Concern for
Privacy Rights Vs National Security
The first version of the amendments to
ITA 2000 culminating in the passing of the Information Technology
Amendment act 2008 on Dec 22/23 in the Indian Parliament was the
recommendation of the "Expert Committee" (ITAA 2005). Published on
August 29, 2005, it created a huge backlash amongst those who were
concerned about Cyber Crimes. Naavi was in the forefront of a volatile
campaign against the proposals in very strong terms. The toned down
version which was introduced as the next version of the proposed
amendments was Information Technology Amendment bill 2006 (ITAA 2006).
While ITAA 2006 was an improvement over ITAA 2005 and had
removed some ridiculous suggestions contained there in, it continued
to be heavily slanted in favour of Intermediaries and ignored the
needs of the Police and National Security. The timely intervention of
the Parliamentary Standing Committee seems to have worked wonders and
the slant in the final version (ITA 2008) now passed by the Parliament
has swung drastically to the other extreme where sweeping powers have
been provided for Interception, Monitoring, Blocking of websites etc.
This has naturally raised some criticisms from the Privacy supporters
and this article tries to analyse the provisions of ITA 2008 in this
regard. ..... Naavi
Comments of Naavi on the Amendments Proposed to
ITA-2000 vide ITAA 2008 Regarding Privacy Concerns
(This is Part III of the Article : Part I and Part II)
ITA 2008 has been passed
when the Bill called "Personal Data Protection Bill 2006" is still under
consideration of the Parliament. Since this has not been passed in the
current Parliament which is likely to be dissolved without further
working sessions, we may consider that the Personal Data Protection Bill
2006 may be allowed to lapse. Hence India will continue under a regime that
there will be no separate "Privacy Act" or "Data Protection Act" . ITA
2008 will therefore have to serve the requirements of such legislations
also.
The Principles requirements of a "Privacy or Data
Protection Act" are the definition of what information is considered as
"Private information" and "what is the responsibility of the data handlers"
and "What are the punishments for breach of privacy". As a part of the
implementation system there may be a need to set up a control organization (eg:
Data Commissioner), a grievance redressal mechanism etc.
ITA 2008 has two direct sections (43 A and
72 A) which address the data protection requirements. It also has a few
other sections (65, 66, 66 E and 43) which indirectly penalize or provide
compensation for infringement of privacy by way of unauthorized access to
information.
Additionally, the three sections 69, 69
A and 69 B provide certain powers to some authorities of the Government
which would restrict or infringe the Privacy rights of the individuals.
Data Protection Provisions
The first section
we explore in ITA 2008 on Data Protection is Section 43 A.
It states as
under:
43 A: Compensation for failure to
protect data (Inserted vide ITAA 2006)
Where a body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer resource which it owns,
controls or operates, is negligent in implementing and maintaining
reasonable
security practices and procedures and thereby causes wrongful loss or wrongful
gain to any person, such body corporate shall be liable to pay damages by way of
compensation, , to the person so affected.
Explanation: For the purposes of this section
(i) "body corporate" means any company and includes a firm,
sole proprietorship or other association of individuals engaged in commercial
or professional activities
(ii) "reasonable security practices and procedures" means
security practices and procedures designed to protect such information from
unauthorised access, damage, use, modification, disclosure or impairment, as
may be specified in an agreement between the parties or as may be specified in
any law for the time being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as may be prescribed by
the Central Government in consultation with such professional bodies or
associations as it may deem fit.
(iii) "sensitive personal data or information" means such
personal information as may be prescribed by the Central Government in
consultation with such professional bodies or associations as it may deem fit.
This section provides scope for introducing the definition of "Sensitive
Personal Data or Information" (subject to notification), and also imposes
a responsibility for "Reasonable Security Practice" to be followed by the
data handlers. The victim of a breach of privacy is provided a remedy to
claim compensation from the body corporate who has been negligent. There is no upper limit for the compensation to be claimed
which may even be in excess of Rs 5 crores.
