systems, informational measures (such as enciphering and
threat monitoring of unusual activities and responses to them).
Under this principle, “loss” of data purports to encompass such cases as accidental
erasure of data, destruction of data storage media (and thus destruction of data) and
theft of data storage media while “modified” is construed to cover unauthorized input of
data, and “use” to cover unauthorized copying.
6. Openness Principle
There should be a general policy of openness about developments, practices and policies
with respect to personal data. Means of establishing the existence and nature of personal
data, and the main purposes of their use, as well as the identity and usual residence of
the data controller should be readily available.
This principle may be viewed as a prerequisite for the Individual Participation Principle;
for the latter principle to be effective, it must be possible in practice to acquire information
about the collection, storage or use of personal data. Regular information from data
controllers on a voluntary basis, publication in official registers of descriptions of activities
concerned with the processing of personal data, and registration with public bodies are
some, though not all, of the ways by which this may be brought about. The reference to
means which are “readily available” implies that individuals should be able to obtain
information without unreasonable effort as to time, advance knowledge, travelling, and
so forth, and without unreasonable cost.
7. Individual Participation Principle
Under the provisions of this principle, an individual should have the right:
a) to obtain from a data controller (or otherwise) a confirmation of whether or not
the data controller has data relating to him; and
b) to have communicated to him, data relating to him
– within a reasonable time;
– at a charge, if any, that is not excessive;
– in a reasonable manner; and
– in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied,
and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data
erased, rectified, completed or amended.
The right of individuals to access and challenge personal data is generally regarded as
the most important privacy protection safeguard. The right to access should be part of
the day-to-day activities of the data controller or his representative and should not
involve any legal process or such similar measures.
In some cases it may be appropriate to provide for intermediate access to data; for
example, in the medical field, a medical practitioner can serve as a go-between. In
some countries supervisory organs, such as data inspection authorities, may provide
similar services. Further, the requirement that data be communicated within reasonable
time may be satisfied in different ways. For instance, a data controller who provides
information to data subjects at regular intervals may be exempted from obligations to
respond at once to individual requests.
Communication of such data “in a reasonable manner” is construed to mean that
problems of geographical distance should be given due attention. Moreover, if intervals
are prescribed between the times when requests for access must be met, such intervals
should be reasonable. The extent to which data subjects should be able to obtain copies
of data relating to them is a matter of implementation, which as per the interpretation of
this principle must be left to the decision of each member country.
The right to be given reasons is narrow in the sense that it is limited to situations where
requests for information have been refused. The right to challenge in (c) and (d) purports
to be broad in scope and includes first instance challenges to data controllers as well as
subsequent challenges in courts, administrative bodies, professional organs or other
institutions according to domestic rules of procedure. The right to challenge also does
not imply that the data subject can decide what remedy or relief is available (rectification,
annotation that data are in dispute, etc.). Such matters are the subject of domestic law
and legal procedures.
8. Accountability Principle
A data controller should be accountable for complying with measures that give effect to
the principles stated above.
This principle is structured on the premise that the data controller takes decisions
in respect of both data and data processing activities, and it is for his benefit that the processing
of data is carried out. Accordingly, it becomes essential that accountability for complying
with privacy protection rules and decisions should be placed onto the data controller
irrespective of the processing of data being carried out by another party such as a
service bureau. On the other hand, the Guidelines do not prevent service
bureau personnel, “dependent users” and others from also being held accountable. For
instance, sanctions against breaches of confidentiality obligations may be directed against
all parties entrusted with the handling of personal information. Accountability refers to
accountability supported by legal sanctions, as well as to accountability established by
codes of conduct, for instance.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 4 Min.


What is the relationship of the purpose specification principle with the data quality
principle and the use limitation principle?
10.5 OECD GUIDELINES: BASIC PRINCIPLES OF
INTERNATIONAL APPLICATION
The Guidelines also deal with the Basic Principles of International Application
(International Principles), i.e. principles that are chiefly concerned with relationships
between member countries. The International Principles are:
● Member countries should take into consideration the implications of domestic
processing and re-export of personal data for other member countries;
● Member countries should take all reasonable and appropriate steps to ensure that
trans border flows of personal data (including transit through a member country)
are uninterrupted and secure;
● Member countries should refrain from restricting trans border flows of personal
data between themselves and other member countries except where the latter
does not yet substantially observe the Guidelines or where the re-export of such
data would circumvent its domestic privacy legislation. Member countries may
also impose restrictions in respect of certain categories of personal data for which
their domestic privacy legislation includes specific regulations in view of the nature
of those data and for which the other member country provides no equivalent
protection.
● Member countries should avoid developing laws, policies and practices in the
name of the protection of privacy and individual liberties, which would create
obstacles to trans border flows of personal data that would exceed requirements
for such protection. (OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data available at http://www.oecd.org).
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


Under what circumstances should countries NOT refrain from restricting transborder
flows of data between themselves?

Let us now summarize the points covered in this unit.

10.6 SUMMARY
● OECD seeks to assist member countries by providing internationally agreed upon
instruments, decisions and recommendations.
● OECD framed Guidelines on protection of privacy and transborder flows of
personal data on recognition that a critical need to protect personal data privacy
has arisen due to increasingly widespread trans-jurisdiction flow of personal data.
● The Guidelines permit application of different measures of data protection, extend
to both automated and non-automated forms of processing personal data, provide
for security and policy based exceptions and seek to be construed as minimum
standards capable of adaptation.
● The Guidelines provide 8 basic principles of national application:
(i) Collection Limitation
(ii) Data Quality
(iii) Purpose Specification
(iv) Use Limitation
(v) Security Safeguards
(vi) Openness
(vii) Individual Participation
(viii) Accountability
● OECD Guidelines lay down principles for international application.
(i) Implication of domestic process and re-export
(ii) Transborder flows to be uninterrupted and secure
(iii) Refrain from restricting transborder flows except under specific exemptions
(iv) Avoid developing law and policies that create obstacles to transborder flows.

10.7 TERMINAL QUESTIONS


1. What is the background of the OECD Guidelines?
2. What are the emerging issues with regard to unlawful storage and transmission of
personal data?
3. Broadly define the scope of the OECD Guidelines?
4. What are the eight principles set out in the OECD Guidelines?
5. What are the basic international principles of the OECD Guidelines?

10.8 ANSWERS AND HINTS


Self Assessment Question
1. OECD Guidelines may serve as a basis for legislation in countries by such countries
(a) taking into account in their domestic legislation, the OECD principles;
(b) endeavouring to remove or avoid creation of unjustified obstacles to
transborder flows of personal data;
(c) co-operating with one another towards the comprehensive implementation
of OECD Guidelines;
(d) agreeing on specific procedures of consultation and cooperation for
application of guidelines.
2. The Purpose Specification Principle (PSP) provides for
(a) specifying the purposes for which personal data is collected not later than at the
time of data collection itself; and
(b) restricting the subsequent use of such collected data to the fulfillment of the
said purpose. It is closely associated with the Data Quality Principle on account
of the stress it lays upon the accuracy, completeness and up-to-datedness of
the data collected to be linked to the purpose for which such data is collected.
Further, it is closely associated with the Use Limitation Principle as it seeks to
emphasize that personal data should not be disclosed for purposes other
than those clearly specified at the time of collection.
3. Member countries should restrict transborder flows of personal data when other
countries to which data transmission is intended do not substantially observe the
Guidelines or where the re-export of such data would circumvent its domestic
privacy legislation.

Terminal Questions
1. Refer to section 10.3 of the unit.
2. Refer to section 10.3 of the unit.
3. Refer to section 10.3 of the unit.
4. Refer to section 10.4 of the unit.
5. Refer to section 10.5 of the unit.

UNIT 11 DATA PROTECTION POSITION
IN INDIA, EU AND US
Structure
11.1 Introduction
11.2 Objectives
11.3 Scenario in India
11.4 EU Data Protection Directive
11.5 Privacy Policy in the United States
11.5.1 International Safe Harbour Privacy Principles and FTC
11.5.2 U.S. Safe Harbor Framework
11.6 United Kingdom
11.7 Summary
11.8 Terminal Questions
11.9 Answers and Hints

11.1 INTRODUCTION
This unit seeks to discuss the data protection regimes across the European Union, the
United States and India. It purports to highlight the individual stages of their evolution
while drawing out a comparative analysis between the same.
Information, particularly digital information which can be stored, searched and
manipulated so easily, is a fundamental economic resource, but also a powerful weapon
which, in the wrong hands, can do incalculable damage to individuals. Just as technology
does not stand still, data protection rules must also continually evolve if they are to be
effective in a world where the collection and exploitation of personal data is becoming
forever easier and more convenient.
In the past, the overwhelming amount of effort involved in accessing information held
on paper files in a multitude of different locations was a real limitation that hindered the
mass collection and processing of personal data. Now, new technologies that enable
companies and governments to engage in the mass collection and processing of personal
data bring with them new risks.

11.2 OBJECTIVES
After studying this unit, you should be able to:
● describe the data protection scenario in India;
● explain the data protection regime in the EU;
● describe the privacy policy in the United States;
● familiarize yourself with the safe harbour framework between the US and EU; and
● explain the data protection regulation in the UK.

11.3 SCENARIO IN INDIA

There is no separate data protection legislation in our country. The National Task Force
on Information Technology and Software Development had submitted an ‘Information
Technology Action Plan’ to the Government in July 1998.
In May 2000, the Information Technology Act of 2000 was passed by the Legislature
providing for a comprehensive regulatory environment for e-commerce.
Section 2(1)(o) of the IT Act defines ‘data’ as a ‘representation of information,
knowledge, facts, concepts or instructions which are being prepared or have been
prepared in a formalised manner, and is intended to be processed, is being processed
or has been processed in a computer system or computer network, and may be in any
form (including computer printouts, magnetic or optical storage media, punched cards,
punched tapes) or stored internally in the memory of the computer’.
Section 43 Explanation (ii) defines ‘computer database’ as ‘a representation of
information, knowledge, facts, concepts or instructions in text, image, audio, video that
are being prepared or have been prepared in a formalised manner or have been produced
by a computer, computer system or computer network and are intended for use in a
computer, computer system or computer network’.
The IT Act also provides for civil and criminal liabilities for violation of data protection
couched in the term ‘cyber contravention’, as section 43 carries an exhaustive list of
penalties for damage to computer, computer system etc. Sub-section (b) stipulates that if any
person downloads, copies or extracts any data, computer database or information from
such computer, computer system or computer network including information or data
held or stored in any removable storage medium. Section 72 deals with the issue of
breach of confidentiality and privacy. It provides that a person who has access to
confidential information under the powers conferred on him under the Act and discloses
such information can be punished with imprisonment for up to two years or a fine of
Rs. 1 lakh or both. The scope of the section is limited as interception of confidential
information has been left untouched.
The Indian government is well aware of this issue and, in an attempt to overcome the
problem, the Indian Department of Information Technology announced in June 2003 its
plans to pass a Data Protection Act in line with the EU requirements. A bill is being
drafted jointly by the Department of Information Technology and the National Association
for Software Service Companies (NASSCOM), which is India’s main trade association
for the IT industry.
The aim is to allow India to be officially designated by the European Commission as a
country that can be assumed to ensure an adequate level of protection. This would
clear the path for any data processing operations involving personal data originated in
the EU to be carried out by India-established companies, as they would have to meet
the same requirements as EU-based companies. However, the procedure to determine
whether a third country is safe from a data protection perspective is rather cumbersome
and bureaucratic.
EU law in particular restricts businesses transferring data to countries with weak privacy
protection, and with Indian IT wage costs rising – albeit still far behind those in the US
and Europe – India wants to eliminate reasons for potential customers to outsource
elsewhere. European firms are severely restricted in terms of the Data Protection Directive
of 1995 as to what data can be transferred or stored in countries without equivalent
rules and enforcement procedures. At present, India has no such regulations, and relies
on individual contracts negotiated between the main company and the Indian outsourcing
contractor to address the data protection issues.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


Which bodies are drafting the bill pertaining to data protection?

11.4 EU DATA PROTECTION DIRECTIVE


In Europe, data protection laws have been in existence in some countries for over
twenty years. In an effort to harmonise all of the EU Member States’ data protection
laws and encourage the enactment of these laws in Member States lacking data protection
legislation, the Council of the European Union adopted the Council Directive of 24 July 1995
on the Protection of Individuals with Regard to the processing of Personal Data and on
the Free Movement of Such Data. The Directive took effect in October 1998.
The Directive identifies two main objectives: protection of the right of privacy and
prevention of obstacles to the free flow of information within the EU. Article 1(1) states
that, “...Member States shall protect the fundamental rights and freedoms of natural
persons, and in particular their right to privacy with respect to the processing of personal
data.” Article 1(2) states that, “Member States shall neither restrict nor prohibit the free
flow of personal data between Member States”.
Under the terms of the Directive, there is an obligation to collect data only for specified
and legitimate purposes. The term processing includes collecting, recording, altering,
and making data available in any form. Therefore, either the person concerned has given
consent for processing, or processing is necessary to carry out a contract to which the
person involved is a party, or to carry out pre-contractual measures undertaken at the
request of the person. Processing can also occur where it is necessary for compliance
with legal obligations. Finally, where the activity involved is an assignment of public
interest, processing may be allowed where it does not involve an infringement of
fundamental rights and freedoms.
The Directive covers the private and public sectors, but does not apply to data processed
for national security, defense, and public security purposes.
Any company from outside the EU that wishes to transfer personal information about
an EU citizen outside the EU must either: 1) take the data to a country whose privacy
regime is judged to have “adequate” data protection, based on the EU ideals, or 2)
demonstrate in other ways that its operations meet the EU’s Data Protection
standards.
Articles 25 and 26 of the Directive clearly state that, as a rule, the receiving third
country has to ensure an adequate level of protection. The adequacy of the level of
protection shall be assessed in light of all the circumstances surrounding a data transfer
operation; particular consideration shall be given to the rules of law in force in the third
country in question.
Member States with strong data protection traditions have established powerful
governmental agencies to oversee these issues and protect subjects’ rights. The agencies
require businesses to register, report – and even justify – the kind of personal data they
are collecting on employees and customers and how they intend to use it. The EU
Directive encourages the establishment of these enforcement agencies in third countries,
as well, as a means of providing the “adequate” protection needed to receive data from
the EU.
Short of creating a national commission, the European Directive sets out two other
ways of satisfying the record safeguard requirements. One is an industry wide code
protecting the release of data for a specific sector — such as telecommunications or
banking. The other is a system of individual contracts between the company seeking to
transfer the data and the data protection commission of the European country.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


What are the three steps that a non-EU Company must take in order to transfer
personal information about an EU citizen outside the EU?

