Saturday, October 8, 2022

AFTER FIVE YEARS WE ARE AT SQUARE ONE. How much time will it take to enact Privacy Regulations in India?

 

We are all aware that the Right to Privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21 of the Indian Constitution. This fundamental right is among the most significant today, when almost all of the Indian population is enthralled and captivated by cyberspace for one reason or another, yet we are not aware of the gaps through which this right can be infringed. These loopholes can take the form of cookies and of permissions, explicit or implicit, granted when we access various websites, social media sites, online shopping sites, etc.

Many of us may not even know which specific rules and regulations India currently has to protect this Right to Privacy. Most of us do not even bother about it, because the common perception is, “What can happen if my right to privacy is infringed?” This casual attitude is very dangerous, as social media providers and other online service providers are making merry of Indian citizens’ ignorance about protecting this Right to Privacy and minting tons of dollars.

This casual attitude towards protecting a vital fundamental right was witnessed in the recent Supreme Court hearings, wherein the Government asked for some more time to inform the court what measures it has initiated to frame rules and regulations to protect this very important fundamental right.

When a similar situation arose almost FIVE YEARS AGO, the Government replied in a similar manner, and now WE HAVE AGAIN LANDED AT SQUARE ONE. For those who may not recall the incident that happened five years ago, let us revisit it.

WhatsApp began its operations around 2010 and, from its commencement, did not allow users’ data to be exchanged with any other entity for commercial exploitation. WhatsApp, a non-revenue-generating app, was bought for $19 billion by Facebook in February 2014, with a commercial interest best known to Facebook alone. In the takeover agreement, users as well as the previous owners of WhatsApp were assured that the privacy policy would remain unchanged and that WhatsApp, in its new avatar, would never compromise the data it held on its services. Rather, as per my understanding, it was an essential and voidable term of the contract between the parties.

Nonetheless, in 2016, WhatsApp, now controlled by Facebook, showed its true colours and unashamedly declared a change to its privacy policy, stating that it would now share information with the Facebook family of companies. It is an open secret that Facebook makes money by commercially exploiting all the data it holds.

It needs to be noted that the European Commission has already fined Facebook €110 million for providing incorrect or misleading information during the Commission's 2014 investigation under the EU Merger Regulation of Facebook's acquisition of WhatsApp. When Facebook notified the acquisition of WhatsApp in 2014, it informed the EU Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts. It stated this both in the notification form and in a reply to a request for information from the European Commission. However, in August 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users' phone numbers with Facebook users' identities. The Commission also found that, contrary to Facebook's statements in the 2014 merger review process, the technical possibility of automatically matching Facebook and WhatsApp users' identities already existed in 2014, and that Facebook staff were aware of such a possibility. This establishes the wicked attitude of FB towards different legal regimes in the world.

On 26th August 2016, Writ Petition Number 7663 was filed in India at the Delhi High Court to protect the rights of users of the WhatsApp application after the 2016 update to its terms of service. The High Court of Delhi discarded the writ petition and granted partial relaxation to the petitioner in September 2016. In response to this order, a Special Leave Petition (Civil) No. 804 of 2017 was filed with the Supreme Court, asking, first, whether the privacy policy infringes the right to privacy of its user groups; second, whether the failure of the user to share their data with Facebook is impermissible; and, lastly, whether the way in which WhatsApp obtains user assent is misleading and manipulative. An additional question raised was: do Internet networking systems that allow users to share text/audio/video messages and data and to make audio/video calls constitute ‘telecommunication’ systems, and are they subject to regulation by the competent authorities?

The Supreme Court on September 6, 2017 directed Facebook and WhatsApp to file affidavits explaining what data is being shared by them, which were duly filed by the respective respondents. It was vehemently argued by the petitioner that, privacy being a common law right and also guaranteed under Article 21 of the Constitution, the state must regulate data sharing and enact legislation to protect privacy rights.

It was submitted on affidavit that WhatsApp has built-in privacy in the form of end-to-end encryption and other security features, that it does not store user messages once they have been delivered, and that, the messages being end-to-end encrypted, neither WhatsApp nor third parties can read them. It was also submitted that users may delete their WhatsApp account at any time (including if users want to revoke their consent to WhatsApp’s use of their information) using WhatsApp’s in-app ‘delete my account’ feature.

The Delhi High Court held in September 2016 that the Petitioners’ contention that the proposed change in the Privacy Policy of WhatsApp amounts to infringement of the Right to Privacy guaranteed under Article 21 of the Constitution of India cannot be a valid ground to grant the reliefs prayed for, since the legal position regarding the existence of the fundamental right to privacy is yet to be authoritatively decided.

Thereafter, in 2017, WhatsApp and Facebook filed a Special Leave Petition with the Supreme Court seeking consideration of the following issues: 1) whether the privacy policy infringes the right to privacy of its user groups; 2) whether the failure of the user to share their data with Facebook is impermissible; 3) whether the way in which WhatsApp obtains user assent is misleading; and 4) whether Internet networking systems that allow users to share text/audio/video messages and data and to make audio/video calls constitute ‘telecommunication’ systems and are subject to regulation by the competent authorities.

In this SLP, the Government on 6.9.2017 submitted an Office Memorandum dated 31.7.2017 stating that it had constituted a Committee of Experts to deliberate on a data protection framework for India and that data protection legislation can only be brought forward after the report of the Committee of Experts has been discussed. It was further stated that the Government of India is cognizant of the growing importance of data protection in India. The need to ensure growth of the digital economy while keeping personal data of citizens secure and protected is of utmost importance.

