Data Privacy & Encryption: India vis-à-vis Europe & The U.S
- Nikhil Naren[1]
-Priyanshu Kothari[2]
Abstract
The data privacy consists of three factors, first, secrecy, a person’s right to control access to the processed information on Internet platform to a selective group of audience. Secondly, anonymity, even when the content is open it should not reveal the information regarding publisher and the information regarding the receiver of the information. Finally, autonomy, is the ability to decide freely without any threat or privacy concerns.
A person’s privacy on a digital platform or the privacy of information stored digitally is known as data privacy. The digital era has flourished after the year 2000, giving the internet based services a good push and growth, ultimately resulting in the growth of outsourcing of data processing, business process, call center services, and allied industries globally. India has remained one of the prime destinations for the abovementioned activities and there were no laws serving the purpose.
Due to lack of related laws, India could not match the international standards, which require strict data protection policy before data is transferred. For instance, EU data protection directive makes all data transfers illegal unless, the recipient country ensures an adequate level of prescribed protection. Because of the pressure from domestic and international IT industries, an amendment was made to Information Technology Act, by adding sections 43A and 72A.
Unlike the European Union , India does not have any separate law which is designed exclusively for the data privacy. However, the courts on numeral instances have interpreted "data privacy" within the ambits of "Right to Privacy" as implicit in Article 19 and 21 of the Constitution of India. Apart from this, the laws which are presently dealing with the subject of data privacy are "The Indian Contracts Act" and "The Information Technology Act".
This paper will deal with the Privacy Concerns in accordance with the laws prevalent in India as well as the shortcomings with respect to laws that are prevalent in The United States and The European Union focusing on the following aspects:
· Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
· International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles
· The EU-US Privacy Shield
Keywords: Data Privacy, Data Protection, Encryption, Safe Harbour Privacy Principles, EU-US Privacy Shield, Right to Privacy.
INTRODUCTION:
The treats of the online world come at a cost of privacy. Today, any service provider can easily track down the sites people visit in the internet, for example, the way in which, a person in charge of his employees can track any employees’ emails for keeping a track of almost every activity he is involved in. The technology in recent times has grown to such an extent that any person can virtually gain access to every mouse click of any individual. Before addressing these concerns, an important question, which needs to be addressed, is, are individuals entitled to have a right to privacy of information, which needs to be protected?
For answering this question we need to understand what the nature of the right to privacy is, what is its scope, and then to find out that how this right is recognized in the online world in the form of data protection laws. The Constitution of India, specifically doesn’t guarantee the right of privacy, but, over the years through various judgments and pronouncements of the courts, through interpretations of various rights, the right to privacy came into existence, mainly understood as a part of the Right to life and personal liberty[3].
Right to privacy was recognized to be a right in Kharak Singh v. The State of U.P[4], wherein, the minority judges stretched the right to personal liberty as well as freedom of movement to include right to privacy. Further in Govind v. State of M.P.[5], the honorable Supreme Court of India decided and interpreted the right to privacy as a fundamental right, which was derived out of the right to Freedom of Speech and movement and the right to Life and Personal Liberty.
The data privacy consists of three factors, first, secrecy, a person’s right to control access to the processed information on an Internet platform, so that it is available only to a selected group of people. Secondly, anonymity, even when the available data is an open content, it should not reveal the information regarding publisher and the information regarding the receiver of the information. Finally, autonomy is the ability to decide freely, by one’s own free will, without any fear or concerns regarding one’s privacy.
REGULATIONS OF DATA PROTECTION IN THE US AND EU:
The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 for preventing private enterprises and organizations in the European Union and the United States which accumulate and store customer data and were quite prone to accidentally disclosing or losing personal and sensitive customer information. They were overturned on October 6, 2015 by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and the Swiss citizens. US companies storing customer data were able to self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce created privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.[6]
In 1980, the Organization for Economic Co-operation and Development(OECD) issued recommendations for protection of personal data in the form of seven principles. These were non-binding till 1995, and in 1995, the European Union (EU) enacted a more binding form of legislation, to protect personal data privacy in the form of the Data Protection Directive. On 6 October 2015, the European Court of Justice declared the EC's Safe Harbour Decision to be invalid, because legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications was regarded as “compromising the essence of the fundamental right to respect for private life."[7]
The EU-US Privacy Shield is a framework for trans-Atlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU-US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.
