3. Agenda
Concept of Privacy
Right to Privacy in India
Industry Initiative
International initiatives - Right to Privacy
Privacy Rights in U.K., U.S.
Threat to Privacy
The Future
Privacy & Social Network
The Digital Portrait
Concept of Digital Breadcrumbs
Social Media Users
Social Network Data mining & Commerce
Encroachment to Privacy : a classic case
Privacy & Terms of Use and Agreement
Legal Position in India
Duty of Body Corporate to Frame Privacy Policy
Reasonable Security Practices
Liability on Violation of Provisions
Criminal Liability for Disclosure of Information by any Person of
Information Obtained under Contract
Conclusion
Dr. Tabrez Ahmad
http://technolexindia.blogspot.in 3
4. The Concept of privacy
Often confused with trade secrets and confidentiality, privacy
refers to the use and disclosure of personal information
and is only applicable to information specific to
individuals.
Since personal information is a manifestation of an
individual personality, the Indian courts including the
Supreme Court of India, have recognised that the right to
privacy is an integral part of the right to life and personal
liberty, which is a fundamental right guaranteed to every
individual under the Constitution of India.
As such, the right to privacy has been given paramount
importance by the Indian judiciary and can only be fettered
for compelling reasons such as security of the state
and public interest.
5. Right to Privacy-origin-Right to private property
Louis Brandeis and Samuel Warren in 1890 proposed a new tort
for violation of privacy rights, followed by Roe v. Wade and Griswold
v. Connecticut
Right of privacy vis-à-vis government, personal, workplace and digital contexts
The right extends over collection, retention, use and disclosure
of personal information.
Internet privacy to facilitate e-commerce
Right to privacy connected with the freedom of speech and
expression
Right to privacy is not absolute
6. Unreasonable intrusion upon a person’s seclusion
Public disclosure of private facts
Publicity that places a person in false light
Appropriation of a person's name or likeness
7. Right to Privacy in India: Legal Position
Article 21 of the Constitution of India (right to life and
personal liberty) by necessary implication confers a right to
privacy:
Kharak Singh v. State of U.P., AIR 1963 SC 1295
Gobind v. State of M.P., 1975 SCC 468
PUCL v. UOI, (1997) 1 SCC 318
R. Rajagopal v. State of Tamil Nadu, (1994) 6 SC 632
(Auto Shankar case)
Article 19: freedom of speech and expression
Article 19(2): reasonable restrictions
Indian Penal Code
Copyright Law
Credit Information Companies (Regulation) Act, 2005 (“CICRA”)
One of the restrictions/conditions is national security
Privacy vs. national security: balancing competing interests
8. India and privacy / national security protection
India: Article 21 of the Constitution of India
Common law: an action for damages for unlawful invasion of
privacy exists, with two exceptions: publication relating to public
records, and discharge of official duties by a public servant
India: IT Act, 2000, cryptography provisions; Section 69,
power to intercept; Section 72, breach of confidentiality
and privacy; Section 80, power to search and seize; Section 44,
failure to furnish information, etc.
India: tort of defamation, Section 499 I.P.C.
The Right to Information Act, 2005: national security and
individual privacy concerns, see Section 8
Prevention of Terrorism Act, 2002, Chapter V: interception of
e-mail communications
9. Industry Initiative:
The National Association of Service & Software Companies
(“NASSCOM”) is India's national information technology trade
group and has been the driving force behind many private sector
efforts to improve data security.
For example, NASSCOM has created a National Skills Registry
which is a centralized database of employees of the IT services
and BPO companies.
This database is for verification (with independent background
checks) of the human resources within the industry.
Further, a self-regulatory organisation has been launched which
will establish, monitor and enforce privacy and data protection
standards for India’s business process outsourcing (“BPO”)
industry.
The organisation has already completed its initial round of
funding and the final rollout phase including industry
membership is underway.
10. Additionally, many BPO service providers in India have engaged in voluntary self-
regulation and adopted stringent security measures to reduce the risks of misuse of
non-public personal data.
To reduce the risks of misuse of non-public personal data, the BPO companies in
India have adopted one or more of the following stringent security measures:
Posting of armed guards outside office premises.
Restricting entry by requiring microchip-embedded swipe cards.
Prohibiting bags and briefcases in the work area.
Making provisions that computers in workstations have no printers or devices for removable
storage.
Banning or restricting agents or visitors from carrying mobile phones to the production
floor.
Forbidding phone calls to and from either family or friends in employee workstations.
Disallowing image capturing devices like cell phones, scanners or photocopiers.
Restricting or prohibiting internet and e-mail access at workstations and inside most BPO
companies.
Encryption of key information, such as passwords, so that it remains unseen by employees.
Monitoring employees via closed-circuit television.
The aforesaid protections to tighten security are an attempt by the Indian industry to ease
customer concerns over theft of private information.
11. International initiatives
Universal Declaration of Human Rights, 1948: Article 12 recognises
the right of privacy
Article 17 of the International Covenant on Civil and Political
Rights, 1996: right to privacy
Article 8 of the European Convention on Human Rights: right to
privacy
The Council of Europe Convention on human rights in securing privacy
protection in the context of information technology came into force in
1985; 20 states have now ratified the convention
It lays down basic principles for data protection and trans-border flow of
information, and establishes a consultation committee and a procedure for
future amendment of the convention
The European Union Data Protection Directive, 1998, reaffirms the principles
introduced in the EU Convention
12. OECD Guidelines, 1980, on the protection of privacy and
trans-border flow of personal information
Collection of personal data with consent
Relevance of data to the subject under investigation
Specify the purpose of collection
No further use except with consent and for legal use
Safeguards to prevent leakage
High accountability of persons collecting information
A person’s right of access and rectification
Collection limitation
13. PERSONAL DATA PRIVACY in U.K. & U.S.
UK: Data Protection Act 1998
Processing of data is legitimate if the person gives consent, or where
there is a legal obligation or public sector interest
Sensitive personal data is not to be processed until express consent is granted
Section 13: right to compensation if the data controller contravenes any
provision of the Act
US
Children’s online privacy protection (U.S.), in force since 2000.
U.S. Freedom of Information Act; the Privacy Act of 1974; Department
of Justice v. Reporters Committee for Freedom of the Press
U.S. Electronic Communications Privacy Act: prohibits unauthorised
interception and disclosure of electronic communications; violation is subject to
civil and criminal liability; applies to both government and private persons
14. Threats to privacy
Hacking
Cookies
HTTP
Information provided voluntarily
Browsers
E-mail
Websites
Spam
Software to monitor employee behaviour
Satellite surveillance
15. The future?
Without privacy protection
“freedom will diminish in such an unnoticed way as
clean water and air have”
(László Sólyom)
17. “Never before in the history of the planet have so many
people - on their own - had the ability to find so much
information about so many things and about so many
other people” — Thomas L. Friedman
18. Social networking sites have put a totally different spin on
Internet privacy.
These sites are meant to encourage interaction among
Internet users.
These sites allow users to both express their individuality
and meet people with similar interests.
However, they are burdened with potential threats to privacy
such as identity theft and disclosure of sensitive
information.
Many users are still not aware of these threats
or of the privacy settings provided by these sites.
The sensitive personal information which social networking
sites receive from their users puts them in a responsible
position, as this information has an intrinsic value,
particularly to commercial organisations, and misuse of
information is a real risk for individuals.
19. There has been a growing recognition that social networking sites need
to consider more closely their use of user data, particularly sensitive
personal information.
Personal information has become a commodity with immense
pecuniary value.
The rise of data aggregators, who use data mining tools to provide
services on the basis of collected personal data, has once again
unsettled the position settled by data protection and
privacy laws.
This presentation concentrates firstly on the concept of data and the
accumulation of personal data stored in social networking
sites, then turns to the threats these social networking sites
pose to privacy rights.
The presentation ends with a discussion of data protection laws in India,
including the Information Technology Act and ancillary Rules and
Guidelines, and how far the Indian legislature has succeeded in
protecting one of the foremost rights of mankind.
India has strengthened its data protection laws with the help of many
guidelines promulgated in April 2011.
However, it remains to be seen how much teeth these laws have in
punishing perpetrators.
20. THE DIGITAL PORTRAIT
Since the advent of the Internet, digital identity has remained one of the most
controversial realms of academic study.
Countless scholars have pondered the composition, construction and meaning
of identity for as long as history has been remembered.
Regardless of specific definitions of this perplexing abstraction, which can
only be spoken about because it is given dubitable, emergent form by dynamic,
contingent recognition, identity remains at the core of our understanding of
self and existence as human beings.
From Facebook’s use of tracking cookies to monitor users to Carrier IQ
key-logging software for smartphones, companies and governments are using
digital surveillance.
To some writers, the Internet’s freedom is giving way to a darker possibility:
that authoritarian states will use the Internet for control and repression.
Yet the deeper concern may be what governments do on our behalf with our
tacit consent.
The particular danger from the loss of privacy is that the open data and
transparency agenda can encourage digital discrimination such as “weblining.”
Identity is the key to linking records and multiple identities are the key to
maintaining social functioning with appropriate anonymity, while retaining
accountability.
21. Concept of digital breadcrumbs
Almost all online activities, such as sending e-mails, filing tax
declarations, managing bank accounts, buying goods, playing
games, connecting to a company Intranet, and meeting people in a
virtual world, require identity information to be given from one party
to another.
Informational self-determination has become a challenging concept to
promote and protect in a world of unlimited information passing from
individuals to organizations, and from organizations to each
other, often described as “Web 2.0.”
Our digital footprints and shadows are being gathered together, bit by
bit, megabyte by megabyte, terabyte by terabyte, into personas and
profiles and avatars – virtual representations of us, in a hundred
thousand simultaneous locations.
These are used to provide us with extraordinary new services, new
conveniences, new efficiencies, and benefits undreamt.
Web 2.0 is the logical evolution of the Internet to permit the connecting
of people to each other and to permit individual control over their
interactions.
22. If Internet cookies and IP addresses are counted as personal
information, then Internet users have left behind
personally identifiable information everywhere they have
been.
They have left “digital bread crumbs” throughout
cyberspace.
Social networking sites do carry a great deal of personal
information, and the unwary or uninformed user may
easily give away a great deal more information than they
had intended.
Personal information which people legitimately place on
the web may have been uploaded to be shared amongst
friends, but may be exploited by others in various ways.
23. Social Media Users
The ubiquitous use of the Internet and the posting of
personal information have created a “privacy paradox”:
users of social networking websites tend to disclose a high
degree of personal information online, yet retain an
expectation of privacy.
Privacy is more than simple legal and regulatory
compliance for social networking sites.
As shown by the Facebook case, privacy does matter to
users.
Cell phones leave a data trail, and it is becoming standard
for major police departments and agencies to use this data.
A survey by the Pew Research Center's Internet Project &
American Life provides new data about the privacy settings
people choose for their social networking profiles, and the
specific steps users take to control the flow of information
to different people within their networks.
24. About two-thirds (63%) of adults say they currently maintain a
profile on a social networking site.
Nearly six-in-ten (58%) say their main profile is set to be private
so that only friends can see it;
another 19% set their profiles to partially private so that friends
of friends or networks can view them;
20% say their main profile is completely public.
About two-thirds of internet users use social networking sites
(SNS) and all the major metrics for profile management are up,
compared to 2009:
63% of them have deleted people from their “friends” lists, up
from 56% in 2009;
44% have deleted comments made by others on their profile;
and 37% have removed their names from photos that were
tagged to identify them.
27. Some 67% of women who maintain a profile say they
have deleted people from their network, compared
with 58% of men.
Likewise, young adults are more active “Unfrienders”
when compared with older users.
Two-thirds of adult internet users (65%) now say they
use a social networking site like MySpace, Facebook or
LinkedIn, up from 61% one year ago.
That’s more than double the percentage that reported
social networking site usage in 2008 (29%).
28. Out of all the “daily” online activities that we ask
about, only email (which 61% of internet users access
on a typical day) and search engines (which 59% use
on a typical day) are used more frequently than social
networking tools.
Social networking sites are used by all age groups from
18 years to 65 years and above, the most active social
network users falling in
31. the age group of 18-29 years. With the growth of social
networks, it's becoming harder to effectively monitor
and protect site users and their activity because the
tasks of security programmers become increasingly
spread out.
Imagine a prison whose inmate count jumped
from a few dozen to 250 million in less than five years,
yet which employed only 300 guards (as in the case of MySpace).
Social network security and privacy lapses
exist simply because of the astronomical amounts of
information the sites process each and every day, which
ends up making it that much easier to exploit a single
flaw in the system.
32. On any given day 61% of people in the age group of 18-29 use
social networking websites like Facebook, MySpace and LinkedIn.
Features that invite user participation -- messages, invitations,
photos, open platform applications, etc. are often the avenues
used to gain access to private information, especially in the case
of Facebook.
Adrienne Felt, a Ph.D. candidate at Berkeley, made small
headlines last year when she exposed a potentially devastating
hole in the framework of Facebook's third-party application
programming interface (API) which allows for easy theft of
private information.
Felt and her co-researchers found that third-party platform
applications for Facebook gave developers access to far more
information (addresses, pictures, interests, etc.) than needed to
run the app.
In December 2009 Facebook made one of the most
controversial changes to its privacy policy: the “nearly invisible”
account option, which by default let in only those whom
one wanted, was removed.
33. SOCIAL NETWORK DATA MINING AND COMMERCE
First, there is online stalking by companies like
Spokeo, Pipl and CVGadget.
As an example, Spokeo can take an e-mail address and
locate people in social networks like Facebook and
MySpace.
For a small fee you can download your e-mail address
book to Spokeo, and learn the habits of friends,
relatives and complete strangers.
Unfortunately, both of the major social networking
websites in the United States today
34. Facebook and MySpace, are motivated by profit. This can be a
problem, because their profits are dependent on the free flow of
personal information about their customers.
Facebook offers members a plenitude of privacy options: at the
time of writing this presentation there are 43 settings that can be
tweaked, not including several for limiting information that can
be seen by software applications installed by one’s Facebook
friends.
Facebook’s default settings for new accounts protect users in
some ways.
For instance, the information in one’s profile is restricted to
friends and other people in one’s school, workplace or
geographic networks; it is not accessible to friends of friends.
But Facebook sets few restrictions by default on what third-party
software can see in a network of friends.
Members are not likely aware that unless they change the default
privacy settings, an application installed by a friend can vacuum
up and store many categories of a member’s personal
information.
35. Computer scientists and policy experts say that such seemingly
innocuous bits of self-revelation can increasingly be collected
and reassembled by computers to help create a picture of a
person’s identity, sometimes down to the Social Security
number.
“Technology has rendered the conventional definition of
personally identifiable information obsolete,” said Maneesha
Mithal, associate director of the Federal Trade Commission’s
privacy division. “You can find out who an individual is without
it.”
In its latest privacy blunder, the social networking site was
forced to confirm that it has been constantly tracking its
750 million users, even when they are using other sites.
This was done mainly to learn user behaviour and to provide
customised advertisements on the basis of user preferences.
The social networking giant responded that the huge privacy breach
was simply a mistake: software automatically downloaded
to users' computers when they logged in to Facebook
'inadvertently' sent information to the company, whether or not
they were logged in at the time.
36. Australian technology blogger Nik Cubrilovic has uncovered
Facebook's practice of tracking users when they are offline.
Most social networking sites are free of charge; however, they
depend on third-party affiliates to generate income.
Many social networking sites collect and sell user information in
the form of marketing profiles.
One example of this is the targeted ads used by Facebook.
Security and privacy related to social networking sites are
fundamentally behavioral issues, not technology issues.
The more information a person posts, the more information
becomes available for a potential compromise by those with
malicious intentions.
People who provide private, sensitive or confidential information
about themselves or other people, whether wittingly or
unwittingly, pose a higher risk to themselves and others.
37. ENCROACHMENT TO PRIVACY: A CLASSIC CASE
On September 5, 2006, Facebook unveiled its “news feed”
and “mini feed” features.
These new features served to aggregate the activities of a
user and post them on the user's page as well as broadcast
them to the user's friends.
Less than a day after introducing the new features,
Facebook received thousands of emails from users claiming
the feature invaded privacy.
On November 6, 2007, Facebook launched its Beacon
program.
Facebook described Beacon as a “core element of the
Facebook Ads system for connecting businesses with users
and targeting advertising to the audiences they want.”
38. The program reported information about Facebook
users' activities on third party sites back to Facebook
and posted details of a user's activities on that user's
profile.
Users specifically objected to the automatic sharing of
details regarding user purchases on other sites.
39. As a response to the harsh user reaction, Facebook changed its
Beacon program from opt-out (meaning users would have to
proactively un-register themselves from it) to opt-in (meaning
that users would have to confirm to Facebook, on each individual
instance, whether or not they wanted their information from
third party sites to be broadcast on Facebook).
There are no laws or regulations that directly address how
privacy on social networks should be implemented or revised.
Moreover, there is no preventative protection of the privacy
interests of the users of online social networking sites that would
stop massive policy changes from quickly occurring.
Once a social networking site decides to change its privacy policy,
there is nothing requiring advance notice of the change or
transparency in the process.
Because of the lack of any comprehensive information privacy
law, people concerned with their privacy on social networks
appear to be attempting to form piecemeal protection utilizing
existing laws to address their concerns.
40. Contractually there was no barrier to Facebook doing
this as it has the right to unilaterally amend its user
terms at any time and users automatically accept the
revised terms by their continued use.
However, the perceived effect of widening the already
broad license of use for Facebook to extend beyond
termination raised concerns.
The significance of the change was that, with the
relevant wording deleted, it would give Facebook the
rights to continue using a user's data even where they
have left the site.
41. Just a few short years ago, consumer-oriented businesses were
stuck in the world of static “focus groups” and paper-based
surveys. But not even the most forward-looking of these
organizations could have dreamed of the present-day
scenario, where newly forged nuggets of data about consumer
behavior and preferences wait to be mined by state-of-the-art BI
computing infrastructure.
For many social media sites, the Terms of Service (TOS) are
explicitly clear and to the point:
If you post content to the site you essentially grant the site
permission to use the content for any purpose they deem
appropriate.
While each site differs in the irrevocable and perpetual
rights it claims to reproduce the information found in your posts, it is wise
to err on the side of caution.
No matter how private you deem the content, privacy controls
usually only go so far - the demarcation between private and
public information remains fuzzy at best.
42. PRIVACY AND TERMS OF USE AND AGREEMENTS
Users of social networking sites provide vast amounts of data
about themselves to these websites.
The extent of control that users retain over that information and
the right to sell, use, and transmit that personal information is
typically addressed in the terms to which users agree before
accessing the website and handing over their information to the
social network.
A terms of use agreement is a set of promises proposed by a
website and agreed to by the user of the website.
Accordingly, the terms of use agreement delineates the legal
responsibilities of both parties and what each party is allowed to
do with the information of the other party.
Crafting a comprehensive terms of use agreement, therefore, is a
crucial aspect of beginning a social networking website as courts
will refer to the terms of use agreement to determine any claims
that may arise between the two parties.
43. Browsewrap agreements are terms of use agreements the user
may not read at all;
the user, however, consents to the terms of use by using the
website.
Browsewrap agreements are typically included on a website and
accessed by clicking a link which often appears on the bottom of
the page.
Social networking websites exist in a strange tension with their
users.
Networks like Facebook.com, Loopt.com, and YingYang.com
require users to contribute to their websites in order to be a
“value added” service.
The term “value added” means that as more users contribute to
the site with pictures, information, and applications used
exclusively by the site and its users, the site becomes more
valuable, and, in turn, more used, visited, and profitable.
44. The concept is referred to as “sticky” content because
content generated by social networking users that is
exclusive to that site sticks to the site and is what draws
more users to use the site.
Social networking websites challenge traditional notions of
ownership and consumer-owner relationships.
Social networks challenge this understanding of ownership
because users are constantly creating, adding to, and
producing content on social networking websites, yet they
do not own the material or a portion of the site.
Rather, the site, by the terms of agreement, co-opts the
information and declares ownership of it.
Accordingly, users add value to the website; indeed, user-
generated content on sites such as Facebook is what makes
the site attractive for other users and yet, users never own
anything they add to the site.
45. Legal Position in India
Information Technology Amendment Act, 2008 had been
passed when the Bill called "Personal Data Protection Bill
2006" was still under consideration of the Parliament.
Since this has not been passed it may be considered that
the Personal Data Protection Bill 2006 may be allowed to
lapse.
Hence India will continue under a regime that there will be
no separate "Privacy Act" or "Data Protection Act".
Information Technology Act, 2008 will therefore have to
serve the requirements of such legislations also.
The data protection provisions do not extend beyond the
territories of India.
Within the territory of India, Sections 43A and 72A of the
Information Technology Act, 2000 provide protection for
data. Even data which is outsourced to India gets
protection under these Sections.
46. However, when data is sent outside the territories of
India, one cannot seek protection under these
Sections, nor is there any obligation cast on the
countries to which India sends sensitive personal
information for processing to have an acceptable data
protection mechanism.
The IT Act, 2008 has two direct sections, viz. 43A and 72A,
which address the data protection requirements.
Along with these, other sections like 65, 66, 66E and 43
indirectly penalise or provide compensation for
infringement of privacy by way of unauthorised access
to information.
47. The newly inserted section 43A makes a start at introducing a
mandatory data protection regime in Indian law.
The section obliges corporate bodies who ‘possess, deal or
handle’ any ‘sensitive personal data’ to implement and maintain
‘reasonable’ security practices, failing which they would be liable
to compensate those affected by any negligence attributable to
this failure.
It is only the narrowly-defined ‘body corporates’ engaged in
‘commercial or professional activities’ who are the targets of this
section.
Thus government agencies and non-profit organisations are
entirely excluded from the ambit of this section.
“Sensitive personal data or information” is any information that
has been defined as such under S. 3 of the Information Technology
(Reasonable Security Practices and Procedures and Sensitive
Personal Information) Rules, 2011.
48. It provides an inclusive definition, treating the following
types of information as ‘sensitive personal information’:
password;
user details as provided at the time of registration or thereafter;
financial information such as bank account, credit card, debit card
or other payment instrument details of the users;
physiological and mental health condition;
medical records and history;
biometric information;
information received by the body corporate for processing, stored or
processed under lawful contract or otherwise;
call data records;
49. But it does not apply to “any information that is freely
available or accessible in public domain or accessible under
the Right to Information Act, 2005”.
The import of the phrase “any information that is freely available
or accessible in public domain” has not been defined.
This exception can be used by social networking websites to
escape liability.
It can be interpreted that whatever information we
provide on social networking websites, such as email ids, phone
numbers, addresses, photos, sexual orientation or any kind of
updates that mention our consumer preferences
and brands, can be used by the social networking website to provide
information to its business partners, as all that data is freely
available or accessible in the public domain.
50. Duty of body corporate to frame privacy policy
Rule 4 of the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal
Information) Rules, 2011 enjoins a body corporate or its
representative who “collects, receives, possess, stores, deals
or handles” data to provide a privacy policy “for handling of
or dealing in user information including sensitive personal
information”.
This policy is to be made available for view by such
“providers of information”.
The policy must provide details of:
type of personal or sensitive information collected under sub-rule (ii) of rule 3;
purpose, means and modes of usage of such information;
disclosure of information as provided in Rule 6 (prior
permission is required if data is shared with a third party).
51. Issue of prior consent and limitation on use of data
Rule 5(1) of the said Rules states that the body corporate must
obtain consent from the provider of information regarding the purpose
of the information before collection.
Rule 5(3) states that, in addition to the restrictions on collecting
sensitive personal information, the body corporate must obtain prior
consent from the “provider of information” regarding the “purpose,
means and modes of use of the information”.
The body corporate is required to “take such steps as are, in the
circumstances, reasonable” to ensure that the individual from whom
data is collected is aware of:
the fact that the information is being collected; and
the purpose for which the information is being collected; and
the intended recipients of the information; and
the name and address of:
the agency that is collecting the information; and
the agency that will hold the information.
52. During data collection, body corporates are required to give
individuals the option to opt-in or opt-out from data collection
in accordance with Rule 5 (7).
Along with it they must also permit individuals to review and
modify the information they provide "wherever necessary".
Also the provider of information can at any time withdraw
consent.
The information collected should be used only for the purpose
for which the sensitive personal information is collected
according to Rule 5(5).
The information collected must be kept secure by the body
corporate as mandated by Rule 5(8).
However, unlike “sensitive personal information”, there is
no obligation to retain information only for as long as it
is required for the purpose for which it was collected.
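The duties in slides 48 to 52 (classify what counts as sensitive personal information, give the Rule 5 notice, obtain prior consent, use the data only for the consented purpose, and honour withdrawal of consent) are the kind of thing a data-handling layer can enforce mechanically. The following is an added example written for this page, not code from the presentation or from any Indian regulator: the field names, the purpose labels, the in-memory store and the sample record are all constructed assumptions, and the Rule 3 category mapping is only the list as the slides give it.

```python
"""Toy data-handling layer enforcing the SPDI consent and purpose-limitation duties.

Added example (not from the slides). Field names, purposes and the in-memory
store are assumptions for illustration, not the Rules' own vocabulary.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Rule 3 categories as listed on the slides; the field-name -> category
# mapping is an assumed record schema for this example.
SPDI_FIELDS = {
    "password": "password",
    "bank_account": "financial",
    "card_number": "financial",
    "health_condition": "physiological/mental health",
    "medical_history": "medical records",
    "fingerprint_template": "biometric",
    "call_records": "call data records",
}


class ConsentError(PermissionError):
    """Raised when collection or use is attempted without valid consent."""


@dataclass(frozen=True)
class CollectionNotice:
    """What Rule 5 requires the provider of information to be made aware of."""
    purposes: frozenset[str]          # purpose(s) of collection
    recipients: tuple[str, ...]       # intended recipients
    collecting_agency: str            # name and address of the collector
    holding_agency: str               # name and address of the holder

    def is_complete(self) -> bool:
        return bool(self.purposes and self.recipients
                    and self.collecting_agency and self.holding_agency)


@dataclass
class Consent:
    notice: CollectionNotice
    given_at: datetime
    withdrawn_at: datetime | None = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def spdi_fields(record: dict) -> dict[str, str]:
    """Return the sensitive fields in a record mapped to their Rule 3 category."""
    return {k: SPDI_FIELDS[k] for k in record if k in SPDI_FIELDS}


class SpdiStore:
    """In-memory store that refuses to collect or use SPDI without consent."""

    def __init__(self) -> None:
        self._consents: dict[str, Consent] = {}
        self._records: dict[str, dict] = {}
        self.audit: list[str] = []   # trail a body corporate can show on demand

    def record_consent(self, subject: str, notice: CollectionNotice) -> None:
        """Consent is only valid if the full Rule 5 notice was given."""
        if not notice.is_complete():
            raise ConsentError("notice must state purposes, recipients and agencies")
        self._consents[subject] = Consent(notice, datetime.now(timezone.utc))
        self.audit.append(f"consent:{subject}:{sorted(notice.purposes)}")

    def collect(self, subject: str, record: dict) -> dict[str, str]:
        """Store a record; SPDI fields need active prior consent (Rule 5(1), 5(3))."""
        sensitive = spdi_fields(record)
        consent = self._consents.get(subject)
        if sensitive and (consent is None or not consent.active):
            raise ConsentError(f"no active consent for {subject}: {sorted(sensitive)}")
        self._records[subject] = dict(record)
        self.audit.append(f"collect:{subject}:{sorted(sensitive)}")
        return sensitive

    def use(self, subject: str, field_name: str, purpose: str):
        """Release an SPDI field only for a consented purpose (Rule 5(5))."""
        value = self._records[subject][field_name]
        if field_name not in SPDI_FIELDS:
            return value
        consent = self._consents.get(subject)
        if consent is None or not consent.active:
            raise ConsentError(f"consent withdrawn or absent for {subject}")
        if purpose not in consent.notice.purposes:
            raise ConsentError(f"{purpose!r} is not a consented purpose for {subject}")
        self.audit.append(f"use:{subject}:{field_name}:{purpose}")
        return value

    def update(self, subject: str, field_name: str, value) -> None:
        """Provider may review and modify what they supplied."""
        self._records[subject][field_name] = value
        self.audit.append(f"update:{subject}:{field_name}")

    def withdraw(self, subject: str) -> None:
        """Provider may withdraw consent at any time; later SPDI use is refused."""
        self._consents[subject].withdrawn_at = datetime.now(timezone.utc)
        self.audit.append(f"withdraw:{subject}")
```

The design point is that the check sits at the point of use, not only at collection: a purpose recorded in the privacy policy is what the code compares against, so a later "marketing" use of a card number consented to for "billing" fails closed, and withdrawal takes effect on the next access rather than on a periodic cleanup. The audit list is the minimum a body corporate would need to "demonstrate, as and when called upon", which control decided each access.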
53. REASONABLE SECURITY PRACTICES
Rule 8 stipulates that a body corporate shall be
deemed to have complied with reasonable security
practices if it has implemented security practices
and standards which require:
a comprehensive documented information security
program; and
information security policies that contain
managerial, technical, operational and physical
security control measures that are commensurate
with the information assets being protected.
54. In case of an information security breach, such body
corporate will be
“required to demonstrate, as and when called upon to do so by
the agency mandated under the law, that they have
implemented security control measures as per their
documented information security program and information
security policies”.
The Rule further stipulates that by adopting the
International Standard IS/ISO/IEC 27001 on
“Information Technology – Security Techniques –
Information Security Management System – Requirements”, a
body corporate will be deemed to have complied with
reasonable security practices and procedures.
55. The rule further permits “industry associations or an entity” that
follow standards other than IS/ISO/IEC 27001.
ISO/IEC 27001 specifies the requirements for
establishing, implementing, operating, monitoring, reviewing,
maintaining and improving a documented Information Security
Management System within the context of the organization's
overall business risks.
It specifies requirements for the implementation of security
controls customized to the needs of individual organizations or
parts thereof.
ISO/IEC 27001 is designed to ensure the selection of adequate
and proportionate security controls that protect information
assets and give confidence to interested parties.
In every case, however, such codes must correspond to the requirements of
sub-rule 8(1), and approval for them must be obtained from the
government.
56. Once this approval has been sought and obtained, the
observance of these standards by a body corporate
would deem them to have complied with the
reasonable security practice requirements of section
43A.
However, it is to be noted that section 69 of the Act, which
is an exception to the general rule of maintenance of
privacy and secrecy of the information, provides that
where the Government is satisfied that it is necessary in the
interest of:
the sovereignty or integrity of India,
defense of India,
security of the State,
friendly relations with foreign States or
public order or
for preventing incitement to the commission of any
cognizable offence relating to above or
for investigation of any offence,
57. it may by order, direct any agency of the appropriate Government to
intercept,
monitor or
decrypt or
cause to be intercepted or
monitored or
decrypted any information generated,
transmitted,
received or
stored in any computer resource.
This section empowers the Government to intercept, monitor or
decrypt any information including information of personal nature in
any computer resource.
Where the information is such that it ought to be divulged in public
interest, the Government may require disclosure of such information.
Information relating to anti-national activities which are against
national security, breaches of the law or statutory duty or fraud may
come under this category.
58. LIABILITIES ON VIOLATION OF PROVISIONS
Section 72 of the Information Technology Act, 2000 provides for those
situations where there is a breach of confidentiality and privacy.
It states that any person who, in exercise of any of the powers provided in this Act,
Rules and Regulations, has secured access to
any electronic record,
book,
register,
correspondence,
information, document or
other material
and, without the consent of the person concerned, discloses
such electronic record,
book,
register,
correspondence,
information,
document or
other material to any other person
shall be punished with imprisonment or fine. The keyword in the section is
“secured in pursuance of any powers conferred under this Act”. Powers have been conferred
under this Act on various agencies including the Police, Certifying Authorities and
officers authorised by specific notification. In the Information Technology Amendment
Act, 2008 the Indian Computer Emergency Response Team and probably some other agencies
may be conferred some powers for collection of data. Section 72 may be interpreted as
applicable only to these agencies.
59. Criminal Liability for unauthorized disclosure of
information by any person of information
obtained under contract
Section 72A of the IT Act imposes a penalty on any person
(including an intermediary) who
has obtained personal information while providing services
under a lawful contract and
discloses the personal information without consent of the
person,
with the intent to
cause, or
knowing it is likely to cause
wrongful gain or
wrongful loss
Such unauthorised disclosure to a third person is punishable
with imprisonment up to three years or with fine up to Rs. five
lakh, or both.
60. CONCLUSION
Given the relatively recent emergence of social networking websites, this
issue is just beginning to be addressed by courts,
and courts have been slow to integrate new technologies into privacy
law.
In the social networking world and in the Web 3.0 paradigm in general,
innovation often comes at a cost to privacy.
An intrusion into a virtual space should be assessed based on whether the
defendant learned of the plaintiff's private affairs or matters through a
type of surveillance.
An expectation of seclusion or solitude on social
networking websites should be evaluated not by the number of people
who have access to the profile or group, but rather by the privacy settings
the plaintiff has implemented to restrict access to his or her information.
For businesses that are focused on data mining the information on
Facebook, Twitter, LinkedIn, MySpace, etc., although it is confounding
for those of us who use social networks on a regular basis and live by the
mantra:
“What happens in the Network, stays in the Network”.