Class Notes on PG. Diploma Cyber Law – Information Technology Law (SEM II)
Information Technology Act, 2000 (with Amendments update)
Nature and Scope of the Act
Objectives of IT Act
To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communications, commonly referred to as “electronic commerce”.
To facilitate electronic filing of documents with Government agencies
To amend the Indian Penal Code, Indian Evidence Act, 1872, The Bankers Book Evidence Act, 1891 and the Reserve Bank of India, 1934
Regulatory Bodies and Dispute Settlement Mechanism, under the Act
48 Establishment of Cyber Appellate Tribunal
(1) The Central Government shall, by notification, establish one or more appellate tribunals to be known as the Cyber […] Appellate Tribunal.
(2) The Central Government shall also specify, in the notification referred to in sub-section (1), the matters and places in relation to which the Cyber Appellate Tribunal may exercise jurisdiction.
52A Powers of superintendence, direction, etc.
The Chairperson of the Cyber Appellate Tribunal shall have powers of general superintendence and directions in the conduct of the affairs of that Tribunal and he shall, in addition to presiding over the meetings of the Tribunal, exercise and discharge such powers and functions of the Tribunal as may be prescribed.
Privacy Issues in the Cyber World
“The Internet is a super-recorder,” says John McCarthy. Technology allows more accurate information gathering. There is a powerful debate around the fears we have. According to McCarthy, “We are getting a very clear picture of who you are.” Nowadays, the more information a company has, the more valuable it is.
With the evolution of technology, our concerns have changed. In the past it was nearly impossible to record any information about people. Nowadays we can retrace every web site a customer has visited. According to David Sobel, the Internet acts like a massive deregulator. “Government has become a seller of information to the private sector,” he said.
Is there a solution? One solution would be the self-regulating market approach. According to Jerry Kang, “If the personal information is valuable, then the market has a price for it.” For example, if Amazon.com values information, it can buy it by giving the customer a coupon with a dollar value.
The issue of privacy in the cyber world also depends on the level of knowledge of the customer. Many Internet users are not aware of the amount of data institutions have on them. It was suggested that a potential solution would be encryption, already used for credit card transactions. A legal framework is also needed, the panelists noted. No one solution is the answer because of cyber crime.
Data Protection Principles
Personal data must be:
1. Processed fairly and lawfully.
2. Obtained for specified and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the “data subject’s” (the individual’s) rights.
7. Securely kept.
8. Not transferred to any other country without adequate protection in situ.
Privacy Rights of Data Subjects
The purpose of these rights is to empower and enable subjects to check what data relating to them is being held and what is being done with it. These rights come with responsibilities; they are not granted to subjects so that they may make enquiries out of idle curiosity, but rather so that they can check what data is being processed on them and how accurate that data is.
The rights of data subjects are as follows:
- The right to establish the existence of personal data;
- The right of access;
- The right of objection;
- The right of rectification.
These rights are discussed in greater detail below.
The right to establish the existence of personal data
Section 3 of the Data Protection Acts provides that subjects may request in writing to be informed whether a person is keeping data relating to them. That person must respond to the request, and if data is being kept then they must provide a description of the data and the purpose of its processing. This right has several advantages over the broader right of access: it is quicker (21 days versus 40); cheaper (free, versus €6.35 for the section 4 right); and broader (there are no exceptions to this right). However, the right is an anachronism, a holdover from the 1981 Strasbourg Convention, and such a right is not required by the Data Protection Directive.
The Right of Access
Section 4 of the Data Protection Acts provides a right of access. Any data subject may request access to their personal data; such a request must be made in writing, be accompanied by a fee of €6.35 and contain such information as the controller “…may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information”. The subject must fulfil all of these criteria before time will begin to run, but once time begins to run the controller has 40 days within which to respond to the request. The 40 days are calendar days, not business days, so a controller has a little less than 6 weeks within which to respond to a request. When responding to a request the controller must:
- Inform the requestor whether or not it processes data relating to the requestor;
- If it does, then provide the requestor with a description of the following:
  - The categories of data being processed;
  - The purpose of the processing;
  - The personal data;
  - Any recipients of the data.