These regulations and norms followed by the EU and the US are said to be a standard which must be followed by each and every nation as they are at par with the current technological advancements and developments.
DATA PROTECTION REGULATIONS IN INDIA AND THEIR RAMIFICATIONS:
The term which is more descriptive, when intrusion on someone’s privacy on online platform is concerned is data privacy. Due to lack of legislation, India was not able to assert its capability, as the international standards set by major organizations and nations prescribe the data protection policy to be strict[8] before transferring any data. For instance, European Union Data Protection Directive declares all data transfers to be illegal if the recipient country does not ensure an ‘adequate level of protection.' This was the main cause of the pressure which was faced by government from various IT industries, both, domestic as well as international. Thus the Information Technology Act, 2000 was passed. In the year, 2008, the Information Technology Act was amended by adding S43A[9] and 72A[10]. The data protection concept has taken an important place in today’s world. Slowly, all the nations are recognizing the Data protection concepts to be important and implementing rules, and laws regulating the usage and misuse of sensitive and personal information.[11] The data protection concepts and data privacy are more or less connected with an individual’s right to privacy.
Unlike the United States and the European Union, India hasn’t got any separate legal framework that is designated especially for the prevention and protection of data privacy. But, the various courts on various instances have interpreted "data protection" under the umbrella of one’s "Right to Privacy" which arises from Article 19 and Article 21 of the Indian Constitution. Apart from this, the laws which currently deal in the topic of protection of data are, ‘The Indian Contract Act, 1872’ and ‘The Information Technology Act, 2000’. Section 43 A of the Information technology Act explicitly states that:
"Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected"
Furthermore, Section 72A[12] states that:
"Punishment for disclosure of information in breach of lawful contract. -Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both."
The Indian Contract Act, 1872 is used in today’s times, as majority of the companies rely upon the law of contracts as a necessary tool for protection of their data. Almost all the companies and business firms enter into contracts with their clients and various other parties, including other companies, for protection of their data in the maximum possible ways. Many Contractual agreements which include the likes of non-disclosure, and non circumvention agreements, ‘referral partner’ agreements, agreements of user license, etc. which they enter into. These, specifically contain the clauses of privacy and confidentiality and also the clauses of arbitration and alternate dispute redressal, as they target on speedier resolution of any dispute if it arises. Such contractual agreements provide an aid, or help them in smooth running of their business.
It is important to notice, that the ‘data protection’ and the ‘Information Technology Act’ have their own implication with each other. The objective of the act talks of protecting and recognizing electronic commerce, electronic transactions and preventing computer based crimes. The said Act[13] includes the provisions for preventing the unlawful use of computers, computer systems and data stored within these computers or computer systems. We can find various provisions which have been inserted in the act, and are particularly related to the protection of data. The sections 43A and 72A of the Information Technology Act clearly speak about data protection.
It can be seen that the above mentioned sections don’t deal with data security directly. Before, 2011, the condition of the data protection laws was very ambiguous and vague, as we were not equipped with any law or legal framework which directly and explicitly dealt with issue of data protection. Though, the 2008 Amendment Act was passed, and represents a major step towards combating the increasing numbers of cyber crimes of the current times. The changes which were introduced in the laws relating to data protection in India, finally fulfilled the demands of the global standards as set by countries and organizations such as the US and European Union over the past decade. Therefore, data protection has been given the same status, as a right.