The Terms of Reference were: a) to study various issues relating to data protection in India; and b) to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and to suggest a draft data protection bill. It was also submitted by Mr. Tushar Mehta, learned Additional Solicitor General appearing on behalf of the Union of India at that time, that after the report comes into being, there is a possibility that a law regulating data protection shall be passed.

Thereafter, a draft Personal Data Protection Bill 2018 was submitted and put before Parliament, wise men offered some suggestions, and PDPB 2019 was then tabled in Parliament. A Joint Parliamentary Committee was then constituted to hear views from all the stakeholders so as to make the bill broader and cover all aspects of data protection, including non-personal data. And suddenly, on 3rd August 2022, the Government of India withdrew this important bill from Parliament, stating that it would soon be replaced by “a comprehensive legal framework” that will be “designed to address all of the contemporary and future challenges of the digital ecosystem.”

Mr. Tushar Mehta, now the learned Solicitor General of India, submitted at the hearing held on 23 September 2022 before the five-judge Constitution Bench that the matters came up suddenly yesterday night. It was pointed out that these are cases where a Bill was introduced but for some reasons was withdrawn. However, the learned Solicitor General pointed out that Parliament is considering bringing in a new law which should address the concerns of the parties. His definite stand was that the policy of the Government of India is that the users of all the intermediaries in India should not suffer discrimination in comparison to the users of these platforms anywhere else in the world.

This completes the entire circle and we are again at Square ONE.

The decision on the petition is still underway and, with the clear acknowledgement of the fundamental right to privacy in the Justice Puttaswamy case, it seems to be a testing ground for the Indian Parliament as to how to implement a Data Protection Law in India.

Dr. Mahendra Limaye

Cyber Legal and Data Privacy Consultant

Monday, October 3, 2022

Is CERT-In JUSTIFYING its Role as a CYBERSPACE Watch-dog??

 

CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. CERT-In was created by the Indian Department of Information Technology in 2004, and its functions are:

 1) Collection, analysis and dissemination of information on cyber incidents.

 2) Forecast and alerts of cyber security incidents.

 3) Emergency measures for handling cyber security incidents

 4) Coordination of cyber incident response activities.

 5) Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

 6) Such other functions relating to cyber security as may be prescribed.

 

One of the important duties of the various stakeholders in cyberspace is the reporting of cyber security incidents to CERT-In, as mandated in the Rules of 2013. As per section 70 (b) (7), any service provider, intermediaries, data centres, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.

CERT-In is also empowered to issue directions for compliance to service providers, intermediaries, data centres and bodies corporate in respect of such reports of cyber security incidents, and to take appropriate action against non-compliance in the form of civil as well as criminal remedies.

As per recent information received under RTI by Dr. Mahendra Limaye, a cyber legal consultant based in Nagpur, CERT-In received a total of 394499, 1158208, 1402809 and 674021 cyber security incidents, such as phishing, scanning, Distributed Denial of Service attacks, website intrusions, malware infections and vulnerable services, during the years 2019, 2020, 2021 and 2022 (up to June 22) respectively.

To the query regarding in how many of the cyber security incidents reported by 1) service providers, 2) intermediaries, 3) data centres and 4) bodies corporate CERT-In has issued directions for compliance, the response received from CERT-In was, “In discharge of its functions, appropriate communications calling for information and / or directions are issued by CERT-In to organizations.” This answer shows that CERT-In was reluctant to provide a detailed break-up of the incidents in which it issued directions for compliance. Hence, to further queries, such as in how many cases non-compliance reports have been forwarded by CERT-In to the Review Committee and in how many non-compliance matters civil or criminal actions have been initiated by CERT-In, the response was cold, stating that no case was booked. This makes it abundantly clear that CERT-In has neither recommended any matters of non-compliance to the Review Committee nor initiated any civil or criminal action against those who had not complied in time.

The main function of CERT-In is to provide guidance and collect information about cyber security incidents that have happened in India. A cyber security incident is described as any real or suspected adverse event that is likely to cause or causes an offense or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity or availability of electronic information, systems, services or networks without authorization, and has a negative impact on the national economy. This shows the significance attached to the roles and responsibilities of CERT-In in national cyber security. When about 36 lakh incidents have been received by CERT-In in around 3 ½ years, it is highly improbable that compliance would have been received in most of these incidents, and still the information under RTI reveals that no matter was referred either to the Review Committee or for appropriate civil or criminal action. Either the incidents reported were not of much significance to CERT-In or they posed minimal risk to the critical infrastructure of the nation; in both cases CERT-In owes the nation the break-up of the incidents sought under RTI.

Researchers in cyberspace very much doubt that, when about 36 lakh incidents took place, there were none that CERT-In thought worthy of reporting to the Review Committee or to any judicial authority, and hence they are compelled to ask whether CERT-In is justifying its role as the watchdog of India's cyberspace.

If the RTI response is to be believed, then it is really worrying that India's premier organisation for reporting cyber incidents is not making effective use of its resources and may be putting Indian cyberspace in danger, and that is why the question, “Is the Indian Cyber Watchdog sleeping?”

 

Dr Mahendra Limaye

Cyber Legal and Data Privacy Consultant