Thursday, May 21, 2020
Session with Adv. Mahendra Limaye on Cyber Laws and Cyber Safety
Tuesday, May 12, 2020
Who has legal liability if Aarogya Setu Data is compromised?
The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 was notified
by the Ministry of Electronics and Information Technology on 11 May 2020. This has
again led to a new debate about whether Aarogya Setu app data is safe after this
notification. Adv Dr Mahendra Limaye, a cyber legal consultant, analyzed the
notification, and his reading of it is as below.
The functioning of the Aarogya Setu app, as per the notification, relates to technology
and data management and certain necessary steps required to be taken to ensure
its effective operation to detect and mitigate the spread of the Covid 19 pandemic
and enhance government preparedness at all levels. So the aim and object of the
Aarogya Setu App was never in question, and it is a much applauded move by the
government.
In order to ensure secure collection of data, protection of personal data
of individuals and efficient use and sharing of personal or non-personal data
for mitigation and redress, this notification was specially issued. So we must
understand that this notification was a fallout of the many objections raised
about the security of the personal data collected through this app and about
accountability for the data collected through this app, especially when some
hacker claimed a vulnerability in this huge database. This response also
shows the government’s responsive approach to security concerns raised about the
app, and this is a welcome move.
The notification says that in order to formulate appropriate health responses for
addressing the COVID-19 pandemic, data pertaining to persons who are infected,
at high risk of being infected or who have come in contact with infected
individuals is urgently required. This data includes demographic data, contact
data, self assessment data and location data, collectively called ‘response data’.
The demographic data includes the name, mobile number, age, gender, profession
and travel history of an individual. Contact data covers data about any other
individual that a given individual has come in close proximity with, including
the duration of the contact, the proximate distance between the individuals and
the geographical location at which the contact occurred. Self assessment data
means the responses provided by that individual to the self assessment test
administered within the Aarogya Setu mobile application. Finally, location data
means data about the geographical position of an individual in latitude and
longitude. So the broad categories of data collected through this app by the
government are once again made public by this notification.
The notification also states that the Ministry of Electronics and Information
Technology, Government of India (“MeitY”) is designated as the agency
responsible for the implementation of this Protocol and its developer, the
National Informatics Center shall, under this Protocol be responsible for
collection, processing and managing response data collected by the Aarogya Setu
mobile application.
So it is highlighted that MeitY will be only the supervising
authority. So the government has brought NIC into the picture for protection of
the entire data in the capacity of developer and made its own role minimal in the
capacity of implementer.
Highlights of Principles for collection and processing
of response data:
a. Any response data and the
purpose for which it is collected by NIC shall be clearly specified in the
Privacy Policy of the Aarogya Setu mobile application.
b. NIC shall collect only such
response data as is necessary and proportionate to formulate or implement
appropriate health responses. Further, such data shall be used strictly for the
purpose of formulating or implementing appropriate health responses and
constantly improving such responses.
c. NIC shall process any data
collected by it in a fair, transparent and non-discriminatory manner.
d. Contact and location data
shall by default, remain on the device on which the Aarogya
Setu mobile application has been installed after such data has
been collected. It may be uploaded to the server only for the purpose of
formulating or implementing appropriate health responses.
e. Contact, location and self
assessment data of an individual that has been collected by NIC shall not be
retained beyond the period necessary to satisfy the purpose for which it is
obtained which, unless a specific recommendation to this effect is made in the
review under Para 10 of this Protocol, shall not ordinarily extend beyond 180
days from the date on which it is collected, after which such data shall be
permanently deleted. Demographic data of an individual that has been collected
by NIC shall be retained for as long as this Protocol remains in force or if
the individual requests that it be deleted, for a maximum of 30 days from such
request, whichever is earlier.
f. The response data shall be
securely stored by NIC and shall only be shared in accordance with this
Protocol.
Principles for sharing of response data have also been
stated, which highlight that 1) Response
data containing personal data may be shared with various government
agencies/bodies where such sharing is strictly necessary to directly formulate
or implement an appropriate health response. 2) Response data in de-identified
form may be shared with various bodies with whom such sharing is necessary to
assist in the formulation or implementation of a critical health response. 3)
NIC shall, to the extent reasonable, document the sharing of any data and maintain
a list of the agencies with whom such data has been shared.
Obligations of entities with which response data is
shared include use of such data strictly for the
purpose for which it is shared; the data accessed and used by such entities
should not be retained beyond the period necessary to satisfy the purpose for
which it is shared, in any circumstance; such data shall not ordinarily be
retained beyond 180 days from the date on which it was accessed, after which
such data shall be permanently deleted, etc.
The main concern is who is liable for any privacy violations
committed through a security breach of the Aarogya Setu App. This notification does
not provide any clarity on the said concern. It was clarified that any violation of
these directions may lead to penalties as per sections 51 to 60 of the Disaster
Management Act, 2005 and other legal provisions as may be applicable. The legal
position for the protection of sensitive personal information under section 43A
of the Information Technology Act 2000 is that the State cannot be made responsible in
case of breach of data or lapse in protection of sensitive personal data.
Through this notification the State has clarified that it is acting only in a
supervisory capacity and the National Informatics Center, which is the developer of the
Aarogya Setu app, will own the entire responsibility as far as security and sharing
of response data is concerned.
As regards sections 51 to 60 of the Disaster Management Act,
they have one important protection as related to breach of data, and the
protection is “unless he proves that the offense was committed without his knowledge or that he exercised all due
diligence to prevent the commission of such offense”.
