P age |1

PROTECTION OF PRIVACY IN CYBERSPACE: A COMPARATIVE

ANALYSIS BETWEEN INDIA AND USA.
*Keyur Tripathi 1

ABSTRACT

In recent years, these concerns have escalated in India, USA and other
economies, particularly due to the rapid commercialization of the Internet and
the development of new and more powerful information technologies.
Cyberspace is shorthand for the web of consumer electronics, computers, and
communication networks that interconnects the world. Privacy is the need of
people to choose freely under what conditions and to what extent they will
expose themselves, their approach and their conduct to others.

There are certain laws in force, which ensures protection to the right to
privacy in cyberspace. The present research paper therefore aims at exploring
the status of Privacy in Cyber Space in India. India needs to work more for
enduring an effective and concrete legislation for data protection.

However, while creating the laws, the legislature has to be well aware for
maintaining a balance between the interests of the common people along with
amicably handling the increasing rate of cybercrime. In continuing the
privacy conversation, we must recognize that a vision protective of
information privacy and data protection in cyberspace will be singularly hard
to maintain.

This paper analyzes the privacy in cyberspace from the perspective of India
and USA. For over two decades, concerns regarding the privacy of the
individual and cross-border movement of personal information have been
reflected in international policy frameworks, such as the OECD (Organization
for Economic Cooperation and Development) Privacy Guidelines.

Key Words: Cyberspace and privacy; Cybercrime; Commercialization; Data

Protection; Information technology.

1
LL.M Student, Galgotias University Greater Noida UP

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |2

Literature Review

• Greenwald, 2013, The Guardian published a story on how the National Security Agency
(NSA) is collecting the phone records of millions of Verizon customers on a daily basis. The
information came from a document leaked by an NSA contract employee, the now infamous
Edward Snowden.

• Satariano & Strohm, 2014, several public celebrities had their personal photographs stolen
from Apple’s iCloud service. In November 2014, Sony Pictures was hacked and thousands of
confidential documents containing the personal and private information of employees and
celebrities were stolen and posted online.

• Brustein, 2015, RadioShack, an iconic US electronics retail chain, filed for bankruptcy in
February 2015. The data it collected on over 100 million customers was sold via auction.
This sale is being contested by several parties, one claiming that the data does not belong to
RadioShack, several others claiming that the company is violating its own privacy policies.

• Nakashima, 2015, it was disclosed that breaches of databases managed by the US

government’s Office of Personnel Management had exposed the sensitive information of at
least 22.1 million individuals. Later on in July 2015, Ashley Madison – an online dating
website that targets married people – was hacked and personal details on its 37 million users
stolen and in August 2015 these details were re-leased on to the Internet.

• Johnson, Swartz, & della Cava, 2016, the Federal Bureau of Investigation (FBI) obtained
a court order to compel Apple to break into an iPhone belonging to the perpetrator of a mass
shooting. Apple said that the only way this can be done is by creating a special version of
Apple’s iOS operating system that bypasses the phone’s security, and opted to fight the order
in court rather than comply. Ultimately, the FBI withdrew its request after finding a third
party to assist in unlocking the phone, but the issue re-sparked debate about many aspects of
privacy and state surveillance.

• McMillan, 2016 Yahoo revealed that in 2014 hackers penetrated its network and stole
personal data related to more than 500 million accounts. This is believed to be the largest
breach ever publicly disclosed by a company.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |3

• Bélanger and Crossler, 2011 first called for the development of tools for successful online
privacy initiatives, this call has largely been answered by computer scientists at the
conceptual (proof of concept) level, as opposed to (Information Systems) IS researchers, who
might enhance the understanding of factors influencing the use of technology by individuals,
and formulate behavioral questions to be explored with respect to effectiveness and
consequences of use.

• Agarwal and Hall, 2013 they discovered that in order to preserve privacy, users needed to
be given a set of mechanisms to limit their exposure to their contacts based on individual
privacy preferences. “Protect My Privacy” uses a crowdsourcing approach to build a
recommendation engine for iOS apps that allows apps to be rated based on different privacy
breaches. New users of iOS apps get information on recommended protection settings for
each particular app.

Privacy and Cyberspace

Cyberspace is shorthand for the web of consumer electronics, computers, and communication
networks that interconnects the world. 2

The Internet users in present scenario are dangerously exposed to the risk of privacy
infringement in cyberspace. With the growing use of internet by the citizens of the country,
the risk of their being exploited and victimized by infringing their privacy over internet is
increasing day by day. This concern is felt more in the case of youth and teenagers who
constitute majority of the internet users and are susceptible in understanding the risk of
exposing themselves to the cyber world. The social networking sites which are now used
extensively for social interactions between the individuals by uploading their personal
content, has further aggravated the issue of ‘internet privacy’. There are several ways in
which, the privacy of the individual could be violated in cyber space.

