Thursday, May 21, 2020

Session with Adv. Mahendra Limaye on Cyber Laws and Cyber Safety

Tuesday, May 12, 2020

Who has legal liability if Aarogya Setu Data is compromised?



The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 was notified by the Ministry of Electronics and Information Technology on 11 May 2020. This has again led to a new debate about whether Aarogya Setu app data is safe after this notification. Adv Dr Mahendra Limaye, a cyber legal consultant, analyzed the notification, and his reading of it is given below.
As per the notification, the functioning of the Aarogya Setu app relates to technology and data management, and to certain necessary steps required to ensure its effective operation to detect and mitigate the spread of the Covid 19 pandemic and enhance government preparedness at all levels. So the aim and object of the Aarogya Setu app was never in question, and it is a much applauded move by the government.
In order to ensure secure collection of data, protection of personal data of individuals, and efficient use and sharing of personal or non-personal data for mitigation and redress, this notification was specially issued. So we must understand that this notification was a fallout of the many objections raised about the security of the personal data collected through this app and about accountability for that data, especially when some hacker made claims about the vulnerability of this huge database. This response also shows the government’s responsive approach to the security concerns raised about the app, and this is a welcome move.
The notification says that in order to formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to persons who are infected, at high risk of being infected or who have come in contact with infected individuals is urgently required. This data includes demographic data, contact data, self assessment data and location data, collectively called ‘response data’. The demographic data includes the name, mobile number, age, gender, profession and travel history of an individual. Contact data covers data about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred. Self assessment data means the responses provided by that individual to the self assessment test administered within the Aarogya Setu mobile application. Finally, location data means data about the geographical position of an individual in latitude and longitude. So the broad categories of data collected through this app by the government are once again made public by this notification.

The notification also states that the Ministry of Electronics and Information Technology, Government of India (“MeitY”) is designated as the agency responsible for the implementation of this Protocol and its developer, the National Informatics Center shall, under this Protocol be responsible for collection, processing and managing response data collected by the Aarogya Setu mobile application.

So it is highlighted that MeitY will be only the supervising authority. The government has thus brought NIC into the picture for protection of the entire data in its capacity as developer, and made its own role minimal in its capacity as implementer.



Highlights of Principles for collection and processing of response data:
a. Any response data and the purpose for which it is collected by NIC shall be clearly specified in the Privacy Policy of the Aarogya Setu mobile application.
b. NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
c. NIC shall process any data collected by it in a fair, transparent and non-discriminatory manner.
d. Contact and location data shall by default, remain on the device on which the Aarogya Setu mobile application has been installed after such data has been collected. It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses.
e. Contact, location and self assessment data of an individual that has been collected by NIC shall not be retained beyond the period necessary to satisfy the purpose for which it is obtained which, unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted. Demographic data of an individual that has been collected by NIC shall be retained for as long as this Protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier.
f. The response data shall be securely stored by NIC and shall only be shared in accordance with this Protocol.

Principles for sharing of response data have also been stated, which highlight that: 1) Response data containing personal data may be shared with various government agencies/bodies where such sharing is strictly necessary to directly formulate or implement an appropriate health response. 2) Response data in de-identified form may be shared with various bodies with whom such sharing is necessary to assist in the formulation or implementation of a critical health response. 3) NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared.

Obligations of entities with which response data is shared include: use of such data strictly for the purpose for which it is shared; the data accessed and used by such entities should not be retained beyond the period necessary to satisfy the purpose for which it is shared; in any circumstance, such data shall not ordinarily be retained beyond 180 days from the date on which it was accessed, after which such data shall be permanently deleted; etc.

The main concern is: who is liable for any privacy violations committed through a security breach of the Aarogya Setu app? This notification does not provide any clarity on that concern. It was clarified that any violation of these directions may lead to penalties as per sections 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable. The legal position on the protection of sensitive personal information under section 43A of the Information Technology Act 2000 is that the state cannot be made responsible in case of a breach of data or a lapse in protection of sensitive personal data. Through this notification the State has clarified that it is acting only in a supervisory capacity and that the National Informatics Center, which is the developer of the Aarogya Setu app, will own the entire responsibility as far as security and sharing of response data is concerned.
As regards sections 51 to 60 of the Disaster Management Act, they carry one important protection in relation to a breach of data, and the protection is “unless he proves that the offense was committed without his knowledge or that he exercised all due diligence to prevent the commission of such offense”.

In case of any data breach through the Aarogya Setu app, the defense will always be available that all due diligence was observed to prevent the commission of an offense like data theft etc. So in my view this notification clearly fails to provide any specific measures which the government has suggested for protection of the data of millions of Aarogya Setu app users. The other question that remains is whether the provisions of the Disaster Management Act can be enforced after the disaster is over. If a data breach is reported after the present pandemic is over, whether these provisions can be enforced remains a question in my mind.


Advocate Dr. Mahendra Limaye

About the author: Advocate Dr Mahendra Limaye is a Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practises in Information Technology Act based litigations before Civil as well as Criminal Courts in India. He obtained his doctorate on the topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.

Thursday, May 7, 2020

"Bois Locker Room" and what next we are waiting for?