This section
provides a remedy to the "person affected" when "Wrongful loss" is caused to
him or "Wrongful gain" is caused to another person at the expense of
the affected person. There is no limit for the compensation.
At the same time, there is also the section 72A which provides punishment by
way of imprisonment in certain cases of breac of Privacy.
Section 72 A,
states...
Save as otherwise provided in this Act
or any other law for the time being in force, any person including an
intermediary who, while providing services under the terms of lawful contract,
has secured access to any material containing personal information about another
person, with the intent to cause or knowing that he is likely to cause wrongful
loss or wrongful gain discloses, without the consent of the person concerned, or
in breach of a lawful contract, such material to any other person shall be
punished with imprisonment for a term which may extend to three years, or with a
fine which may extend to five lakh rupees, or with both.
This section however is embedded with too many conditions
and is unlikely to be available to any individual as a remedy except in
cases of a fraud. (Which is any way covered by other laws). The reason is
that this section is applicable only when the unauthorized disclosure of
information occurs with "Intent to cause" or "Knowing" that the loss is
likely to occur.
Additionally, Section 66(E) as well as Section 72 uses the word
"Privacy" but we must understand that these two sections apply to different
offences under the domain of "Obscenity" and "Responsibility of Police and
Certifying Authorities".
For example, Section 66 (E) addresses the issue of Video Voyeurism and
states
66E: Punishment for
violation of privacy. Whoever, intentionally or knowingly captures, publishes or transmits the image
of a private area of any person without his or her consent, under circumstances
violating the privacy of that person, shall be punished with imprisonment which
may extend to three years or with fine not exceeding two lakh rupees, or with
both
Explanation.-
For the purposes of
this section--
(a) “transmit” means to electronically send a visual image with the intent that
it be viewed by a person or persons;
(b) “capture”, with respect
to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area,
buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making
it available for public;
(e) “under circumstances
violating privacy” means circumstances in which a person can have a reasonable
expectation that--
(i) he or she could disrobe
in privacy, without being concerned that an image of his private area was
being captured; or
(ii) any part of his or her
private area would not be visible to the public, regardless of whether that
person is in a public or private place.
This section applies for obscene photography and extends even to "Non
Digital Photography" where the picture of a private part of an individual is
captured without consent express or implied.
Section 72 states
72: Breach of confidentiality and privacy: Save as otherwise provided in this Act or any other law
for the time being in force, any person who, in pursuant of any of the powers
conferred under this Act, rules or regulations made there under, has secured
access to any electronic record, book, register, correspondence, information,
document or other material without the consent of the person concerned discloses
such electronic record, book, register, correspondence, information, document or
other material to any other person shall be punished with imprisonment for a
term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.
This section applies where the breach is of information
that has been secured "in pursuant of any powers conferred under thsi Act".
Powers have been conferred under this Act to various agencies including the
Police, Certifying Authorities and officers authorised by specific
notification. In the ITA 2008, the Indian Computer Emergency Team and
probably some other agencies may be conferred some powers for collection of
data. Section 72 may be interpreted as applicable only to these agencies.
We may also interpret this section as a built in
safeguard to prevent abuse of powers conferred under other provisions of the
Act. In the previous part of this article, there was a mention about the
need to set up a "National Netizen's Rights Commission" (NNRC).
This agency can be given powers to interpret the
application of this section 72 with or without the power of prosecution.
This would be serving the long felt need for an agency to prevent cyber
abuse. Let us all direct our efforts towards setting of such an agency
rather than criticizing the powers assumed by the Government under Sections
69, 69A and 69 B which are required for national security.
(This is
the continuation of part I of the article)
Naavi
December 30, 2008
Related Article:
Why USPATRIOT ACT is Required in India-2
Why US PATRIOT Act is required in India? ..1
Unified approach key to National Cyber security
IT Act Amendments and Cyber Terrorism
5 Key Steps to Cyber Security
National
Seminar on Privacy Rights and Data Protection in Cyber Space
Other Articles on ITA 2008
