SHORT ARTICLES

INTRODUCTION

The Internet has become part and parcel of everyone’s lifestyle. The world is like a village where everyone connects over the internet and shares information despite being in different parts of the world. With the emergence of internet services in the late 1980’s, cyberspace has become the fifth largest domain of human activity and has led to an increase in the usage of the internet worldwide. The Internet is not only an essential tool for the delivery of services such as education and healthcare, but also, offers innumerable opportunities for women’s empowerment and environmental sustainability.

The third world countries, such as India, have witnessedtremendous rise in internet usage and cyberspace activities. Moreover, India is one of the major IT destinations in the world and has the third largest internet users after the USA and China.[i]

However, with myriad benefits comes the peril of the internet; privacy concerns and cyber-crimes.The anonymity in cyberspace adds to the vulnerability and creates potential threat to the users and might cause damage and mischief. Cyber fraud, cyberterrorism, hacking, espionage and financial fraud are some of the activities which are carried on by the criminals and terrorists.It is, therefore, one of the major concerns of the government and administrations.

STATEMENT OF PROBLEM

With the advancement in the arena of technology, there has been a rise in complexities with respect to technicalities in usage and understanding of the cyber world. The developing nations are still struggling to adapt proper cyber securities and their laws are lagging behind as compared to developed nations such as Europe’s GDPR and USA’s stringent data protection laws. There is a lack of specialized personnel who can effectively deal with advanced computer crime.[ii] Third world countries such as India, Africa, Bangladesh, Afghanistan are facing a serious threat due to the rise in cyber related crimes and increase in privacy breach and data thefts. This threat lurks around the national security as weak cyber security might debilitate a nation and give rise to cyber terrorism. 

ISSUES RAISED

These are the following issues which needs to be addressed :

1.     Why are developing nations more affected than the developed ones?

2.     How the trends in the cyber world are hampering the privacy and data of individuals?

3.     Are the present laws in India sufficient to tackle the privacy issue?

1.    EMERGING FIELD OF “CYBER-SECURITY” AND ITS IMPORTANCE 

In the ongoing era of technological advancement, cyber security plays an imperative role. National security and economic advancement lies within the domain of cyber security. It is incumbent upon the governments to frame policies inculcating the nuances of cyber security and protecting the privacy of citizens. Cyber-crimes are a result of the debilitated security system of a nation and deterring the same becomes an integral component of national cyber security and protection strategy[iii]. The challenges posed by cyber security are global and far reaching, thus, it needs to be addressed by a coherent redressal mechanism and strategy.

At the advent of computers, little did the software developers know about the security concerns and the need for creating security programmes was not much given importance. However, in the late 1980’s[iv], the need was felt and there were major developments done in the system such as encryption in the system, which provided privacy to the users.

2.    DEVELOPING NATIONS ARE MORE CHALLENGED BY THE THREAT OF CYBER WORLD THAN DEVELOPED NATIONS

The developing nations lack proper planning for the application of new technologies and communication advancements. The hackers often use high tech skills to interlude in someone’s network in order to steal data or  for other fraudulent purposes. In these nations, the cyber-crimes occur at a higher rate due to factors such as high unemployment, wage issues, rapid broadband width and other economic and institutional factors.[v]

With increase in technological and broadband access, the developing nations are becoming a fertile ground for hackers. With the expansion in broadband networks, the China facing a rise in cyber-crimes. Recently, China has set up the world's largest optic fiber network and mobile broadband network and the total length of optical cable is around 59.58 million kms[vi]. In India, as of March 2021, there were 22.8 million wired broadband connections in India and the growth rate in March was around 2.2%, according to the data of TRAI[vii].

Spamming has become one amongst many forms of cyber-crimes. With the cheap email services and mobile communication, there has been a rise in spamming activities. In various reports it has been observed that spam mails account for more than 50% of all mail sent globally, with nearly 26.5% of those being used for fraudulent financial gains.[viii]

Moreover, due to the expansion of the internet, the cyber-crimes have become more complex to solve by the police force. The Investigation Authorities lack adequate training forces in the domain of cyber-crimes, and consequently am investigation relted to such crimes yields little to no result.[ix]Their permissive regulatory regimes make them vulnerable to hackers. In developed countries like Europe, there are laws such as the General Data Protection Regulation (GDPR) which is considered as the toughest privacy and security law in the world. It imposes obligations onto the organizations anywhere around the globe so long as they collect the data of EU citizens.[x] On the other side of the coin, Third world nations such as India, and Africa which lack proper regulatory bodies to effectively deal with this issue.