In 2011, post European Union enactment of stringent and strict laws for data protection, the Indian Government also felt the need for the same in our country and formed a new set of rules known as the "Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011" came into existence. These rules have governing provisions for three categories of entities- Body Incorporates, Information Providers (Data Subjects) and the Government. The key features of the Rules are as follows-
· Rule 3: Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to—
(i) password;
(ii) financial information such as Bank account or credit card or debit card or
other payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for
providing service; and
(viii) any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise.[14]
· Rule 4 states that, “Body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for—
(i) Clear and easily accessible statements of its practices and policies;
(ii) type of personal or sensitive personal data or information collected under rule 3”[15]
· “Rule 5 states various provisions which govern the collection of information by the Body Corporate. The main clauses are as follows
i) Body Corporate shall not collect sensitive personal data without obtaining consent in writing or by fax or e-mail form the provider regarding the purpose for which the data is being collected.
ii) Any personal information or sensitive data shall not be collected unless and until it is for a lawful purpose and the collection is necessary for the fulfillment of that particular purpose.
iii) The provider shall be made aware of the facts as to the information collected, its purpose, its recipients and the agencies that are collecting and retaining the information.
iv) The information collected shall be used only for the purpose for which it is collected and shall not be retained for a period longer than which is required.
v) However, the Body Incorporate shall not be responsible for the authenticity and reliability of any personal data or sensitive information.
vi) The provider shall be given an option to opt out of providing such information along with an option to withdraw his consent to the collection at any later stage as well.
vii) The Body Corporate shall keep the data secured and it shall designate a grievance redressing body for any discrepancies arising in future.”[16]
· Rule 6 requires that the Body Corporate shall seek the consent of the concerned provider before disclosing the sensitive data to a third party, unless such disclosure was agreed by the parties through any contract. However, such information can be shared without any prior consent with government agencies mandated under law or any other third party by an order under the law, who shall be under a duty not to disclose it further.[17]
· Rule 8 clarifies that a body corporate shall be considered to have complied with reasonable security practices if they have implemented and documented the standards of these security practices. Rule 8 (2) mentions the name of one such ISO security standard for data protection. However, any person or agency that are following any code of best practice other than that mentioned in rule 8(2) shall get their code duly approved by the Central Government. Body Corporate and agencies who have implemented either ISO standards or any other standard duly approved by the central government shall be considered to have implemented security measures provided that such codes have been audited on a yearly basis by independent auditors approved by the government.[18]
The main tool used by any government to ensure data protection and its privacy, is through setting encryption norms. Encrypting the Data has been one of the most useful means to protect privacy. Data encryption changes the form of the data, into a code, so that it is accessible only ,to the people who have an access to a secret key, which is, formally also known a decryption key or a password. Data in an encrypted form is commonly known as cipher text, and data which is not encrypted, is called plaintext. At present, encryption is one of the most widely used, popular and an effective method for securing data, which is used by most of the organizations, government bodies and corporate houses. Mainly two types of data encryption exist, which are - asymmetric encryption, which is also called public-key encryption, and symmetric encryption.[19]
Unlike the global trends, we don’t have any dedicated law on encryption in India. Although, numerous sectorial norms and regulations, which include regulations in the finance, telecommunications and banking industries, which specify various aspects such as the minimum encryption standard, which is to be used for Securing transactions. Section 84A of the Information Technology Act, 2000, empowers the Central Government to prescribe the encryption standards and the modes and methods of securing electronic communications, and to promote the development and growth of e governance & e commerce. The problem regarding data security arises from this regulation, as the encryption regulation is completely under government’s control. And, because of this, if the encryption is beyond the prescribed level, the concerned authority needs to take permission from the government regarding the encryption and submit the encryption keys to the relevant government authority[20]. Due to this norm, the situation gets complicated.