2
A more official-sounding name is the Global Information Infrastructure (“GII”). See generally The Global
Information Infrastructure: Agenda for Cooperation, 60 Fed. Reg. 10,359 (1995) (setting forth the U.S.
Government’s vision for developing the GII and identifying the policy issues critical to encouraging its
use). The United States is committed to developing its portion of the GII, the National Information
Infrastructure (“NII”). The NII has an expansive meaning, which includes low- and high-tech hardware,
software, network interconnection standards and protocols, information, and the people who make all this
possible.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |4

Privacy is an incident of fundamental freedom or liberty. The right to privacy is one of the
basic Human rights. In addition, Courts in India have admitted it a status of fundamental
right, though it is not directly provided in the Constitution of India.

In Justice K.S. Puttaswamy Vs Union of India3, the Apex court unanimously affirming that
the right to privacy is a fundamental right under the Indian Constitution. The verdict brought
to an end a constitutional battle that had begun almost exactly two years ago, on August 11,
2015, when the Attorney-General for India had stood up during the challenge to the Aadhaar
Scheme, and declared that the Constitution did not guarantee any fundamental right to
privacy. 4

Justice D.Y. Chandrachud, while delivering the main judgment, on behalf of the Chief Justice
J.S. Khehar, Justice R.K. Agarwal, himself and Justice S. Abdul Nazeer has held that privacy
is intrinsic to life, liberty, freedom and dignity and therefore, is an inalienable natural right. 5

There are certain laws in force, which ensures protection to the right to privacy. The Right to
Privacy is one of the most cherished right for the human beings given the nature and the
importance of this right. The human beings by their very nature require a space exclusive
from interference of any kind. This is necessary for the development of their individual
personality. The fact that the right to privacy finds a special mention in the ancient texts and
sources signifies its importance to the societies of all times. This right has received
recognition and protection in societies of all times. In modern era, the human rights
movements have considerably affected the concept and jurisprudence of legal rights. The
right to privacy has found explicit mention in all international instruments concerning human
rights. 6 In India, the right to privacy has received highest protection as fundamental right
under the Constitution of India.

The threat to privacy over internet is not a new phenomenon. The developed countries in the
world, where the information technology is firmly rooted amongst the masses, have already
adopted the security measures by which this problem can be redressed effectively to a

3
WRIT PETITION (CIVIL) NO 494 OF 2012
4
http://www.livelaw.in/supreme-courts-right-privacy-judgment-foundations/
5
ANURAG BHASKAR, Key Highlights of Justice Chandrachud’s Judgment in the Right to Privacy Case,
27/08/2017 https://thewire.in/171325/justice-chandrachud-judgment-right-to-privacy/
6
Art.12 of the Universal Declaration of Human Rights and Art.14 and 17 of the International Covenant on Civil
and Political Rights

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |5

considerable extent. The Internet users of these countries normally observe all these security
measures while navigating in the cyberspace. The latest McAfee study sheds light on
examines the online behavior and social networking habits of Indian tweens and teens.

The study stresses the need for more awareness and focus on online safety for youth, the
majority of internet users in India are young teenagers who do not understand the risks in
exposing themselves to the completely unknown cyber-world 7. They often fail to analyze the
potential threat that they are under while using the internet for social networking or
otherwise. The Privacy concerns in India are thus unaddressed by the internet users and lack
of security and legislative measures in this direction are adding to the gravity of this already
serious issue.

Cybercrime investigations need to take into account privacy concerns while implementing the
procedural provisions of the Convention on Cyber Crime. Cybercrime investigations require
more technical expertise and surveillance than conventional crime but it also needs to be
ensured that here is protection of fundamental privacy principles both in the national and
international law. As basic principles for the protection of privacy there are three
international treaties that are widely recognized as the basis for the protection of privacy and
personal life: Article 12 of the Universal Declaration of Human Rights of 1948, Article 17 of
the International Covenant on Civil and Political Rights (ICCPR). The OECD guidelines on
the Protection of Privacy and Trans border Flow of Data are also of relevance in this aspect. 8

Alan Westin (1967) in ‘Privacy and Freedom’ defined privacy as the “desire of people to
choose freely under what circumstances and to what extent they will expose themselves, their
attitude and their behavior to others.” 9