3. THE CYBER WORLD AND THE NEED FOR PRIORITIZATION OF PRIVACY AND DATA PROTECTION OF NETIZENS

“Privacy is a human right” these were the words enumerating in the Universal Declaration of Human Rights (UDHR) and reverberating from the session of the General Assembly in 1948.[xi]The Internet and emerging technologies have adversely generated the capacity of manipulation and sharing of humongous chunks of data which has ultimately led to spawn in trading of data. It is said that personal information is a new currency in the new millennium.[xii]The companies are putting up with high stakes for collection of data of customers and which is leading to commodification of data. The legal experts are, however, precarious of treating personal information as a "property" might lead to compromising with the informational privacy of individuals.[xiii]

As George Orwell, in his book “Nineteen Eighty Four”, wrote "There was of course no way whether you were being watched at any given moment.... live - did live, from habit that became instinct - in that every sound you made was overheard, and, except every moment scrutinized." [xiv]

In the case study of "wOZNet", a wearable identification device, it was observed that once the data gets commercialised, the whole life will get regulated by that single chip. For example, if a user sets parameters for notification, the wOzNet can generate alerts, by phone or by email, that let the owner know about the same.[xv] The OZ’s  wireless chips permit extensive and continuous collection of personal data by assigning a Unique Identification code to that individual which keeps a track of that person’s position.

Let us assume a hypothetical situation in a shopping expedition relating to the consequences of these wearable chips. George, a citizen of Wall Maria, went to an Apple store and therein the store’s computer detected the chip’s network and formulated George’s whole purchase history and record of previous transactions. It also tracked his area of interests with regard to the purchase of mobile phones. Generally, he might get more attention than other customers, in case, his purchase history shows him as a heavy spender. But, if he does not, then his whole market profile might hamper his future purchases as the data is shared amongst all other companies as well. Therefore, it raises significant privacy concerns and the need for data protection of citizens. Balancing cyber security, cyber-crime and right to privacy is majorly a complex task because of the nature of the cyberspace which is borderless.[xvi]

In developing countries like India, Bangladesh and Africa, privacy concerns are more prominent as the citizens, usually, are not aware about their data being misused or do not bother to enquire about the same. For instance, in India, the Constitution does not explicitly recognize right to privacy as a fundamental right but under the veil of Article 21 i.e. Right to personal liberty.[xvii] The judgement on the implementation of "Aadhar" was widely criticized by notable luminaries as being violative of individual’s privacy. Aadhar is a 12 digit unique identity number and it was made mandatory upon the residents to submit their biometric data including scanning of fingerprint and retina and the database was stored in a centralized bases by the UIDAI.[xviii] It can be implied that as the low-income families are the ones mainly on the radar of welfare schemes of the States, there are high chances of vulnerability to harm through misuse of the system.

In Bangladesh, the Constitution does have the provision to safeguard communication privacy under Article 43(B)[xix]but, sadly, such protection does not usually extend to the breach of privacy caused by a private entity or caused through peer-to-peer data-sharing.[xx] The ICT Act, 2006 includes legal provisions for digital signature, electronic records but again it does not have any provision for privacy or data protection. However, with the enactment of the Digital Security Act, 2018, the country has stepped into the domain of data protection and safeguarding the privacy of individuals. Section 26 of the abovementioned Act explicitly prohibits selling, collecting, preserving, supplying of identity information of individuals without their explicit consent.[xxi] In this manner, the nation has put efforts to protect its citizen's data and ensure the protection of  their privacy.