11.5 PRIVACY POLICY IN THE UNITED STATES


There is no single law in the United States that provides a comprehensive treatment of
data protection or privacy issues. In addition to the constitutional interpretations provided
by the courts and the international agreements mentioned above, there have been a
number of laws and executive orders dealing specifically with the concept of data
protection. The most important and broad based of these laws are the Privacy Act of
1974 and the Computer Security Act of 1987.
The Privacy Act (PL 93-579) is a companion to and extension of the Freedom of
Information Act (FOIA) of 1966. FOIA was primarily intended to provide access to
government information. It did exempt the disclosure of personal and medical files that
would constitute “a clearly unwarranted invasion of personal privacy”. This provision
was initially used to deny access to people requesting their own records. So the Privacy
Act was also adopted both to protect personal information in federal databases and to
provide individuals with certain rights over information contained in those databases.
The act has been characterised as “the centerpiece of U.S. privacy law affecting
government record-keeping”. The act was developed explicitly to address the problems
posed by electronic technologies and personal records systems and covers the vast
majority of personal records systems maintained by the federal government. The act
set forth some basic principles of “fair information practice,” and provided individuals
with the right of access to information about themselves and the right to challenge the
contents of records. It requires that personal information may only be disclosed with
the individual’s consent or for purposes announced in advance. The act also requires
federal agencies to publish an annual list of systems maintained by the agency that
contain personal information.
Matching and Privacy Act. These laws deal exclusively with personal information
held by the federal government and do not have any authority over the collection and
use of personal information held by other private and public sector entities. This act
amended the Privacy Act by adding new provisions regulating the use of computer
matching. Computer matching is the computerised comparison of information about an
individual for the purpose of determining eligibility for Federal benefit programs, or for
the purpose of recouping payments or delinquent debts under such programs.
In general, matching programs involving Federal records must be conducted under an
agreement between the source and recipient agencies. This agreement describes the
purpose and procedures for the matching and establishes protections for the matched
records. It is reviewed by a Data Integrity Board, and each agency involved in matching
activities must establish such a board. While the law provides no special access rights
to individuals, agencies must notify individuals of any findings based upon a computer
matching program before taking any adverse actions, and individuals must be given the
opportunity to contest such findings.
Further, the Computer Security Act of 1987 (PL 100-235) also deals with personal
information in federal record systems. It protects the security of sensitive personal
information in federal computer systems. The Act establishes government-wide standards
for computer security and assigns responsibility for those standards to the National
Institute of Standards. The law also requires federal agencies to identify systems
containing sensitive personal information and to develop security plans for those systems.
In the U.S. there is an assortment of federal and state constitutional, statutory, and case
law which provide informational privacy protections. Congress has responded to the
need for informational privacy and security protections by enacting statutes in a piecemeal
fashion to address specific privacy needs. For example, the Privacy Act regulates federal
government record-keeping, and there are statutes which regulate specific personal
data, such as credit reports, bank records, and videotape rental records. Several bills
addressing privacy issues have been introduced in the 105th Congress, but there has
been no action on them.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


Briefly enumerate the US laws that deal exclusively with information held by the
federal government and in federal record systems.
11.5.1 International Safe Harbour Privacy Principles and FTC
There is substantial interest in data privacy issues, on the part of the government, private
industry, privacy advocates, and individuals. In 1997 alone, four separate federal
government bodies issued lengthy reports on data privacy issues after extensive research.
The Federal Trade Commission (FTC) also held a four-day public hearing, in which
privacy advocates and representatives of the information industry and of technology
companies presented their views on the best means for protecting privacy. Some proposed
technological privacy protection measures have been endorsed both by industry groups
and by some privacy advocates, but these parties disagree on the most effective means
for protecting privacy. In general, the information industry favours the use of self-regulatory
measures for data privacy protection, which privacy advocates recognise as valuable
components of privacy protection, but insufficient without some sort of enforcement
mechanism.
A number of information industry groups have issued voluntary codes of conduct and
guidelines for fair information collection by their members. Mandatory codes of conduct
have recently been adopted by some industry groups. For example, in December 1997,
mandatory guidelines were issued by the Individual Reference Services Group (IRSG),
Group), which includes companies, such as LEXIS-NEXIS, which sell personal data
via their online services; the three credit reporting companies—Equifax, Experian, and
Trans Union; and other companies which sell personal information. The IRSG guidelines
require that annual compliance audits be conducted by independent third parties, and
the guidelines prohibit members that are information suppliers from selling data to those
found violating the guidelines.
In July 1997, the Clinton Administration issued A Framework for Global Electronic
Commerce which generally favors a laissez-faire, market-driven approach to regulating
the Internet in an effort to stimulate economic commerce. The Administration indicated
that it currently supports the use of self-regulatory codes of conduct by industry along
with technological privacy protection measures as the preferred means for privacy
protection. The officials of the Administration state that they will look for codes of
conduct that are backed up by an enforcement mechanism which might take the form
of a dispute resolution mechanism such as an arbitration process included in the code of
conduct, or an audit system to verify compliance with codes. The officials also suggested
that the Federal Trade Commission might have a role in enforcing codes of conduct, for
example, by instituting unfair trade practice actions against companies that fraudulently
claim to follow a code.
The FTC has announced that it shall institute such actions under the Federal Trade
Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting
commerce. . . .” The FTC is also taking steps toward ensuring that U.S. Web sites
follow fair information practices when collecting personal data. In March 1998, the
FTC would have conducted a comprehensive survey of U.S. commercial Web sites to
determine how many provide privacy statements on their Web sites, and to evaluate the
quality of the privacy statements. In evaluating quality, the FTC used factors such as
how prominently the privacy statement is posted, and whether Web site visitors can
“opt-out” of any aspects of the information collection and handling process. This follows
a short survey of 126 child-oriented Web sites which the FTC conducted in October
1997, where the FTC found that most of those sites collect personally identifiable
information from children without seeking parental permission and without providing a
privacy policy statement. In its report regarding the study, the FTC indicated that it
would notify the owners of the offending sites that their data collection practices may
constitute deceptive or unfair practices, in that it is a deceptive practice to misrepresent
the purpose for which information is being collected from children, and that it is likely to
be an unfair practice to collect the information “and sell or otherwise disclose that
information to third parties without providing parents with notice and the opportunity to
control the collection and use of the information”.
In the U.S., the Federal Trade Commission has enforced Fair Credit Reporting Act
(FCRA) provisions and has unofficially assumed the role of privacy watchdog.
However, there should also be an alternate means of redress for aggrieved individuals,
such as the private right of action which is provided by the FCRA in addition to the
FTC administrative enforcement procedures. This is because the FTC does not act on
behalf of individuals but rather takes action against a company or industry when it has
received a sufficient number of complaints. Also, whether it is the FTC which is designated
as privacy watchdog for the U.S., or it is another existing agency or one created
specifically to address privacy concerns, that agency should be given responsibility for
government as well as private-sector information handling so that U.S. data protection
policy is comprehensive.
Federal laws providing comprehensive information privacy protections would no doubt
meet the EU privacy directive’s “adequate protection” requirements. A comprehensive
law would require that all entities handle personal information in accordance with fair
information practices, which includes giving data subjects notice regarding the collection
of personal information. A comprehensive law would also provide an enforcement
mechanism, which would provide sanctions against violators as well as redress for
aggrieved individuals. Although data transfers may be permitted only to government
entities covered by the federal privacy acts and to industries, such as the credit industry,
which are regulated by legislation. For example, the EU would seem willing to accept a
privacy policy based on codes of conduct as long as there is a regulatory body responsible
for data privacy matters, which would oversee enforcement of the codes, provide
aggrieved individuals with an opportunity for redress of privacy violations, and act as a
liaison to the EU.
As a result of these differences in basic philosophy and legal development, US
organizations collecting or using personal information about individuals in Europe
have been very concerned about the impact of the adequacy standard as applied to
types of data they receive from Europe. If such data is found not to be subject to an
adequate level of protection once it has been transferred to the US from Europe, the
US organizations face the prospect of interruptions in data flows, or enforcement action
taken by European data protection officials.
As the world becomes “smaller” and as the EU begins to flex its muscles as an economic
and political power, the United States will find itself facing the same message it has sent
to other countries in the past — “play our way, or don’t play at all”. It is time that
Congress and business realise that, in order to move information out of Europe, they
are going to have to play the EU way.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 2 Min.

In the US which Act provides for private right of action in matters relating to data
privacy?

11.5.2 U.S. Safe Harbor Framework


The Safe Harbor Framework negotiated between the U.S. and EU specifies that a
company seeking the benefits of the Safe Harbor must be subject to the jurisdiction of
a governmental body which is empowered to investigate complaints and to obtain relief
against unfair and deceptive practices in case of noncompliance. Currently, the Federal
Trade Commission and the Department of Transportation are the only U.S. “governmental
bodies” that have been recognised by the European Commission. Therefore, only
employers subject to the jurisdiction of these two agencies are eligible to join the Safe
Harbor. Financial services institutions subject to the jurisdiction of banking agencies
and telecommunications carriers subject to the jurisdiction of the Federal
Communications Commission are not eligible to join the Safe Harbor at this time.
An eligible organization must publicly declare in its privacy policy statement that it
adheres to the Safe Harbor in order to participate. Further, the employer must also
self-certify to the U.S. Department of Commerce (“DOC”) that it complies with the
principles of the Safe Harbor which apply to both consumer and employee information.
Please answer the following Self Assessment Question.

Self Assessment Question 5 Spend 2 Min.


Which are the two bodies of the US recognised by the EU in case of the safe harbor
framework?

11.6 UNITED KINGDOM


The first legislation in the UK concerning data protection was the Data Protection Act
1984. This followed the principles of the OECD Guidelines of 1980, and the Council
of Europe Convention of 1981. The Act only applied to data stored on a computer.
The Conservative government in the UK was unreceptive to the idea of a Data Protection
Directive, arguing that there was no need for one. The UK thus had little influence on
the final text of the Directive, agreed after protracted negotiations in 1995. However,
the Labour government that was elected in 1997 placed Data Protection on its agenda
as a part of its wider concerns for human rights.
The Data Protection Act, implementing Directive 95/46/EC was passed on 16 July
1998. The Act faithfully transposes the provisions of the EC directive into UK law.
However, much of the detail was left to secondary legislation; 17 Statutory Instruments
were needed before commencement. More have been introduced subsequently. The
Act eventually entered into force on 1 March 2000. Minor modifications were made
under the Freedom of Information Act 2000.
The Freedom of Information Act 2000 creates new rights of access to information. It is intended to supersede the
Code of Practice on Access to Government Information. The Act amends the Data
Protection Act 1998 and the Public Records Act 1958.
The Code of Practice on Access to Government Information is a non-statutory scheme
which requires Government Departments and other public authorities under the
jurisdiction of the Parliamentary Commissioner for Administration to make certain
information available to the public and to release information in response to specific
requests. The Act creates a statutory right of access, provides for a more extensive
scheme for making information publicly available and covers a much wider range of
public authorities including: local government, National Health Service bodies, schools
and colleges, the police and other public bodies and offices.
The Public Records Act 1958 reorganized the arrangements for the preservation of
public records. It places a duty on the Keeper of the Public Record Office to provide
reasonable facilities for inspecting and obtaining copies of such records. The statutory
rights under the Act and the Information Commissioner’s regulatory powers will be
extended to information contained in these records.
The Data Protection Act of 1998, like that of 1984, is based on a set of Principles. The
Act is designed to protect the interests of the data subject. It is concerned with personal
data and the manner in which it is processed. Data users are personally responsible for
complying with the provisions of the 1998 Act. It introduces a number of important
changes and extends the provisions of the 1984 Act.
The Data Protection Act states that where an organization cannot comply with an access
request without disclosing information relating to another individual who can be identified
from that information, it is not obliged to comply with the request unless:
● the other individual has consented to the disclosure of the information to the person
making the request; or
● it is reasonable in all the circumstances to comply with the request without the
consent of the other individual.
Thereby meaning that at least one of these conditions shall be met:
● The data subject must have given his consent to the processing.
● The processing is necessary for the performance of a contract involving the data
subject, for other legal reasons, or for “any other functions of a public nature
exercised in the public interest”.
● The processing is necessary in order to protect the vital interests of the data subject.
From a security standpoint, the Data Protection Act also deals with Sensitive Personal
Data, which means information related to such things as racial or ethnic origin, political
opinions, religious beliefs, trade union membership, health, sexual life and criminal
convictions. Therefore, for processing such information, they need to satisfy one of the
conditions as mentioned hereinabove.
Please answer the following Self Assessment Question.

Self Assessment Question 6 Spend 3 Min.


What is “sensitive personal data” as per the UK Act?

Let us now summarize the points covered in this unit.

11.7 SUMMARY
● The EU Directive has two main objectives (i) protection of right of privacy and (ii)
prevention of obstacles to free flow of information within the EU.
● The EU Directive covers both private and public sectors and requires a receiving
country to have an adequate level of protection.
● The EU Directive sets out an industry-wide code protecting release of sector
specific data and a system of individual contracts between the transferring entity
and the data protection Commission of the EU country.
● There is no single law in the US for data protection. The various acts include the
Matching and Privacy Act and the Computer Security Act.
● The FTC enforces data protection administrative enforcement procedures along
with the FCRA.
● The UK follows the DPA based on a set of 8 principles. The DPA also deals with
sensitive personal data.
● In India, there has been no separate data protection legislation and the Information
Technology Act, 2000 regulates issues pertaining to data protection.

11.8 TERMINAL QUESTIONS


1. Briefly explain the EU directive on data protection. Also state whether the EU
directive is self sufficient to address all the issues?
2. Explain the US Safe Harbor Framework.
3. Give a comparative analysis between data protection legislation in EU and US.
4. Do you think there is sufficient data protection in India? Compare the position in
relation to the US and the UK.

11.9 ANSWERS AND HINTS
Self Assessment Questions
1. The Department of Information Technology and the National Association for
Software Service Companies (NASSCOM).
2. It must either (i) take the data to a country whose privacy regime is adjudged to
have ‘adequate’ data protection or (ii) the company demonstrates in other ways
that its operations meet the EU standards.
3. The Matching and Privacy Act and the Computer Security Act of 1987 deal with
personal information held by the federal government and such information in federal
record systems.
4. The Fair Credit Reporting Act (FCRA) provides for alternate means of redress
for aggrieved individuals such as the private right of action.
5. The two bodies recognised are the (i) Federal Trade Commission (FTC) and (ii)
the Department of Transportation.
6. ‘Sensitive Personal Data’ means information related to such things as racial or
ethnic origin, political opinions, religious beliefs, trade union membership, health,
sexual life and criminal convictions.

Terminal Questions
1. Refer to section 11.4 of the unit.
2. Refer to section 11.5 of the unit.
3. Refer to sections 11.4 and 11.5 of the unit.
4. Refer to sections 11.3, 11.5 and 11.6 of the unit.