The absolute protection of privacy on the internet as discussed above is difficult to imagine
and achieve. The evolution of the technology and the law for the same is already on the

7
Kul Bhushan, Indian teens and tweens more exposed to online risks, 24 - Oct – 2019,
https://www.digit.in/internet/indian-teens-and-tweens-more-exposed-to-online-risks-24415.html
8
http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.
html
9
Alan F. Westin, Privacy And Freedom, 25 Wash. & Lee L. Rev. 166 (1968) Available at:
http://scholarlycommons.law.wlu.edu/wlulr/vol25/iss1/20

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |6

move. The self-restraint by the users on his ‘web-habits’ is the basic solution which may yield
positive results in this direction. 10

The Indian Scenario-

In the report ‘Big democracy, big surveillance: India's surveillance state’11 published by Open
Democracy, India’s surveillance programs mostly started following the 2008 Mumbai terror
attacks. That was when the Ministry of Home Affairs first proposed the creation of a
National Intelligence Grid (NATGRID), which will give 11 intelligence and investigative
agencies real-time access to 21 citizen data sources to track terror activities. These citizen
data sources will be provided by various ministries and departments, otherwise called
“provider agencies”, and will include bank account details, telephone records, passport data
and vehicle registration details, among other types of data. NATGRID is far from India's only
data sharing scheme. the Crime and Criminal Tracking Network & Systems (CCTNS),
which would facilitate the sharing of databases among 14,000 police stations across all 35
states and Union Territories of India, excluding 6,000 police offices which are high in the
police hierarchy. Rs. 2,000 crore (around USD 320 million) has been allocated for the
CCTNS, which is being implemented by the National Crime Records Bureau under the
national e-governance scheme. Apparently, sharing data and linking databases is not enough
to track criminals and terrorists.

In September 2013 it was reported that the Indian government has been operating Lawful
Intercept & Monitoring (LIM) systems, widely in secret. In particular, mobile operators in
India have deployed their own LIM systems allowing for the so-called ‘lawful interception’
of calls by the government. And possibly to enable this, mobile operators are required to
provide subscriber verification to the Telecom Enforcement, Resource and Monitoring
(TERM) cells of the Department of Telecommunications.

In the case of the Indian government, the LIM system is deployed at the international
gateways of large ISPs. The functioning of these systems is immune to interception by the
ISPs and are under lock and key so as to be in the complete control of the government.

10
Dr. Pankaj Kakde, Right to Privacy and Its Infringement in Cyberspace,
https://www.academia.edu/5635495/Right_to_Privacy_and_Its_Infringement_in_Cyberspace
11
MARIA XYNOU, Big democracy, big surveillance: India's surveillance state, 10 February 2014,
https://www.opendemocracy.net/opensecurity/maria-xynou/big-democracy-big-surveillance-indias-surveillance-
state

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |7

Though the government has mandated checks for monitoring and protection of user privacy--
it is largely absent. In effect, all Internet traffic of any user is open to interception at the
international gateway of the bigger ISP from whom the smaller ISPs buy bandwidth.

Since the government controls the LIMs, it directly sends software commands and sucks out
whatever information it needs from the Internet pipe without any intimation and information
to anyone except to those within the government who send the Internet traffic monitoring
commands. This monitoring facility is available to nine security agencies including the IB,
the RAW and the MHA. The governments’ monitoring system which is installed between the
ISPs Internet Edge Router (PE) and the core network has an ‘always live’ link to the entire
traffic which enables the LIM system to have access to 100% of all Internet activity with
broad surveillance capability based not just on IP or e-mail addresses, URL’s, HTTPs,
FHTpc, tele-net or webmail but even through a broad and blind search across all traffic in the
Internet pipe using ‘keywords’ and ‘key phrases. 12

In addition to LIM systems being installed, the Government of India runs the Central
Monitoring System or CMS which is a clandestine mass electronic surveillance program
installed by C-DoT, a government owned telecommunications technology development
center and operated by Telecom Enforcement Resource and Monitoring (TERM) cells 13 .
Rule 419B under Section 5(2) of the Indian Telegraph Act, 1885, allows for the disclosure of
“message related information” Call Data Records (CDR) to Indian authorities. Call Data
Records, otherwise known as Call Detail Records, contain metadata (data about data) that
describe a telecommunication transaction, but not the content of that transaction.

In other words, Call Data Records include data such as the phone numbers of the calling and
called parties, the duration of the call, the time and date of the call, and other such
information, while excluding the content of what was said during such calls. According
to draft Rule 419B, directions for the disclosure of Call Data Records can only be issued on a
national level through orders by the Secretary to the Government of India in the Ministry of
Home Affairs, while on the state level, orders can only be issued by the Secretary to the State
Government in charge of the Home Department.