- Have the data communicated to them in an intelligible form;
- If the automated processing of this data will form the sole basis upon which a decision will be made relating to the subject, then the subject must be informed of the logic of the processing.
There are a few exceptions to the right of access, but the data will have to be released unless those exceptions apply.
The right of rectification or erasure
If data is being processed in breach of the Data Protection Acts then subjects have the right to request its rectification or erasure. Such a request must be made in writing. Controllers should comply with such requests as soon as possible and must do so within 40 days. Where data is inaccurate or out-of-date then the subject will be deemed to have complied with such a request if he supplements the data. Where the controller makes such a change in response to a request, then the controller must inform the subject that the change has been made and also inform anyone to whom the data was disclosed within the previous 12 months.
The Right of objection
Subjects have the right to request the cessation of the processing of their data which is causing or likely to cause substantial damage or distress to him or her or to another person, and the damage or distress is or would be unwarranted. Such a request must be made in writing for the processing either not to begin or else to cease within a reasonable time. Such a request can only be made where the processing is being undertaken:
- in the public interest or in the exercise of official authority or
- in the legitimate interests pursued by the data controller unless those interests are overridden by the interests of the data subject in relation to fundamental rights and freedoms and, in particular, his or her right to privacy with respect to the processing of personal data.
Such a request cannot be made where the subject has given his explicit consent or the processing is necessary:
- for the performance of a contract to which the data subject is a party;
- in order to take steps at the request of the data subject prior to his or her entering into a contract;
- for compliance with any other legal obligation to which the data controller or data subject is subject;
- to protect the vital interests of the data subject;
- for electoral activities.
The ministerial power to regulate for other cases lacks the powers and principles required by the High Court in — and so is not effective. Where such a request is made, the controller must serve a notice within 20 days indicating that:
- the request will be complied with;
- the request will not be complied with, stating the reasons for such non-compliance.
A subject who is unhappy with the response to such a request may complain to the Data Protection Commissioner, who may invoke his power under section 10 of the Data Protection Acts.
Rights in respect of automated data processing
The Data Protection Acts’ apparent prejudice against automated data processing now seems somewhat anachronistic. The reality is that automated data processing systems make decisions about people all the time; it is not at all clear that there is any real point in having such decisions looked over by a living person. It would seem likely that if a controller’s prejudices are reflected in his programming then they will also be reflected in his hiring choices.
What section 6B of the Data Protection Acts says is:
“…a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct”
Many of the decisions that produce “…legal effects concerning a data subject…” will occur in the public sector, where basic standards of fair procedure will apply. Such standards would seem to preclude the taking of such automated decisions in any event, so rendering section 6B partially redundant.
In addition section 6B will not apply where:
- The subject has consented;
- The processing is necessary to comply with a statutory obligation of which the subject has been informed;
- The processing is necessary to enter into or fulfil a contract with the subject;
- The processing will grant a request of the subject and adequate steps have been taken to preserve his rights.
Enforcement is possibly the most interesting aspect of Europe’s Data Protection Laws, but it is an aspect that is frequently overlooked. Data protection is designed to be enforced primarily by users themselves, with supervisory authorities such as the Data Protection Commissioner and the Courts reduced to a supervisory role. This role is conferred on users by giving a number of powers to them, namely: the right of access; the right of rectification; the right to object; and the right to sue.
Protection of Sensitive Data
Protecting sensitive data is the end goal of almost all IT security measures. Two strong arguments for protecting sensitive data are to avoid identity theft and to protect privacy.
The improper disclosure of sensitive data can also cause harm and embarrassment to students, faculty, and staff, and potentially harm the reputation of the Institute. Therefore, it is to everyone’s advantage to ensure that sensitive data is protected.
1. Data security is fundamental
Data security is crucial to all academic, medical and business operations. All existing and new business and data processes should include a data security review to be sure MIT data is safe from loss and secured against unauthorized access.
2. Plan ahead
Create a plan to review your data security status and policies and create routine processes to access, handle and store the data safely as well as archive unneeded data. Make sure you and your colleagues know how to respond if you have a data loss or data breach incident.
3. Know what data you have
The first step to secure computing is knowing what data you have and what levels of protection are required to keep the data both confidential and safe from loss.