UNIT 12 PRIVACY POLICY
Structure
12.1 Introduction
12.2 Objectives
12.3 Information Privacy – Legal Approaches to its Protection
12.3.1 Indian Scenario
12.3.2 Judicial Trends in India Relating to the Concept of Individual Privacy
12.3.3 Privacy in Tort Law
12.3.4 Privacy under Contract Law
12.3.5 EU Privacy Directive
12.4 Information Privacy in E-commerce
12.4.1 Introduction
12.4.2 Privacy Concerns
12.5 Data Protection and Employee’s Privacy
12.6 Requirement of Privacy Statute
12.6.1 Need for a Privacy Statute
12.7 Summary
12.8 Terminal Questions
12.9 Answers and Hints
12.10 References and Suggested Readings

12.1 INTRODUCTION
Privacy is a fundamental human right and a cornerstone of a democratic society. It lies
at the foundation of the rule of law, the secret ballot, doctor-patient confidentiality,
lawyer-client privilege, the notion of private property, and the value our society places
on the autonomy of the individual1.
The concept of information privacy is distinct from other aspects of privacy such as
physical intrusion and surveillance. Information privacy means the claim of individuals
to determine for themselves when, how and to what extent information about them is or
may be communicated to others. It may also be defined as the individual’s ability to
control the circulation of information relating to him or her. Many people are unaware
that when they go online, they leave an electronic record of their movements and
unwittingly provide personal information to people and organizations that track such
data.
Globalisation and the growth of electronic technologies have challenged the ability of
states to ensure the privacy rights of their citizens. Many countries concerned about the
protection of their citizens’ personal information have adopted privacy laws and fair
information practices. Information privacy initially emerged as a value that could not be
taken or misused by government without due process of law. This concept was later
developed into a set of best practice principles, both in the US and in the European
Union for ensuring fair processing, minimal intrusion and limited purposes in respect of
the use of personal data.
Information privacy was most profoundly affected by the rapid developments in
information technology such as the increased use of computers and the setting up of
national databanks wherein the choice of the individual is seen as central to the
concept of privacy both in allowing physical intrusion and the sharing of information. It
is almost ironic that privacy is being threatened over the Internet, as initially the Internet was
perceived as a technology that would afford its users a considerable level of anonymity
and also provide a forum which would encourage and foster freedom of individual
expression.

12.2 OBJECTIVES
After studying this unit, you should be able to:
● appreciate the judicial trends in India relating to information privacy;
● know the distinction between privacy in tort law and contract law;
● familiarize yourself with the concepts of information privacy in e-commerce;
● appreciate that information privacy is most greatly affected by rapid developments
in information technology; and
● know the three types of legal approaches to information privacy.

12.3 INFORMATION PRIVACY – LEGAL APPROACHES TO ITS PROTECTION
There are various different legal approaches concerned with the protection of information
privacy such as the Nordic, Civil and Common law approaches. The Nordic approach
for instance is defined as a combination of legal remedy available to the individual
through rights of access and the administrative regulation of computerised records. This
approach pioneered information legislation.
The Civil law approach differs from the Nordic approach in as much as it relies upon
statements of general principle. Its clear influence has been seen on two significant
doctrines in the development of privacy law namely, the US Constitution to protect
certain types of behaviour including a right to privacy from government surveillance into
an area where a person had a ‘reasonable expectation of privacy’ and matters relating
to marriage, procreation, child-rearing and education. The second significant doctrine
was developed through the European Convention of Human Rights (ECHR), a
codification of international human rights law.
The Common law approach seeks to apply privacy protection principles through the
medium of individual cases. In the UK for instance, the emphasis had been on particular
legal remedies against particular infringements. Judges often developed such rights without
reference to Parliament. However, following the implementation of the first Data
Protection Act in 1984, this trend has been somewhat eclipsed, with the UK establishing
a supervisory body to police the legislation.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.
What are the three main legal approaches to protection of information privacy?

12.3.1 Indian Scenario


In the Indian context, the rapidly growing services sector has resulted in both Indian
and trans-national corporate entities building up vast, exhaustive and detailed customer
databases with a view to providing personalised services such as insurance, personal
banking, credit cards etc. These databases contain confidential personal information
and may be used by corporates for their own purposes or for that of their affiliates.
Also, these databases form a valuable corporate asset, which finds many takers in the
market for individual information.
In this regard, any use, disclosure and retention of such information need to be strictly
regulated, through an established privacy enforcement regime. Any prospective Indian
privacy law would need to incorporate several facets of the above model, which
comprehensively deals with the collection and use of personal information. With the
emergence of an increasingly uniform set of norms governing commercial legal issues
across the globe, it becomes imperative for Indian law makers and the legislature to
take note of the void that prevails in the critical area of individual privacy protection.

12.3.2 Judicial Trends in India Relating to the Concept of Individual Privacy
In the Indian context, although there is no statutory enactment expressly guaranteeing a
general right of privacy to individuals in India, elements of this right, as traditionally
contained in the common law and in criminal law, are recognised by Indian courts.
These include the principles of nuisance, trespass, harassment, defamation, malicious
falsehood and breach of confidence. In addition, several pieces of discrete legislation
also recognise this right: for example, the Children Act 1960, which prohibits the
publication of names and other particulars of children involved in proceedings under the
Act; the Hindu Marriage Act 1955, which imposes similar restrictions on the publication
of reports concerning proceedings of matrimonial disputes; and the Copyright Act 1957,
which prohibits the unauthorized publication of certain documents, photographs, etc.
The Code of Criminal Procedure, 1973, also permits restrictions to be imposed on the
publication of reports concerning certain legal proceedings, e.g. rape trials.
Article 21 of the Indian Constitution is a fairly innocuous
provision in itself, i.e. “No person shall be deprived of his life or personal liberty except
according to procedure established by law”. However, the above provision has been
deemed to include within its ambit, inter alia, the Right to Privacy: “The Right to be
left alone”.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 2 Min.


Which provision of the Indian Constitution seeks to protect information privacy?

12.3.3 Privacy in Tort Law


The Right to Privacy is further encompassed in the field of Torts. The tort of Defamation
involves the right of every person to have his reputation preserved inviolate. It protects
an individual’s estimation in the view of the society and its defenses are ‘truth’ and
‘privilege’, which protect the competing right of freedom of speech. Essentially, under
the law of torts, defamation involves a balance of competing interests. The only
concession for an action which involves infringement of the right to privacy would be for
reasons of prevention of crime or disorder, protection of health and morals, or protection
of the rights and freedom of others.

12.3.4 Privacy under Contract Law


There exist certain other means by which parties may agree to regulate the collating and
use of personal information gathered, viz. by means of a “privacy clause” or through a
“confidentiality clause”. Accordingly, parties to a contract may agree to the use or
disclosure of an individual’s personal information, with the due permission and consent
of the individual, in an agreed manner and/or for agreed purposes. Under Indian laws,
the governing legislation for contractual terms and agreements is the Indian Contract
Act. Therefore, in a contract which includes a “confidentiality clause” i.e. where an
organization/company agrees to maintain the confidentiality of information relating to an
individual, any unauthorized disclosure of information, against the express terms of the
agreement would amount to a breach of contract inviting an action for damages as a
consequence of any default in observance of the terms of the contract6.
For example, in the case of an insurance contract, globally, contracts of Insurance are
contracts of “Utmost good faith” (Uberrimae Fidei) and the contract is voidable where
all material facts are not disclosed. However, the duty of utmost good faith is reciprocal
and the insurance company has a corresponding duty to disclose clearly the terms of its
offer and duly abide by them. Therefore, where an insurance proposal contains a
confidentiality clause regarding personal information provided by the customer, that
information cannot be disclosed without his prior consent. Any breach of such a term would
invite an action for breach of contractual terms by the insurer-customer.
In regard to a customer-insurance company relationship, an insurance company may
solicit personal information about an individual, wherein details could be sought relating
to an individual’s family, cultural background, ethnic origin, caste, childhood, education,
medical history, information regarding one’s immediate family, their age, profession etc.
or, in case of data processing companies, there may be queries with regard to an
individual’s professional pursuits, income, investment decisions, preferences, spending
patterns and so on. Despite an express authorization from their customers with regard
to sharing of personal information by corporate entities, there may still be instances
where disclosure of certain sensitive and embarrassing information could invite legal
action from an individual, claiming that the actions of a company which made an
unauthorized disclosure resulted in causing such mental agony, anguish, and social
stigma, which he would not have otherwise had to bear or face.2

12.3.5 EU Privacy Directive


The EU privacy directive is an important foundation for workplace privacy in Europe.
The directive applies to the processing of personal data wholly or in part by automatic
means. It establishes common rules for the EU to encourage freer flow of personal data
within the union, thus furthering a unified European market and protecting citizens’ right
to privacy.
The privacy directive applies to the processing of “personal data”, defined as information
relating to an identified or identifiable natural person. An identifiable person is “one who
can be identified, directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical, physiological, mental, economic,
cultural or social identity”.3
The issue of maintaining privacy and consequent protection of such confidential
information of an individual was first set out under the Organization for Economic
Cooperation and Development (OECD) Guidelines. The guidelines concentrated on
the issue of safe and sound exchange of data travelling from one country to another,
which has since become very important as more and more businesses rely on e-commerce.
This Directive was an important initiative to protect personal information by prohibiting
the transfer of such personal data to those countries which did not conform to the
privacy protection requirements of the EU. However, to promote e-commerce to and
from the EU it was essential that the gap in privacy protection norms be bridged. Keeping
this goal in mind the U.S. Department of Commerce and the European Commission
conferred at length and evolved a “safe harbor” structure. This “safe harbor” structure
was accepted and approved by the EU in 2000. This safe harbor structure was based
on certain principles wherein the individual sharing personal information was to be duly
notified and given a choice whether such information was to be shared or not with
third parties. He was also to be informed about further transfer of such information and
who would access the same and for what purpose. Adequate protection measures
were put into place for securing the information and the accuracy of the information
was also to be maintained. Finally a regulatory infrastructure was to be provided to
address any transgressions and violations of privacy.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What is the concept of ‘personal data’ under the EU privacy directive?
12.4 INFORMATION PRIVACY IN E-COMMERCE
12.4.1 Introduction
The Internet is an important medium helping trade and commerce increase throughout the
globe. The reason for this is simple: the Internet promises reduced costs, higher
margins, more efficient operations and higher profits, and all of this at a comparatively
much higher speed than it would take in the real world. It is useful to both producers and
consumers in developed and developing countries as it helps them overcome the
traditional barriers of distance from markets and lack of information about market
opportunities. Producers and traders no longer need to maintain physical establishments
requiring large capital outlays. Virtual shops and contact points on the Internet may
enable storage close to the production site and distribution can be made directly to the
consumer. Increased advertising possibilities worldwide may help small and medium
industries and businesses in developing countries that traditionally find it difficult to
reach the customer abroad. It may also enable such firms to eliminate middlemen while
trying to sell their products abroad.
Implicit in the use of this medium for trade and commerce is the enormous amount of
data flowing through it and the fact that everyday more data is being generated. A
substantial portion of this data is not for public use or viewing. This type of data
includes personal information of the individuals residing in any country, confidential and
privileged information of the business houses, and confidential government information. In
this chapter, we look specifically at the legal issues arising out of the privacy accorded
to and the privacy that ought to be accorded to the data used and generated for trade
and commerce over the internet, commonly known as e-commerce.
Infringement of data pertaining to consumers circulating in cyberspace has its impact on
trade and commerce. Three specific implications that determine how consumer
privacy concerns impact the sales of goods and services may be listed as follows. First,
consumers whose privacy concerns have not been addressed will tend to delay their
purchases or even forgo them. Second, some concerned consumers want to use more
traditional ways of purchasing. Third, consumers who use the Internet for making
purchases also have to pay the privacy costs caused by other consumers’ privacy
concerns. In other words, to maximize the potential of e-commerce, it seems critical to
accurately understand online consumers’ concerns for privacy. At the very outset it
may be clarified that ‘Consumers’ is not to be confused with individuals or households
only. It can include governments, companies, societies etc.
Privacy issues have drawn considerable attention in the discipline of law. However,
developing countries and many developed countries still lack literature on privacy
concerns related to cyberspace. When we talk about dealing with Internet privacy, it
implies ‘information privacy’. Invasion of privacy occurs when the information of a
consumer is not used for the purpose for which it was procured. This may be in the
form of circulation of information without authorization to do the same, use of the
information for purposes other than that for which it was obtained, modification of
information without knowledge of the consumer etc. Information privacy in e-commerce
has three main elements: Consumers, Vendors and Technology. Consumers are
individuals who want to buy goods or services and who are willing to use the systems of
e-commerce. Vendors sell products via the Internet and it is needed for buying online.
Please answer the following Self Assessment Question.
Self Assessment Question 4 Spend 3 Min.
State implications of consumer privacy concerns impacting sales of goods and
services?

12.4.2 Privacy Concerns


The main privacy concern is that a consumer is prompted to enter personal information
like e-mail address, and this information can be packaged into a cookie and sent to the
consumer’s hard drive, which stores it for later identification.
Four particular issues for consumer privacy concerns may be summed up as: (1) visits
to websites will be tracked secretly, (2) e-mail addresses and other personal information
will be captured and used for marketing or other purposes without permission, (3)
personal information will be sold to third parties without permission, (4) credit card
information will be stolen.4

12.5 DATA PROTECTION AND EMPLOYEE’S PRIVACY
The Information age has radically altered the traditional legal and organizational
framework of work by blurring the once clear boundaries between an employee’s
personal and professional lives. Employees experience increased autonomy and flexibility
both at work and at home with the increase in telecommuting and “mobile” working.
These advances are aptly facilitated by appropriate information systems and tools
supplied by employers. However, these same systems and tools facilitate the intrusion
of professional life into the personal sphere, and sometimes the intrusion of the employer
into the private lives of its employees.
Workers of the world are exposed to many types of privacy-invasive monitoring while
earning a living. These include drug testing, closed-circuit video monitoring, Internet
monitoring and filtering, e-mail monitoring, instant message monitoring, phone
monitoring, location monitoring, personality and psychological testing, and keystroke
logging. Employers do have an interest in monitoring in order to address security risks,
sexual harassment, and to ensure the acceptable performance of employees. However,
these activities may diminish employee morale and dignity, and significantly erode
employees’ privacy rights.5
The term electronic monitoring encompasses three different concepts. First, it includes
an employer’s use of electronic devices to review and evaluate the performance of
an employee. For example, an employer may use a computer to retrieve and review an
employee’s mail messages sent to and from customers in order to evaluate the
employee’s performance as a customer service representative. Second, it includes
“electronic surveillance” in the form of an employer’s use of an electronic device to
observe the actions of the employees, while employees are not directly performing the
work task, or for a reason other than to measure their work performance. For example,
an employer may electronically review an employee’s e-mail messages as part of an
investigation of a sexual harassment complaint. Electronic surveillance by an employer
also includes compliance with a government search warrant seeking an employee’s
voice mail or e-mail communications on the employer’s system. Third, electronic
monitoring includes an employer’s use of computer forensics, the recovery and
reconstruction of electronic data after deletion, concealment, or attempted destruction
of the data. For example, an employer may use specialised software to retrieve e-mail
messages related to an investigation of alleged theft of its trade secrets by retrieving
e-mail messages sent by an employee to someone outside the company.
Please answer the following Self Assessment Question.