12
Shalini Singh, Govt. violates privacy safeguards to secretly monitor Internet traffic,
http://www.thehindu.com/news/national/govt-violates-privacy-safeguards-to-secretly-monitor-internet
traffic/article5107682.ece
13
https://en.wikipedia.org/wiki/Central_Monitoring_System

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |8

Other than this draft Rule and the ‘amendment to clause 41.10 of the UAS License
Agreement’ 14 , no law exists which mandates or regulates the Central Monitoring System
(CMS). This mass surveillance system is merely regulated under Section 5(2) of the Indian
Telegraph Act, 1885, which empowers the Indian Government to intercept communications
on the occurrence of any “public emergency” or in the interest of “public safety”, when it is
deemed “necessary or expedient” to do so in the following instances:

• the interests of the sovereignty and integrity of India

• the security of the State
• friendly relations with foreign states
• public order
• for preventing incitement to the commission of an offense

However, Section 5(2) of the Indian Telegraph Act, 1885, appears to be rather broad and
vague, and fails to explicitly regulate the details of how the Central Monitoring System
(CMS) should function. As such, the CMS appears to be inadequately regulated, which raises
many questions with regards to its potential misuse and subsequent violation of Indian's right
to privacy and other human rights. 15

This program also gives security agencies and Indian Income Tax authorities centralized
access to the country’s telecommunications network and the ability to listen in and record
mobile, landline, satellite calls and voice over Internet Protocol (VoIP) and read private e-
mails, sms and mms and track the geographical location of individuals all in real time. It can
also be used to monitor posts shared on social media such as Facebook, LinkedIn and Twitter
and to track user’s search histories on Google without any oversight by the Courts or
Parliament. Tapping is a serious invasion of an individual's privacy as held in “People’s
Union of Civil Liberties ... vs Union of India and Anr” 16.

Senior Internet researchers feel that the CMS is chilling in view of its reckless and
irresponsible use of the sedition and Internet laws. They feel that it may be used to silence
critics, journalists and human rights activists. The right to privacy is guaranteed under the

14
https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment
15
https://cis-india.org/internet-governance/blog/india-central-monitoring-system-something-to-worry-about
16
AIR 1997 SC 568

Electronic copy available at: https://ssrn.com/abstract=3611622

 P age |9

Universal Declaration of Human Rights and the International Covenant on Civil and Political
Rights to which India is a state party. Article 17 of the Covenant provides that:

(i) no one shall be subjected to arbitrarily or unlawful interference neither with his
privacy, family, home or correspondence nor to unlawful attacks on his honor and
reputation;
(ii) Everyone has the right to the protection of the law against such interference or
attacks.” 17

For quite a long time in India there was no law governing cyber laws involving privacy
issues, jurisdiction issues, intellectual property rights and a number of other legal issues. To
optimize benefits of ICTs and secure confidence of user’s information society should be safe
and secured not only through cyber laws per se but also appropriate enforcement
mechanisms. In order to formulate strict statutory laws to regulate the criminal activities in
the cyber world the Indian Parliament passed the ‘’Information Technology Act, 2000” to
protect the fields of e-commerce, e-governance, e-banking as well as penalties and
punishments in the field of cyber-crimes. The Act was further amended in the form of
Information Technology Amendment Act, 2008 (ITAA-2008) 18

The Aadhaar data breach (2018)- Aadhaar, which means 'foundation', is a 12 digit unique-
identity number issued to all Indian residents based on their biometric and demographic data.
The Unique Identification Authority of India (UIDAI), a statutory body that oversees the
world's largest biometric identity card scheme, following a report in The Tribune 19 that
claimed unrestricted access to any Aadaar number for a paltry sum of Rs 500. Biometric data,
unlike the UIDAI's statement, is not the only privacy concern with this breach. The disclosure
of demographic data, such as an individual's name, date of birth, address, PIN, photo, phone
number, e-mail, etc, is not any less of a privacy concern. This data forms the basis of many
cybercrimes, be it phishing or identity theft.

