Author: Nikunj Pandey, III year of B.Com.,LL.B. from Institute of Law, Nirma University, Ahmedabad
Co-author: Mumal Kunwar Bhati, III year of B.Com.,LL.B. from Institute of Law, Nirma University, Ahmedabad
Introduction
Right to Privacy means “right to live alone, right to be free from any unwarranted interference”[1]. In India, development of privacy as a right could be traced back to plethora of cases where right to privacy was in question; however none of the cases could give privacy its due importance. Further, in 2017, K.S. Puttaswamy judgment[2] fueled the spark that was going on for years, which declared privacy as a fundamental right under Indian Constitution and hence it became as important as any other fundamental right. But the question that arises “Is constitution really protecting Right to Privacy in cyber space?”
Today, we are living in the technologically possessed world; with the advent of technology it had brought revolution in the lives of people. Everything is available at a mouse click from shopping to study, from food to travel etc. However, in the ease of doing transaction we are not realizing that after disseminating all our details on the online platform we are paving way for the criminals to creep into our privacy.
The right is available but there are no sufficient remedies to protect this right, this is evident from the rampant increase in cyber crimes across India and there lies the major challenges before the Government to fill the gaps in the existing legislation.
Cyber crime and right to privacy
The right to privacy is a crucial natural requirement of every human being since it establishes boundaries around an individual, limiting other people’s access. Accessing the personal or proprietary information of a person illegally and without his/her permission amounts to breach of right to privacy.
Cybercrime infringes the human rights of freedom of speech and expression, right to privacy, freedom of opinion and free flow of information. As cyber security threats are becoming increasingly widespread, complex and intense the breach of such human rights will grow. The cyber security issues are directly and substantially privacy and data security issues. With the recent revolution of social media and smart technologies, threats related to information security are elevating. Huge chunks of private data are left open to cyber attacks as firms struggle to stay up with the shifting landscape created by innovative technologies social practices and ever changing risks.
It becomes a matter of worry that though guaranteed by the Indian constitution as fundamental rights, there is no proper remedy available to protect our privacy.
Challenges to cyber security
Technology in creases risks of cybercrimes
Large-scale initiatives like Digital India with the 2nd largest internet users[3] globally offers dramatic progress but this revolution of technology is exposing our society to newer and bigger fundamental threats. Although such technological advancements leading us to a better future but at the cost of our privacy.
The new-age technologies like IoTs, AIs & cloud services are accumulating more and more data from individuals, Business entities, Government at one place, making it more vulnerable by opening up window for cyber crooks to commit significantly bigger, more lucrative cyber attacks.
This enormous data of general public stored with various organizations consists personal information such as fingerprints, sexual orientation, job profile, family details, living standards etc., it is vexatious to not have any dedicated law for the protection of our privacy.
Threats to cyber security will only intensify as the technology advances and no. of internet user increases. It has now become a norm today to allow the social media platforms to access, retain & process our personal data to sell it for targeted advertisements and other purpose. We have risked our privacy to access their services and as a consequence they now possess information like our location to daily activities, from the hotel we checked in to our photos. The breach of such information contends to serious infringement of our privacy.
Technology-powered increase in cybercrime[4]
1. Artificial Intelligence (AI) / Machine Learning (ML)
AI is a discipline that attempts to build smart systems and explore techniques for resolving complicated issues which are supposed to be solved by human thought, reasoning and judgment abilities.
ML is the study of building advanced software applications, that can constantly self upgrade or enhance their performance by experience. These technologies are deployed in a no. of industries to improve the efficiency and scalability of systems.
AI/ML poses potentially bigger threats to the data of different individuals, groups, and organizations by increasing the frequency, efficiency, volume and automation of attacks.
2. IoT and cyber crime
Cybercrime’s threat landscape has been widening as devices, sensory systems, appliances and cameras which constitute the IoTs continue to rise in numbers. By 2025, 41.6 billion linked IoT devices (or “things”) will be producing 79.4 Zettabytes (ZB) of data as per the projections of International Data Corporation[5].
Data acquired by IOT devices is becoming increasingly prone to theft, corruption, obliteration, coercion ad trade. It introduces new risks in existing IT systems and environments by widening the attack surface for cybercrime.
3. Privacy enhancing technologies PETs
Cyber crooks could deploy the PETs to commit illicit activities making it more difficult to track and investigate such criminal acts. Such technology could also be used to gain access to private information.
Data accumulation: causing serious threat
Data is the new oil
– Mukesh Ambani
As we walk through different websites to shop, book doctors’ appointment or pay the bills. A digital profile has been created of our private information, which is left vulnerable to theft and other cyber crimes that amounts to breach of privacy.
With the steady advancements of Artificial Intelligence, social media and e-commerce platforms, this digital profile of our private data is not only retained but further used for other monetary purposes. In 2018, the Facebook-Cambridge Analytica[6] case drew the attention of several nations to the protection of their citizens’ privacy.
Big data analytics contends that it could be used in detecting cyber risks at an early stage by employing advanced analysis methods. Big data can be equipped in enhancing public safety and security measures and can play a vital role as a problem solving too. On the other hand it brings more complexities in safeguarding the private information.