Self Assessment Question 5 Spend 3 Min.


What are the different concepts that form electronic monitoring?

Advancing technologies enhance employer capability to monitor employee use of
computer networks and the Internet within the workplace. Software enables employers
to secretly, and in real time, monitor employees’ use of networked computers, including
individual monitoring of each connected computer. Software enables employers to
capture the images from an employee’s computer screen at random intervals and then
compress those images to provide documentation of all computer work. Software may
also reveal the online activities of all employees, including web sites visited, the length
of the employee visits, and whether those sites are productive or unproductive. Software
enables employers to monitor employees’ use of chat rooms, programs run, games
played, files used, bytes transferred or downloaded, time spent downloading, and
e-mail sent or received.
These electronic monitoring practices have significantly eroded employee privacy rights.
However, employers assert there are many good business reasons to electronically
monitor employees in the workplace, including (a) to monitor employee productivity in
the workplace; (b) to maximize productive use of the employer’s computer system
when employees use computers on the job; (c) to monitor employee compliance with
employer workplace policies related to use of its computer systems, e-mail systems,
and internet access; (d) to investigate complaints of employee misconduct, including
harassment and discrimination complaints; and (e) to prevent or detect industrial espionage,
such as theft of trade secrets and other proprietary information, copyright infringement,
patent infringement, or trademark infringement by employees and third parties.6
The privacy directive has a direct and immediate effect on the human resource operations
of employers. Many employment records involve processing personal data covered by
the Directive, including application forms and work references; payroll and tax
information; social benefits information; sickness records; annual leave records; unpaid
leave/special leave records; annual appraisal/assessment records; records relating to
promotions, transfers, training, and disciplinary matters; and records related to workplace
accidents. Such data can be very sensitive, as can be the manner in which it is processed
by the employer.
In the United States and many third-world countries, workers have very few privacy
protections in law. There are few situations where an employee has a due process right
to access, inspect, or challenge information collected or held by the employer. There
are patchworks of state and federal laws that grant employees limited rights. For instance,
under federal law, private-sector employees cannot be required to submit to a polygraph
examination. However, there are no general protections of workplace privacy except
where an employer acts tortiously, that is, where the employer violates the employee’s
reasonable expectation of privacy.
European employers are bound by comprehensive data protection acts that limit and
regulate the collection of personal information on workers. These laws specifically call
for purpose and collection limitations, accuracy of data, limits on retention of data,
security, and protections against the transfer of data to countries with weaker protections.
These protections place employees on a more equal footing while allowing employers
to monitor for legitimate reasons.
In 1996, the International Labour Organization (ILO) adopted a code of practice on
the protection of workers’ personal data. The ILO code is regarded as the standard
among privacy advocates for protection of workers’ privacy rights. The code specifies
that workers’ data should be collected and used consistently with Fair Information
Practices (FIPs).7
Pursuant to the privacy directive, employees have a number of rights with respect to
collection of their personal information by employers, including the rights to be informed
generally about information collection practices; to access and correct personal
information held by the employer; and, in some cases, to actually withhold consent to
the collection and processing of data by the employer. If an employee believes his or
her rights are being violated, he or she may appeal to the appropriate supervisory
authority for relief, or may seek damages in a judicial proceeding. Under the privacy
directive, employers are liable for monetary compensation to employees whose privacy
rights are violated. They are also liable for any additional sanctions under relevant
national data protection law.
Please answer the following Self Assessment Question.

Self Assessment Question 6 Spend 3 Min.


What are a few of the rights available to employees under the privacy directive?
12.6 REQUIREMENT OF A PRIVACY STATUTE
12.6.1 Need for a Privacy Statute
There exists in India an impending need to frame a model statute which safeguards the
Right to Privacy of an individual, especially given the emergence of customer-service
corporate entities which gather extensive personal information relating to their customers.
It is evident that despite the presence of adequate non-mandatory, ethical arguments
and precedents established by the Supreme Court of India, in the absence of an explicit
privacy statute, the right to privacy remains a de facto right, enforced through a circuitous
mode of reasoning and derived from an expansive interpretation of either Constitutional
law or Tort law.
The urgency for such a statute is augmented by the absence of any existing regulation
which monitors the handling of customer information databases, or safeguards the Right
to Privacy of individuals who have disclosed personal information under specific customer
contracts viz. contracts of insurance, credit card companies or the like. The need for a
globally compatible Indian privacy law cannot be overstated, given that trans-national
businesses in the services sector find it strategically advantageous to position their
establishments in India and across Asia. For instance, India is set to emerge as a global
hub for the setting up and operation of call centers, which serve clients across the
world. Extensive databases have already been collated by such corporates, and the
consequences of their unregulated operations could lead to a no-win situation for
customers in India who are not protected by any privacy statute which sufficiently
guards their interests. Even within the present liberal global regulatory paradigm, most
governments would be uncomfortable with a legal regime, which furthers commercial
interests at the cost of domestic concerns.
Issues that would need to be addressed by any prospective privacy legislation in India
are:
(i) Limited Purpose: The particular purpose for gathering information by an
organization must be specified at or before the time the information is collected.
(ii) Safeguards: In the case of insurance companies or other customer service-related
or data processing companies, the gathering and collation of personal
information on individuals would need to be conserved and secured by a regulated
data security system.
(iii) Accountability: Corporates would need to establish a system whereby all
information disclosure systems are duly audited/accounted and monitored, keeping in
view the rationale/occasion for every disclosure made.
(iv) Prior Consent: Corporates could include express clauses in their agreements,
which include an express authorization from the individual allowing the
companies to use/disclose personal information for their own internal purposes or
that of their affiliates or group companies.
(v) Limits to Use, Disclosure and Retention: Any information sharing with other
members of the insurance industry or with other corporate entities should be made
only after seeking an express authorization from the customer.
(vi) Information-Sharing: The confidentiality and sensitivity of such information makes
it necessary for corporates to avoid any data sharing arrangement or customer
information disclosure agreements without the prior consent of the individuals.8
Please answer the following Self Assessment Question.
Self Assessment Question 7 Spend 3 Min.
Name some of the issues that privacy legislation in India would need to address.

Let us now summarize the points covered in this unit.

12.7 SUMMARY
● Information Privacy is distinct from other aspects of privacy. It is the claim of
individuals to determine when, how and to what extent information may be
communicated to others.
● There are three broad legal approaches to information privacy — Nordic, Civil
and Common.
● India has no statutory enactment guaranteeing a right of privacy but elements in
relation thereto are recognised by Indian Courts. The Indian Constitution also
provides for this right under Article 21.
● The Right to privacy is further present in the law of torts and law of contract.
● The EU privacy directive provides the foundation for workplace privacy in Europe
establishing common rules to encourage free flow of personal data.
● Consumer privacy concerns impact sales of goods and services in e-commerce.
● Issues of consumer privacy concerns include tracking of visits to websites, capture
of e-mail addresses, sales of personal information to third parties and credit card
information risks.
● Employees’ privacy is threatened by many types of privacy-invasive monitoring.
● Electronic monitoring practices have eroded employee privacy rights; however,
employers assert good business reasons.
● India requires a privacy statute to address numerous issues of concern.

12.8 TERMINAL QUESTIONS


1. What do you understand by ‘Information Privacy’?
2. Capturing the position in the Indian scenario, elaborate the legal approach in respect
of protection of information privacy.
3. Explain how information privacy and e-commerce are two sides of the same coin.
4. How are employers responsible to a large extent in diminishing the morale and
dignity of employees? Comment.
5. Is there an imminent need to frame a statute in India which would safeguard the
Privacy Right of an individual?
12.9 ANSWERS AND HINTS
Self Assessment Questions
1. The three main legal approaches are the Nordic, Civil and Common law
approaches. The Nordic approach consists of legal remedy through rights of access
and administrative regulation of computerised records. The Civil approach relies
on statements of general principle while the common law approach seeks to apply
privacy protection principles through individual cases.
2. Article 29 of the Indian Constitution has been deemed to include the right to
privacy, the right to be left alone.
3. Under the EU privacy directive, “personal data” is defined as information related
to an identified or identifiable natural person. An identifiable person is one who
can be identified, directly or indirectly, in particular by reference to an identity
number or more factors specific to his identity.
4. Three specific implications are (a) consumers whose privacy concerns have not
been addressed will tend to delay or forgo their purchases; (b) some may wish to
use more traditional ways of purchasing; (c) consumers who use the Internet have to
pay the privacy costs caused by other consumers’ privacy concerns.
5. Electronic monitoring includes three different concepts:
(i) Employer’s use of electronic devices to review and evaluate employee’s
performance.
(ii) “Electronic Surveillance” to observe the actions of employees while employees
are not directly performing work.
(iii) Employers’ use of computer forensics.
6. Some of the rights include the right to be informed about information collection
practices, to access and correct personal information, and to withhold consent to the
collection and processing of data.
7. Some of the issues would be
(a) Limited purpose
(b) Safeguards
(c) Accountability
(d) Prior consent
(e) Limits to use, disclosure and retention
(f) Information sharing

Terminal Questions
1. Refer to section 12.2 of the unit.
2. Refer to section 12.3 of the unit.
3. Refer to section 12.4 of the unit.
4. Refer to section 12.5 of the unit.
5. Refer to section 12.6 of the unit.

12.10 REFERENCES AND SUGGESTED READINGS
1. Media Awareness Network. 10 Feb. 2007 <www.media-awareness.ca>.
2. “Privacy Laws in India – Big Brother’s Watching You – (and you can’t do a thing about it!)”. Mondaq Business Briefing. Mondaq.com. 27 Mar. 2002. 10 Mar. 2007 <http://www.mondaq.com/article.asp?articleid=15723>.
3. Gail Lasprogata, Nancy J. King and Sukanya Pillay. “Regulation of Electronic Employee Monitoring: Identifying Fundamental Principles of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada”. Stanford Technology Law Review 4 (2004). 11 Mar. 2007 <http://stlr.stanford.edu/STLR/Articles/04_STLR_4>.
4. Kaapu, T. “The Concept of Information Privacy in E-Commerce: A Phenomenographical Analysis of Consumers’ Views”. Proceedings of the 28th Information Systems Research Seminar in Scandinavia, Kristiansand, Norway, 6.8-9.8(2005): 16. Plenary paper. 12 Mar. 2007 <http://www.hia.no/iris28/files/paper_session.htm>.
5. “Workplace Privacy”. Electronic Privacy Information Centre. EPIC.org. 7 Feb. 2007 <http://epic.org/privacy/workplace/>.
6. Supra n 3.
7. Supra n 5.
8. Supra n 2.

UNIT 13 BPOs AND THE LEGAL REGIME IN INDIA
Structure
13.1 Introduction
13.2 Objectives
13.3 Legal Formalities for Setting Up a BPO in India
13.3.1 Compliance Issues in the BPO Sector
13.4 BPO Taxation
13.5 Data Protection and Privacy Issues in the BPO Industry
13.6 Current Methods – Service Contracts
13.7 Data Protection Law in India
13.7.1 Exploring the Options for a Data Protection Law
13.7.2 Some Proposed Amendments
13.8 Summary
13.9 Terminal Questions
13.10 Answers and Hints

13.1 INTRODUCTION
Business Process Outsourcing (“BPO”) has emerged as the most challenging sector
that has not only generated employment potential in India, but has also brought huge
inflow of foreign exchange into the country. Today, India is home to some of the world’s
leading BPO companies. In this context, it is becoming increasingly important to study
and examine the legal regime in India pertaining to BPOs and to undertake an examination
of data protection laws in the light of the growing concern that data transferred to India
may not be adequately protected. The purpose is to identify the deficiencies in Indian
law, if any, examine the well known global regulations that impact the Indian BPO
industry and suggest amendments to the existing laws in India, to bring them in conformity
with the international standards.
A BPO takes within its fold various elements such as finance and accounting, customer
relationship management, human resources, business process, transcription, and so on.
A parent company, instead of performing these operations, delegates them to a BPO. It
may be an in-house operation or a different company may be engaged to perform a
particular task. It may be in the same country or in a different country. The BPO sector
in India has an extremely advantageous position because of its low cost structure and
large pool of skilled manpower. The foreign companies gain significant advantages due
to cost savings as regards the price of production, and also the ability to concentrate on
their core business, instead of having to bother with the back office operations.
There are various statutory, legal, regulatory and contractual requirements in the area of
Business Process Outsourcing. These include certain tax complications that may arise
as the activity may have originated in one country and profits may have been in another
country. The nature of the outsourced work holds a certain value and profits of the
parent company may be attributed to these operations, making it difficult to segregate
the costs and profit, thus making the rules for the calculation of tax for BPOs
very complicated. However, it still continues to be a sunshine sector for the Indian
economy, and, as a result certain tax exemptions have been provided as an incentive to
foreign companies to outsource their work. BPOs are privy to confidential information
of the outsourcing companies. This is an important concern due to some of the recent
scandals that have in some measure deterred the potential clients from outsourcing their
work to India.
The Data Protection provisions are written into the service contracts between the Indian
and the foreign parties. These agreements govern a number of issues, ranging from the
services that should be provided and provisions relating to the termination of contract
to detailed provisions as regards “escrow” of the source code of software, which guards
the companies against the breakdown of business relationships. The seat of arbitration
in case of an infringement could be in a European Union (“EU”) country; therefore these
service contracts may also be governed by the EU laws. In this context, the provisions of
the Service Contracts assume great significance.

13.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the legal process of setting up a BPO in India;
● list the issues related to data protection in the BPO industry;
● discuss legal remedies as available in India to address issues related to data
protection; and
● discuss the possibility of exploring available options for creating and strengthening
existing legal framework of data protection.