Additionally, obtaining biometric data is getting simpler, such as the extraction

of fingerprints from photographs or the spoofing of iris scans. Obtaining biometric data will
be a huge target for cybercriminals, because of the potential of combining it with the troves

17
Article 17, UDHR, http://www.un.org/en/universal-declaration-human-rights/
18
http://www.cyberlawtimes.com/category/cyber-laws/
19
Rachna Khaira, Tribune News Service , Jan 4, 2018, http://www.tribuneindia.com/news/nation/rs-500-10-
minutes-and-you-have-access-to-billion-aadhaar-details/523361.html

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 10

of other information already illegally available. It is extremely dangerous, therefore, to

underestimate the value of the data disclosed in this breach, simply because it did not include
biometric data,

A data 'breach' is not defined under the Indian Information Technology Act, 2000 or the
Aadhaar Act, 2016. However, a data 'breach' is not limited to a technical breach like hacking
the security systems of the Central Identities Data Repository (CIDR), as is commonly
understood. Gaining unauthorized access to a database – in this case, possibly the CIDR – is
very much a data breach and a violation of privacy.

It is the seriousness of this act of gaining unauthorized access to the Aadhaar database, which
makes it punishable not only under Section 43 of the IT Act but also under Section 38 of the
Aadhaar Act itself.

It is a relief that the breach did not involve a large amount of data being downloaded and
stolen, as was seen in the Equifax data breach, where their grievance redressal system was
hacked. Nevertheless, each individual whose number has been entered into the system and
details extracted in this case has had his privacy violated. The potential of this breach is much
greater, with almost any Aadhaar holder's information being accessible this way.
20
American whistleblower Edward Snowden delivered a firm reproof to the Indian
government for "destroying the privacy" of its citizens and spoke out in support of the
reporter who broke the Aadhaar data breach.

Government of India has recently decided to introduce an exhaustive law on privacy, which
will soon be introduced before the parliament. This law provides for stringent punishment,
including revocation of licenses of telecom service providers, for illegally intercepting
telephone calls and making their content public. After the Supreme Court declared privacy a
fundamental right, it is left to Parliament to define what constitutes privacy under the ambit
of right to life and personal liberty.

Parliament will also have to define reasonable restrictions in the case of right to privacy as it
involves, already pointed out by intelligence agencies, the issues of national security.

20
Edward Snowden is an American computer professional who initially worked with the Central Intelligence
Agency and then the National Security Agency before being charged with leaking information about United
States Surveillance program to the media.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 11

With these restrictions, defining privacy is going to be big challenge for the parliamentarians.

You cannot define right to privacy in absolute terms. Codification of right to privacy right
will be a big problem. It will be a challenge for Parliament to accurately define what
constitutes privacy, 21

Another significant step taken by the government of India for ensuring cyber security and
controlling cyber-attacks in India is the National Cyber Security Policy 2013, unfortunately
the reactions of cyber experts over the policy in terms of privacy protection are not
encouraging. The need of incorporating stringent provision in this policy to deal with privacy
infringement effectively is expressed by the individuals concerned.

Importance of Data Protection and Privacy in India

Many developed countries have taken a lead in data protection and privacy. India has
emerged as a top choice for global outsourcing (Clutch, 2015). India has clearly benefitted
from outsourcing. In a survey conducted by Statistic Brain Research Institute (2015), 26% of
Chief Financial Officers (CFOs) favor India for their company’s outsourcing needs. The
surveyed companies have cited economic, political, and cultural incentives for choosing
India. Companies have also been impressed with India’s pro-business and entrepreneurial
climate.

India’s historical trade ties to the United Kingdom and United States also play an important
role (George and Gaut, 2006). India also possesses low-cost and highly qualified workforce
with English speaking capabilities and advance educational standards. India’s steady
democratic government, independent institutions, advances in Information Technology as
well as convenient geography which is suitable for around the clock work makes it possible
for companies to seek outsourcing to India as a preferred destination (Chandra and
Narsimhan, 2005).

However, it is important to note that the global competition for outsourcing is increasing.
Countries like Indonesia, Estonia, Singapore, Indonesia, Bulgaria, Philippines etc. are giving
a tough competition to India. Moreover, countries in Europe and United States consider
privacy a fundamental right. So, it is a need of the hour that India should toughen its data

21
Prabhash K Dutta, August 24 2017, http://indiatoday.intoday.in/story/right-to-privacy-fundamental-right-
parliament/1/1032794.html

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 12

protection and privacy laws. It is also important that India should encourage the companies to
self-regulate. India needs to address the loopholes in its data protection and privacy laws to
address the concerns of American and European companies about their data protection and
privacy. India needs to assure its outsourcing clients that cost-effectiveness of outsourcing
would not be diluted by the additional costs of handling customer data privacy apprehensions,
in case of a breach.

