Privacy in The Digital Age – Legal Scenario (With specific reference to India)


Slide 1

Agenda
- Privacy
- Data privacy
- Different categories/types of private data
- Indian legal scenario on privacy
- Some of the global laws
- Mom’s gyan

Slide 2

Privacy
- To separate/seclude from the rest
- Types – personal privacy, informational privacy, organizational privacy

Slide 3

We expect reasonable privacy in life… but then…! …and there are so many other ways by which we are being tracked…!

Slide 4

Information/data privacy
- The ability of an organization or individual to determine what data in a computer system can be shared with third parties
- Private data is known as – Personally Identifiable Information (PII), Personal data, Sensitive Personal Data/Information (SPDI)

Slide 5

Personally Identifiable Information (US privacy laws)
- Information that can be used on its own or with other information to identify, contact, or locate a person, or to identify an individual in context

Slide 6

Personal data and sensitive personal data – Data Protection Act, UK
- Personal data – data relating to a living individual which helps in his identification, and includes any expression of opinion about him
- Sensitive personal data – personal data consisting of information as to: the racial or ethnic origin of the data subject; his political opinions; his religious/spiritual beliefs; his professional associations; his physical or mental health or condition; his sexual life; the commission or alleged commission by him of any offence; or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings

Slide 7

Sensitive Personal Data/Information – The Information Technology Act, 2000 (Amd. 2008), India
- Rule 3 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 8

India on privacy
- Constitution of India: Art. 19 – Freedom of speech and expression; Art. 21 – Right to life and personal liberty
- IT Act, 2000 (Amd. 2008): data privacy; personal privacy; powers of Government; liability of intermediary

Slide 9

Key issues
- Liability of company (Sec. 85)
- Data protection – concern for the outsourcing industry
- Privacy – the individual’s concern
- Increasing Government control/interference

Slide 10

Preamble of the IT Act
Purpose behind enacting the IT Act –
- To provide legal recognition to e-commerce
- To facilitate e-governance
- To provide a remedy for cyber crimes
- To provide legal recognition to digital evidence
The Preamble does not specify that the Act aims at establishing an IT security framework in India.

Slide 11

Section 43 – Unauthorised access
- Remedy – damages by way of compensation
- Amount – unlimited
- What needs to be proved – amount of damages suffered
- Adjudication – for claims up to Rs. 5 crores: Adjudicating Officer (IT Secretary of the State); for claims above Rs. 5 crores: civil courts

Slide 13

Cases decided u/Sec. 43
- Thomas Raju vs. ICICI Bank
- Ramdas Pawar vs. ICICI Bank
- Saurabh Jain vs. Idea Cellular
Facts: fraudulent transfer of money from the petitioners’ accounts; duplicate SIM cards made without document verification.
Findings: the court is of the opinion that the bank/cellular company failed to establish due diligence and to provide adequate checks and safeguards to prevent unauthorised access. The bank did not adhere to the RBI circular of July 2010 on ‘guidelines on information security, electronic banking and cyber frauds’. Idea issued a SIM based on a fake licence and police FIR.

Slide 14

Sec. 43A – Compensation for failure to protect data
- If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
- Liability – damages by way of compensation; unlimited damages

Slide 15

Who is liable?

Slide 16

Issues
- What is Sensitive Personal Data or Information?
- What are Reasonable Security Practices and Procedures?

Slide 17

Solution
- The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- Enforceable from 11th April, 2011
- To be read with Sec. 43A

Slide 18

Sensitive Personal Data or Information
- Rule 3 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 19

Reasonable Security Practices
- Rule 8 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 20

Auditing
- Necessary to get the codes or procedures certified or audited on a regular basis
- Needs to be done by a Government certified auditor, who will be known as “Govt. Certified IT Auditor”
- Not appointed yet

Slide 21

Compliance Policies

Slide 22

Collection of information
- About obtaining consent of the information provider
- Consent in writing (through letter/fax/email) from the provider of the SPDI regarding the purpose of usage, before collection of such information
- Need to specify: the fact that SPDI is being collected; what type of SPDI is collected; how long the SPDI will be held
- Rule 5 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 23

Collection of information (contd.)
- Provider should know: the purpose of collection; the intended recipients; details of the agency collecting the information and the agency retaining it
- Body corporate not to retain information longer than required
- Option should be given to withdraw the information provided
- SPDI shall be used only for the purpose for which it has been collected
- Shall appoint a “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – max. time: one month