13.3 LEGAL FORMALITIES FOR SETTING UP A BPO IN INDIA
In order to set up a call center in India, certain guidelines stipulated by DoT have to be
followed:
● The call centers are permitted to be Indian registered companies on a non-exclusive
basis.
● The call centers are registered under the ‘other service provider’ category as
defined in the National Telecom Policy, 1999.
● The validity of this permission is up to 20 years from the date of issue of the
permission letter.
● 100% Foreign Direct Investment is permitted in call centers.
● The call centers have to ensure that no change in the Indian or Foreign promoters/
partners or their equity participation is made without prior approval of competent
authority or as per prevailing regulations.
● The call centers can utilize resources of any authorized service provider i.e. IPLC
from the authorized International Long Distance operators and local leased line
from any authorized Service Provider.
● The service providers would examine the network diagram and grant resources to
the other service providers as per terms and condition of the govt. approval and
the prevailing guidelines and policy for the service from where the resources are
being taken. Both service provider and the OSP will be responsible for any violation
in the use of the resources.
● The domestic call centers are set up using separate infrastructure. However, the
request of the domestic call center to run on the existing private networks is evaluated
on a case-by-case basis.
The Central and State Governments have provided many incentives to ensure the
growth of BPOs, aimed at providing an enabling environment
which helps BPOs to grow with minimal interference. Special provisions have been
provided for the setting up of BPO units in Software Technology Parks (STPs), Software
Export Zones (SEZs), Free Trade Zones (FTZs) or Electric Hardware Technology
Parks (EHTPs).
However, in spite of all these measures, there still exist many hurdles in the formation
and operation of BPOs in India. Some of the problems that need to be addressed
expeditiously are discussed below.

13.3.1 Compliance Issues in the BPO Sector


Operational issues such as planning, facility, design or site location are not given much
attention by BPOs. While deciding on a location, the future capacity requirements must
be kept in mind. Ideally, there should be a large enough area, where there is sufficient
scope for expansion because getting clearances and establishing even basic infrastructure
pose a major challenge, as there are multiple agencies involved. Before setting up, a
DoT license needs to be obtained, which can take anywhere between 4 and 12 weeks.
Further, the telecom sector is not fully liberalized in India; call centers depend on the
DoT for providing a connection to the IPLC (International Private Leased Circuit).
This is not a very reliable link, especially for a business like call centers that need to run
on a 24x7 basis. To operationalise a call center, multiplexers between India and the
other country where the IPLC terminates are required. RBI clearance is another
requirement, which can take anywhere between four and eight weeks or more.
As the focus shifts towards IT-enabled services such as call centers, it becomes essential
to create a favourable growth environment. Industry bodies such as Nasscom and CII
have been putting forth suggestions pertaining to areas where action is required.
Highlights
● Need to appoint a single, national level, licensing and monitoring authority for the
IT-enabled services (ITeS) industry that can provide approvals for multi-facility
operations all at once.
● Provision for sharing of bandwidth within the same entities and group companies
in India.
● Approval for each new customer with DoT to be removed.
● Allowing IPLC connectivity on the same Local Area Network.
● Removal of bandwidth licenses.
● Declare ITeS as an ISP and allow owning their satellite gateways.
● Introduce the option to buy, sell and reserve bandwidth.
● Need to categorise ITeS as a special service under labour laws to allow 24x7
operations including night and shift operations.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


What are the important legal steps for setting up a BPO in India?

13.4 BPO TAXATION


The taxation of BPOs is governed mainly by the interpretation of two circulars that
have been issued by the Central Board of Direct Taxes and also by section 10A and
10B of the Income Tax Act. Greater details are provided in the Block which discusses
taxation as a separate Unit.

13.5 DATA PROTECTION AND PRIVACY ISSUES IN THE BPO INDUSTRY
It is increasingly being realised that it is necessary to create appropriate confidence
among investors and foreign companies, to the effect that the data they send to India for
back-office operations is indeed safe, and that there are appropriate statutory
mechanisms in place, should a breach of data take place.
While most Indian IT and ITES-BPO companies have come to be recognised for their
high quality processes and information security orientation, in the wake of recent scandals
and the loss of lucrative contracts in key segments for Indian companies, it has become
almost mandatory for Indian BPO firms to create strong data privacy and information
security strategies to still the existing criticism and skepticism associated with outsourcing.
The shift from low-end services such as customer support and medical transcription
towards high-end services such as medical insurance processing and media services,
engineering design and legal research, will naturally require the BPO outfits to comply
with several regulations, particularly where the outsourced work is in Intellectual Property
Rights – intensive areas.
However, while the absence of data protection laws in India is a serious deterrent,
Indian BPOs are trying to deal with the issue by attempting to adhere to major US and
European regulations. According to NASSCOM, the Indian outsourcing industry can
be broadly categorised into two segments — in-house or captive centers and third
party providers. In the former, outsourcing is done by a subsidiary of the parent
organization, and the central unit itself takes care of, and enforces all the regulatory
issues that the offshore center is subject to. In the latter however, the service providers
have the responsibility of protecting the crucial organizational data.
By adopting world-class privacy norms and complying with security and privacy
regulations, Indian service providers can ensure that they remain the preferred option
for worldwide customers when it comes to offshore outsourcing. Many BPO outfits
today have certifications that comply with regulations, though the number still remains
minuscule. Until a tighter data protection legal regime is in place, foreign customers are
relying upon contractual obligations to impose obligations for protecting and preserving
data.
The principal regulations that affect Indian BPOs are:
● US-EU Safe Harbor Agreement;
● UK Data Protection Act, 1998;
● The Sarbanes-Oxley Act;
● Gramm-Leach-Bliley Act (GLBA);
● Healthcare Insurance Portability and Accountability Act (HIPAA);
● USA Patriot Act, 2001;
● Homeland Security Act;
● Children’s Online Privacy Protection Act (COPPA);
● CAN SPAM Act, 2003.
The US approach to the protection of personal privacy differs from that of the EU, in
that the US has a number of statutory protections which are specific to sectors or
particular problems and there is no single law that provides a comprehensive treatment
of data protection on privacy issues, while the EU has a universally applicable law —
the Data Protection Act of 1998.
The Directive on Processing of Personal Data and the Protection of Privacy in the
Electronic Communications Sector (Directive 2002/58/EC) is part of the new European
regulatory framework for electronic communications networks and services. The
underlying purpose of the new directive is to protect fundamental rights and freedoms
of the individual.
The EU directive on data protection takes particular care to ensure that personal data
is transferred only to a third country that has an adequate level of protection. However,
it is also significant to note that the EU directive does not define adequacy, but rather
provides that it will be determined on a case-by-case basis.
Clearly, the EU data protection regime is much more rigid than that of the US. In order
to bridge these different privacy approaches and provide a streamlined means for US
organizations to comply with the Directive, the US Department of Commerce in
consultation with the European Commission developed a “Safe Harbor” framework.
The Safe Harbor approved by the EU in July of 2000 is an important way for U.S.
companies to avoid experiencing interruptions in their business dealings with the EU.
Certifying to the Safe Harbor would assure that EU organizations know that the
company provides “adequate” privacy protection, as defined by the Directive.
The decision by U.S. organizations to enter the safe harbor is entirely voluntary.
Organizations that decide to participate in the safe harbor must comply with the safe
harbor’s requirements and publicly declare that they do so.
Interestingly, though the US and particularly the UK have created a framework to
protect an individual’s personal information from misuse and abuse, such a protection
would be very fragile if the protection afforded by it were to fall apart as soon as the
information left the boundaries of the countries subject to the data protection laws. It
has therefore become imperative for companies to take appropriate due diligence
measures on the service providers in addition to the inclusion of clauses in their contracts
ensuring compliance by service providers with international data protection standards.
Quite evidently, data protection in the outsourcing space remains dependent on the
structure and enforceability of agreements between foreign companies and Indian service
providers.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 4 Min.


(a) What is the main legislation which provides for data protection in the EU
concerning the data travelling to US?
(b) What are the various foreign legislations which affect BPOs in India?

13.6 CURRENT METHODS – SERVICE CONTRACTS
Currently, data-protection provisions are written into the service contracts between
Indian and foreign businesses. These service contracts are governed by the EU laws
with the seat of arbitration in case of infringement of the law, being an EU country. Most
BPO contracts provide for stringent obligations on service providers to protect personal
data of the clients of outsourcers and for tough penalties on misuse. UK, for one, seems
to find this adequate. While the industry is for self-regulation, there are several problems
with the current state of affairs. It may be necessary to enact firm legislation in order to
bring about uniformity of regulation in this area, and to ensure data privacy and internal
checks within businesses. Some form of state regulation would also have the effect of
marking India as a safe destination for outsourcing activities. This would certainly help
in building customer confidence and support the growth of the BPO industry.
Answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.
What are service contracts?

13.7 DATA PROTECTION LAW IN INDIA


It must be submitted at the outset that the Indian Constitution does not expressly recognise
the right to privacy as a fundamental right. However, the Supreme Court has held that
there is a right of privacy implicit in Article 21 of the Constitution. There is no clear law
(i.e. general data protection law) regarding privacy of personal information, details,
etc.
An important issue is whether the legislation on data protection militates against the
right to information. The Indian Supreme Court has held that access to government
information was an essential part of the fundamental rights to freedom of speech and
expression. Following this, several states have passed Acts recognising this right to
information.
It is submitted that there is no absolute right to information recognised by the Indian
Supreme Court. It is a qualified right, subject to reasonable qualifications. Since the
right to privacy is also subject to restrictions such as national security and public interest,
this would imply that there is no conflict between these two seemingly opposing concepts.
Both the Safe Harbor Principles and the EU directive allow disclosure of personal
data, if it threatens national safety, aids terrorism, is against public interest etc.

13.7.1 Exploring the Options for a Data Protection Law


Three broad options are available for creating and strengthening the existing legal
framework relating to data protection.
Firstly, like the European Union, India could enact a new legislation to deal with data
protection.
Secondly, India may opt for amending an existing law, such as the Information Technology
Act that already contains some provisions relating to revealing of electronic information.
The IT Act 2000 is aimed at providing a comprehensive regulatory environment for
electronic commerce. The advantage of such a move is that existing administrative
mechanisms which have been contemplated under the Information Technology Act can
be used to administer data protection as well.
Thirdly, India may also choose to enter into bilateral or multilateral agreements, like the
US ‘Safe Harbor’ regulations, with countries that are its major business partners in the
field of outsourcing.
The first method seems to have found favour with the Indian government. In fact a law
on data privacy has been in the offing for quite some time. In June 2000 the National
Association of Software and Service Companies (NASSCOM) urged the government
to pass a data protection law to ensure the privacy of information supplied over computer
networks and to meet European data protection standards. The UK Data Protection
Act was examined as a model and several cyber laws were recommended including
ones on privacy and encryption. In May of 2000, the Government passed the
Information Technology Act, intended to provide a comprehensive regulatory
environment for electronic commerce.
Following the enactment of the IT Act the Ministry of Information Technology adopted
the Information Technology (Certifying Authorities) Rules in October 2000 to regulate
the application of digital signatures and to provide guidelines for Certifying Authorities.
In March 2000 the Central Bureau of Investigation set up the Cyber Crime Investigation
Cell (CCIC) to investigate offences under the IT Act and other high-tech crimes.
However, rather than have a separate law to deal with data security and privacy issues,
the present government is considering an amendment to its Information Technology Act
of 2000. An Expert Committee has been set up, with an objective to review the
Information Technology Act, 2000, in the light of the latest developments nationally and
internationally particularly with regard to provisions related to data protection and privacy
in the context of BPO operations, liabilities of network service providers, computer
related offences and regulation of cyber cafes. The committee recently submitted its
proposal for amendments to the Indian Information Technology Act 2000.

13.7.2 Some Proposed Amendments


In this report, the existing Sections (viz. 43, 65, 66 and 72) have been revisited and
some amendments have been provided for. There is a proposal to add Sec. 43(2)
related to handling of sensitive personal data or information with reasonable security
practices and procedures thereto. According to the provisions of Section 43(2), if any
body corporate that owns or handles sensitive personal data or information in a computer
resource that it owns or operates is found to have been negligent in implementing and
maintaining reasonable security practices and procedures, it shall be liable to pay damages
by way of compensation not exceeding Rs. 1 crore (approx. $220,000) to the person
so affected. Also, a gradation has been made of the severity of computer related offences
committed dishonestly or fraudulently and punishment thereof under Section 66.
Further, with the intent to protect the privacy of the individual subscribers, there is also
a proposal for inserting an additional Section 72 (2) that deals with breach of
confidentiality with intent to cause injury to a subscriber. According to this section, “if
any intermediary who by virtue of any subscriber availing his services has secured
access to any material or other information relating to such subscriber, discloses such
information or material to any other person, without the consent of such subscriber and
with intent to cause injury to him, such intermediary shall be liable to pay damages by
way of compensation not exceeding Rs. 25 lakhs to the subscriber so affected.”
The proposed amendments add a paragraph to the IT Act which states, “Whoever
intentionally captures or broadcasts an image of an individual without consent, and
knowingly does so under circumstances violating the privacy of that individual, shall be
held liable.” This is the first time that a right to privacy has so expressly found its way
into the statute books in India.
The Act also recommends a compensation of Rs 25 lakh to the person whose privacy
has been infringed. The offender can also be jailed for one year with a fine of Rs 2 lakh.
The proposal for the insertion of new clauses in the law is currently being reviewed by
the government, so as to meet the regulatory requirements of major customers of the
Indian BPO industry. The Information Technology Act of 2000 at present covers only
unauthorized access and data theft from computers and networks, with a maximum
penalty of about $220,000, and does not have specific provisions relating to privacy of
data. The new clauses are likely to enable the Act to conform to the so-called adequacy
norms of the European Union’s (EU) Data Protection Directive and the Safe Harbor
privacy principles of the U.S.
It is also relevant to address the issues that arise due to the trans-border nature of data
transfers in the outsourcing space, as well as the rights and liabilities of the various
parties involved in the process and the steps which can be taken to curb future misuse
of sensitive personal data of offshore clients.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 3 Min.


What are the legislative provisions for data protection available in India?

Let us now summarize the points covered in this unit.

13.8 SUMMARY
● Clearly, as the trend towards outsourcing steps up further, Information Security
will become an even more critical element of the customer strategies of service
providers.
● There is strict legislation governing privacy in all developed countries, but this is
the first time these issues have been addressed in India.
● The law on privacy in India, as it stands today, is limited to the right enshrined
under Article 21 of the Constitution and case law on the subject. However, like other
fundamental rights, it is not absolute, and is subject to reasonable restrictions
imposed by the state.
● At present the IT Act is the only substantive safeguard for companies outsourcing
work to India, which cannot be considered adequate for providing stringent security
measures so that India may emerge as a viable offshore destination.
● Given the situation, global customers will continue to feel insecure about the issue
of outsourcing which can severely hinder the growth of the Indian BPO industry.

● The increasing trend of outsourcing, and the concerns of losing customers to
competing countries, make it almost obligatory for India to put in place a stringent
data protection law.
● With the growth of the BPO space, legal complications will only increase,
necessitating a comprehensive and rigid legal regime.

13.9 TERMINAL QUESTIONS


1. What are the salient features of a BPO?
2. What are the issues which affect the functioning of BPOs?
3. What are proposed legislative changes to the IT Act which address the data security
requirement of the BPOs?