Law Enforcement in USA

In order for law enforcement officials to gain access to subscriber transactional records,
authorities usually must obtain a court order demonstrating that the records are relevant to an
ongoing criminal investigation. Some of the legislation used by US authorities for the
enforcement which impact on privacy over the cyberspace area as follows;

(a) Fair Credit Reporting Act, 1970 22 (FCRA)- This Act places limits on the use of
consumer reports, that is, “information by consumer reporting agency bearing on a
consumer’s credit worthiness, credit standing, credit capacity, character, general reputation,
personal characteristics or mode of living” where the information is for, among other things,
credit , insurance, or employment purposes. Businesses creating, distributing or using
consumer reports must comply with FCRA.

(b) Electronic Communications Privacy Act, 1986 23 (ECPA)- The ECPA has been used ,
with varying success, in a number of internet related cases. The law became effective many
years before the rise of the internet as a popular communications medium, but it is probably
the one preexisting law that has the greatest applicability to online privacy today. In general,
the ECPA governs the interception of “wire, oral or electronic communications.” Although
ECPA does not refer to the internet, a number of lawyers believe the Act’s reference to
‘electronic communications’ applies to certain online activities. The ECPA defines
‘electronic communications’ as “any transfer of signs, signals, writing, sounds, data or
intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic,
photo electronic or photo optical system that affects interstate or foreign commerce”.

22
The Fair Credit Reporting Act (FCRA) is an American federal law (codified at 15 U.S.C. § 1681
et seq.) that regulates the collection, dissemination, and use of consumer credit information. It, along
with the Fair Debt Collection Practices Act (FDCPA), forms the base of consumer credit rights in the
United States.

23
The Electronic Communications Privacy Act of 1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100
Stat. 1848, 18 U.S.C. § 2510) was enacted by the U.S. Congress to extend government restrictions on
wire taps from telephone calls to include transmissions of electronic data by computer

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 13

(c) Health Insurance Portability and Accountability Act, 1996 (HIPPA) – Along with
financial information, health care information is probably the most strongly protected and
personal data that exists. Therefore, it’s no surprise that the US Congress has passed laws that
specifically protect certain health related information, HIPPA in 1996. As per the provisions
of the Act, health providers are required to give clear written explanations of their privacy
practices; the Act limits the disclosure of health information for non-health related purposes;
compels the appointment of privacy officer; and sets civil and criminal penalties for violating
privacy604.

(d) Gramm-Leach-Bliley, 1999 (GLB)- This law limits the instances in which financial
institutions may disclose nonpublic personal information about a consumer to nonaffiliated
third parties and requires then to disclose privacy policies to all of its customers.

(e) Cybersecurity Information Sharing Act (CISA) - Its objective is to improve

cybersecurity in the United States through enhanced sharing of information about
cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic
information between the U.S. government and technology and manufacturing companies. The
bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate October 27,
2015

(f) Cybersecurity Enhancement Act of 2014: It was signed into law December 18, 2014. It
provides an ongoing, voluntary public-private partnership to improve cybersecurity and
strengthen cybersecurity research and development, workforce development and education
and public awareness and preparedness.

(g) Federal Exchange Data Breach Notification Act of 2015: This bill requires a health
insurance exchange to notify each individual whose personal information is known to have
been acquired or accessed as a result of a breach of security of any system maintained by the
exchange as soon as possible but not later than 60 days after discovery of the breach.

(h) National Cybersecurity Protection Advancement Act of 2015: This law amends the
Homeland Security Act of 2002 to allow the Department of Homeland Security's (DHS's)
national cyber security and communications integration center (NCCIC) to include tribal
governments, information sharing, and analysis centers, and private entities among its non-
federal representatives.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 14

The Lack of Privacy in Cyberspace

In cyberspace, as in today's real world, there seems to be confusion in regard to what privacy
is and what it is not. One scholar, Ruth Granson highlights recent efforts to fully comprehend
privacy: "the concept of privacy is a central one in most discussions of modern Western life,
yet only recently have there been serious efforts to analyze just what is meant by privacy."
Over the years, the conception of the nature and extent of privacy has been severely bent out
of shape. The definitions and concepts of privacy are as varied as those in the legal and
academic circles who explore privacy.

Another scholar, Judith DeCew, examines the diversity of privacy conceptions: "the idea of
privacy which is employed by various legal scholars is not always the same. Privacy may
refer to the separation of spheres of activity, limits on governmental authority, forbidden
knowledge and experience, limited access, and ideas of group membership consequently
privacy is commonly taken to incorporate different clusters of interest." 24

At one time, privacy implied that individuals could be secluded, but that has radically
changed. Logistical barriers created by geography once protected a person. This too, though,
has radically changed. The geographical wall of protection, which incidentally was not
created by our legal system, has been removed by the development of the Internet, and more
recently, by the World Wide Web. The loss of these once formidable barriers has not been
accounted for in the scholarship available today25.