4. Scale down the data
Keep only the data you need for routine current business, safely archive or destroy older data, and remove it from all computers and other devices (smart phones, laptops, flash drives, external hard disks).
5. Lock up!
Physical security is the key to safe and confidential computing. All the passwords in the world won’t get your laptop back if the computer itself is stolen. Back up the data to a safe place in the event of loss.
Sensitive personal data
In this Act “sensitive personal data” means personal data consisting of information as to—
- the racial or ethnic origin of the data subject,
- his political opinions,
- his religious beliefs or other beliefs of a similar nature,
- whether he is a member of a trade union,
- his physical or mental health or condition,
- his sexual life,
- the commission or alleged commission by him of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Regulation of Trans-border data flows
The regulation of data flows across national and regional borders under the data privacy laws of dozens of countries and international and regional regulatory instruments is the topic of my new book entitled Transborder Data Flows and Data Privacy Law, which will be published in May by Oxford University Press. European Data Protection Supervisor Peter Hustinx was kind enough to write a foreword to the book.
The subject is too complex to discuss in detail here, but I can share the gist of some of my conclusions:
Regulation of transborder data flows has spread far beyond its original roots in Europe and now includes many countries in Africa, Asia and Latin America as well.
The adequacy approach typified by the EU Directive has been and is likely to remain the most influential model, though other ones—such as the accountability approach—have emerged in recent years.
Technological developments—particularly the growth of the Internet—and globalization raise important questions about transborder data flow regulation. For example, does it make sense anymore to distinguish between “transborder data flows” and any other kind of online data processing, given that data flows on the Internet without regard to national borders?
The types of data transferred across borders have also changed over time. There is now much more data containing information about identifiable persons (i.e., personal data) being transferred than ever before as well as more sharing of personal data between governments—often for law enforcement purposes.
Providing protection to personal data as they are accessed and transferred around the world has attained considerable economic importance and private-sector instruments—such as contractual clauses and internal corporate rules and policies—are increasingly used for this purpose.
There is a need for greater transparency about how data are transferred internationally and for greater interoperability between regulatory approaches.
Regulation tends to focus too much on applying local standards to personal data transferred outside national borders, rather than on the global implications of restricting transborder data flows.
A major theme of the book is the tension between regulation of transborder data flows and other legal requirements. As such regulation has spread, it has increasingly led to conflicts with legal obligations in other areas. Moreover, other important interests—such as freedom of expression and ensuring the free flow of data—are sometimes not sufficiently taken into account.
There is also a disproportionate relationship between the increasing flood of personal data now being transferred online and the limited possibility to enforce transborder data flow regulation by traditional legal means.
Where is the regulation of transborder data flows headed?
The number of countries enacting it will continue to grow and agreement on an international treaty dealing with the subject is highly unlikely, given the different approaches taken in different countries.
However, countries could take certain steps to produce an improved regulatory framework. For instance, if they are going to enact such regulation, then governments should themselves comply with it, which is often not the case. Transborder data flow regulation will continue to spread around the world and to create conflicts with other requirements, which companies and other organizations will have to come to terms with as a permanent feature of the global privacy landscape.
Cyber Laws Issues in E-Commerce
Introduction to L.P.O and B.P.O Business
Offences, Detection and Investigation of Offences under the Act
Penalties and Rule making power
Search and Seizure etc.
80 Power of police officer and other officers to enter, search, etc
(1) Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), any police officer, not below the rank of a [Inspector], or any other officer of the Central Government or a State Government authorised by the Central Government in this behalf may enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or of being about to commit any offence under this Act.
Explanation. For the purposes of this sub-section, the expression “public place” includes any public conveyance, any hotel, any shop or any other place intended for use by, or accessible to, the public.
(2) Where any person is arrested under sub-section (1) by an officer other than a police officer, such officer shall, without unnecessary delay, take or send the person arrested before a magistrate having jurisdiction in the case or before the officer-in-charge of a police station.
(3) The provisions of the Code of Criminal Procedure, 1973 (2 of 1974), shall, subject to the provisions of this section, apply, so far as may be, in relation to any entry, search or arrest, made under this section.
International Documents on Information Technology: Conventions and Treaties
Need for Uniform I.T. Law
Harmonization and Unification of I.T. Laws