13.10 ANSWERS AND HINTS


Self Assessment Questions
1. A BPO can be set up in India only by getting a license from the DoT. The DoT
has stipulated certain steps/guidelines which must be followed:
● The call centers are permitted to be Indian registered companies on a non-
exclusive basis.
● The call centers are registered under the ‘other service provider’ category as
defined in the National Telecom Policy, 1999.
● The call centers have to ensure that no change in the Indian or Foreign
promoters/partners or their equity participation is made without prior approval
of competent authority or as per prevailing regulations.
● The call centers can utilize resources of any authorized service provider i.e.
IPLC from the authorized International Long Distance operators and local
leased line from any authorized Service Provider.
● The service providers would examine the network diagram and grant
resources to the other service providers as per terms and condition of the
govt. approval and the prevailing guidelines and policy for the service from
where the resources are being taken. Both service provider and the OSP will
be responsible for any violation in the use of the resources.
● The domestic call centers are set up using separate infrastructure. However,
the request of the domestic call center to run on the existing private networks
is evaluated on a case-by-case basis.
2. (a) The Safe Harbor approved by the EU in July 2000 is the main legislation
which provides for data protection in the EU concerning the data travelling
to the US. Certifying to the Safe Harbor would assure that EU organizations
know that the company provides “adequate” privacy protection as defined
by the EU Directive.
(b) The various foreign regulations/legislations which affect BPOs in India are:
● US-EU Safe Harbor Agreement;
● UK Data Protection Act, 1998;
● The Sarbanes-Oxley Act;
● Gramm-Leach-Bliley Act (GLBA);
● Healthcare Insurance Portability and Accountability Act (HIPAA);
● USA Patriot Act, 2001;
● Homeland Security Act;
● Children’s Online Privacy Protection Act (COPPA);
● CAN SPAM Act, 2003.
3. Service contracts are those contracts which are entered into by Indian and foreign
companies and include amongst other things provisions for data protection. These
service contracts are governed by the EU laws with the seat of arbitration in case
of infringement of the law, being an EU country.
4. There is as such no specific Act enacted to deal with data protection. However,
Article 21 of the Constitution of India, which deals with the protection of personal
life and liberty, includes the right to privacy also.

Terminal Questions
1. Refer to section 13.1 of the unit.
2. Refer to section 13.5 of the unit.
3. Refer to section 13.7 of the unit.

Emerging Issues in Data Protection and Privacy

UNIT 14 PROTECTING KIDS’ PRIVACY ONLINE
Structure
14.1 Introduction
14.2 Objectives
14.3 Internet Crimes against Minors
14.3.1 Types of Cyber Crime
14.3.2 Characteristics of Cyber Crime
14.4 Legislative Response by Different Countries
14.4.1 Position in the U.S.
14.4.2 Position in the U.K.
14.4.3 Position in India
14.5 Judicial Precedents
14.5.1 U.S. v. Fabiano
14.5.2 U.S. v. Upham
14.5.3 Federal Trade Commission v. Liberty Financial
14.5.4 Federal Trade Commission v. Toysmart.com
14.5.5 Federal Trade Commission v. Monarch Services, Inc., Girls’ Life, Inc.,
Bigmailbox.com and Looksmart Ltd.
14.5.6 Federal Trade Commission v. Lisa Frank, Inc.
14.6 Measures to Protect Minors from Internet Crimes
14.6.1 Non-legislative Measures
14.6.2 Technological Safeguards
14.6.3 Enforcement Measures
14.6.4 Self-disciplinary Measures
14.7 Summary
14.8 Terminal Questions
14.9 Answers and Hints
14.10 References and Suggested Readings

14.1 INTRODUCTION
The Internet has become a popular source of entertainment today. It offers minors tremendous
opportunities to:
– Explore new ideas
– Increase their knowledge base in a cost and time effective manner by acting as a
surrogate teacher and guide
– Visit and explore indirectly foreign lands and customs and
– Participate in challenging mental games.
Many minors (the most recent survey on this issue revealed that in fact 90% of school
children) are skilled navigators of the Internet. They are comfortable using computers
and are irresistibly drawn towards the information and images that can be explored at
the click of a mouse. However, certain aspects of the virtual world can be dangerous
and harmful to minors. This unit endeavours to analyse the increasing trend of online
crime against minors and the legislative response towards it by certain countries.

14.2 OBJECTIVES
After studying this unit you should be able to:
● enlist types and related characteristics of Internet crimes against minors;
● explore the legislative responses put into place by a set of representative countries
i.e. U.S., U.K., and India;
● know some of the judicial precedents on the related issues; and
● describe some of the measures which can be implemented for shielding the minors
from these heinous crimes.

14.3 INTERNET CRIMES AGAINST MINORS


Increasingly, law enforcement agencies and service providers are facing the challenge
of saving child victims from Internet crimes, and in the process, considering the best
way to respond to their needs and those of their families. According to cyber statistics
revealed at the Federation of American Scientists, there are 75 million minors and
teenagers online today.

14.3.1 Types of Cyber Crime


Minors/teenagers are contacted through the Internet by criminals who:
● Produce, manufacture, and distribute child pornography.
● Expose them to child pornography and encourage them to exchange pornography.
● Entice them for the purpose of online sexual acts.
● Exploit them for sexual tourism for commercial gain and/or personal gratification.

14.3.2 Characteristics of Cyber Crime


● Physical contact between the child and the perpetrator is not required.
● Repeated, long-term exposure may occur without the minor’s knowledge, such
as in the case when a minor’s sexually explicit photograph is displayed on the
Internet indefinitely.
● Minors who are victims of Internet crimes do not disclose out of fear and shame.
● Minors may not realise that they have been victimized due to lack of knowledge.
● Harassment including threats or other offensive content.
● Aggressive sexual solicitation involving offline contact.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.
What are some of the types of crime that can be committed against minors?

14.4 LEGISLATIVE RESPONSE BY DIFFERENT COUNTRIES
14.4.1 Position in the U.S.
There are basically three primary U.S. legislations, which specifically deal with kids’
protection online. The Communications Decency Act (hereinafter the “CDA”), which
was enacted as part of the Telecommunications Act of 1996, was the first attempt to
make the Internet safe for minors. The U.S. Congress made two renewed attempts to
regulate minors’ exposure to Internet indecency since the US Supreme Court overturned
the CDA. A court injunction blocked enforcement of the first, which was the Children’s
Online Protection Act (hereinafter the “COPA”), immediately after its notification in
1998. However, the second legislation, Children’s Internet Protection Act (hereinafter
the “CIPA”) was held constitutional by the Supreme Court in 2004.
(a) Communications Decency Act
The CDA sought to protect minors from harmful material online by criminalizing Internet
transmission of indecent materials to minors. Title V Section 203 declared that operators
of Internet services were not to be construed as publishers, and thus were not legally liable for the
words of third parties who use their services. However, it was struck down by the U.S.
Supreme Court in Reno v. American Civil Liberties Union1, stating that the portion
intended to protect minors from indecent speech is too broad and is an unconstitutional
abridgement of the First Amendment and right to free speech.
(b) Children’s Online Protection Act
COPA was enacted to protect minors from exposure to sexually explicit materials on
the Internet, 47 U.S.C. 231, which among other things, imposes a $50,000 fine and 6
months in prison “for the knowing posting, for commercial purposes”, of world wide
web content that is harmful to minors.
COPA requires that web sites and online services directed to minors under age 13
must:
● Post a clearly written privacy policy with links to the notice provided on the home
page and at each area where the site or online service collects personal information
from minors.
● Explain how the web site operator uses the personal information (marketing to the
child? Notifying contest members?) and whether it is disclosed to third parties.
● Obtain parental consent before collecting, using or disclosing personal information
about a child.
● Provide parents with the ability to review, correct, and delete information about
their children collected by such services.
● Maintain reasonable procedures “to protect the confidentiality, security, and integrity
of personal information collected from minors”.
However, on 29 June 2004, COPA was struck down by the US Supreme Court in
Ashcroft v. American Civil Liberties Union2 on the ground that COPA was not the
least restrictive means available for the government to serve the interest of preventing
minors from using the Internet to gain access to harmful materials.
Another criticism which can be levelled against COPA is that it does not protect the
privacy of teenagers who are also minors since it is clearly applicable to minors under
the age of 13.
(c) Children’s Internet Protection Act
The US Congress then passed the CIPA in 2000, which required the schools and
libraries to install filters on computers used by minors and adults or lose federal funds.
Under CIPA, no school or library may receive discounts on Internet connectivity unless
it certifies that it has taken adequate steps of Internet safety. To receive the discounts,
libraries must use filtering or blocking technology to shield minors from “inappropriate
material on the Internet” and prevent the unauthorized disclosure, use and dissemination
of personal identification information regarding minors.
However, CIPA allows the filtering technology to be disabled to “enable access for
bona fide research or other purposes”, including a request by an adult. To be compliant
with the law, libraries must certify that they have filtering technology in place as well as
a procedure to remove the filter/blocking mechanism.
(d) CAN-SPAM Act
The CAN-SPAM Act which became effective from January 2004 was enacted to also
address issues arising from sexually explicit e-mails. This Act requires that any e-mail
messages containing sexually explicit materials must declare the contents in the subject
matter itself of such e-mails. E-mails found to be in violation of this requirement can be
subject to civil penalties up to USD 500,000 and also criminal consequences leading to
imprisonment up to five years. Apart from labeling the sexually explicit e-mails, an option
for not receiving any more e-mails with a legitimate and actual address of the sender of
such e-mails has to be set out on the opening page of such e-mails. This CAN-SPAM
Act would also seem to be a step in the direction of trying to address the issue of
unsolicited emails to minors which contain undesirable sexual content.

14.4.2 Position in the U.K.


In the U.K., there is no specific Act which addresses the issue of online
protection of minors from Internet crimes, which include but are not limited to taking,
distributing, showing or publishing an indecent photograph of a child. However, certain
legislations have related provisions for such crimes, which can be invoked in both
offline and online transgressions. These are as follows:
(a) Obscene Publications Acts, 1959 and 1964
The test for ‘obscenity’ is set out in the Obscene Publications Acts, 1959 and 1964
respectively in section 1(1) and it is defined as material which tends to ‘deprave and
corrupt’ those who are likely, with regard to all relevant circumstances, to read, see or
hear it.
Storage and transmission of material which is considered obscene whether for a gain or
not is a criminal offence under the Obscene Publications Acts 1959 and 1964.
(b) Protection of Children Act, 1978
Section 1 of Protection of Children Act, 1978 penalizes taking, making and distributing
indecent pseudo-photographs of minors with imprisonment for three years or with fine
not exceeding 20,000.
(c) Criminal Justice Act, 1988
The Criminal Justice Act, 1988 makes it an offence for a person to have any indecent
photographs of a child in his/her possession as stated in section 160 of the aforesaid
Act, on top of the pre-existing offences of taking, distributing, showing or publishing
such a photograph.
(d) Criminal Justice Public Order Act, 1994
The Obscene Publications Acts were further elaborated and strengthened in the Criminal
Justice Public Order Act, 1994 (ss.84-87) which deals specifically with ‘Obscene
Publication and indecent photos of minors’.
There is no specific enactment in the UK on issues related to minors’ protection
vis-à-vis the obscene information and related problems thrown up by the Internet. However,
the existing enactments have a number of provisions which can be relied upon in the
event of crime related to minors on the Internet.

14.4.3 Position in India


India also does not have a legislation which specifically provides for online protection
of minors. However, a related provision in the Indian Penal Code (IPC) does provide
for a minor’s protection from obscene material. Section 293 of the IPC penalizes
whosoever sells, lets to hire, distributes, exhibits or circulates to any person under the
age of 20 years any obscene object, with imprisonment for three years or with a fine of
Rs.5000.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 6 Min.


(a) What are the legislations which are applicable to crime against minors in the US?
(b) What are the legislations which are applicable to crime against minors in the UK?
(c) What is the legal protection available for crime against minors in India?

14.5 JUDICIAL PRECEDENTS


There are very few judicial precedents on this issue of online crime affecting minors.
However, in the U.S. there has been a cross-section of judgments which throw some
light on the effectiveness of the legislative measures enacted in the U.S. against this
problem.

14.5.1 U.S. v. Fabiano3


Defendant John Fabiano was convicted for knowingly receiving child pornography, in
violation of 18 U.S.C. § 2252(a)(2). Defendant was charged in a fifteen-count indictment
with transporting, receiving and possessing child pornography in violation of 18 U.S.C.
§§ 2252(a)(1), (a)(2) and (a)(4)(B). A jury convicted him on two counts of knowingly
receiving visual depictions of child pornography, in violation of § 2252(a)(2), and
acquitted him on the remaining thirteen counts. The district court sentenced Defendant
to 24-months imprisonment and three years of supervised release.

14.5.2 U.S. v. Upham4


In February 1997, U.S. Customs agents who were monitoring a “chat room” on the
Internet, while engaged in an undercover investigation, received in Buffalo, New York
a number of images depicting child pornography. Records of the Internet service provider
showed that the computer from which the images had been sent was owned by Kathi
Morrissey at an address in Costigan, Maine. Acting pursuant to a warrant, the agents
conducted a search of Morrissey’s home on March 21, 1997.
Among the items seized and taken from the house were Morrissey’s computer and a
number of diskettes. Using a computer utilities program and the “undelete” function, the
government was able to recover from the computer’s hard disk and the diskettes some
1,400 previously deleted images of minors engaged in sexually explicit conduct. These
images included the relatively small number of images that the agents had received in
Buffalo in February 1997 from Morrissey’s computer.
As set forth in a superseding indictment, the grand jury charged Defendant with four
counts of transporting in interstate commerce computer graphic images of minors
engaged in sexually explicit conduct, the production of which involved the use of minors
engaged in such conduct; each count related to transmissions on a different date in
February 1997. (See 18 U.S.C. § 2252(a)(1)). The fifth count charged Defendant
with possession, on “a date uncertain” but between about February 7, 1997, and March
21, 1997, of the 1,400 images of minors engaged in sexually explicit conduct, the
production of which involved the use of minors engaged in such conduct. See 18 U.S.C.
§ 2252(a)(4)(B).

14.5.3 Federal Trade Commission (FTC) v. Liberty Financial 5
Before the COPPA Rule was implemented, the FTC addressed children’s privacy in a
lawsuit against Liberty Financial Companies, Inc., the operator of the Young Investor
Web site. The FTC alleged that the Web site falsely represented that personal information
collected from children in a survey would be maintained anonymously. The FTC alleged
that the Liberty Financial Companies did not maintain the information it collected
via the survey anonymously and that it maintained information about the child and
the family’s finances in an identifiable manner.

14.5.4 Federal Trade Commission (FTC) v. Toysmart.com6


Following enactment of COPA, the FTC settled a case against Toysmart.com.
Toysmart.com was an online toy retailer that collected family profiles, including the
names and birth dates of children, which triggered application of COPA. Toysmart.com
promised in its privacy statement to never share information collected from consumers
with a third party. However, the company subsequently filed a motion in a bankruptcy
court seeking to sell its assets, including its database of personal information.
The FTC charged that selling the database would constitute a violation of COPA because
Toysmart.com collected names, e-mail addresses, and ages of children under thirteen
without notifying parents or obtaining parental consent. The FTC demanded that
Toysmart.com be prohibited from selling the database as a stand-alone asset, but agreed
to allow its sale within one year to a “qualified buyer” that agrees to the terms of the
original privacy policy.