For today, "effective protection of personal data and privacy is developing into an essential
precondition for social acceptance of the new digital networks and services." Privacy can no
longer be assumed, even in the security of one's own home. Instead, privacy is a condition
that is much easier to violate, and thus, is much more difficult to establish and protect.

The way in which we continue to view privacy has not significantly changed across time, and
in some cases, change has been actively resisted. Yet somehow, privacy has evolved from a
small single function business into a complex conglomerate. A basic paradigm shift in the
way we conceptualize privacy is in order. For at this instance, "privacy" should be viewed as

24
Robert A. Reilly, Conceptual Foundations of Privacy: Looking Backward Before Stepping
Forward, 6 RICH. J.L. & TECH. 6 (Fall 1999) , available at
http://www.richmond.edu/jolt/v6i2/article1.html.
25
ibid

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 15

a foundational concept in the same manner that life, liberty, and the pursuit of happiness are
foundational concepts in our society. In order to begin to accomplish this paradigm shift, it is
first necessary to revisit the cultural evolution of "privacy" so that we can fully analyze the
ramifications and impact of emerging technologies 26.

Conclusion

India has made the progress in data protection and privacy by putting in place various legal
and policy measures. The main findings from this research regarding data protection and
privacy in India are:

• Privacy and property rights conferred under the Indian legal-policy framework
provides a certain amount of data protection and privacy.
• There are multitude of laws in India which protects certain aspects of data protection
and privacy. These laws include the Constitution of India; Information Technology
Act, 2000; Indian Contract Act, 1872; Copyright Act, 1957; and Indian Penal Code,
1860.
• India has also developed privacy rules for business entities to manage personal data.
• There is not a single comprehensive legal-policy framework in India to address data
protection and privacy.
• The penalties prescribed under the existing Indian laws are not enough to deter the
cyber-criminals.
• The existing Indian laws mostly applies to state and state owned enterprises.
• The existing Indian law does not address finer details of data protection and privacy.
For example, lack of distinction between data protection and database protection
under Copyright Act, 1957.

The importance of right to privacy for the maintenance of dignity of an individual is beyond
explanation. The legislative measures are adopted in India in this regard though seem to be
enough on paper but when it comes to implementation, lack of awareness amongst the users,
the internet habits of the users in India and lack of expertise amongst the enforcement
agencies are presenting serious challenges ahead.

26
Cronin P Kevin & Weikers N Ronald, Data Security and Privacy Law: Combating Cyberthreats,
Thomson-West, New York, 2004 at 1-49

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 16

India needs to work more for enduring an effective and concrete legislation for data
protection. However, while creating the laws, the legislature has to be well aware for
maintaining a balance between the interests of the common people along with amicably
handling the increasing rate of cybercrimes. Technological advancements such as micro
cameras and video surveillance has had a profound effect on personal privacy.

Everyone, be it an individual or an organization has a right to protect and preserve their

personal, sensitive and commercial data and information. India at the moment needs a
dedicated law protecting the data and personal privacy of an individual. A national privacy
policy is still missing in India. The laws should be made keeping both genders in mind rather
than protecting only female rights because in the cyber space both males and females are
equal victims. A gender neutral law is as crucial as a technological neutral legislation.

Protecting the privacy rights of individuals requires a re-conceptualization on both personal

as well as professional grounds keeping in mind human privacy in the context of Information
and Communication Technologies. For privacy intactness, proper training and awareness,
monitoring and auditing, and incident response is required Expression through speech is one
of the basic need provided by civil society.

Variance in the scope of freedom of expression, combined with more online communication,
has produced concerns about censorship in cyberspace. Freedom of opinion and expression
should be free from any kind of political, commercial or any other influences. It should be
applied in non-discriminatory and non-arbitrary manner, also, should be supported by
applying safeguards against any kind of abuse, hate speeches, religion biasing etc.