Analysing the condition of African nations, it is somewhat similar to other third world nations. Around137 out of 194 countries had put in place legislation to secure the protection of data and privacy. However, Africa and Asia show different level of adoption with 61 and 57 per cent of countries having adopted such legislations respectively. The share in the least developed countries is only 48 per cent.[xxii] In these nations, there is prevalence of noncomprehensive data protection and privacy laws which makes the enforcement difficult and create loopholes for data controllers leading to exploitation and, ultimately, jeopardizing the goal of enacting the laws.[xxiii]

Another issue with these nations is autonomy of the data protection authorities. Almost all the data protection laws mandate one agency with authority to impose the laws which further reports it to the minsters or to the executive arm of the State. Due to this, there arises higher chances of political influence and regulatory capture. The relevant framework would be to report to the Parliament which grants such autonomy to the agency.

In sum, these abovementioned nations have acknowledged and responded to the need of modern data protection and privacy laws to provide adequate protection to the citizens. However, these laws need to be revised and amended to be at par with the GDPR and make them suitable to the changing dimensions of the digital market.

4.    THE TRAJECTORY OF DATA PROTECTION, CYBER SECURITY AND PRIVACY IN INDIA

India is one of the most vulnerable nations in terms of weak cyber security and unregulated data protection laws. She was amongst the top three nations alongside Japan and Australia, in terms of most attacked countries in Asia.[xxiv] Though there is the right to privacy which is implicitly recognized by the Constitution of India under Article 21 as a part of personal liberty, there is no particular law or article specifically dealing with cyber security and privacy as an explicit constitutional right.

However, the Judiciary has played an active role in recognition of this right to privacy. In Kharak Singh v. State of UP[xxv]it was observed by Justice K. Subba Rao in minority opinion “It is true our Constitution does not expressly declare a right to privacy as a fundamental right, but the said right is an essential ingredient of personal liberty.” In Govind v. State of MP[xxvi], Justice Mathew asserted that right to privacy is itself a fundamental right, but subject to restrictions on the basis of public interest. In People’s Union for Civil Liberties v. Union of India[xxvii], the division bench held “It is no doubt correct that every government, howsoever democratic, exercises some degree of sub rosa operation as a part of intelligence outfit but at the same time citizen’s right to privacy has to be protected from being abused by the authorities of the day.”  In K.S Puttaswamy v. Union of India[xxviii], Justice D Y Chandrachud in a dissenting opinion held “the right to privacy cannot be denied, even if there is a miniscule fraction of the population which is affected. The majoritarian concept does not apply to constitutional rights and the courts are often called upon to take what may be categorized as a non- majoritarian view, in check and balance of power envisaged under the Constitution.” In Unni Krishnan, J.P  v. State of Andhra Pradesh[xxix] it was held “ several unenumerated rights fall within Article 21 since personal liberty is of widest amplitude which also includes right to privacy.” In another landmark case of Navtej Singh Johar v. Union of India[xxx], Justice Indu Malhotra concurring held that "It is declared insofar as Section 377[xxxi] criminalizes consensual sexual acts of adults (i.e. persons above the age of 18 yrs. who are competent to consent) is private, is violative of  Article 14, 15, 19 and 21." In Vinit Kumar v. The Central Bureau of Investigation[xxxii] it was observed that “The proposition that illegal tapping of telephone conversation violates right to privacy is now accepted and reinforced as guaranteed fundamental right under Article 21 of the Constitution of India.”

Apart from judicial pronouncements, committees such as B.N Sri Krishna Committee analysed the issue and submitted its report on 27 July 2018 titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, along with a draft Data Protection Bill, to the Ministry of Electronics and Information Technology.[xxxiii]However, the draft data protection bill is still a hanging fire and yet to be enforced. According to Human Rights Watch[xxxiv], “India’s proposed data protection law undermines everyone’s, including children’s, fundamental rights to privacy and security by enhancing the power of the state to conduct surveillance.” There is a sudden rise in the state surveillance exacerbating the issue of privacy by the enforcement of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules are antithetical to privacy and freedom of expression, as they allow greater governmental control over online content and threaten to weaken encryption.[xxxv]

During 2021-2023, there have been a series of data breaches by Air India, Domino’s, Facebook, alleged to have compromised the personal data of crores of Indian people and highlighting the need for India to modernise its cyber security standards.[xxxvi] Till date, there is only a single law i.e. The Information Technology Act, 2000 which covers the key issues such as data privacy, protection albeit not exclusively and in depth.[xxxvii] In 2023, the government  proposed the Digital India Bill to succeed the IT Act, 2000, which is a laudable step. Therefore, there is dire need for proper legislation dedicated only towards protection of data and privacy with proper enforcement and regulatory bodies.