In case of any data breach through the Aarogya Setu app, the defense
will always be available that all due diligence was observed to prevent the
commission of an offense like data theft etc. So in my view this notification clearly
fails to provide any specific measures which the government has suggested for
protection of the data of millions of Aarogya Setu app users. Also, the other
question that remains is whether the provisions of the Disaster Management Act can
be enforced after the disaster is over. If a data breach is reported after the present
pandemic is over, then whether these provisions can be enforced remains a
question in my mind.
Advocate Dr. Mahendra Limaye
About the author- Advocate Dr
Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India.
He specifically practices in Information Technology Act based litigations
before Civil as well as Criminal Courts in India. He has obtained his doctorate
on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.
Thursday, May 7, 2020
"Bois Locker Room" and what next we are waiting for?
It's only when such episodes get national publicity that
suddenly the whole digital world becomes awake, all so called human right
activists become active and start a hue and cry about regularisation of social
media etc. These are the same people who were at the forefront in the matter of the Palghar
incident and came down heavily on Information Technology Act section 66A, which
ultimately led to abolition of the same.
What we sow we reap is an old saying. Our society consists
of the same people who had seen section 66A of the I T Act as draconian and didn’t
want social media to be regulated. They saw regulating social media, which
according to them is the biggest tool of freedom of speech and expression, as
curtailment of Fundamental Rights, and ultimately our Apex Court also viewed it in
a similar perspective.
The underlying object of regulating social media
with reasonable restrictions was never debated seriously and nobody has taken a
futuristic view about the same. With many similar incidents gradually happening
every passing day and when it comes to flash point in Bois Locker Room issue,
people again started debating the need to regulate social media. So is this
completion of the circle?
We started with section 66A, which regulated online
posts on various grounds in 2008, then came the 2015 Apex Court judgement striking
down section 66A of the I T Act, and now with the incident of Bois Locker Room there
will again be enactment of some provisions for regulating social media. Unfortunately
all this is happening when the most awaited regulation regarding Personal Data
Privacy is being studied by the Indian Parliament. In the Puttaswamy case in July
2017, a need was felt to have a regulation to protect the privacy of
individuals, and a panel was formed under the chairmanship of Justice Srikrishna
(Retd.) to draft the new regulation. The Srikrishna commission submitted the draft
bill in July 2018 and it has been before parliament since then, and recently a high
powered committee has again been set up to finalise the same.
If this is the level of priority for privacy
regulation in India, and in the absence of section 66A of the I T Act there is no
deterrence to perpetrators of such heinous acts through social media, Bois
Locker Room incidents will happen regularly.
What was the incident?
An 18-year-old Class 12 student, resident of
Noida, started an Instagram group named "Bois Locker Room", on which
obscene messages and morphed photos of underage girls were shared. 27 more
students of prominent Delhi schools have been members of the group; some were
underage and some 18 and older. The chatroom conversation was exposed by a
girl who was targeted in the group chats, and this has drawn massive anger,
shock and disgust on social media. The manner in which Class 11 and 12 students
casually discussed "gang-raping" girls, and sexualized and slut-shamed them,
has gone viral in screenshots of chats on Twitter and other social media.
"We absolutely do not allow behaviour that promotes sexual violence or exploits anyone, especially women and young people, and have taken action on content violating our Community Standards as we were made aware of it," was the Facebook spokesperson’s response on the episode. The official age of joining Instagram is 13 or above in India as per their policy.
In India a 13 year old person is not capable of entering into a contract, but these social media giants are making a mockery of Indian regulation by providing these young kids with such platforms.
There are basically few questions which need serious debate according to me.
1) Should social media be regulated? If yes, by whom?
2) Should social media obey the right to be forgotten or the right to modify one’s personal information?
3) Do we have a Personal Data Privacy Act as a national priority?
4) Could porn contents be specifically moved to different domains like .xxx?
5) Is this encroachment of digitalisation in every walk of life a must?
6) Are people really aware of the threats posed by AI and other activities?
7) When will Cyber Awareness Education be taught to digital netizens?
Unless we collectively provide answers to
these questions such incidents are bound to happen. For that instance even if
you go through confession pages of schools you will find many such indecent
acts by students, who I am sure are not teens.
If we investigate this scam, the first question that comes to my mind is from where the teen got hold of the photographs. All of us know the answer is simple. The victims themselves might have uploaded these photographs without thinking that these photographs could be grabbed by anyone and used in any place on the earth. At the time of uploading pics they were never told what the consequences of such acts are. I can go one step further and caution the readers that there are syndicates which are trapping many persons carrying out indecent acts on camera and blackmailing them.
The second question is regarding how teens of age group 13/14 were given such liberty by their parents to use social media without proper supervision. Are those parents liable for punishment for the acts of their minor wards? Yes, they must definitely be penalised, similar to the new provisions in the Motor Vehicle Act, where parents are liable for a fine/jail term in case they hand over a vehicle to their under-aged ward. Without parents' supervision digital education will prove to be a disaster in a country of digital illiterates.
Third question is under which provisions of law action will be taken and against whom?
This is a very tricky situation because as per reports a few are teens and will be protected, being juveniles. Those who are above 18 might not have passed any comments which could be strictly punishable under provisions of the I T Act. If IPC is applied, then the act being committed in cyberspace must be covered under provisions of the I T Act, and which provisions of the I T Act are applicable? It’s not Identity Theft nor Personating nor Violation of Privacy as per various provisions of section 66 of the I T Act. Can section 67 or 67A of the I T Act be imposed?
What next is the real question, and the answer for the same lies in the answers to the seven questions posed by me earlier.
The power of collective will by self restraint, to make social media a better place, can only make it possible. All the stakeholders, like we netizens, governments of all the nations, and social media giants along with search engines, should come forward and extend the best possible solution, which will decide the course of the future. From my side CYBER AWARENESS IS THE ONLY MANTRA, which we have been relentlessly carrying out for the last decade.
Advocate
Dr. Mahendra Limaye