References
• Anderson, K. B., Durbin, E., & Salinger, M. A. (2008). Identity theft. The Journal of
Economic Perspec-tives, 22(2), 171–192.
• Armstrong, M., & Zhou, J. (2010). Conditioning prices on search behaviour (ELSE
Working Paper No. 351). London, UK: ESRC Centre for Economic Learning and
Social Evolution. Retrieved from http://eprints.ucl.ac.uk/19447/
• Awad, N. F., & Krishnan, M. S. (2006). The personalization privacy paradox: An
empirical evaluation of information transparency and the willingness to be profiled
online for personalization. MIS Quarterly, 30(1), 13–28.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 17

• Brandom, R. (2014, November 24). Hackers shut down Sony Pictures’ computers and
are blackmailing the studio. Retrieved March 5, 2015, from
http://www.theverge.com/2014/11/24/7277451/sony-pictures-paralyzed-by-massive-
security-compromise
• Brustein, J. (2015, March 24). RadioShack’s bankruptcy could give your customer
data to the highest bid-der. Retrieved April 24, 2015, from
http://www.bloomberg.com/news/articles/2015-03-24/radioshack-s-bankruptcy-could-
give-your-customer-data-to-the-highest-bidder
• Bryant, K., & Campbell, J. (2006). User behaviours associated with password security
and management. Australasian Journal of Information Systems, 14(1), 81–100.
• Burdon, M., Lane, B., & Von Nessen, P. (2012). Data breach notification law in the
EU and Australia–Where to now? Computer Law & Security Review, 28(3), 296–307.
• Conger, S., Pratt, J. H., & Loch, K. D. (2013). Personal information privacy and
emerging technologies. Information Systems Journal, 23(5), 401–417.
• Culnan, M. J., & Armstrong, P. K. (1999). Information privacy concerns, procedural
fairness, and imper-sonal trust: An empirical investigation. Organization Science,
10(1), 104–115.
• de Hert, P., & Papakonstantinou, V. (2016). The new General Data Protection
Regulation: Still a sound system for the protection of individuals? Computer Law &
Security Review, 32(2), 179–194.
• Johnson, K., Swartz, J., & della Cava, M. (2016, March 29). FBI hacks into terrorist’s
iPhone without Ap-ple. USA Today. Retrieved from
http://www.usatoday.com/story/news/nation/2016/03/28/apple-justice-department-
farook/82354040/
• King, N. J., & Raja, V. T. (2012). Protecting the privacy and security of sensitive
customer data in the cloud. Computer Law & Security Review, 28(3), 308–319.
http://doi.org/10.1016/j.clsr.2012.03.003
• Kosinski, M., Stillwell, D., & Graepel, T. (2013). Private traits and attributes are
predictable from digital records of human behavior. Proceedings of the National
Academy of Sciences, 110(15), 5802–5805.
• Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet users’ information privacy
concerns (IUIPC): The construct, the scale, and a causal model. Information Systems
Research, 15(4), 336–355.

Electronic copy available at: https://ssrn.com/abstract=3611622

 P a g e | 18

• Manworren, N., Letwat, J., & Daily, O. (2016). Why you should care about the Target
data breach. Busi-ness Horizons, 59(3), 257–266.
• Peters, R. M. (2014). So you’ve been notified, now what: The problem with current
data-breach notifica-tion laws. Arizona Law Review, 56, 1171–1202.
• Ponemon Institute. (2015). 2015 cost of cybercrime study: Global (Research Report).
Traverse City, MI: Ponemon Institute.
• Rubinstein, I. S. (2013). Big data: The end of privacy or a new beginning?
International Data Privacy Law. Retrieved from
http://idpl.oxfordjournals.org/content/early/2013/01/24/idpl.ips036.abstract
• Satariano, A., & Strohm, C. (2014, September 2). Apple says iCloud not breached for
hacked actors’ pho-tos. Retrieved March 26, 2015, from
http://www.bloomberg.com/news/articles/2014-09-02/apple-says-icloud-not-
breached-for-hacked-actors-photos
• Schreft, S. L. (2007). Risks of identity theft: Can the market protect the payment
system? Economic Re-view-Federal Reserve Bank of Kansas City, 92(4), 5.
• Trepte, S., & Reinecke, L. (Eds.). (2011). Privacy online: Perspectives on privacy and
self-disclosure in the social web. Berlin, Germany: Springer Science+Business Media.
• Tsai, J. Y., Egelman, S., Cranor, L., & Acquisti, A. (2011). The effect of online
privacy information on purchasing behavior: An experimental study. Information
Systems Research, 22(2), 254–268.
• Verizon. (2016b). Data breach digest (Research Report). New York, NY: Verizon.
• Warren, S. D., & Brandeis, L. D. (1890). The right to privacy. Harvard Law Review,
4(5), 193–220.
• Webster, J., & Watson, R. T. (2002). Analyzing the past to prepare for the future:
Writing a literature re-view. MIS Quarterly, 26(2), 3.

Electronic copy available at: https://ssrn.com/abstract=3611622