14.5.5 Federal Trade Commission (FTC) v. Monarch Services, Inc., Girls’ Life, Inc., Bigmailbox.com and Looksmart Ltd.
In April 2001, the FTC announced settlements with three Web site operators charged
with violations of COPA. The FTC charged Monarch Services, Inc. and Girls’ Life,
Inc., operators of www.girlslife.com, Bigmailbox.com, operator of www.bigmailbox.com
and Looksmart Ltd., operator of www.insidetheweb.com, with collecting personally
identifiable data from children under the age of 13 without parental consent. As part of
the settlements, the companies were required to pay a total of $100,000 in civil penalties,
comply with COPA in connection with any future online collection of personally
identifiable data from children under the age of 13 and delete all personally identifiable
data collected online from children since the effective date of COPA.

14.5.6 Federal Trade Commission (FTC) v. Lisa Frank, Inc.


In October 2001, the FTC announced a settlement with Lisa Frank, Inc., maker of
popular girls’ toys and school supplies that the company advertised and sold at the
Web site www.lisafrank.com. In its complaint, the FTC alleged that the company failed:
(1) to provide notice to parents that it wished to collect information from their children;
(2) to obtain parental consent for the collection of their children’s information; and (3) to
accurately disclose in its privacy policy the company’s information collection, use and
disclosure practices. As part of the settlement, Lisa Frank, Inc. was required to pay a
civil penalty of $30,000 and is prohibited from violating the provisions of COPA.
Please answer the following Self Assessment Question.
Self Assessment Question 3 Spend 3 Min.

Give two examples of judicial precedents which were related to crime against minors
in the U.S.

14.6 MEASURES TO PROTECT MINORS FROM INTERNET CRIMES
Law enforcement agencies and service providers are hard pressed to find effective
solutions for preventing minors from becoming victims of Internet crimes. The problems
begin with the fact that no single legislation exists in the various jurisdictions which
specifically provides for addressing the issues arising from such Internet crimes.
Even in the US, which is a highly developed jurisdiction, legislations like COPA which
protects minors from exposure to sexually explicit materials on the Internet and penalizes
the use of such material for commercial purposes have been struck down.
Legislations which are enforceable like CIPA are not of much help as they only lay
down certain guidelines like filtering etc for the schools and libraries and therefore do
not cover Internet crimes which actually take place and need to be punishable so that
prospective criminals are prevented from committing such crimes. There then remains the issue of
deciding on the way forward on this extremely sensitive and topical matter. Given the
grave societal concerns on this matter, there are certain steps which have been taken at
various levels. Some of these are elucidated hereunder.

14.6.1 Non-legislative Measures


(a) The world bodies have gathered together and tried to come up with some effective
solutions which are being globally implemented by different countries who are
signatories to certain conventions of these world bodies. For instance the Council
of Europe has adopted the Convention on Cybercrime, which particularly deals
with infringement of copyright, computer related fraud, child pornography and
violations of network security. This Convention also contains a series of powerful
procedures such as the search of computer networks and interception. The main
objective is “to pursue a common criminal policy aimed at the protection of society
against Cybercrime, especially by adopting appropriate legislation and fostering
international co-operation”.
(b) Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women
and Children, supplementing the United Nations Convention against Transnational
Organized Crime (w.e.f. December 25, 2003)
UNICEF estimates that cross-border smuggling in West and Central Africa
enslaves more than 200,000 children. The children are often “sold” by unsuspecting
parents who believe their children are going to be looked after, learn a trade or be
educated. Hence the aforesaid protocol on human trafficking is extremely topical,
especially since it lays particular emphasis on women and children who are indeed
the most vulnerable to this sort of victimization.7
(c) Convention on the Rights of the Child (w.e.f. September 02, 1990)
The Convention on the Rights of the Child is the first legally binding international
instrument to incorporate the full range of human rights — civil, cultural, economic,
political and social rights. The Convention sets out these rights in 54 articles and
two Optional Protocols.8
The relevant Optional Protocol to the Convention on the Rights of the Child is the
one on the sale of children, child prostitution and child pornography which became
effective from January 18, 2002.
The need of the hour is to try and extend the provisions of all the non-legislative
measures into the legislative frameworks of various countries and to make these
safeguards the rule of the law on a global scale. This would help to guarantee the
protection of the child from the sale of children, child prostitution and child
pornography.9

14.6.2 Technological Safeguards


Further, technology which has created this monster has also thrown up certain solutions
which include the following measures:
(a) The Internet service providers have adopted various safeguard mechanisms by
laying down certain guidelines for the parents to protect their children from exposure
to sexual materials. British Telecom, the largest Internet service provider, whose
subscribers are BT Yahoo and BT Internet, has blocked child porn sites.
(b) TRUSTe is another technology created for allaying privacy fears. TRUSTe is a
mark of approval and confirms that an organization has privacy practices which
are monitored by third party auditors. The TRUSTe online privacy guide is available
for parents and teachers to address the issues and reduce the exposure of minors
to unsavoury and obscene content.10

14.6.3 Enforcement Measures


(a) Operation Ore launched in Britain in May 2002 is on its way out. It has details of
7300 alleged British subscribers to a child porn gateway. About 1300 people
engaged in online child pornography have been arrested, including teachers,
care workers, social workers, soldiers, surgeons and 50 police officers. Almost
40 minors, 28 of them in London, are now under protective care. The investigation has
focused on anyone with access to minors and in positions of authority, such as the
police or magistrates.

14.6.4 Self-disciplinary Measures


Apart from legislative, non-legislative, technical and enforcement steps, in this particular
instance, the parents at home and the teachers in schools have an important role to play
in preventing such online crime. It would be a good idea to encourage parents and
teachers to give proper guidance regarding the use of the Internet to the children and
apprise them of the pitfalls which might arise during such use and result in serious
transgressions. Some of the probable online crimes can be explained in simple terms
to the children, which would go a long way in protecting children by simply
having the children discipline themselves while using this important information tool.
Some of the do’s and don’ts which can be imparted in a straightforward and easy to
understand manner to the children can include the following:
(a) access only the good educational websites;
(b) do not access the bad/deceptive websites;
(c) read the fine print on the home page of each site before proceeding to the next
page of that site;
(d) do not pretend to be someone else since that can create a wrong impression and
result in serious consequences;
(e) do not accept any freebies on the Internet, since those can be an inducement for
luring the child into a dangerous situation;
(f) do not chat/speak with strangers without asking the parents to verify the details of
such people. There have been examples of 60-year-old pedophiles pretending to
be young children;
(g) do not misuse the Internet to threaten or mislead others since that can have a
boomerang effect.
Having explored the various threats to minors which have crept in through the Internet,
it is extremely important to realise that this is one of the most savage online/offline
crimes since the victims are unable to defend themselves through conventional means.
Further, this being more in the nature of a societal problem, apart from the legislative
measures an amalgam of various technological and familial safeguards also needs to be
relied upon for addressing this problem. Often just by some alert parenting, exposure
to this kind of crime can be easily avoided.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 4 Min.


(a) Give examples of two technological measures to protect minors from cyber crime.
(b) Give examples of four self disciplinary measures to protect minors from
cyber crime.

Let us now summarize the points covered in this unit.


14.7 SUMMARY
● Child pornography has emerged as the major crime against minors which takes
place through the Internet.
● The children are exposed to child pornography and are enticed by the criminals
for the purpose of online sexual acts.
● The primary U.S. legislations which deal with protecting kids’ privacy online are
the Communications Decency Act, the Children’s Online Protection Act, the
Children’s Internet Protection Act and the CAN-SPAM Act.
● In the U.K., there is no specific Act which addresses the issue of online
protection of minors; however, there are certain legislations which address this
issue. These are:
– Obscene Publications Acts, 1959 and 1964
– Protection of Children Act, 1978
– Criminal Justice Act, 1988
– Criminal Justice Public Order Act, 1994
● India also does not have a specific legislation; however, section 293 of the IPC
provides for a minor’s protection from obscene material.
● Measures to protect minors from Internet crimes can be divided into the following
categories:
– Non-legislative measures in the form of various conventions and protocols
to deal with the issues.
– Technological safeguards to be used by ISPs.
– Enforcement measures.
– Self-disciplinary measures.

14.8 TERMINAL QUESTIONS


1. What makes crime against minors distinct from other conventional crimes?
2. Compare the legislative positions of all three representative jurisdictions and state
which is the most effective and why?
3. How can legislative measures be improved to address this problem?
4. What in your opinion is the most important non-regulative measure for controlling
this menace affecting minors?

14.9 ANSWERS AND HINTS


Self Assessment Questions
1. Some of the types of crime that can be committed against minors are to:
● produce, manufacture, and distribute child pornography.
● expose them to child pornography and encourage them to exchange
pornography.
● entice them for the purpose of online sexual acts.
● exploit them for sexual tourism for commercial gain and/or personal
gratification.
2. (a) The legislations applicable in the USA are:
● Children’s Internet Protection Act
● CAN-SPAM Act
(b) The legislations which are applicable to crime against minors in the UK are:
● Obscene Publications Acts, 1959 and 1964
● Protection of Children Act, 1978
● Criminal Justice Act, 1988
● Criminal Justice Public Order Act, 1994
(c) No specific Act has been enacted to protect minors from such crime in
India. However, section 293 of the IPC provides for a minor’s protection
from obscene material.
3. Two judicial precedents are:
● US v. Fabiano
● US v. Upham
4. (a) Two technological measures to protect minors against crime are:
● Safeguard mechanisms from the Internet service providers
● TRUSTe
(b) Four disciplinary measures to protect minors against crime are:
(a) access only the good educational websites;
(b) do not access the bad/deceptive websites;
(c) read the fine print on the home page of each site before proceeding to
the next page of that site; and
(d) do not pretend to be someone else since that can create a wrong
impression and result in serious consequences.

Terminal Questions
1. Refer to section 14.3 of the unit.
2. Refer to section 14.4 of the unit.

14.10 REFERENCES AND SUGGESTED READINGS


1. US Supreme Court. 26 June. 1997. 12 Apr. 2007 <http://supct.law.cornell.edu/supct/html/96-511.ZS.html>.

2. US Supreme Court. 29 June. 2004. 12 Apr. 2007 <http://www.cdt.org/speech/copa/20040629copadecision.pdf>.

3. 10th Cir. 05. Mar. 1999. 12 Apr. 2007 <http://www.kscourts.org/ca10/cases/1999/03/98-1048.htm>.

4. 1st Cir. 12 Feb. 1999. 8 May. 2007 <http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=1st&navby=case&no=981121>.

5. Federal Trade Commission (FTC) v. Liberty Financial. File No. 982-3522. FTC 6 May. 1999.

6. FTC v. Toysmart. Civ Action 00-11341-RGS (DMass).

7. 8 May. 2007 <http://www.unodc.org/unodc/en/trafficking_victim_consents.html>.

8. 8 May. 2007 <http://www.unicef.org/crc/>.

9. 9 May. 2007 <http://www.unhchr.ch/html/menu2/dopchild.htm>.

10. TRUSTe online privacy guide. 10 May. 2007 <http://www.truste.org/pdf/Parents_Teachers_Online_Privacy_Guide.pdf>.

UNIT 15 EVOLVING TRENDS IN DATA PROTECTION AND INFORMATION SECURITY
Structure
15.1 Introduction
15.2 Objectives
15.3 Privacy
15.4 E-governance
15.5 Information Warfare
15.6 Legal Issues with Retention of Electronic Records by the Government and
other Private Agencies
15.7 Data Transfer Regime
15.8 Summary
15.9 Terminal Questions
15.10 Answers and Hints
15.11 References and Suggested Readings

15.1 INTRODUCTION
With the coming of age of the Internet and information systems, the legal systems which
deal with them have been forced to evolve rapidly. Though the changes in law have
had to deal with a number of issues in the broad area of cyber laws, the most vibrant of
those have been concerned with privacy, information security, information warfare,
e-governance, e-commerce and crimes on the Internet. The fact that the laws in this
regard are presently evolving, along with the fact that there are differences in approach
between most national legal systems, lends to the colourful mosaic that the province of
law seems to be bathed in. For example, while in the US the regime regarding information
gathering by websites is more geared towards self-regulation, in Europe the EU has
led the way with a number of quite compulsory policies in this regard.1

15.2 OBJECTIVES
After studying this unit, you should be able to:
● explain the issues that have spawned debate in the area of privacy;
● know the meaning and underlying framework requirements in respect of e-
governance;
● describe the issues in respect of grave threat to national security of countries on
account of information warfare;
● explain the legal issues in respect of retention of electronic records; and
● describe the working in general of data transfer regimes.