Peter Wood, Chief Executive Officer of First Base Technologies LLP and a member of the ISACA London Chapter Security Advisory Group, explains that the crux of the issue is that big data's volume and velocity[7] “expands the boundaries of existing information security responsibilities and introduces significant new risks and challenges.”[1]
Insufficiency of Privacy legislation
Limitation of existing code
There is no illustrative data protection structure in our country, however the limited and insufficient laws that are dealing with the protection of data are Information Technology Act, 2000 and Information Technology (Reasonable security practices &procedures & sensitive personal Data or information) Rules, 2011.
IT Act deal with the violation of an individual’s right to privacy through digital means , however this act is not self sufficient to tackle repugnant increase in cyber crimes because of its provision being limited in scope. There have been amendments in the act and the new provisions are inserted but it could not provide for the efficiency of the existing act. With the changing dynamic, there have been explosion of new ways of committing crime through internet and this existing act being archaic could not get away with this growing menace of cyber crime.
Low conviction rate
Another loophole of this act is the worrying conviction rate over the years. According to National Crime Records Bureau report[8] there were total of 21,970 cases were registered from 2015 to 2020, however, the cases that went under trial were 382, out of which only 99 were convicted. These numbers are evident of the fact that there is no deterrence in the mind of people since the laws are not stringent enough that could create fear in the minds of people.
Delay in passing of Personal Data Protection Bill (PDPB)
In 2017, when the court pronounce judgment to declare privacy as a fundamental right gave rise to a hope that it would bring in an expressed legislation to govern data protection.
The Personal Data Protection Bill, which was the first active step towards the legislation of data privacy norms, was drafted in 2018, as a result of a committee headed by B.N Srikrishna[9], which deliberated upon the issue related to data protection and came up with this bill. This bill aims to achieve objective of providing security to the personal data of citizen by government and companies.
Moreover in 2019, this bill was submitted in Lok Sabha and was sent to Joint Parliamentary Committee for further deliberation. As of now, both the houses have granted fourth extension to Joint Parliamentary Committee[10] to submit its report on this bill, which is causing an indefinite delay for the bill to become an act and thus it has been 4 years and we have no codified law for the protection of right to privacy.
Recent cases of Data breaches in India
In the annual report of Indian Computer Emergency Response Team 2020[11], recorded 11,58,208 incidents of website intrusion & malware propagation, malicious code, ransom-ware attacks, data breaches & vulnerable security.
Till June 2021, more than 6.07 lakhs cases of cyber attacks were observed, and the leading cases of Dominos, Air India, Upstox, SBI, where the data of millions of customer were leaked from the database of company is a serious cause of concern for the government.
Although Section 43A of Information Technology Act,2000[12] provides for the responsibility of corporate bodies who are negligent in handling the sensitive personal data of its customers. Initially there was no specific definition of sensitive personal data under the IT Act, further the definition was given by the Information Technology (Reasonable security practices &procedures & sensitive personal Data or information) Rules, 2011. However, these rules have limitation that they apply only to body corporate and exclude the Government.
This make it even more necessary to expedite the process of Personal Data Protection Bill and make this an act, as this would govern all the public and private entities and would give more comprehensive definition of vague terms so as to provide for gaps in the existing code.
Conclusion
The legislation for privacy with respect to cyber space is still in its nascent stage and therefore, the Government has a key role to ensure that the rights of individuals are not intruded due to negligence.
Despite progress being made on enacting cyber laws and implementing them, cyber crime is still not nipped in the bud. Hence, Internet users need to be more careful of the sites they visit, know the privacy policy of these websites to protect their personal data as much as possible.
With the new technologies, hackers are also coming up with the new ways of committing crimes. There is need of amended legislation to accommodate the persistent and ever-changing threats to privacy in cyberspace. There is need of engaging with the private sector on the issue of cyber security implementation and privacy safeguards that still need to be strengthened.
Some suggestive measures to combat this threat-
The PDPB, bill which is still under debate shall be passed expeditiously, which would eventually help in reducing increasing cases.
The legislation shall be timely amended according to the changes taking place in the technology
Government shall come up with more and more awareness campaigns so as to make citizen aware of the potential risks
Now, this is the need of an hour for Government to come up with stringent laws against this contagious disease of cybercrime which would uphold the right to privacy of an individual in this techno-savvy world.
[1] Right To Privacy Under Article 21 and the Related Conflicts (legalservicesindia.com) [2] https://indiankanoon.org/doc/127517806/ [3] https://www.statista.com/statistics/262966/number-of-internet-users-in-selected-countries/ [4] https://www.rand.org/content/dam/rand/pubs/research_reports/RRA100/RRA137-1/RAND_RRA137-1.pdf [5] https://www.businesswire.com/news/home/20190618005012/en/The-Growth-in-Connected-IoT-Devices-is-Expected-to-Generate-79.4ZB-of-Data-in-2025-According-to-a-New-IDC-Forecast [6] https://www.bbc.com/news/technology-54722362 [7] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2014/cs_201412/ [8] Crime in India Table Contents | National Crime Records Bureau (ncrb.gov.in) [9] https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf [10] Privacy Delayed Is Privacy Denied (thewire.in) [11] https://www.cert-in.org.in/Downloader?pageid=22&type=2&fileName=ANUAL-2021-0001.pdf [12] https://indiankanoon.org/doc/39800/