It's only when such episodes get national publicity that suddenly the whole digital world becomes awake, and all so-called human rights activists become active and start a hue and cry about regularisation of social media etc. These are the same people who were at the forefront in the matter of the Palghar incident and came down heavily on Information Technology Act section 66A, which ultimately led to abolition of the same.
What we sow we reap is an old saying. Our society consists of the same people who had seen section 66A of the I T Act as draconian and did not want social media to be regulated. They saw regulating social media, which according to them is the biggest tool of freedom of speech and expression, as curtailment of Fundamental Rights, and ultimately our Apex Court also viewed it from a similar perspective.
The underlying object of regulating social media with reasonable restrictions was never debated seriously and nobody has taken a futuristic view about the same. With many similar incidents gradually happening every passing day, and now that it has come to a flash point in the Bois Locker Room issue, people have again started debating the need to regulate social media. So is this completion of the circle?
We started with section 66A, which regulated online posts on various grounds, in 2008; then came the 2015 Apex Court judgement striking down section 66A of the I T Act; and now with the incident of Bois Locker Room there will again be enactment of some provisions for regulating social media. Unfortunately all this is happening when the most awaited regulation regarding Personal Data Privacy is being studied by the Indian Parliament. In the Puttaswamy case in July 2017, a need was felt to have a regulation to protect the privacy of individuals, and a panel was formed under the chairmanship of Justice Srikrishna (Retd.) to draft a new regulation. The Srikrishna commission submitted a draft bill in July 2018; it has been before parliament since then, and recently a high powered committee has again been set up to finalise the same.
If this is the level of priority for privacy regulation in India, and in the absence of section 66A of the I T Act there is no deterrence to perpetrators of such heinous acts through social media, Bois Locker Room incidents will happen regularly.
What was the incident?
An 18-year-old Class 12 student, resident of Noida, started an Instagram group named "Bois Locker Room", on which obscene messages and morphed photos of underage girls were shared. 27 more students of prominent Delhi schools have been members of the group; some were underage and some 18 and older. The chatroom conversation was exposed by a girl who was targeted in the group chats, and this has drawn massive anger, shock and disgust on social media. Screenshots of the chats, showing the manner in which Class 11 and 12 students casually discussed "gang-raping" girls and sexualized and slut-shamed them, have gone viral on Twitter and other social media.
"We absolutely do not allow behaviour that promotes sexual violence or exploits anyone, especially women and young people, and have taken action on content violating our Community Standards as we were made aware of it," was the Facebook spokesperson’s response on the episode. The official age of joining Instagram is 13 or above in India as per their policy.
In India a 13 year old person is not capable of entering into a contract, but these social media giants are making a mockery of Indian regulation by providing such platforms to these young kids.
There are basically a few questions which need serious debate according to me.
1) Should social media be regulated? If yes, by whom?
2) Should social media obey the right to be forgotten or the right to modify one’s personal information?
3) Do we have a Personal Data Privacy Act as a national priority?
4) Could porn contents be specifically moved to different domains like .xxx?
5) Is this encroachment of digitalisation in every walk of life a must?
6) Are people really aware of the threats posed by AI and other activities?
7) When will Cyber Awareness Education be taught to digital netizens?
Unless we collectively provide answers to these questions, such incidents are bound to happen. For instance, even if you go through confession pages of schools you will find many such indecent acts by students, who I am sure are not teens.
If we investigate this scam, the first question that comes to my mind is from where the teen got hold of the photographs. All of us know the answer is simple. The victims themselves might have uploaded these photographs without thinking that these photographs could be grabbed by anyone and used at any place on the earth. At the time of uploading pics they were never told what the consequences of such acts are. I can go one step further and caution the readers that there are syndicates which are trapping many persons carrying out indecent acts on camera and blackmailing them.
The second question is regarding how teens of age group 13/14 were given such liberty by their parents to use social media without proper supervision. Are those parents liable for punishment for acts of their minor wards? Yes, they must definitely be penalised, similar to the new provisions in the Motor Vehicle Act, where parents are liable for a fine/jail term in case they hand over a vehicle to their under-aged ward. Without parents' supervision, digital education will prove to be a disaster in a country of digital illiterates.
Third question is under which provisions of law action will be taken and against whom?
This is a very tricky situation because, as per reports, a few are teens and will be protected as juveniles. Those who are above 18 might not have passed any comments which could be strictly punishable under the provisions of the I T Act. If IPC is applied, then the act, being committed in cyberspace, must be covered under the provisions of the I T Act, and which provisions of the I T Act are applicable? It’s not Identity Theft nor Personating nor Violation of Privacy as per the various provisions of section 66 of the I T Act. Can section 67 or 67A of the I T Act be imposed?
What next is the real question, and the answer to it lies in the answers to the seven questions posed by me earlier.
Only the power of collective will, through self-restraint, to make social media a better place can make it possible. All the stakeholders, like we netizens, governments of all the nations, and social media giants along with search engines, should come forward and extend the best possible solution, which will decide the course of the future. From my side, CYBER AWARENESS IS THE ONLY MANTRA, which we have been relentlessly carrying out for the last decade.

Advocate Dr. Mahendra Limaye