15.3 PRIVACY
Two major issues which have spawned considerable debate and even some laws in the
area of privacy, especially in the context of growing Internet use, are unsolicited
commercial e-mail and ‘cookies’ and other technological features that web site operators
sometimes use to track visitors to their sites or perhaps to build a profile of the specific
Internet user.
In a string of decisions2, unsolicited e-mail has been deemed to be a trespass to personal
property and even permanent injunctions have been issued prohibiting commercial
mailers from mailing subscribers of some providers. Here the mailer’s First Amendment
rights to free speech have generally not been allowed as the other party is not the
government. The Controlling the Assault of Non-Solicited Pornography and Marketing
Act of 2003, though, has been quite effective in getting control of this problem. This
Act is directed at decreasing the number of spam e-mails3. It basically requires mass
marketers to provide an opt-out provision in their e-mail lists, fixes liability and
requires them to provide a physical address. This structure is in fact very similar to
the do-not-call lists which exist for telemarketers4.
However, in India such legislation has not yet been brought into effect. A case dealing
with unsolicited telemarketing has made headlines. The Dr. Harsh Pathak Public
Interest Litigation (PIL) is seeking a direction to be issued by the Supreme Court to
banks and telephone service providers to stop making unsolicited telemarketing calls.
On February 7, 2005, pursuant to the PIL, the Supreme Court issued notices to the
Union of India and to a host of mobile phone service providers and banks. The Union of
India has also been made a party to the suit, based on the argument that it is the duty of
the state to prevent violation of the rights of citizens and that the state has so far failed
to do so.
As it is alleged that the defendants currently use mobile communication links to market
their services and products by making unsolicited calls or “cold calls”, and that such
unsolicited calls violate the Right to Privacy of the user, the suit also throws up several
interesting points of discussion. Do unsolicited calls by themselves violate privacy, since
they do not in an unauthorized manner interfere in any personal conversation or disclose
personal information to any unauthorized person? Or is the objection based on the
sharing of phone numbers of users between commercial entities? Would such sharing
of phone numbers, and their usage for cold calls, be violative of any privacy related
law? Would the Supreme Court read such a prohibition as a measure to safeguard the
Right to Life and Liberty of consumers in Article 21? These are questions which will go
a long way in determining the right to privacy on the Internet as well, since the principles
are the same.
However, when the issue turns to cookies and other tracking features of websites, there
are very few legislative provisions which govern these in the US or in Europe. Rather, the
focus is on industry self-regulation and thus the setting of industry standards and policies.
These systems are designed both to preserve the privacy of users and to garner
information for webmasters and online marketers about current/potential
customers. In this regard the Open Profiling Standard (OPS) and the World Wide Web
Consortium’s Platform for Privacy Preferences Project (P3P) were standards which
were supposed to give users control over the amount of information that they reveal
over the Net. This shows how the information industry can have an important role in the
safeguarding of private individuals’ information on the Internet. The importance of this
lies in the speed with which the companies comply with the industry guidelines and
respond to the pressures of the marketplace. Besides, newer systems, especially those
under the Uniform Computer Information Transactions Act (UCITA), talk about licensing
of personal information to websites. An advantage of this contractual approach to
protecting information privacy is that multiple interests of people can be accommodated
and the idea of consent with regard to use of personal data is also satisfied.5
As far as the US and Europe are concerned, they have basic and in some cases stringent
laws which protect the privacy of all individuals in their geographies. These laws lay
down the basic principles of protection of privacy and the means and methods to protect
them. However, as technology evolves, these privacy laws will find it difficult to keep
pace with the new implications of technology. For example, biometrics has become
a growing area of technological innovation, and there are privacy
implications of the use of biometrics. “Biometric” means a fingerprint, retina or hand
scan of a person which is stored in information systems; this information can be
accessed to validate the person for identification purposes. Biometrics is mostly being
used by Government Authorities, who can access further personal information stored
on the information systems to confirm the identity of the person. However, this process
of validation using biometrics can be undertaken on the street, in airports, schools,
banks, swimming pools or office buildings. Therefore this process of validation can be
very invasive, and the Government and even private entities may be able to maintain
huge amounts of information about individuals in their data banks. Effective legislation
controlling the use of biometrics will be another trend to watch out for in the coming
years.
Please answer the following Self Assessment Question.

Self Assessment Question 1 Spend 3 Min.


What are some of the common universal standards pertaining to cookies and other
tracking features of websites?

15.4 E-GOVERNANCE
E-governance represents the application of information technology for the improvement
of administration. Basically it means that the Government of a country will interact with
its citizens wherever possible through the Internet and information systems. Further, the
Government will use information technology and systems in the day to day running of
the various departments, ranging from passport and land revenue departments to the
judiciary. In order to enable this process of e-governance it is essential to ensure that
there is an effective legal framework which guides and nurtures e-governance. While in
the US and in Europe there have been a sufficient number of guidelines and legislations in
this regard, in India this is yet to happen. Therefore one trend of legislations which we
can expect in the near future is that relating to e-governance. While the Information
Technology Act, 2000 does set the context for e-governance and enables various
transactions in the e-governance sphere, a lot more needs to be done in this area. An
effective legal framework ensures that governments have the opportunity to keep pace
with the new era of global communication and efficiently provide citizens with valuable
services. This framework should identify and address the various transactions which
happen in the e-governance model, such as electronic payments and electronic contracting,
and also disputes which arise during e-transactions. There should also be a regulator
similar to the Telecom Regulatory Authority of India to ensure that transactions in the
e-governance space are smooth and in accordance with applicable law.
Please answer the following Self Assessment Question.

Self Assessment Question 2 Spend 3 Min.


What should an effective legal framework seek to achieve in the area of
E-governance?

15.5 INFORMATION WARFARE


The growing dependence of countries on information systems means that critical
infrastructure and even defensive and offensive capabilities of countries depend upon
information systems. These information systems are vulnerable to the growing attacks
in cyberspace. Computer-based information operations akin to hacking, could provide
adversaries of a country with an asymmetric response to that country’s military superiority
by giving them the potential to cripple critical infrastructure and even defense capabilities
of the country6. Therefore, it does not matter if the conventional military forces of a
country are strong; a small country with negligible military presence can hack into the
ballistic missile control systems of the enemy and disable them. Further, it can hack into and
cripple the public transport system of its enemy, thereby causing immense loss of life
and property without dropping a single bomb on the enemy. The complexity of computer
networks is growing faster than the ability to understand and protect them by identifying
critical nodes, verifying security, and monitoring activity. Attacks on a country’s military,
economic, or telecommunications infrastructure can be launched from anywhere in the
world. Weapons of “mass effect,” such as denial-of-service attacks, are likely to
proliferate in the coming decade. Viruses and worms are likely to become more
controllable, precise, and predictable—making them more suitable for weaponization7.
Therefore countries are looking to adopt stronger penalties for hacking and attacks
such as denial of service attacks. National governments are also strengthening laws
which oblige companies and organizations handling information systems to protect such
information systems. This is especially because most IT systems of critical infrastructure
and even some defence installations are outsourced to private companies, and therefore
the risk of a compromise is higher in such cases. The growing threat to the national security
of countries through information warfare would mean that countries will adopt more
stringent laws relating to information security.

15.6 LEGAL ISSUES WITH RETENTION OF ELECTRONIC RECORDS BY THE GOVERNMENT AND OTHER PRIVATE AGENCIES
With more and more electronic records being kept on the net or otherwise, issues of
security and privacy have come to the fore, as electronic data can be
easily manipulated. The problems arise with regard to how much information is being
recorded, for what purpose it is being recorded and what the security provisions are as
regards the prevention of misuse of this information. The consent of the person whose
information has been so collected, as well as the scope for him/her to change such
information which has been collected, are also relevant issues.
A very relevant example is the way in which health information is stored and used
according to law, especially in light of the fact that health services are the sector in which
a lot of outsourcing happens and thus a lot of client information is shared. The Health
Insurance Portability and Accountability Act of 1996, called the HIPAA, is part of a
new breed of legislations which address privacy and security issues in quite specific
fields like electronic healthcare transactions. The HIPAA governs health plans, health
care providers who transmit any health information in electronic form in connection
with a transaction covered by HIPAA, and also health care clearinghouses. The ambit
of HIPAA, though, importantly extends to outsourcers also, as the Act requires the
covered entities to impose HIPAA obligations on their business associates, that is,
entities which deal with the covered entity, perform a function or service which involves
the use of individually available health information of the covered entities, and
receive health information. The HIPAA provides for two kinds of standards: privacy
standards and security standards. The privacy rule prevents the disclosure or use of
protected health information (information about health which can be used to identify an
individual) unless specifically authorized by the individual or under the law. The security
rule is a subset of the former and comes into effect when the protected health information
is either transmitted by electronic media or kept in electronic media. The security rule
and the privacy rule set a number of procedures which have to be diligently followed by
the covered entities when handling confidential information. These standards include not
only risk analysis and risk management but also require assessment systems to be in place.
The standards for the security rule are similar and tougher compared to those of the privacy
rule. The business associates of the entities have these procedures in their contracts, thus
completing a very careful system as regards confidentiality. Thus HIPAA shows how
sector specific laws have been evolving in the light of new practices which have emerged
after the large scale adoption of practices based on electronic retention of
data and high speed data communication.8
Interestingly, governmental records of individuals are a very big problem, especially
when the security systems of most government networks are suspect and susceptible to
hacker attacks. The problem here is that the government acquires a huge amount of
personal information about each person in its different departments. To safeguard this
information in the US, there is the Privacy Act of 1974, 5 U.S.C. § 552a et seq., which
prohibits the disclosure of a record without the consent of the subject of the record.
These records can only be used to accomplish a stated agency purpose. However,
what is relevant is that whenever such governmental records are involved, the usage of
such records for law enforcement, tax collection, disciplinary or counter-intelligence
purposes is prohibited. But after the 9/11 attacks, the issue of data retention has acquired
a different dimension. The US Patriot Act and the EC directives recently give much
wider powers for blanket retention of personal data. For example, in the UK the
Anti-terrorism, Crime and Security Act 2001 (which bases itself on the EC directives) contains
provisions which allow communications service providers to retain data about their
customers for national security purposes. This usage of ISPs to store data for the
government (supposedly voluntarily) is quite odd, but even worse is the fact that the
UK government acknowledges that the data retained might be used for purposes
which are not related to national security. Such a contention flies straight in the face of
a fundamental tenet of Data Protection regimes: that the information retained may
not be used for purposes other than what it is retained for.9 These new developments in
data retention cause concern, as not only are they disproportionate to the threats faced,
they are also quite purposeless in that the objective will not be served by any blanket
retention of data.
Please answer the following Self Assessment Question.

Self Assessment Question 3 Spend 3 Min.


What does the HIPAA stand for and what does it seek to address?

15.7 DATA TRANSFER REGIME


The data transfer regimes need to be studied because, in its zeal to protect the
processing of personal data of Europeans outside of Europe, the European Union
issued Data Protection Directive 95/46/EC of the European Parliament, which requires
that in case personal information needs to be transmitted outside the EU to a country,
then it can be done only to countries which ensure an adequate level of protection for
the subject of data. An adequate level of protection will only exist when the country has
specific legislation with regard to the informational privacy of individuals with a formal
enforcement mechanism10. As a result, quite a few countries were not able to reach the
standards that were required by the EU. Therefore, to get around it, the EU allows the data
exporter to ensure that adequate safeguards are in place where the data is to be
transferred, and in that case such transfer of data will be allowed. This is a cumbersome
process, as the contract clauses have to be tailored to suit this. Therefore presently in
the EU there have been efforts to put together certain binding corporate rules, which will
allow corporates to establish adequate safeguards without introducing them into the
contracts. Though as of now regulatory approval has to be sought in each country for
the binding rules, there are plans to have one stop approval for authorization from all
countries for the rules. Enforcement mechanisms suggested for these binding rules vary
from self-regulation to flexible regulatory frameworks. This concept of binding corporate
rules is a new approach and may just hold the key to quicker establishment of uniform
data protection norms all over the world, especially since the initiative will rest with the
companies in this situation.11
These are only a few trends in the growing and dynamic world of information technology
or cyberlaws which need to be addressed in the coming years in order to make
cyberspace a safe and secure place for transactions.
Please answer the following Self Assessment Question.

Self Assessment Question 4 Spend 3 Min.


What are the concepts of adequate level of protection and adequate safeguards as
per the EU Directive?

Let us now summarize the points covered in this unit.

15.8 SUMMARY
● Laws have been forced to evolve rapidly with increasing use of information
systems.
● Two major issues in privacy are unsolicited commercial email and cookies and
such other tracking devices.
● The US and EU have basic and sometimes stringent laws to protect the privacy of
all individuals in their geographies.
● India still lacks E-governance guidelines and an effective legal framework to ensure
that governments provide citizens with valuable services.
● Information Warfare is about computer based information operations that could
provide adversaries of a country with an asymmetric response to that country’s
military superiority.
● Legal issues are increasingly arising in respect of retention of electronic records in
terms of how much information is being recorded, for what purpose and how the
security provisions are faring in respect of the same.
● The EU Data Protection Directive provides for data export only where adequate
levels of protection are present or adequate safeguards can be ensured.

15.9 TERMINAL QUESTIONS
1. What is your opinion on the changing and dynamic technology and the struggle of
policy and law to keep pace with this technology?
2. What are the evolving trends in privacy laws in India and the rest of the world and
what measures do you think India should take in order to keep up with the changing
technology?
3. How is increasing electronic retention of records becoming an issue for both
protection of privacy and information security?
4. What measures need to be taken by India to ensure that an effective e-governance
regime is established?
5. What is your understanding of the concept of information warfare and what counter
measures must be taken?

15.10 ANSWERS AND HINTS


Self Assessment Questions
1. Some of the common universal standards pertaining to cookies and other tracking
features are the Open Profiling Standard (OPS) and the World Wide Web
Consortium’s Platform for Privacy Preferences Project (P3P).
2. An effective legal framework in respect of e-governance should ensure that
governments have the opportunity to keep pace with the new era of global
communication and efficiently provide citizens with valuable services.
3. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
It addresses privacy and security issues in specific fields like electronic healthcare
transactions.
4. The EU data protection directive sets out that in case personal information needs
to be transmitted outside the EU, then it can only be to countries which
ensure an adequate level of protection for the subject of data. The EU, however,
also alternatively permits the transmission of such information if the data exporter
can ensure that adequate safeguards are in place for the same.

Terminal Questions
1. Refer to section 15.3 of the unit.
2. Refer to section 15.3 of the unit.
3. Refer to section 15.6 of the unit.
4. Refer to section 15.4 of the unit.
5. Refer to section 15.5 of the unit.

15.11 REFERENCES AND SUGGESTED READINGS


1. Susan E. Gindin. “Lost and Found in Cyberspace”. San Diego Law Review 34 (1997): 1153.
2. Cyber Promotions, Inc. v. America Online 948 F. Supp. 456, 459 (E.D. Pa. 1996). CompuServe Inc. v. Cyber Promotions Inc. 962 F. Supp. 1015 (S.D. Ohio 1997) and Concentric Network Corp. v. Wallace. 24 Mar. 2007 <http://www.jmls.edu/cyber/cases/concent1.html>.
3. Alison Fortescue. “Data Protection and Marketing for Global Organisations”. Privacy and Data Protection Journal. 4. 5. (June 2003).
4. Charles H. Kennedy. “FTC Opens New CAN-SPAM Act Proceeding”. Morrison-Foerster Legal updates and News. May 2005. 24 Mar. 2007 <http://www.mofo.com/news/updates/files/update02026.html>.
5. Pamela Samuelson. “Privacy as Intellectual Property”. Stan L. Rev. 52 (2000): 1125.
6. Cyber Threat Trends and US Network Security. 1 Apr. 2007 <http://www.cia.gov/nic/testimony_cyberthreat.html>.
7. Ibid.
8. Randall E. Colson. HIPAA and Outsourcing: The Impact of Business Associate Rules under the Final Privacy and Security Standards. Negotiating Technology Outsourcing Agreements Law Seminars International. Seattle: Washington. 2003.
9. Rowland. “Data Retention and the War Against Terrorism – A Considered and Proportionate Response?”. The Journal of Information, Law and Technology 3 (2004). 2 Apr. 2007 <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2004_3/Rowland/>.
10. Susan Gindin. “As the Cyber-World Turns: The European Union’s Data Protection Directive and Trans-border Flows of Personal Data”. 24 Jan 1998. 2 Apr. 2007 <http://www.info-law.com/eupriv.html>.
11. Karin Retzer. “Land in Sight: The Latest Developments Concerning Data Transfers from the EU”. Morrison-Foerster Legal Updates and News. Feb. 2005. 4 Apr. 2007 <http://www.mofo.com/news/updates/files/update1428.html>.