5.    COMPARISON OF THE GDPR WITH OTHER LAWS

It is well known that The General Data Protection Regulation (GDPR) is the strongest privacy law formulated till date. There are certain comparisons with other laws that need to be focused while dealing with the issue of privacy :

1. Autonomy: In almost all other developing nations laws, there is lack of autonomy to the regulating body. However, in GDPR, the right to autonomy is deeply entrenched in its principles.[xxxviii]

2. Consent: The GDPR mandates the organizations to get consent before processing most types of personal data. While laws such as, Protection of Information Act (POPI)[xxxix] in South Africa, does not do so.

3. Penalty: In case of serious infringements of the General Data Protection Regulation, the fines can extend upto €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher.[xl] While, as per the Privacy Act, it is AU $ 2.1 million in case of non-compliance with the law.[xli]

4. Right: The GDPR exclusively and significantly recognises the use of words “rights’ as in right to access information, to limit or to object. While, in India’s IT Act, 2000 there is a lack of specific reference to some significant rights as in GDPR[xlii].

CONCLUSION

In sum, privacy plays a pivotal role in the development of a democratic nation. In this connected world, it is impossible to prevent information from escaping onto the public platform. The cyber- crimes are looming large and without any proper legislations, the developing nations are under serious threat. The enforcement procedures need to be revised and reviewed accordingly. There is a need to establish regulatory bodies to censor the service providers. The way forward for the developing nations would be to strengthen their laws and lay special emphasis on data protection regulatory authorities. The developing nations must try to impose greater penalties in case of breach by the companies. The consent of individuals must be taken before dealing with their private information. Declaration of specific digital rights in the laws of the land is a call of action much needed. The lack of comprehensive data protection laws is a matter of concern. The nations must try to incorporate provisions from stringent laws such as EU’s GDPR, Australian Federal Privacy Act, 1988 etc for a better version of their existing laws.

ENDNOTES-

[i]“India is now world’s third largest Internet user after U.S., China,” Thehindu.com, 2013available at: https://www.thehindu.com/sci-tech/technology/internet/india-is-now-worlds-third-largest-internet-user-after-us-china/article5053115.ece (last visited May 15, 2023).

[ii]Muli David Tovi and Mutua Nicholas Muthama et.al., “Addressing the Challenges of Data Protection in Developing Countries ”, 1 European Journal of Computer Science and Information Technology 1- 9 (2013).

[iii]Manoj Jakhar, Cyber Crime An Introduction 182 (Random Publications, New Delhi, 2019).

[iv]Thomas A. Johnson (ed.), Cyber Security - Protecting Critical Infrastructure from Cyber Attack and Cyber Warfare 26 ( Taylor and Francis Group, USA, 2015).

[v]Nir Kshetri, “Diffusion and Effects of Cyber-Crime in Developing Economies” 31 Taylor and Francis Group 1057-1079 (2010).

[vi]Number of Chinese netizens rises to 1.06 billion; internet availability rate reaches 75.6% - Global Times,” Globaltimes.cn, 2023 available at: https://www.globaltimes.cn/page/202303/1286575 (last visited May 17, 2023).

[vii]Sindhu Hariharan, “Faster growth in broadband users” The Times of India (Times Of India, 2021)available at: https://timesofindia.indiatimes.com/business/india-business/faster-growth-in-broadband-users/articleshow/83933589.cms  (last visited May 19, 2023).

[viii]DQINDIA Online, “The role of email spam in 2023 for cybercrime” Data Quest, 2023 available at: https://www.dqindia.com/the-role-of-email-spam-in-2023-for-cybercrime/ (last visited May 19, 2023).

[ix]Supra Note 2.

[x]“What is GDPR, the EU’s new data protection law? - GDPR.eu,” GDPR.eu, 2018available at:  https://gdpr.eu/what-is-gdpr/ (last visited May 23, 2023).

[xi]Paul M. Schwartz, “Property, Privacy, and Personal Data” 117 Harvard Law Journal 2023 (2004).

[xii]Ibid.

[xiii]Id at 118.

[xiv]George Orwell, Nineteen Eighty-Four 24 ( Secker & Warburg, London, 1949).