Slide 24

Privacy policy
- Policy about handling of SPDI
- Shall be published on the website, or should be available to view/inspect at any time
- Shall provide for: the type of SPDI collected; the purpose of collection and usage; clear and easily accessible statements of IT security practices and policies; a statement that the reasonable security practices and procedures as provided under Rule 8 have been complied with
- Rule 4 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 25

Disclosure of information
- Prior permission of the provider is necessary before disclosure to a third party, OR a disclosure clause needs to be specified in the original contract, OR the disclosure must be necessary by law
- Third party receiving SPDI shall not disclose it further
- Rule 6 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 26

Transfer of information
- Transfer to be made only if it is necessary for performance of a lawful contract
- Disclosure clause should be a part of the Privacy and Disclosure Policy
- Transferee to ensure the same level of data protection is adhered to during and after transfer
- Details of the transferee should be given to the provider
- Rule 7 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Slide 27

Sec. 72A (criminal offence) – Punishment for disclosure of information in breach of lawful contract
- Knowingly or intentionally disclosing “personal information” in breach of a lawful contract
- IMP – follow the contract
- Punishment – imprisonment up to 3 years, or fine up to Rs. 5 lakh, or both (cognizable but bailable)

Slide 28

Other provisions under the IT Act
- Section 66E – Punishment for violation of personal privacy; popularly known as voyeurism; covers acts like hiding cameras in changing rooms, hotel rooms, etc.; punishment – imprisonment up to 3 years or fine up to Rs. 2 lakh or both
- Section 67C – Preservation and retention of information by intermediaries
- Section 69 – Power to issue directions for interception or monitoring or decryption of any information through any computer resource
- Section 69A – Power to issue directions for blocking public access to any information through any computer resource
- Section 69B – Power to authorise monitoring and collection of traffic data or information through any computer resource for cyber security
- Section 79 – Intermediary not liable in certain circumstances

Slide 29

Some of the Global laws

Slide 30

Gramm–Leach–Bliley Act (GLBA, USA)
- Focuses on finance
- Safeguards Rule – disclosure of nonpublic personal information
- Requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients’ nonpublic personal information. This plan must include: designating at least one employee to manage the safeguards; constructing a thorough risk analysis of each department handling the nonpublic information; developing, monitoring and testing a program to secure the information; and changing the safeguards as needed with changes in how information is collected, stored and used

Slide 31

The Federal Information Security Management Act of 2002 (FISMA, USA)
- Focus on the economic and national security interests of the United States
- Emphasises a “risk-based policy for cost-effective security”
- Responsibility placed on federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security
- Not mandatory; no penalty for non-compliance

Slide 32

Data Protection Directive (EU)
- European Union directive regulating the processing of personal data within the EU
- Protection of individuals’ personal data and its free movement
- Coming soon – European Data Protection Regulation
- Not mandatory; no penalty for non-compliance

Slide 33

Other laws in the US
- Children's Internet Protection Act of 2001 (CIPA)
- Children's Online Privacy Protection Act of 1998 (COPPA)
- Driver's Privacy Protection Act of 1994
- Telephone Consumer Protection Act of 1991 (TCPA)
- Video Privacy Protection Act of 1988
- Electronic Communications Privacy Act of 1986 (ECPA)
- Privacy Protection Act of 1980 (PPA)
- Right to Financial Privacy Act of 1978 (RFPA)
- Family Education Rights and Privacy Act of 1974
- Privacy Act of 1974

Slide 34

Mom’s gyan

Slide 35

Protect your own privacy
- Understand the type of personal information you disclose
- Always ask: WHY do they want it? HOW will they use it? WHO will it be shared with? Will YOU get access to it?
- Know your rights
- Question if you are in doubt

Slide 36

If you are a company
- Am I complying with the law?
- Do you manage (have, use, access, store, obtain, etc.) personal information?
- Am I collecting only what is REALLY needed, and not more?
- Have I differentiated between sensitive personal information and other information?
- Do I protect information even during transit/processing?
- How are you making sure all employees know their responsibilities and rights?
- How will you extend data privacy protection to your third parties and vendors?
- What will you do if there is a privacy breach?
- Do you have in-house competences to conduct basic investigations?

Slide 39

Get in touch – Phone: +919623444448; Email: [email protected]