Furthermore, due to various government bodies prescribing different levels of encryption and these are applicable to different types of organizations and businesses which fall under such laws, which make it a complicated and a risky job for companies and organizations of various types to conduct their regular operations. There are various encryption norms prescribed by various laws and regulations. For instance, the Securities and Exchange Board of India (SEBI), has issued a mandate for use of encryption technology for security reasons. But it allows for 64 bit/ 128 bit encryption as a standard for network security[21]. The Reserve Bank of India, in its guidelines provides for 128 bit SSL encryption[22]. 128 bit encryption in today’s world of technology where everything is dependent on software and hardware is very outdated. The international organizations use a higher level of encryption, due to which they face problems in India while conducting their operations. For example, Blackberry mobile, a subsidiary of the RIM, was at loggerheads with the government of India for not allowing its data to flow at 256 Advanced Encryption Standards (AES), as regulations required all service providers to accept weaker encryption of up to 40 Bit[23].
Similar situation was faced by online messaging giant WhatsApp, when some organizations filed a petition with the Supreme Court of India, against the strong encryption which the application uses for its operation in business. On 29th June, 2016, The Supreme Court of India refused to entertain a petition. The said petition stated that if such stringent standards of encryption are employed, they may render a threat to the national security as it would not be possible for various law enforcement bodies and agencies to dig out communications which take place among parties, who could be potential terrorists or criminals, that may pose a great threat for the national security of the country. WhatsApp, which is an online messaging application, popular among most of the people, enabled a default 256 bit end to end encryption, quite recently in April, 2016. This act of Whatsapp was surrounded by a lots of talks about its legal position on encryption under the present Indian legal framework.
These international corporations use such high end encryption for security reasons, as the encryption allowed under various Indian laws are Stone Age in terms of current technology. The encryption limits, as prescribed by the numerous laws or guidelines in India are very easy to crack into, through unauthorized means. This makes the protection of personal or sensitive data very tough.
Moreover, the main regulation or law used in our country to prevent data security breach, the Information Technology Act, 2000, further complicates the issue, as the act was never meant for governing data security. It was made for regulating e commerce business and electronic transactions as mentioned in the preamble of the said act[24]. This act which was basically designed to regulate e commerce and was broadened in scope to cover the whole gambit of technology related crimes which included both, cyber-crimes as well as e commerce. This has led to basic problems, though we have had several amendments to the legislation, we were never able to cover the problems. One of these issues being the encryption issues, which arose due to the inadequate regulations within this act.
ANALYSIS:
To address the above mentioned problems government should take necessary steps, as it is high time we adopt a new law related to data protection and cyber security issues, since the laws in terms of technology have almost become obsolete, which threatens our data protection systems. This affects our economy, as global investors are reluctant to invest in our country due to security reasons, it effects our position on global scale in terms of ease of doing business, these problems make it difficult to for us to protect our right to privacy against various online threats, such as hacking, cracking, and malwares, as everything, today is processed through computers and internet. These problems are the root cause for our slow pace of development towards e governance. People in our country have no faith on electronic transactions[25] due to the problems arising out of these issues, which in turn proves to be very bad for our economy as the money, so earned by people is not spent directly through banking systems and becomes tough to trace when people stash money with themselves. This ultimately gives push and encouragement to corruption and hoarding of black money. On a micro level also, the scenario is very problematic, as the security systems established through these age old norms of encryption are not sufficient enough to keep a check on modern day cyber criminals. Today, when each and every information of ours is connected to our Adhaar numbers, which store our personal and highly sensitive data, such as finger prints, retina patterns, photograph, and other identification attributes. These can be misused by anyone if fall in wrong hands, while the increasing risk of cyber terrorism knocks our doors. It has become common to hear that government websites get hacked on a regular basis. How can we proceed towards a technologically advanced form of governance when even government websites are not safe?