[xv]Paul M. Schwartz, “Property, Privacy, and Personal Data” 117 Harvard Law Journal 2023 (2004).

[xvi]Ministry of Communications and Information Technology, “52nd Report on Cyber Crime, Cyber Security and Right to Privacy” 44 (12th February, 2014).

[xvii]The Constitution of India, art. 21.

[xviii]Mehab Qureshi, “The Evolution of Right to Privacy in India: A Look at the Past, Present & Future” TheQuint (The Quint, 2021)available at:  https://www.thequint.com/tech-and-auto/the-evolution-of-right-to-privacy-a-look-at-the-past-present-and-the-future (last visited May 25, 2023).

[xix]The Constitution of Bangladesh, art. 43(B).

[xx]“Bangladesh steps into the data protection regime,” The Daily Star, 2019 availableat: https://www.thedailystar.net/opinion/human-rights/news/bangladesh-steps-the-data-protection-regime-1726351#:~:text=With%20the%20enactment%20of%20the%20Digital%20Security%20Act%2C,Act%2C%202018%20defines%20personal%20data%20as%20%22identity%20information%22. (last visited May 29, 2023).

[xxi]The Digital Security Act,2018 (Act XLVI of 2018), s. 26.

[xxii]“Data Protection and Privacy Legislation Worldwide,” UNCTAD, 2023 available at:https://unctad.org/page/data-protection-and-privacy-legislation-worldwide (last visited June 2, 2023).

[xxiii]Idris Ademuyiwa and Adedeji Adeniran,“ Report of Assessing Data Protection and Privacy in Africa” 4-5 ( 2020).

[xxiv]IANS, “Cyber-attacks: India among top 3 most-affected nations in Asia in 2021” @bsindia (Business Standard, 2022)available at: https://www.business-standard.com/article/international/cyber-attacks-india-among-top-3-most-affected-nations-in-asia-in-2021-122022400945_1.html (last visited June 4, 2023).

[xxv]AIR 1963 SC 1295, ¶ 28.

[xxvi]AIR 1975 SC 1378.

[xxvii]AIR 1997 SC 568, ¶ 1.

[xxviii](2017) 10 SCC, ¶ 144-146.

[xxix](1993) 1 SCC 645, ¶ 29, 30.

[xxx]AIR 2018 SC 4321.

[xxxi]The Indian Penal Code, 1860 ( Act 45 of 1860), s. 377.

[xxxii]2019 SCC OnLine Bom 3155, ¶ 8.

[xxxiii]Ministry of Communications and Information Technology, “Report on A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” 44 (12th February, 2014).

[xxxiv]“India: Data Protection Bill Fosters State Surveillance,” Human Rights Watch, 2022available at: https://www.hrw.org/news/2022/12/23/india-data-protection-bill-fosters-state-surveillance#:~:text=%E2%80%9CIndia%E2%80%99s%20proposed%20data%20protection%20law%20undermines%20everyone%E2%80%99s%2C%20including,Ganguly%2C%20South%20Asia%20director%20at%20Human%20Rights%20Watch.  (last visited June 7, 2023).

[xxxv]Ibid.

[xxxvi]Supra note 18.

[xxxvii]Shiv Shankar Singh, “Privacy and Data Protection in India: A Critical Assessment” 67 Journal of the Indian Law Institute 663-677 ( 2011).

[xxxviii]Shraddha Kulhari, Building-Blocks of a Data Protection Revolution, Nomos 29 (2017).

[xxxix]“Protection of Personal Information Act (POPI Act) - POPIA,” POPIA, 2023available at: https://popia.co.za/ (last visited June 12, 2023).

[xl]“Start page,” GDPR Summary, 2021available at: https://www.gdprsummary.com/ (last visited June 12, 2023).

[xli]OAIC, “Higher penalties to help protect Australians’ privacy” OAIC, 2023available at: https://www.oaic.gov.au/newsroom/higher-penalties-to-help-protect-australians-privacy#:~:text=Under%20the%20draft%20bill%2C%20the%20maximum%20penalty%20of,per%20cent%20of%20the%20entity%27s%20annual%20Australian%20turnover. (last visited June 12, 2023).

[xlii]The Information Technology Act, No. 21 of 2000.