Some big reforms are required for countering the problems arising out of the inappropriate laws. First, a new law must be framed and enacted to make sure that all regulations related to data protection and privacy come under one umbrella. Secondly, if our security forces are not competent enough to crack into any level of encryption, they need to be updated about these technicalities, as they may require the knowhow about these technologies in this technologically advanced world. Thirdly, the penalty for breaching data security must be stringent and should be included under the gambit of criminal penalizing. Fourthly, research and development must be conducted and resources must be allocated for such research on this issue. As we move towards e governance, and electronic monetary transactions, we need to be careful regarding data security as it should be an issue of utmost importance. This is an issue which needs to be addressed as soon as possible. When compared to the EU and the US data protection norms, our regulations seem to be of Stone Age governance in terms of technology. The regulations followed by EU and US are said to be at par with the global standards, in fact they set the world standard. We need to work more on our regulations to make it up to the mark with world standards. This would make our data security and data protection very strong.
CONCLUSION:
In the beginning there were no laws regulating the e-commerce transactions and data protection in our country. Then in the year 2000, the Information Technology Act was enacted to regulate and protect e-commerce transactions. This law fell short of the latest requirements of the time. So, subsequently two amendments were made to the act to add some teeth to the regulation so provided by the law. Though, these regulations made the law more stringent, but still the data security is facing a lot of troubles due to various encryption norms, that are outdated in terms of technological requirements of current times. These regulations affect our economy and personal life and keep our personal and sensitive information in a threatening situation.
This situation needs to be controlled. A new law must be enacted for a better protection of data to take place, for a better business environment to be created, and cybercrimes and terrorism to be controlled. The security officials, for the protection of cyber laws and data must be trained and equipped to combat any form of problem, even if the encryption based security is of military grade. People need to be educated about what is wrong and what is right, to be done in cyberspace as many data security breach is made by people.
Though, India is still lagging much behind the Global Standards as set by the United States or The European Union. Thus, we need to make stronger and stricter laws which will definitely help us to prosper as an economy, and protect the citizen’s rights as a great nation, based on the roots of democracy and republic form of government, which guarantees its citizens, protection of their rights under constitutional mandate.
………………………………………….******……………………………………………
[1] Author, 4th Year Learner, Symbiosis Law School, NOIDA.
[2] Co-Author, 3rd year Learner, Symbiosis Law School, NOIDA.
[3] Indian Const. art..XXI.
[4] (1963) A.I.R 1295 (India).
[5] (1975) A.I.R 1378 (India).
[6] Court of Justice of The European Union, International Safe Harbor Privacy Principles ( May 11, 2017 4:30 PM), https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
[7] Id.
[8] Directive 95/46/EC of The European Parliament and of The Council, 24 October (1995).
[9]Information Technology Act, (2000).
[10] Id.
[11] Information Technology Act, § 2(o) (2008) provides "Data" means ‘a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, and punched tapes) or stored internally in the memory of the computer”.
[12] Supra note 7.
[13] Information and Technology (Amendment) Act, (2008).
[14] Ministry of Communications and Information Technology, General Statutory Rules 313(E), (June 10, 2017, 7:00 PM), https://meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.
[15] Id.
[16]Pandey Vaibhavi, Data Protection Laws in India: The Road Ahead, (August 18, 2017, 7:55 PM) https://www.mondaq.com/india/x/408602/data+protection/DATA+PROTECTION+LAWS+IN+INDIA+THE+ROAD+AHEAD.
[17] Id.
[18] Id.
[19] Nate Lord, What is Data Encryption, (May 11, 2017, 1:30 PM), https://digitalguardian.com/blog/what-data-encryption.
[20] Clause 1.10.1, schedule C, security consideration, License Agreement for Provision of Internet Service (including internet telephony), Government of India, Ministry of Communications and Information Technology, Department of Telecommunications, Telecom Commission.
[21]The Securities and Exchange Board of India guidelines on Internet Based Trading Services.
[22] Internet Banking in India Guidelines, Reserve Bank of India, June 14 (2001).
[23] Supra note 18.
[24]Supra note 7.
[25]D Sampath Kumar, In cash, not plastic, we trust, ( July 25, 2017, 3:30 PM), https://www.thehindubusinessline.com/opinion/columns/d-sampath-kumar/in-cash-not-plastic-we-trust/article7364108.ece.